Maintainer Meeting - NYC - March 31, 2026 #2547
localden
started this conversation in
Meeting Notes - Other
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
-
Note
Generated from transcripts of the discussions we had on-site. There may be gaps - feel free to add them in the comments below.
1. Sessions: Killing Transport Sessions, Defining Application Sessions
Problem being solved
Direction agreed
create/resume/end. Implicit session creation tied to client-object lifetime is what caused the current mess (one client shared across multiple chat windows).create_sessionmethod +session_required/session_not_founderrors so servers can declare strictness.2. Stateless Multi-Turn Tool Requests (Elicitation Behind Load Balancers)
Problem being solved
awaits the answer on the same connection (SSE / STDIO).The "MRTR" stateless pattern (accepted by core maintainers)
Developer experience & compatibility
await elicit()model. Familiar to web/distributed devs, foreign to others. Classic RPC debate: make remote look local, or expose the difference?awaitstyle. Distributed servers manage the complexity themselves.completevsincompleteresult types.3. STDIO Transport — Security, Supply Chain, and Governance
Why STDIO still exists / is used
The core security problem
0.0.0.0, accidental network exposure, port-forwarding mistakes). The real issue is pulling and executing packages locally (npm/PyPI/npxmalware, cf. recentaxioscompromise).Mitigations discussed
npx <pkg>latest; delay availability ~a week so a malicious publish doesn't hit users instantly.npxrandom packages; PMs install Node for the first time to run an MCP server without understanding whatnpxdoes.Action item: publish security best-practices docs - audit packages before running, pin dependencies, use private registries, package-manager hygiene. A managed/scanned registry is "probably the only real choice in an open world."
4. Standard Client Configuration Format (
mcp.json) & Secret HandlingGoal
Scope decisions
server.json(server-authored schema: required fields, secrets, validation) from the client config file (runtime values to actually launch/connect). Client config can store a reference back toserver.jsonso clients can re-render validated, masked config UIs.Secret security (the bulk of the discussion)
required,description, etc.) — no values, no placeholders. Placeholders encourage users to paste secrets into the file. The client is responsible for prompting the user or fetching the value securely.1password,env, OS keychain, …) + params; client resolves at runtime. Allows diverse secure backends.5. Protocol Release Cadence & Version Support Policy
Problem
Proposed cadence
Support window
Action items: decide cadence + support duration; invite FastMCP/unofficial maintainers into the release discussions.
Cross-Cutting Themes
Consolidated Action Items
Beta Was this translation helpful? Give feedback.
All reactions