Merge branch 'main' into main

Author: themaherkhalil

.github/ISSUE_TEMPLATE/config.yml

@@ -1,5 +1,5 @@
 blank_issues_enabled: false
 contact_links:
   - name: Questions and Community Support
-    url: https://stackoverflow.com/questions/tagged/spring-ai-mcp
-    about: Please ask and answer questions on StackOverflow with the spring-ai tag
+    url: https://stackoverflow.com/questions/tagged/mcp-java-sdk
+    about: Please ask and answer questions on StackOverflow with the mcp-java-sdk tag

.github/dependabot.yml

@@ -0,0 +1,22 @@
+version: 2
+updates:
+    - package-ecosystem: 'github-actions'
+      directory: '/'
+      schedule:
+          interval: monthly
+    - package-ecosystem: 'maven'
+      directory: '/'
+      schedule:
+          interval: monthly
+      open-pull-requests-limit: 10
+      ignore:
+          # Freeze production dependencies of mcp-core
+          - dependency-name: 'org.slf4j:slf4j-api'
+          - dependency-name: 'com.fasterxml.jackson.core:jackson-annotations'
+          - dependency-name: 'tools.jackson.core:jackson-databind'
+          - dependency-name: 'io.projectreactor:reactor-bom'
+          - dependency-name: 'io.projectreactor:reactor-core'
+          - dependency-name: 'jakarta.servlet:jakarta.servlet-api'
+          # mcp-json-jackson2 and mcp-json-jackson3 dependencies
+          - dependency-name: 'com.fasterxml.jackson.core:jackson-databind'
+          - dependency-name: 'com.networknt:json-schema-validator'

.github/workflows/conformance.yml

@@ -57,6 +57,48 @@ jobs:
         uses: modelcontextprotocol/conformance@v0.1.11
         with:
           mode: client
-          command: 'java -jar conformance-tests/client-jdk-http-client/target/client-jdk-http-client-1.0.0-SNAPSHOT.jar'
+          command: 'java -jar conformance-tests/client-jdk-http-client/target/client-jdk-http-client-*-SNAPSHOT.jar'
           scenario: ${{ matrix.scenario }}
           expected-failures: ./conformance-tests/conformance-baseline.yml
+
+  auth:
+    name: Auth Conformance
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        scenario:
+        - auth/metadata-default
+        - auth/metadata-var1
+        - auth/metadata-var2
+        - auth/metadata-var3
+        - auth/basic-cimd
+        - auth/scope-from-www-authenticate
+        - auth/scope-from-scopes-supported
+        - auth/scope-omitted-when-undefined
+        - auth/scope-step-up
+        - auth/scope-retry-limit
+        - auth/token-endpoint-auth-basic
+        - auth/token-endpoint-auth-post
+        - auth/token-endpoint-auth-none
+        - auth/pre-registration
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up JDK 17
+        uses: actions/setup-java@v4
+        with:
+          java-version: '17'
+          distribution: 'temurin'
+          cache: 'maven'
+
+      - name: Build client
+        run: mvn clean install -DskipTests
+
+      - name: Run conformance test
+        uses: modelcontextprotocol/conformance@v0.1.15
+        with:
+          node-version: '22' # see https://github.com/modelcontextprotocol/conformance/pull/162
+          mode: client
+          command: 'java -jar conformance-tests/client-spring-http-client/target/client-spring-http-client-*-SNAPSHOT.jar'
+          scenario: ${{ matrix.scenario }}
+          expected-failures: ./conformance-tests/conformance-baseline.yml

DEPENDENCY_POLICY.md

@@ -0,0 +1,26 @@
+# Dependency Policy
+
+As a library consumed by downstream projects, the MCP Java SDK takes a conservative approach to dependency updates. Dependencies are kept stable unless there is a specific reason to update, such as a security vulnerability, a bug fix, or a need for new functionality.
+
+## Update Triggers
+
+Dependencies are updated when:
+
+- A **security vulnerability** is disclosed (via GitHub security alerts).
+- A bug in a dependency directly affects the SDK.
+- A new dependency feature is needed for SDK development.
+- A dependency drops support for a Java version the SDK still targets.
+
+Routine version bumps without a clear motivation are avoided to minimize churn for downstream consumers.
+
+## What We Don't Do
+
+The SDK does not run scheduled version bumps for production Maven dependencies. Updating a dependency can force downstream consumers to adopt that update transitively, which can be disruptive for projects with strict dependency policies.
+
+Dependencies are only updated when there is a concrete reason, not simply because a newer version is available.
+
+## Automated Tooling
+
+- **GitHub security updates** are enabled at the repository level and automatically open pull requests for Maven packages with known vulnerabilities. This is a GitHub repo setting, separate from the `dependabot.yml` configuration.
+- **GitHub Actions versions** are kept up to date via Dependabot on a monthly schedule (see `.github/dependabot.yml`).
+- **Maven dependencies** are monitored via Dependabot on a monthly schedule for non-production updates only (see `.github/dependabot.yml`).