test0r
deb73d129e
v1.0.0-rc1: full MCP 2025-06-18 surface
...
Closes 14 issues; lmcp now implements the complete client-facing
surface of MCP spec 2025-06-18.
New primitives:
- fetch (#3 ) HTTP GET/HEAD with bounded body + render chain
- web_search (#4 ) pluggable backend (SearXNG/DDG/Tavily/Brave)
- Resources (#5 ) resources/list, /read, /templates/list + list_changed
- Prompts (#6 ) prompts/list, /get + list_changed
- Completion (#7 ) completion/complete for prompt/template args
- Logging (#8 ) logging/setLevel + notifications/message
- Sampling (#9 ) server-initiated sampling/createMessage
- Roots (#10 ) roots/list + cache + path_in_roots helper
Protocol / wire:
- Pagination (#12 ) cursor on tools|resources|prompts/list
- Structured tool output (#13 ) structuredContent + _meta + protoV bump to 2025-06-18
- Tool annotations (#14 ) readOnlyHint/destructive/idempotent/openWorld on all tools
- stdio transport (#15 ) LMCP_TRANSPORT=stdio for Claude Desktop / IDE clients
- Streamable HTTP (#16 ) select()-based event loop, sessions, persistent SSE,
DELETE, heartbeat, server-initiated request helper
- ping (#19 ) now emits result:{} not result:[] via json.empty_object
Cross-cutting fixes:
- json.lua: UTF-16 surrogate pair combination (emoji/non-BMP CJK round-trip)
- json.lua: json.empty_object sentinel for spec-correct {} emission
- handle_request: generic notification suppression (id==nil → return nil)
eliminates malformed -32601 with id:null on stdio and HTTP transports
Tool annotations backfilled across all registrations:
- server.lua: 10 tools (shell, shell_bg, read_file, write_file, edit_file,
list_dir, search_files, fetch, web_search, systeminfo)
- hub.lua: 8 remote_* tools
- example_server.lua: 4 demo tools + 3 sample resources + 1 sample prompt
+ 1 sample completer
Honest limits, filed as follow-up issues:
- #11 progress + cancellation — gated on #20 (handler concurrency)
- #18 windows/pkg sync — stale April-2026 snapshot, packaging decision
- #20 concurrent handler dispatch — select() loop concurrencies I/O, not
handler execution; synchronous tool
handlers still serialise (shell sleep 3
blocks a parallel ping)
Backwards compatible: every previously-deployed lmcp client (sessionless
POST, HTTP-only, no Mcp-Session-Id awareness) keeps working unchanged.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com >
2026-05-17 17:15:54 +00:00
test0r
6bf0f450dc
Security hardening: body size limit, JSON depth limit, timing-safe auth
...
- Add MAX_BODY_SIZE (64KB) check before reading body — prevents pre-auth
OOM on internet-facing deployments
- Add JSON nesting depth limit (64 levels) — prevents C stack overflow
that bypasses pcall and crashes the process
- Timing-safe token comparison via XOR accumulate — prevents timing
oracle on Bearer token
- Auth token from LMCP_TOKEN env var (highest priority) — avoids storing
token in a file readable by the read_file tool
- Silent handling of unknown JSON-RPC notifications (spec compliance)
- Exact path matching on /mcp endpoint (was prefix-based)
- Remove dead json.array() function
Findings from architecture review + security audit.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-04-11 20:45:16 +02:00
test0r
2bd661a8c9
Initial release: Lua MCP server library
...
Zero-dependency MCP (Model Context Protocol) server in pure Lua.
Only requires luasocket. 2MB RSS vs Python FastMCP's 97MB.
- json.lua: pure Lua JSON encoder/decoder (~150 lines)
- lmcp.lua: MCP server with streamable-http transport (~230 lines)
- example_server.lua: shell/file tools demo
Implements MCP 2025-03-26: initialize, tools/list, tools/call,
notifications/initialized, ping. JSON-RPC 2.0. SSE support. CORS.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com >
2026-04-05 15:54:25 +00:00
test0r
marfrit