Bump org.atmosphere:atmosphere-runtime from 3.1.0 to 4.0.52

[dependabot]

Bumps org.atmosphere:atmosphere-runtime from 3.1.0 to 4.0.52.

Release notes

Sourced from org.atmosphere:atmosphere-runtime's releases.

Atmosphere 4.0.52

Added

• MCP authorization now validates bearer tokens end-to-end. A request is authenticated when either a servlet resource-server filter set the request principal (e.g. Spring Security oauth2ResourceServer) or a configured TokenValidator accepts the Authorization: Bearer token (loaded from org.atmosphere.auth.tokenValidator, validated by atmosphere-mcp itself — no framework-specific wiring). The RFC 9728 metadata is now served on the agent registration path too. Proven end-to-end on the embedded server, Spring Boot, and Quarkus (JVM). The spring-boot-mcp-server sample gains an opt-in auth profile (default off) demonstrating it.
• MCP runs on Quarkus. @Agent-based MCP endpoints now register under the Quarkus extension (the build scan recognizes @Agent and indexes the optional atmosphere-agent / atmosphere-mcp jars when an @Agent class is present). JVM mode; native image is not yet supported for @Agent-based MCP.

Tested

• Added a stateless 2026-07-28 round-robin end-to-end test (two tools/call with no session header both succeed, plus server/discover and Mcp-Method mismatch) in modules/integration-tests, proving the no-session-affinity claim over live HTTP.

Atmosphere 4.0.51

Added

• MCP 2026-07-28 release candidate — the largest MCP revision since launch, implemented as a stateless dialect that coexists with the session-based protocol (2024-11-05 through 2025-11-25). The dialect is selected per request (the client carries the protocol version in params._meta or calls server/discover), so existing clients are unaffected. Stateless core has no Mcp-Session-Id and no initialize handshake, so the server runs behind a plain round-robin load balancer with no session affinity.
• MCP operability — Mcp-Method / Mcp-Name routing headers (validated against the body), ttlMs + cacheScope cache metadata on tools/list / resources/list / resources/read, and W3C Trace Context (traceparent / tracestate / baggage) read from _meta and bridged into the OpenTelemetry span.
• MCP Tasks extension (io.modelcontextprotocol/tasks) and multi-round-trip input — @McpTool(longRunning = true) returns a task handle polled via tasks/get, and the stateless dialect can return InputRequiredResult with a base64 requestState to request more input mid-call and resume on any instance.
• JSON Schema 2020-12 dialect ($schema) on generated tool input schemas, and a standardized resource-not-found error (-32602) on the stateless dialect.
• MCP Apps (SEP-1865) — @McpTool(uiResource = "ui://…") plus a text/html;profile=mcp-app resource makes a tool an MCP App. The Atmosphere console is a working host: it renders the app in a sandboxed iframe, runs a bidirectional App Bridge (apps call server tools through the host under the policy gateway; the host lists and calls the app's own appCapabilities.tools), and uses a separate-origin sandbox proxy for isolation (atmosphere.mcp-sandbox-origin, with a localhost↔

... (truncated)

Changelog

Sourced from org.atmosphere:atmosphere-runtime's changelog.

[4.0.52] - 2026-06-08

Added

• MCP authorization now validates bearer tokens end-to-end. A request is authenticated when either a servlet resource-server filter set the request principal (e.g. Spring Security oauth2ResourceServer) or a configured TokenValidator accepts the Authorization: Bearer token (loaded from org.atmosphere.auth.tokenValidator, validated by atmosphere-mcp itself — no framework-specific wiring). The RFC 9728 metadata is now served on the agent registration path too. Proven end-to-end on the embedded server, Spring Boot, and Quarkus (JVM). The spring-boot-mcp-server sample gains an opt-in auth profile (default off) demonstrating it.
• MCP runs on Quarkus. @Agent-based MCP endpoints now register under the Quarkus extension (the build scan recognizes @Agent and indexes the optional atmosphere-agent / atmosphere-mcp jars when an @Agent class is present). JVM mode; native image is not yet supported for @Agent-based MCP.

Tested

• Added a stateless 2026-07-28 round-robin end-to-end test (two tools/call with no session header both succeed, plus server/discover and Mcp-Method mismatch) in modules/integration-tests, proving the no-session-affinity claim over live HTTP.

[4.0.51] - 2026-06-06

Added

• MCP 2026-07-28 release candidate — the largest MCP revision since launch, implemented as a stateless dialect that coexists with the session-based protocol (2024-11-05 through 2025-11-25). The dialect is selected per request (the client carries the protocol version in params._meta or calls server/discover), so existing clients are unaffected. Stateless core has no Mcp-Session-Id and no initialize handshake, so the server runs behind a plain round-robin load balancer with no session affinity.
• MCP operability — Mcp-Method / Mcp-Name routing headers (validated against the body), ttlMs + cacheScope cache metadata on tools/list / resources/list / resources/read, and W3C Trace Context (traceparent / tracestate / baggage) read from _meta and bridged into the OpenTelemetry span.
• MCP Tasks extension (io.modelcontextprotocol/tasks) and multi-round-trip input — @McpTool(longRunning = true) returns a task handle polled via tasks/get, and the stateless dialect can return InputRequiredResult with a base64 requestState to request more input mid-call and resume on any instance.
• JSON Schema 2020-12 dialect ($schema) on generated tool input schemas, and a standardized resource-not-found error (-32602) on the stateless dialect.
• MCP Apps (SEP-1865) — @McpTool(uiResource = "ui://…") plus a text/html;profile=mcp-app resource makes a tool an MCP App. The Atmosphere console is a working host: it renders the app in a sandboxed iframe, runs a bidirectional App Bridge (apps call server tools through the host under the policy gateway; the host lists and calls the app's own appCapabilities.tools), and uses a separate-origin sandbox proxy for isolation (atmosphere.mcp-sandbox-origin, with a localhost↔

... (truncated)

Commits

• 036662f release: Atmosphere 4.0.52
• d7af99e docs(readme): move payment/commerce out-of-scope note from Scope cell to prose
• 75800db docs(readme): foreground the streaming transport as the foundation in the hero
• ecea201 docs(mcp): correct auth docs to what exists (bearer TokenValidator, Quarkus JVM)
• 9ebf239 docs(harness): log the shipped quarkus-oidc auth-delegation doc drift
• f019b9a fix(quarkus): gate agent/mcp indexing on @​Agent presence to fix native image
• 4ef5b86 chore: sync SKILLCARD versions to 4.0.52-SNAPSHOT after 4.0.51 release
• 9ef4629 feat(mcp): close the 4.0.51 OAuth + statelessness gaps (auth E2E, sample, Qua...
• 49f0ab4 docs(harness): post-mortem + drift-log for the 4.0.51 MCP capability oversell
• 65f7bbc chore(js): prepare next development version 5.0.30
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #3234.