go-sdk v1.4.0 upgrade + protocol constant consolidation + HTTPTransport removal

[Copilot]

Addresses the go-fan module review recommendations for modelcontextprotocol/go-sdk: upgrade to v1.4.0, fix two hardcoded values in initializeHTTPSession, and remove dead code.

Changes

• Upgrade go-sdk v1.3.1 → v1.4.0 — picks up bug fixes, full sampling-with-tools support (2025-11-05 spec), and experimental client-side OAuth infrastructure

• Fix hardcoded clientInfo.version in initializeHTTPSession — was "1.0.0", now version.Get() to match the rest of the codebase

• Consolidate MCPProtocolVersion constant — moved from internal/server/unified.go to internal/mcp/http_transport.go (where it's actually used in initialization); server now references mcp.MCPProtocolVersion for a single source of truth

  // Before (two independent string literals)
  // server/unified.go:  const MCPProtocolVersion = "2024-11-05"
  // mcp/http_transport.go: "protocolVersion": "2024-11-05",  // inline, "version": "1.0.0"
  
  // After
  // mcp/http_transport.go: const MCPProtocolVersion = "2024-11-05"
  // server/unified.go:     const MCPProtocolVersion = mcp.MCPProtocolVersion
  // mcp/http_transport.go: "protocolVersion": MCPProtocolVersion, "version": version.Get()

• Remove HTTPTransport dead code from internal/server/transport.go — no-op struct implementing sdk.Transport that was never referenced in production; actual HTTP serving uses sdk.NewStreamableHTTPHandler

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• example.com
  • Triggering command: /tmp/go-build3616839411/b297/launcher.test /tmp/go-build3616839411/b297/launcher.test -test.testlogfile=/tmp/go-build3616839411/b297/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true in.so /lto-wrapper rgo/bin/git (dns block)
  • Triggering command: /tmp/go-build1213122719/b301/launcher.test /tmp/go-build1213122719/b301/launcher.test -test.testlogfile=/tmp/go-build1213122719/b301/testlog.txt -test.paniconexit0 -test.timeout=10m0s /home/REDACTED/.cache/go-build/b2/b2adc7ce0f112d7ee8c06bf864110bc00ea771823cd463eb71d47e27f9a4a316-d B4CU0D_pf .cfg 64/pkg/tool/linux_amd64/compile --gdwarf-5 --64 -o 64/pkg/tool/linux_amd64/compile -W g_.a aw-mcpg/internal/auth/header_test.go ache/go/1.25.7/x64/pkg/tool/linux_amd64/vet . 939512/b253/ --64 ache/go/1.25.7/x-buildtags (dns block)
• invalid-host-that-does-not-exist-12345.com
  • Triggering command: /tmp/go-build3616839411/b279/config.test /tmp/go-build3616839411/b279/config.test -test.testlogfile=/tmp/go-build3616839411/b279/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true ternal/fips140/s-I r p/bin/git (dns block)
  • Triggering command: /tmp/go-build1213122719/b283/config.test /tmp/go-build1213122719/b283/config.test -test.testlogfile=/tmp/go-build1213122719/b283/testlog.txt -test.paniconexit0 -test.timeout=10m0s 9395�� g_.a -trimpath 64/pkg/tool/linux_amd64/vet -I fips140/nistec/f-unsafeptr=false -I 64/pkg/tool/linux_amd64/vet 64/s�� ZfDYF9aua .cfg ache/go/1.25.7/x64/pkg/tool/linux_amd64/compile --gdwarf-5 --64 -o ache/go/1.25.7/x64/pkg/tool/linux_amd64/compile (dns block)
• nonexistent.local
  • Triggering command: /tmp/go-build3616839411/b297/launcher.test /tmp/go-build3616839411/b297/launcher.test -test.testlogfile=/tmp/go-build3616839411/b297/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true in.so /lto-wrapper rgo/bin/git (dns block)
  • Triggering command: /tmp/go-build1213122719/b301/launcher.test /tmp/go-build1213122719/b301/launcher.test -test.testlogfile=/tmp/go-build1213122719/b301/testlog.txt -test.paniconexit0 -test.timeout=10m0s /home/REDACTED/.cache/go-build/b2/b2adc7ce0f112d7ee8c06bf864110bc00ea771823cd463eb71d47e27f9a4a316-d B4CU0D_pf .cfg 64/pkg/tool/linux_amd64/compile --gdwarf-5 --64 -o 64/pkg/tool/linux_amd64/compile -W g_.a aw-mcpg/internal/auth/header_test.go ache/go/1.25.7/x64/pkg/tool/linux_amd64/vet . 939512/b253/ --64 ache/go/1.25.7/x-buildtags (dns block)
• slow.example.com
  • Triggering command: /tmp/go-build3616839411/b297/launcher.test /tmp/go-build3616839411/b297/launcher.test -test.testlogfile=/tmp/go-build3616839411/b297/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true in.so /lto-wrapper rgo/bin/git (dns block)
  • Triggering command: /tmp/go-build1213122719/b301/launcher.test /tmp/go-build1213122719/b301/launcher.test -test.testlogfile=/tmp/go-build1213122719/b301/testlog.txt -test.paniconexit0 -test.timeout=10m0s /home/REDACTED/.cache/go-build/b2/b2adc7ce0f112d7ee8c06bf864110bc00ea771823cd463eb71d47e27f9a4a316-d B4CU0D_pf .cfg 64/pkg/tool/linux_amd64/compile --gdwarf-5 --64 -o 64/pkg/tool/linux_amd64/compile -W g_.a aw-mcpg/internal/auth/header_test.go ache/go/1.25.7/x64/pkg/tool/linux_amd64/vet . 939512/b253/ --64 ache/go/1.25.7/x-buildtags (dns block)
• this-host-does-not-exist-12345.com
  • Triggering command: /tmp/go-build3616839411/b306/mcp.test /tmp/go-build3616839411/b306/mcp.test -test.testlogfile=/tmp/go-build3616839411/b306/testlog.txt -test.paniconexit0 -test.timeout=10m0s -test.v=true 64/src/runtime/cgo dPaLDQkT6 64/pkg/tool/linux_amd64/compile pull.rebase (dns block)
  • Triggering command: /tmp/go-build1213122719/b310/mcp.test /tmp/go-build1213122719/b310/mcp.test -test.testlogfile=/tmp/go-build1213122719/b310/testlog.txt -test.paniconexit0 -test.timeout=10m0s .cgo�� /middleware/jqschema.go /middleware/jqschema_bench_test.go ache/go/1.25.7/x64/pkg/tool/linux_amd64/vet 939512/b100/ 939512/b224/ /tmp/go-build791939512/b100/ ache/go/1.25.7/x64/pkg/tool/linu-buildtags (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[go-fan] Go Module Review: modelcontextprotocol/go-sdk</issue_title>
<issue_description># 🐹 Go Fan Report: modelcontextprotocol/go-sdk

Module Overview

github.com/modelcontextprotocol/go-sdk is the official Go SDK for the Model Context Protocol. It provides client and server implementations, all transport layers (stdio, streamable HTTP, SSE), and the complete set of MCP protocol types. This is the single most critical dependency in the project — it is the foundation on which the entire gateway is built.

Current Usage in gh-aw

The project is currently on v1.3.1; the latest is v1.4.0 (released 2026-02-27).

• Files: 21 files across production code and tests
• Import Count: 21 (sdk "github.com/modelcontextprotocol/go-sdk/mcp")
• Key APIs Used:
  • sdk.NewClient / sdk.Client / sdk.ClientSession — backend connections
  • sdk.NewServer / sdk.Server — serving MCP to clients
  • sdk.CommandTransport — stdio (Docker container launches)
  • sdk.StreamableClientTransport / sdk.SSEClientTransport — HTTP client transports
  • sdk.NewStreamableHTTPHandler / sdk.StreamableHTTPOptions — HTTP server
  • sdk.NewInMemoryTransports — unit test infrastructure
  • sdk.Implementation, sdk.ClientOptions, sdk.ServerOptions — identity/config
  • All MCP protocol types: Tool, Resource, Content, TextContent, CallToolRequest, CallToolResult, etc.

Research Findings

Recent Updates (v1.3.1 → v1.4.0)

Released 2026-02-27 — the most recently updated dependency in the project's entire dependency tree.

1. Sampling with Tools — Completes the full [2025-11-25 MCP specification]((modelcontextprotocol.io/redacted) support
2. Client-side OAuth support (experimental, behind mcp_go_client_oauth build tag):
   • New OAuthHandler interface integrated into StreamableClientTransport
   • auth.AuthorizationCodeHandler implements full OAuth 2.0 authorization_code flow per MCP spec §Authorization
   • Features: Protected Resource Metadata discovery, PKCE, dynamic client registration, automatic token refresh
   • Pluggable AuthorizationCodeFetcher callback for browser-redirect flows
3. Bug fixes and stability improvements
4. Note: The only backwards-incompatible change is the renaming of the experimental OAuthHandlerLegacy type (from a previous iteration), which the project does not use.

Best Practices

• The project already uses the SDK idiomatically: Server.AddTool (method version, not function) is correctly used to skip schema validation for backends with non-standard JSON Schema — this is the right call.
• The slog logger integration (logger.NewSlogLoggerWithHandler) is the recommended pattern per SDK docs.
• sdk.NewInMemoryTransports for unit tests is the SDK's recommended in-process test approach.
• The transport fallback strategy (streamable → SSE → plain JSON-RPC) correctly handles backward compatibility.

Improvement Opportunities

🏃 Quick Wins

1. Upgrade to v1.4.0

The project is one minor version behind. v1.4.0 has no breaking changes (outside experimental OAuth API not currently used) and includes bug fixes:

go get github.com/modelcontextprotocol/go-sdk@v1.4.0
go mod tidy

2. Use version.Get() in initializeHTTPSession clientInfo

In internal/mcp/http_transport.go:383, the clientInfo version is hardcoded as "1.0.0" while newMCPClient() (in the same file) correctly uses version.Get(). These should be consistent:

// Current (line 383):
"version": "1.0.0",

// Should be:
"version": version.Get(),

✨ Feature Opportunities

3. Client-side OAuth for HTTP Backends (v1.4.0)

Currently, any HTTP backend with custom headers (auth) is forced to use the plain JSON-RPC transport path — the SDK's StreamableClientTransport is bypassed entirely because it didn't support custom headers. The v1.4.0 OAuthHandler interface provides a proper solution:

• StreamableClientTransport.OAuthHandler field can provide an oauth2.TokenSource for Bearer tokens
• When a 401/403 is received, OAuthHandler.Authorize() can re-run the OAuth flow
• This could replace the "skip SDK for custom headers" bypass for backends using standard OAuth 2.0

The current behavior (plain JSON-RPC for custom-header backends) works fine but limits those backends to the less-capable transport.

4. Sampling with Tools (v1.4.0)

The 2025-11-25 spec's sampling capability (LLM completion requests from server → client) is now fully supported. If the gateway's role expands to proxying sampling requests from backend MCP servers to LLM-capable clients, the foundation is now in place.

📐 Best Practice Alignment

5. Remove or document HTTPTransport dead code

internal/server/transport.go (lines 16–44) defines an HTTPTransport struct implementing sdk.Transport...

Custom agent used: agentic-workflows
GitHub Agentic Workflows (gh-aw) - Create, debug, and upgrade AI-powered workflows with intelligent prompt routing

• Fixes [go-fan] Go Module Review: modelcontextprotocol/go-sdk #1595

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Pull request overview

Upgrades github.com/modelcontextprotocol/go-sdk to v1.4.0, centralizes MCP protocol version usage, and removes an unused HTTP transport implementation to align with recent module review recommendations.

Changes:

• Bump go-sdk dependency from v1.3.1 to v1.4.0 (and related indirect deps).
• Replace hardcoded initialization values with shared constants/version.Get() in HTTP session initialization.
• Remove dead HTTPTransport implementation and its tests.

Reviewed changes

Copilot reviewed 5 out of 6 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
internal/server/unified.go	References a single source of truth for the MCP protocol version.
internal/server/transport.go	Removes unused HTTPTransport implementation.
internal/server/transport_test.go	Deletes tests that only validated the removed dead transport.
internal/mcp/http_transport.go	Introduces shared MCPProtocolVersion constant and uses version.Get() in clientInfo.
go.mod	Upgrades go-sdk and related indirect dependencies.
go.sum	Updates checksums for upgraded dependencies.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.