docs: correctness and coverage pass for the 2026-07-28 revision

[felixweinberger]

Verifies every claim in docs/ (server and client guides, both quickstarts, FAQ) against the SDK surface on main and fills the coverage gaps for the 2026-07-28 revision. Every code sample in the guides is now synced from a type-checked source.

Motivation and Context

The guides predate the 2026-07-28 implementation landing on main, and the costliest errors were silent ones: docs teaching APIs that now throw.

• The Sampling / Elicitation / Roots sections presented ctx.mcpReq.requestSampling(), ctx.mcpReq.elicitInput(), and server.server.listRoots() as fully functional with no era caveat. On a connection pinned to 2026-07-28 (serveStdio / createMcpHandler) all three throw SdkError(MethodNotSupportedByProtocolVersion) before anything reaches the wire; the "MCP is bidirectional" framing had the same problem.
• The replacement the SDK's own error messages steer to (returning inputRequired(...)) had no guide coverage at all: no inputRequired builder, no acceptedContent, no requestState, no client-side auto-fulfilment or manual mode.
• The client quickstart's tool-calling loop was broken for responses with more than one tool_use block: it re-sent the full assistant content per tool call and issued the follow-up request without tools, so multi-tool turns produced malformed conversations and dead-end follow-ups.
• createMcpHandler was used in examples but never introduced, and HTTP had no 2026-07-28 serving section (stdio did).

Highlights:

• server.md: era-scoped notes on every push-style API pointing at the in-band replacement; new sections for serving 2026-07-28 over HTTP (createMcpHandler + toNodeHandler), input_required / multi-round trips (including requestState integrity guidance and a worked example), change notifications in both eras (handler.notify, the event bus, capability gating), cache hints (SEP-2549), and an OAuth resource-server setup (requireBearerAuth, metadata router, WWW-Authenticate challenge); serveStdio options; stale source links fixed.
• client.md: response caching (cacheMode, responseCacheStore, cachePartition, defaultCacheTtlMs), subscription streams (listen(), honoredFilter, close reasons, a watch loop) with era notes on subscribeResource() and listChanged, input_required auto-fulfilment defaults plus the manual mode, the per-request log level on 2026-07-28 (LOG_LEVEL_META_KEY) versus setLoggingLevel(), RFC 8707 resource indicators and issuer validation (RFC 9207 / RFC 8414 §3.3), SdkHttpError and the ClientHttp* codes, listMaxPages, and version-negotiation details (supportedProtocolVersions, connect({ prior }) semantics).
• Quickstarts: the weather server now runs through serveStdio from a createServer() factory (the current serving entry; it owns the transport and serves current hosts and the 2026-07-28 revision from the same factory) instead of hand-wiring a StdioServerTransport; the client tool loop rewritten to the Messages API shape (one assistant turn, one user turn carrying every tool_result, is_error propagated, loop until no tool calls remain); weather-server failure returns set isError: true; dropped the unneeded as const casts, dead bin entries, and the chmod build step; both example packages renamed to the @mcp-examples/* scope used by every other example (changeset ignore list updated); READMEs note the manifests are monorepo-internal.
• Guide snippets: 16 new //#region blocks in examples/guides/*.examples.ts, so every new code sample is type-checked and kept in sync by pnpm sync:snippets (two previously inline fences converted along the way).
• FAQ / pins: stale paths fixed (authExtensions.ts, vitest.setup.js, hostHeaderValidation.ts), the @modelcontextprotocol/server-legacy/sse escape hatch noted, a missing row added to the behavior-surface-pins inventory.

How Has This Been Tested?

Docs and examples only. pnpm sync:snippets --check, the examples typecheck and lint, and pnpm docs:check (typedoc, warnings as errors) all pass; relative links and anchors were checked. Every behavioral claim was verified against the SDK source on current main before being written, and the quickstart apps type-check against the workspace packages.

Breaking Changes

None. The two example packages are private and on the changeset ignore list, so the @mcp-examples/* rename publishes nothing.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context

#2381 merged while this was in flight, so alongside the native 2026-07-28 input_required documentation this also adds the one-paragraph note that on 2025-era connections the default-on legacy shim fulfils input_required returns over the session, linking the shim section of the support guide for its options. The docs index still omits the migration guides on purpose: now that they declare children:, adding them to documents.md pulls them into the typedoc document tree and turns on anchor validation whose heading slugs differ from GitHub's for inline-code headings (typedoc drops the code spans), which fails the build for GitHub-correct links — including two of the existing migration-internal ones. Reconciling the two sluggers belongs to the docs-site work.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 1c4ce9a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[pkg-pr-new]

Open in StackBlitz

@modelcontextprotocol/client

npm i https://pkg.pr.new/@modelcontextprotocol/client@2389

@modelcontextprotocol/codemod

npm i https://pkg.pr.new/@modelcontextprotocol/codemod@2389

@modelcontextprotocol/core

npm i https://pkg.pr.new/@modelcontextprotocol/core@2389

@modelcontextprotocol/server

npm i https://pkg.pr.new/@modelcontextprotocol/server@2389

@modelcontextprotocol/server-legacy

npm i https://pkg.pr.new/@modelcontextprotocol/server-legacy@2389

@modelcontextprotocol/express

npm i https://pkg.pr.new/@modelcontextprotocol/express@2389

@modelcontextprotocol/fastify

npm i https://pkg.pr.new/@modelcontextprotocol/fastify@2389

@modelcontextprotocol/hono

npm i https://pkg.pr.new/@modelcontextprotocol/hono@2389

@modelcontextprotocol/node

npm i https://pkg.pr.new/@modelcontextprotocol/node@2389

commit: 1c4ce9a

[claude]

Thanks for addressing the earlier feedback — the scratch/ working files are gone and the resource-template completion note now sits at the end of the Completions section. I didn't find any new issues on this revision, but given the volume of behavioral claims this docs pass makes about the 2026-07-28 surface (defaults, error codes, era-gating semantics), it's worth a maintainer's read before merge.

Extended reasoning...

Overview

This PR is a docs-and-examples-only pass: it rewrites large portions of docs/server.md and docs/client.md to cover the 2026-07-28 revision (input_required / requestState, subscription streams, response caching, cache hints, per-request log level, OAuth resource-server setup, createMcpHandler/serveStdio serving entries), reworks both quickstarts (serveStdio factory pattern, fixed multi-tool-use Anthropic loop), adds 16 type-checked snippet regions in examples/guides/.examples.ts, renames the two quickstart example packages to the @mcp-examples/ scope, and fixes stale paths in the FAQ and behavior-surface-pins docs. No SDK source code is touched.

Prior feedback

Both issues from my earlier review rounds are addressed in the current revision: the accidentally committed scratch/ directory (17 triage/working files) is no longer tracked on the branch, and the resource-template completions sentence has been moved to the end of the Completions section where the 'instead' has its antecedent.

Security risks

None direct — no runtime code changes. The main risk surface is documentation that teaches insecure patterns; the new auth and requestState sections actually do the opposite (HMAC codec guidance, attacker-controlled-input warnings, cachePartition isolation note, sensitive-data elicitation caveats). Spot-checks of behavioral claims (e.g. listMaxPages default 64) match the source, and every new code sample is synced from type-checked example files covered by CI typecheck/lint and pnpm sync:snippets --check.

Level of scrutiny

This is not a simple/mechanical change: it makes a large number of specific prose claims about SDK defaults, error codes, and era-gating behavior that type-checking cannot validate, and it changes what the quickstarts teach newcomers (serveStdio factory, isError on failures, the corrected tool-use loop). Per the repo's own review conventions (verify every claim against the SDK surface), a maintainer familiar with the 2026-07-28 implementation should give the prose a pass; I'm not in a position to certify all of it without much deeper verification, so I'm deferring rather than approving.

Other factors

The bug-hunting pass on this revision found no issues, the changeset-ignore update for the @mcp-examples/* rename is consistent with the existing wildcard entry, and the example package renames are private/ignored so nothing publishes. The only outstanding automated finding is the CodeQL rate-limiting note on the auth example snippet, which is expected for illustrative example code.