feat: add streamable http [MCP-42]

[fmenezes]

Proposed changes

Introduces Streamable HTTP transport; No authentication or authorization was implemented.

Note: this is a feature branch, every single individual change was approved on each PR.

Checklist

• I have signed the MongoDB CLA

[coveralls]

Pull Request Test Coverage Report for Build 16422846497

Details

• 238 of 402 (59.2%) changed or added relevant lines in 10 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage decreased (-1.6%) to 80.243%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
src/server.ts	24	36	66.67%
src/transports/stdio.ts	8	21	38.1%
src/index.ts	0	28	0.0%
src/common/sessionStore.ts	51	92	55.43%
src/transports/streamableHttp.ts	88	158	55.7%

Totals
Change from base Build 16373544917:	-1.6%
Covered Lines:	3099
Relevant Lines:	3826

---

💛 - Coveralls

[Copilot]

Pull Request Overview

This PR introduces streamable HTTP transport functionality to the MongoDB MCP Server, allowing it to run as an HTTP server in addition to the existing stdio transport. The implementation includes session management with timeout handling and configurable logging options.

• Adds StreamableHttpRunner with Express-based HTTP server and session management
• Refactors transport layer with base class and configurable runner selection
• Introduces comprehensive timeout management for HTTP sessions with cleanup

Reviewed Changes

Copilot reviewed 24 out of 25 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
src/transports/streamableHttp.ts	New HTTP transport implementation with session management and Express server
src/transports/stdio.ts	Refactored stdio transport into runner pattern with base class
src/transports/base.ts	Abstract base class for transport runners
src/common/timeoutManager.ts	New timeout management utility for session cleanup
src/common/sessionStore.ts	HTTP session storage and lifecycle management
src/common/config.ts	Enhanced configuration with HTTP and logging options
src/server.ts	Refactored server initialization and validation logic
src/index.ts	Simplified main entry point with transport runner selection
tests/integration/transports/streamableHttp.test.ts	Integration tests for HTTP transport
tests/integration/transports/stdio.test.ts	Integration tests for stdio transport
tests/unit/common/timeoutManager.test.ts	Unit tests for timeout manager

[Copilot]

The runCallback method checks if 'this.callback' exists, but the callback is marked as 'readonly' and provided in the constructor, so this check is unnecessary and adds complexity.

Suggested change

	if (this.callback) {
	try {
	await this.callback();
	} catch (error: unknown) {
	this.onerror?.(error);
	}
	try {
	await this.callback();
	} catch (error: unknown) {
	this.onerror?.(error);

[Copilot]

Creating a new McpLogger instance for each notification is inefficient. Consider creating the logger once and reusing it, or passing it as a dependency.

Suggested change

	const logger = new McpLogger(session.mcpServer);
	logger.info(
	session.logger.info(

[gagik]

agreed, we should create a logger and store it inside the our session map

[Copilot]

Creating a new McpLogger instance inside the timeout callback is inefficient and could be problematic if called multiple times. Consider creating the logger once and reusing it.

Suggested change

	const logger = new McpLogger(mcpServer);
	logger.info(
	this.sessions[sessionId].logger.info(

[gagik]

agree

[gagik]

Going to be focused on some technical writing today but just some initial review on first part of the changes

[gagik]

nit: maybe we should log a warning here?

[gagik]

agreed, we should create a logger and store it inside the our session map

[gagik]

agree

[gagik]

Suggested change

	* Resets the timeout.
	*/
	reset() {
	* Restarts the timeout.
	*/
	restart() {

Just to better differentiate from clear as it's not clear that the initial state has the timeout started already

[gagik]

this.callback is always defined right? this is not needed

[gagik]

we should not have side-effects in constructors. I think this whole helper can be better represented as a single function.

type ManagedTimeout = {
     cancel: () => void;
     restart: () => void;
};

export function setManagedTimeout(
        callback: () => Promise<void> | void,
        timeoutMS: number,
        { onError }: { onError?: (error: unknown) => void }
) {
      const wrappedCallback = () => {
            try {
                await this.callback();
            } catch (error: unknown) {
                onError?.(error);
            }
      };
      let timeout = setTimeout(wrappedCallback, timeoutMS);
      const cancel = () => {
           cancelTimeout(timeout);
           timeout = undefined;
      };
      const restart = () => {
           cancel();
           timeout = setTimeout(wrappedCallback, timeoutMS);
      }
      return {
           cancel,
           restart
      };
}

[gagik]

are these type casts needed?

[fmenezes]

That is the way I've found to validate it.

The problem here is as far as we are concerned, the possible values are predefined, so the literal types make sense, but the inputs are cli args or env vars, which are basically strings that can contain any values.

[fmenezes]

@gagik I'm addressing all of these at #386, if you're happy with the changes, would you approve it?

thanks!

[fmenezes]

@gagik I've merged the PR according to your comments, would take another look?