Bump org.atmosphere:atmosphere-runtime from 3.1.0 to 4.0.53

[dependabot]

Bumps org.atmosphere:atmosphere-runtime from 3.1.0 to 4.0.53.

Release notes

Sourced from org.atmosphere:atmosphere-runtime's releases.

Atmosphere 4.0.52

Added

• MCP authorization now validates bearer tokens end-to-end. A request is authenticated when either a servlet resource-server filter set the request principal (e.g. Spring Security oauth2ResourceServer) or a configured TokenValidator accepts the Authorization: Bearer token (loaded from org.atmosphere.auth.tokenValidator, validated by atmosphere-mcp itself — no framework-specific wiring). The RFC 9728 metadata is now served on the agent registration path too. Proven end-to-end on the embedded server, Spring Boot, and Quarkus (JVM). The spring-boot-mcp-server sample gains an opt-in auth profile (default off) demonstrating it.
• MCP runs on Quarkus. @Agent-based MCP endpoints now register under the Quarkus extension (the build scan recognizes @Agent and indexes the optional atmosphere-agent / atmosphere-mcp jars when an @Agent class is present). JVM mode; native image is not yet supported for @Agent-based MCP.

Tested

• Added a stateless 2026-07-28 round-robin end-to-end test (two tools/call with no session header both succeed, plus server/discover and Mcp-Method mismatch) in modules/integration-tests, proving the no-session-affinity claim over live HTTP.

Atmosphere 4.0.51

Added

• MCP 2026-07-28 release candidate — the largest MCP revision since launch, implemented as a stateless dialect that coexists with the session-based protocol (2024-11-05 through 2025-11-25). The dialect is selected per request (the client carries the protocol version in params._meta or calls server/discover), so existing clients are unaffected. Stateless core has no Mcp-Session-Id and no initialize handshake, so the server runs behind a plain round-robin load balancer with no session affinity.
• MCP operability — Mcp-Method / Mcp-Name routing headers (validated against the body), ttlMs + cacheScope cache metadata on tools/list / resources/list / resources/read, and W3C Trace Context (traceparent / tracestate / baggage) read from _meta and bridged into the OpenTelemetry span.
• MCP Tasks extension (io.modelcontextprotocol/tasks) and multi-round-trip input — @McpTool(longRunning = true) returns a task handle polled via tasks/get, and the stateless dialect can return InputRequiredResult with a base64 requestState to request more input mid-call and resume on any instance.
• JSON Schema 2020-12 dialect ($schema) on generated tool input schemas, and a standardized resource-not-found error (-32602) on the stateless dialect.
• MCP Apps (SEP-1865) — @McpTool(uiResource = "ui://…") plus a text/html;profile=mcp-app resource makes a tool an MCP App. The Atmosphere console is a working host: it renders the app in a sandboxed iframe, runs a bidirectional App Bridge (apps call server tools through the host under the policy gateway; the host lists and calls the app's own appCapabilities.tools), and uses a separate-origin sandbox proxy for isolation (atmosphere.mcp-sandbox-origin, with a localhost↔

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Superseded by #3238.