dependabot[bot] opened a new pull request, #3217: URL: https://github.com/apache/cxf/pull/3217
Bumps [org.atmosphere:atmosphere-runtime](https://github.com/Atmosphere/atmosphere) from 3.1.0 to 4.0.52. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/Atmosphere/atmosphere/releases">org.atmosphere:atmosphere-runtime's releases</a>.</em></p> <blockquote> <h2>Atmosphere 4.0.52</h2> <h3>Added</h3> <ul> <li><strong>MCP authorization now validates bearer tokens end-to-end.</strong> A request is authenticated when either a servlet resource-server filter set the request principal (e.g. Spring Security <code>oauth2ResourceServer</code>) <strong>or</strong> a configured <code>TokenValidator</code> accepts the <code>Authorization: Bearer</code> token (loaded from <code>org.atmosphere.auth.tokenValidator</code>, validated by <code>atmosphere-mcp</code> itself — no framework-specific wiring). The RFC 9728 metadata is now served on the agent registration path too. Proven end-to-end on the embedded server, Spring Boot, and Quarkus (JVM). The <code>spring-boot-mcp-server</code> sample gains an opt-in <code>auth</code> profile (default off) demonstrating it.</li> <li><strong>MCP runs on Quarkus.</strong> <code>@Agent</code>-based MCP endpoints now register under the Quarkus extension (the build scan recognizes <code>@Agent</code> and indexes the optional <code>atmosphere-agent</code> / <code>atmosphere-mcp</code> jars when an <code>@Agent</code> class is present). 
JVM mode; native image is not yet supported for <code>@Agent</code>-based MCP.</li> </ul> <h3>Tested</h3> <ul> <li>Added a stateless <code>2026-07-28</code> round-robin end-to-end test (two <code>tools/call</code> with no session header both succeed, plus <code>server/discover</code> and <code>Mcp-Method</code> mismatch) in <code>modules/integration-tests</code>, proving the no-session-affinity claim over live HTTP.</li> </ul> <h2>Atmosphere 4.0.51</h2> <h3>Added</h3> <ul> <li><strong>MCP <code>2026-07-28</code> release candidate</strong> — the largest MCP revision since launch, implemented as a <strong>stateless dialect that coexists</strong> with the session-based protocol (<code>2024-11-05</code> through <code>2025-11-25</code>). The dialect is selected per request (the client carries the protocol version in <code>params._meta</code> or calls <code>server/discover</code>), so existing clients are unaffected. Stateless core has no <code>Mcp-Session-Id</code> and no <code>initialize</code> handshake, so the server runs behind a plain round-robin load balancer with no session affinity.</li> <li><strong>MCP operability</strong> — <code>Mcp-Method</code> / <code>Mcp-Name</code> routing headers (validated against the body), <code>ttlMs</code> + <code>cacheScope</code> cache metadata on <code>tools/list</code> / <code>resources/list</code> / <code>resources/read</code>, and W3C Trace Context (<code>traceparent</code> / <code>tracestate</code> / <code>baggage</code>) read from <code>_meta</code> and bridged into the OpenTelemetry span.</li> <li><strong>MCP Tasks extension</strong> (<code>io.modelcontextprotocol/tasks</code>) and multi-round-trip input — <code>@McpTool(longRunning = true)</code> returns a task handle polled via <code>tasks/get</code>, and the stateless dialect can return <code>InputRequiredResult</code> with a base64 <code>requestState</code> to request more input mid-call and resume on any instance.</li> <li><strong>JSON Schema 2020-12</strong> dialect 
(<code>$schema</code>) on generated tool input schemas, and a standardized resource-not-found error (<code>-32602</code>) on the stateless dialect.</li> <li><strong>MCP Apps (SEP-1865)</strong> — <code>@McpTool(uiResource = "ui://…")</code> plus a <code>text/html;profile=mcp-app</code> resource makes a tool an MCP App. The Atmosphere console is a working host: it renders the app in a sandboxed iframe, runs a <strong>bidirectional App Bridge</strong> (apps call server tools through the host under the policy gateway; the host lists and calls the app's own <code>appCapabilities.tools</code>), and uses a <strong>separate-origin sandbox proxy</strong> for isolation (<code>atmosphere.mcp-sandbox-origin</code>, with a <code>localhost</code>↔</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/Atmosphere/atmosphere/blob/main/CHANGELOG.md">org.atmosphere:atmosphere-runtime's changelog</a>.</em></p> <blockquote> <h2>[4.0.52] - 2026-06-08</h2> <h3>Added</h3> <ul> <li><strong>MCP authorization now validates bearer tokens end-to-end.</strong> A request is authenticated when either a servlet resource-server filter set the request principal (e.g. Spring Security <code>oauth2ResourceServer</code>) <strong>or</strong> a configured <code>TokenValidator</code> accepts the <code>Authorization: Bearer</code> token (loaded from <code>org.atmosphere.auth.tokenValidator</code>, validated by <code>atmosphere-mcp</code> itself — no framework-specific wiring). The RFC 9728 metadata is now served on the agent registration path too. Proven end-to-end on the embedded server, Spring Boot, and Quarkus (JVM). 
The <code>spring-boot-mcp-server</code> sample gains an opt-in <code>auth</code> profile (default off) demonstrating it.</li> <li><strong>MCP runs on Quarkus.</strong> <code>@Agent</code>-based MCP endpoints now register under the Quarkus extension (the build scan recognizes <code>@Agent</code> and indexes the optional <code>atmosphere-agent</code> / <code>atmosphere-mcp</code> jars when an <code>@Agent</code> class is present). JVM mode; native image is not yet supported for <code>@Agent</code>-based MCP.</li> </ul> <h3>Tested</h3> <ul> <li>Added a stateless <code>2026-07-28</code> round-robin end-to-end test (two <code>tools/call</code> with no session header both succeed, plus <code>server/discover</code> and <code>Mcp-Method</code> mismatch) in <code>modules/integration-tests</code>, proving the no-session-affinity claim over live HTTP.</li> </ul> <h2>[4.0.51] - 2026-06-06</h2> <h3>Added</h3> <ul> <li><strong>MCP <code>2026-07-28</code> release candidate</strong> — the largest MCP revision since launch, implemented as a <strong>stateless dialect that coexists</strong> with the session-based protocol (<code>2024-11-05</code> through <code>2025-11-25</code>). The dialect is selected per request (the client carries the protocol version in <code>params._meta</code> or calls <code>server/discover</code>), so existing clients are unaffected. 
Stateless core has no <code>Mcp-Session-Id</code> and no <code>initialize</code> handshake, so the server runs behind a plain round-robin load balancer with no session affinity.</li> <li><strong>MCP operability</strong> — <code>Mcp-Method</code> / <code>Mcp-Name</code> routing headers (validated against the body), <code>ttlMs</code> + <code>cacheScope</code> cache metadata on <code>tools/list</code> / <code>resources/list</code> / <code>resources/read</code>, and W3C Trace Context (<code>traceparent</code> / <code>tracestate</code> / <code>baggage</code>) read from <code>_meta</code> and bridged into the OpenTelemetry span.</li> <li><strong>MCP Tasks extension</strong> (<code>io.modelcontextprotocol/tasks</code>) and multi-round-trip input — <code>@McpTool(longRunning = true)</code> returns a task handle polled via <code>tasks/get</code>, and the stateless dialect can return <code>InputRequiredResult</code> with a base64 <code>requestState</code> to request more input mid-call and resume on any instance.</li> <li><strong>JSON Schema 2020-12</strong> dialect (<code>$schema</code>) on generated tool input schemas, and a standardized resource-not-found error (<code>-32602</code>) on the stateless dialect.</li> <li><strong>MCP Apps (SEP-1865)</strong> — <code>@McpTool(uiResource = "ui://…")</code> plus a <code>text/html;profile=mcp-app</code> resource makes a tool an MCP App. The Atmosphere console is a working host: it renders the app in a sandboxed iframe, runs a <strong>bidirectional App Bridge</strong> (apps call server tools through the host under the policy gateway; the host lists and calls the app's own <code>appCapabilities.tools</code>), and uses a <strong>separate-origin sandbox proxy</strong> for isolation (<code>atmosphere.mcp-sandbox-origin</code>, with a <code>localhost</code>↔</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... 
(truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/Atmosphere/atmosphere/commit/036662fbdce378e47db2e1dd9c70575352763dc8"><code>036662f</code></a> release: Atmosphere 4.0.52</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/d7af99e31a7e6f2b4e6da15bae3513ddc7133cd1"><code>d7af99e</code></a> docs(readme): move payment/commerce out-of-scope note from Scope cell to prose</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/75800db1454213509ec5f1323151cc23f926cbf9"><code>75800db</code></a> docs(readme): foreground the streaming transport as the foundation in the hero</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/ecea201f986e13650d0d8653fa3c7d9c4fd7f409"><code>ecea201</code></a> docs(mcp): correct auth docs to what exists (bearer TokenValidator, Quarkus JVM)</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/9ebf2394e29cf05a98125764431f4d32ce5376f6"><code>9ebf239</code></a> docs(harness): log the shipped quarkus-oidc auth-delegation doc drift</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/f019b9a0f827e064173a51d87862dbbb60ecd5c6"><code>f019b9a</code></a> fix(quarkus): gate agent/mcp indexing on <a href="https://github.com/Agent"><code>@Agent</code></a> presence to fix native image</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/4ef5b86f286a3bfdf22b5fe2976bdf92971dba02"><code>4ef5b86</code></a> chore: sync SKILLCARD versions to 4.0.52-SNAPSHOT after 4.0.51 release</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/9ef46299895bb7a1ff1a758c243b0d3ff1e53a34"><code>9ef4629</code></a> feat(mcp): close the 4.0.51 OAuth + statelessness gaps (auth E2E, sample, Qua...</li> <li><a href="https://github.com/Atmosphere/atmosphere/commit/49f0ab40200d25d38a41d2848179cb1cff07b87f"><code>49f0ab4</code></a> docs(harness): post-mortem + drift-log for the 4.0.51 MCP capability oversell</li> <li><a 
href="https://github.com/Atmosphere/atmosphere/commit/65f7bbc52c3b10484565733847d1efceb404ea94"><code>65f7bbc</code></a> chore(js): prepare next development version 5.0.30</li> <li>Additional commits viewable in <a href="https://github.com/Atmosphere/atmosphere/compare/atmosphere-project-3.1.0...atmosphere-4.0.52">compare view</a></li> </ul> </details>
