deps(deps): bump github.com/modelcontextprotocol/go-sdk from 0.3.0 to 0.4.0

[dependabot]

Bumps github.com/modelcontextprotocol/go-sdk from 0.3.0 to 0.4.0.

Release notes

Sourced from github.com/modelcontextprotocol/go-sdk's releases.

v0.4.0

This release fixes several bugs, and expands on OAuth support and examples. It also makes a few (hopefully minor) API changes as we approach a release candidate (see #328).

For more details, see the v0.4.0 milestone.

Thank you to all who tested the SDK, filed bugs, and contributed.

API Changes

This release includes the following incompatible changes:

• mcp.CallToolRequest now holds an mcp.CallToolParamsRaw, to avoid confusion about the raw state of Arguments (see proposal #377)
• mcp.ToolFor is unexported, as it was also a footgun: modifying the resulting schema was ineffective (see proposal #401).
• auth.TokenVerifier is changed from func(context.Context, string) (*TokenInfo, error) to func(context.Context, string, *net/http.Request) (*TokenInfo, error), to allow access to the HTTP request (see proposal #403).

Additionally, it includes the following additions:

• mcp.StreamableServerTransport.JSONResponse and mcp.StreamableHTTPOptions.JSONResponse are exported, to configure serving responses as application/json rather than text/event-stream (#397).
• auth.ErrOAuth is added.

New Examples

Several new examples are added to demonstrate different ways to use the SDK. We will continue to expand on these examples and other documentation as we approach the release.

• examples/server/auth-middleware provides an example of server-side auth middleware.
• examples/http provides an example of HTTP logging middleware.
• examples/server/distributed provides an example of an MCP server distributed across multiple subprocesses.
• examples/server/toolschemas provides several examples of configuring tool schemas.

Bug fixes

Several notable bugs or misbehaviors are addressed:

• Typed tool handlers now verify against their output schema (#301).
• The streamable hanging GET now sends HTTP headers immediately, to avoid client timeouts (#410).
• Strictness around notifications/initialized is relaxed, to fix flaky initialization with Claude (#395).
• Mcp-Session-Id response headers are now sent only for the Initialize request, per the spec (#416).

New Contributors

• @​bradhoekstra made their first contribution in modelcontextprotocol/go-sdk#392
• @​CCpro10 made their first contribution in modelcontextprotocol/go-sdk#397
• @​KasonBraley made their first contribution in modelcontextprotocol/go-sdk#420

Full Changelog: modelcontextprotocol/go-sdk@v0.3.1...v0.4.0

v0.3.1

This release fixes some bugs in v0.3.0:

• A jsonschema caching bug leading to potentially incorrect inference (modelcontextprotocol/go-sdk#366)
• A panic in ClientSession.Complete (modelcontextprotocol/go-sdk#375)

... (truncated)

Commits

• 4656930 mcp: avoid "null" when tools fail to return content
• 46e767e Update README for v0.4.0 (#422)
• 2a00640 mcp/internal/oauthex: auth server metadata (#294)
• 40b6bd3 all: add examples of customizing tool schemas, and clarify documentation (#421)
• 5ccd97f mcp: allow requests before notifications/initialized
• b774809 examples: Update and fix outdated (#420)
• 9d34aff mcp: avoid "null" in structuredContent
• ee51416 mcp: be strict about returning the Mcp-Session-Id header
• 2c40bdc mcp: systematically improve streamable client errors
• a4313f9 mcp: refactor the streamable client test to be more flexible
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: dependencies, go. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[dependabot]

Superseded by #12.