| 180 | } |
| 181 | |
| 182 | func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) { |
| 183 | inv, err := h.inventoryFactoryFunc(r) |
| 184 | if err != nil { |
| 185 | if errors.Is(err, inventory.ErrUnknownTools) { |
| 186 | w.WriteHeader(http.StatusBadRequest) |
| 187 | if _, writeErr := w.Write([]byte(err.Error())); writeErr != nil { |
| 188 | h.logger.Error("failed to write response", "error", writeErr) |
| 189 | } |
| 190 | return |
| 191 | } |
| 192 | |
| 193 | w.WriteHeader(http.StatusInternalServerError) |
| 194 | return |
| 195 | } |
| 196 | |
| 197 | invToUse := inv |
| 198 | if methodInfo, ok := ghcontext.MCPMethod(r.Context()); ok && methodInfo != nil { |
| 199 | invToUse = inv.ForMCPRequest(methodInfo.Method, methodInfo.ItemName) |
| 200 | } |
| 201 | |
| 202 | ghServer, err := h.githubMcpServerFactory(r, h.deps, invToUse, &github.MCPServerConfig{ |
| 203 | Version: h.config.Version, |
| 204 | Translator: h.t, |
| 205 | ContentWindowSize: h.config.ContentWindowSize, |
| 206 | Logger: h.logger, |
| 207 | RepoAccessTTL: h.config.RepoAccessCacheTTL, |
| 208 | // Explicitly set empty capabilities. inv.ForMCPRequest currently returns nothing for Initialize. |
| 209 | ServerOptions: []github.MCPServerOption{ |
| 210 | func(so *mcp.ServerOptions) { |
| 211 | so.Capabilities = &mcp.ServerCapabilities{ |
| 212 | Tools: &mcp.ToolCapabilities{}, |
| 213 | Resources: &mcp.ResourceCapabilities{}, |
| 214 | Prompts: &mcp.PromptCapabilities{}, |
| 215 | } |
| 216 | so.SchemaCache = h.schemaCache |
| 217 | }, |
| 218 | }, |
| 219 | }) |
| 220 | |
| 221 | if err != nil { |
| 222 | w.WriteHeader(http.StatusInternalServerError) |
| 223 | return |
| 224 | } |
| 225 | |
| 226 | // Cross-origin protection is intentionally left unset: this server |
| 227 | // authenticates via bearer tokens (not cookies), so Sec-Fetch-Site CSRF |
| 228 | // checks are unnecessary and would block browser-based MCP clients. As of |
| 229 | // go-sdk v1.6.0 a nil CrossOriginProtection disables the check by default; |
| 230 | // see also PR #2359. |
| 231 | mcpHandler := mcp.NewStreamableHTTPHandler(func(_ *http.Request) *mcp.Server { |
| 232 | return ghServer |
| 233 | }, &mcp.StreamableHTTPOptions{ |
| 234 | Stateless: true, |
| 235 | }) |
| 236 | |
| 237 | mcpHandler.ServeHTTP(w, r) |
| 238 | } |
| 239 | |