test(e2e): audit transport-restricted requirements for the entry arms; admit two and harden entryModern

[felixweinberger]

Audits every transport-restricted requirement in the e2e manifest for applicability to the createMcpHandler entry arms, admits the two whose bodies the per-request entry can already serve, and hardens the entryModern arm against negotiation/envelope drift.

Motivation and Context

The entry arms added in #2309 opt in every requirement without an explicit transports restriction; the ~240 rows that carry one were authored before the entry existed and never reach the arms. This pass reviews each of them so that nothing is skipped silently: requirements the per-request entry can serve today are admitted, and the rest are confirmed as blocked on missing entry features (server→client requests, sessions/standalone streams) or as genuinely transport-specific.

• Two requirements join the entry arms (+4 cells, all green): flow:tool-result:resource-link-follow and custom-methods:notification-handler. Both bodies need only request-scoped delivery, so the per-request entry serves them unmodified on both eras; their notes explain the inclusion. No scenario body was changed and no knownFailure or exclusion was added.
• The rest stay restricted on purpose. Server→client request flows (sampling, elicitation, roots), subscription/list-changed/standalone-stream behaviors, session lifecycle and resumability, and persistent-instance state cannot be expressed on a per-request entry yet; transport-class internals, framework adapters, and stdio/SSE-specific mechanics never will be. The OAuth/auth scenarios stay restricted for a different reason: their bodies host their own servers and auth stacks, so labelling them with an entry arm would not exercise the entry — authenticated serving through createMcpHandler needs dedicated entry-side scenarios, which this review calls out as follow-up coverage alongside the other generic HTTP-mechanics behaviors that deserve dedicated entry-side cells later (several already have them).
• entryModern arm hardening. The arm now asserts immediately after connect that the connection actually negotiated 2026-07-28, so a broken negotiation pin produces one attributable arm-level failure instead of hundreds of downstream ones; and the per-request envelope shim now captures from the latest enveloped message rather than the first, so a renegotiated connection could not keep claiming a stale version.

How Has This Been Tested?

Full e2e matrix before/after on the same machine: 2536 passed / 205 expected-fail / 2741 cells → 2540 / 205 / 2745, zero unexpected failures in both runs. Package typecheck and lint for the e2e workspace are green. No package source, examples, or conformance changes.

Breaking Changes

None — test-only.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update
• Test/coverage change (no runtime behavior change)

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

One candidate that looked admissible analytically — logging emitted via the request context (ctx.mcpReq.log) while the handler is still running — stays restricted, and the reason is sharper than a missing delivery channel: those notifications are emitted without a relatedRequestId, and the per-request transport drops messages that are not related to the single in-flight request, so handler-context logs are never delivered when serving through createMcpHandler. Request-related notifications and progress do ride the in-flight exchange (which is why those cells pass on the entry arms). Whether handler-context logging should be emitted as request-related on per-request serving is left as an explicit follow-up rather than changed here.

[changeset-bot]

⚠️ No Changeset found

Latest commit: e843eab

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@2312

@modelcontextprotocol/codemod

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/codemod@2312

@modelcontextprotocol/server

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@2312

@modelcontextprotocol/server-legacy

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server-legacy@2312

@modelcontextprotocol/express

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/express@2312

@modelcontextprotocol/fastify

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/fastify@2312

@modelcontextprotocol/hono

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/hono@2312

@modelcontextprotocol/node

npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/node@2312

commit: e843eab