docs(migration): dual-role instanceof caveat in the Errors section

[felixweinberger]

Follow-up to #2382. The Errors section teaches e instanceof SdkHttpError && e.status === 401-style classification; in a process that uses both @modelcontextprotocol/client and @modelcontextprotocol/server (gateway, host, in-process test), each package bundles its own copy of the error classes, so an error constructed by one package fails instanceof against the class imported from the other — silently. With the runtime-identity fix (#2384) not proceeding, the guide should say so where the patterns are taught.

Motivation and Context

Four independent v1→v2 migrations hit silent cross-package instanceof misses. This adds one paragraph documenting the limitation and the cross-bundle-safe forms: error.code / field-presence matching, and ProtocolError.fromError for typed protocol errors.

How Has This Been Tested?

Docs-only; prettier clean.

Breaking Changes

None.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

[changeset-bot]

⚠️ No Changeset found

Latest commit: 5f4bb54

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/@modelcontextprotocol/client@2385

@modelcontextprotocol/codemod

npm i https://pkg.pr.new/@modelcontextprotocol/codemod@2385

@modelcontextprotocol/core

npm i https://pkg.pr.new/@modelcontextprotocol/core@2385

@modelcontextprotocol/server

npm i https://pkg.pr.new/@modelcontextprotocol/server@2385

@modelcontextprotocol/server-legacy

npm i https://pkg.pr.new/@modelcontextprotocol/server-legacy@2385

@modelcontextprotocol/express

npm i https://pkg.pr.new/@modelcontextprotocol/express@2385

@modelcontextprotocol/fastify

npm i https://pkg.pr.new/@modelcontextprotocol/fastify@2385

@modelcontextprotocol/hono

npm i https://pkg.pr.new/@modelcontextprotocol/hono@2385

@modelcontextprotocol/node

npm i https://pkg.pr.new/@modelcontextprotocol/node@2385

commit: 5f4bb54

[claude]

LGTM — docs-only, one paragraph in the migration guide; the cross-package instanceof claim and the ProtocolError.fromError signature both check out against the code.

Extended reasoning...

Overview

This PR adds a single paragraph to the Errors section of docs/migration/upgrade-to-v2.md, documenting that instanceof checks on SDK error classes do not work across the @modelcontextprotocol/client / @modelcontextprotocol/server package boundary in dual-role processes, and recommending field-based matching (error.code, presence checks) or ProtocolError.fromError instead. No code, schema, or example changes.

Verification of the claims

• The bundling claim is accurate: packages/client/tsdown.config.ts (and the server package) lists @modelcontextprotocol/core-internal under noExternal, so each published package ships its own copy of the error classes and cross-package instanceof indeed fails.
• ProtocolError.fromError(code, message, data) exists with exactly that signature in packages/core-internal/src/types/errors.ts:26, and the guide already describes it as working across bundle boundaries in the Typed ProtocolError subclasses section — the new paragraph is consistent with that.
• The recommended cross-bundle-safe forms (string SdkErrorCode, numeric JSON-RPC codes, OAuthErrorCode strings, 'status' in e) match the rest of the Errors/Auth sections.

Security risks

None — documentation-only change with no executable content.

Level of scrutiny

Low. This is a one-paragraph docs addition in a migration guide, follow-up to #2382, with no API surface or behavioral impact. The main risk for docs PRs is prose contradicting the implementation, which I checked directly.

Other factors

No changeset is needed for a docs-only change (changeset-bot warning is expected). The bug-hunting system found no issues, and the new text fits the existing structure and tone of the Errors section.