fix(gateway): support Streamable HTTP MCP transport on loopback server

[anagnorisis2peripeteia]

Summary

The MCP loopback HTTP server generates a config with "type": "http" (Streamable HTTP transport), but only handled POST — a GET to /mcp returned 405. Claude Code's Streamable HTTP client opens an SSE notification channel by sending GET /mcp during initialization; the 405 left it hanging at "still connecting" indefinitely, so the agent got no OpenClaw MCP tools for the whole session.

This adds the missing transport surface, kept stateless (the loopback server owns no session lifecycle):

• GET /mcp → 200 text/event-stream — an auth-gated, browser-origin-rejected idle SSE notification channel (the actual fix for the hang). Closes cleanly when the client disconnects.
• DELETE /mcp → 200 — auth-gated no-op acknowledgement of Streamable HTTP session teardown, so clients that send DELETE on close get a clean 200 rather than 405.
• Stateless POST — POST responses advertise no Mcp-Session-Id. The server processes each request independently; advertising a session id it never validates, expires, or owns would be misleading and push clients to echo a session the server ignores. (Per the spec, a stateless server simply omits the session id.)
• Allow now advertises GET, POST, DELETE; other methods still 405.

Session semantics

Resolved the stateless-vs-sessionful question in favor of stateless: a single-purpose local loopback tool endpoint has no session state to manage, so it stays stateless rather than taking on a session lifecycle. (Maintainer can revisit if sessionful semantics are ever wanted.)

Tests

src/gateway/mcp-http.test.ts — added focused gateway transport tests, all passing:

• GET valid bearer → 200 + text/event-stream
• GET no auth → 401; GET browser Origin → 403
• DELETE valid bearer → 200; DELETE no auth → 401
• unsupported method → 405 with Allow: GET, POST, DELETE
• POST stays stateless → no Mcp-Session-Id header

Real behavior proof

• Behavior addressed: Streamable HTTP MCP clients now get the loopback notification channel they open during initialization. Before this patch, GET /mcp returned 405 even though OpenClaw generated an HTTP MCP server config, leaving clients stuck connecting without OpenClaw MCP tools.
• Real environment tested: Blacksmith Testbox through Crabbox, provider blacksmith-testbox, id tbx_01ktn2f64amve324y4w7fqn87c, GitHub Actions run 27179521692, Ubuntu runner with Node 24. The compiled smoke ran from the built OpenClaw dist output. The contributor also provided curl output from a built and running loopback MCP server.
• Exact steps or command run after this patch: Built the repo, started the compiled MCP loopback server from dist, hit the real HTTP endpoint with fetch/curl-equivalent requests for GET, DELETE, and unsupported methods, connected the official @modelcontextprotocol/sdk StreamableHTTPClientTransport client, called tools/list, opened an authenticated GET SSE stream, and closed the server while the SSE stream was active.
• Evidence after fix: Terminal output from the remote Testbox proof:

compiled MCP loopback smoke passed {"port":38599,"sdkTools":28}
blacksmith run summary sync=delegated command=10m36.118s total=10m45.557s exit=0
{"provider":"blacksmith-testbox","leaseId":"tbx_01ktn2f64amve324y4w7fqn87c","slug":"brisk-krill","commandPhases":[{"name":"format","ms":584},{"name":"lint-core","ms":384218},{"name":"tsgo-core","ms":9933},{"name":"tsgo-core-test","ms":47245},{"name":"focused-vitest","ms":35406},{"name":"build","ms":111519},{"name":"compiled-e2e","ms":13749}],"exitCode":0}

Contributor curl proof from a built and running loopback MCP server also showed GET with a valid bearer returning 200 and Content-Type: text/event-stream, GET without auth returning 401, browser-Origin GET returning 403, authenticated DELETE returning 200, unauthenticated DELETE returning 401, and PUT returning 405 with Allow: GET, POST, DELETE.

• Observed result after fix: The compiled loopback server accepted authenticated GET /mcp as a live SSE channel, rejected missing/wrong bearer tokens, rejected browser Origin requests before auth, acknowledged authenticated DELETE without creating session state, kept POST stateless with no Mcp-Session-Id, returned 405 with the updated Allow header for unsupported methods, allowed the MCP SDK client to list 28 tools, and closed an active SSE stream cleanly during server shutdown.
• What was not tested: A live Claude Code interactive session with real user credentials was not run in this proof. The transport contract, compiled OpenClaw loopback runtime, official MCP SDK client path, auth/origin edges, shutdown behavior, focused gateway/agent tests, type checks, lint, and build were tested remotely.

[clawsweeper]

Codex review: needs maintainer review before merge. Reviewed June 7, 2026, 5:07 AM ET / 09:07 UTC.

Summary
The PR adds GET /mcp SSE handling, DELETE /mcp teardown acknowledgement, stateless POST behavior, and focused gateway tests for the MCP loopback HTTP server.

PR surface: Source +57, Tests +87. Total +144 across 2 files.

Reproducibility: yes. Current main can be reproduced from source by starting the loopback MCP server and sending GET /mcp, which reaches the non-POST 405 path despite the generated type: "http" Streamable HTTP config.

Review metrics: 2 noteworthy metrics.

• MCP loopback HTTP methods: 2 added, 1 Allow header changed. GET and DELETE alter the protocol surface and security/session contract beyond ordinary test coverage.
• Session-id behavior: 0 session IDs advertised, 1 DELETE no-op added. The stateless choice is central to whether this is the right long-term loopback MCP contract.

Merge readiness
Overall: 🐚 platinum hermit
Proof: 🦞 diamond lobster
Patch quality: 🐚 platinum hermit
Result: ready for maintainer review.

Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch.

Rank-up moves:

• Have a gateway/MCP owner explicitly accept the stateless no-session and DELETE no-op contract.
• Run or rely on final-head src/gateway/mcp-http.test.ts or CI after rebasing onto current main.

Risk before merge

• [P1] The PR expands the bearer-authenticated loopback MCP surface from POST-only to a long-lived GET SSE stream; the code rejects browser Origin before bearer auth, but the security-boundary expansion still needs owner acceptance.
• [P1] The PR chooses stateless semantics: POST advertises no Mcp-Session-Id and DELETE is an auth-gated no-op, so maintainers should explicitly accept that loopback contract instead of expecting session lifecycle management.
• [P2] Current main moved under the same MCP loopback files after the PR branch; final merge-head CI or a rebase should prove the GET/DELETE additions compose with current body-timeout and cache behavior.

Maintainer options:

1. Accept the stateless loopback contract (recommended)
   A gateway/MCP owner can merge after confirming no session lifecycle is intended and the auth-gated DELETE no-op is the desired compatibility behavior.
2. Make the bridge sessionful before merge
   If maintainers want Mcp-Session-Id semantics, replace the no-session path with real session issuance, validation, expiry, and teardown tests before landing.
3. Pause the branch if the surface is too broad
   If owners do not want a long-lived SSE endpoint on the loopback server yet, keep the POST-only bridge and close or redesign this PR around a smaller approved contract.

Next step before merge

• [P2] The open PR should stay in human maintainer review because the remaining blocker is owner acceptance of protocol/session/security semantics, not a narrow automated repair.

Security
Cleared: No concrete security defect was found in the diff; GET and DELETE are bearer-gated and reject browser Origin before auth, while the broader loopback SSE surface remains a maintainer merge-risk decision.

Review details

Best possible solution:

Land the narrow GET SSE and stateless DELETE behavior only after a gateway/MCP owner accepts the stateless/security contract and final-head gateway tests or CI confirm it composes with current main.

Do we have a high-confidence way to reproduce the issue?

Yes. Current main can be reproduced from source by starting the loopback MCP server and sending GET /mcp, which reaches the non-POST 405 path despite the generated type: "http" Streamable HTTP config.

Is this the best way to solve the issue?

Yes for the missing GET SSE behavior; it is the narrowest fix for the reported hang. The stateless no-session and DELETE no-op parts are acceptable only if a gateway/MCP owner explicitly accepts that as the loopback contract.

AGENTS.md: found and applied where relevant.

Codex review notes: model gpt-5.5, reasoning high; reviewed against e06f6ffc3e87.

Label changes

Label justifications:

• P1: The PR targets a broken agent/tool workflow where Streamable HTTP clients can hang without receiving OpenClaw MCP tools.
• merge-risk: 🚨 session-state: The diff intentionally chooses no Mcp-Session-Id lifecycle while accepting DELETE as a no-op, which defines session behavior for the loopback bridge.
• merge-risk: 🚨 security-boundary: The diff adds a long-lived bearer-authenticated SSE response on the local loopback server, expanding the HTTP boundary even though Origin checks remain in place.
• rating: 🐚 platinum hermit: Overall readiness is 🐚 platinum hermit; proof is 🦞 diamond lobster and patch quality is 🐚 platinum hermit.
• status: 👀 ready for maintainer look: ClawSweeper has no concrete contributor-facing blocker left for this PR. Sufficient (terminal): The PR body and follow-up comment include after-fix curl output from a built, running loopback MCP server showing GET 200 text/event-stream, auth/Origin failures, DELETE 200, and updated 405 Allow behavior.
• proof: sufficient: Contributor real behavior proof is sufficient. The PR body and follow-up comment include after-fix curl output from a built, running loopback MCP server showing GET 200 text/event-stream, auth/Origin failures, DELETE 200, and updated 405 Allow behavior.

Evidence reviewed

PR surface:

Source +57, Tests +87. Total +144 across 2 files.

View PR surface stats

Area	Files	Added	Removed	Net
Source	1	58	1	+57
Tests	1	87	0	+87
Docs	0	0	0	0
Config	0	0	0	0
Generated	0	0	0	0
Other	0	0	0	0
Total	2	145	1	+144

What I checked:

• Current main behavior: Current main emits a loopback MCP config with type: "http" and /mcp, while validateMcpLoopbackRequest rejects every non-POST /mcp request with 405 and Allow: POST; this supports the reported Streamable HTTP GET gap. (src/gateway/mcp-http.loopback-runtime.ts:36, e06f6ffc3e87)
• PR implementation: The proposed head adds auth- and Origin-gated GET handling that returns text/event-stream, auth- and Origin-gated DELETE handling that returns 200, and updates the unsupported-method Allow header to GET, POST, DELETE. (src/gateway/mcp-http.request.ts:96, a4e3cedad5a1)
• Regression coverage: The PR adds focused loopback tests for GET SSE success, GET/DELETE auth and Origin rejection, DELETE 200, unsupported-method Allow, and no Mcp-Session-Id on POST. (src/gateway/mcp-http.test.ts:658, a4e3cedad5a1)
• Codex Streamable HTTP contract checked: Codex's Streamable HTTP adapter sends POST with optional Mcp-Session-Id, treats response Mcp-Session-Id as optional, tolerates DELETE 405 as unsupported, and has a GET SSE path requiring text/event-stream or JSON-compatible content type. (../codex/codex-rs/rmcp-client/src/http_client_adapter.rs:84, b89ce9a2bced)
• MCP transport spec checked: The 2025-06-18 MCP transport spec says clients may issue GET to open an SSE stream; the server must return text/event-stream or 405, session IDs are optional, and DELETE is the session-termination path when a session is in use.
• History and ownership: Gateway MCP loopback work is concentrated in prior commits restoring/splitting the bridge and recent current-main cleanup around request timeout/cache behavior. (src/gateway/mcp-http.ts:138, 6bfd47af38a4)

Likely related people:

• steipete: History shows Peter Steinberger restored the Claude CLI loopback MCP bridge and later split the MCP loopback transport helpers, which are the owner boundary this PR changes. (role: feature introducer and adjacent owner; confidence: high; commits: 3de09fbe74, 25b069a6f3, 19d8069aea; files: src/gateway/mcp-http.ts, src/gateway/mcp-http.request.ts, src/gateway/mcp-http.runtime.ts)
• vincentkoc: Current-main blame for the central MCP loopback files points to Vincent Koc's recent cleanup, including request timeout, runtime config, and test coverage now adjacent to this PR. (role: recent area contributor; confidence: high; commits: 6bfd47af38a4, 2e08f0f4221f, 84bcae95a0b7; files: src/gateway/mcp-http.ts, src/gateway/mcp-http.request.ts, src/gateway/mcp-http.test.ts)
• eleqtrizit: Agustin Rivera has recent history hardening MCP loopback request validation and related non-owner gateway behavior, which is relevant to the Origin/bearer boundary here. (role: adjacent security-boundary contributor; confidence: medium; commits: 62430d9f3a, fe0f686c92; files: src/gateway/mcp-http.request.ts, src/gateway/mcp-http.test.ts)

What the crustacean ranks mean

• 🦀 challenger crab: rare, exceptional readiness with strong proof, clean implementation, and convincing validation.
• 🦞 diamond lobster: very strong readiness with only minor maintainer review expected.
• 🐚 platinum hermit: good normal PR, likely mergeable with ordinary maintainer review.
• 🦐 gold shrimp: useful signal, but proof or patch confidence is still limited.
• 🦪 silver shellfish: thin signal; proof, validation, or implementation needs work.
• 🧂 unranked krab: not merge-ready because proof is missing/unusable or there are serious correctness or safety concerns.
• 🌊 off-meta tidepool: rating does not apply to this item.

Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics.

How this review workflow works

• ClawSweeper keeps one durable marker-backed review comment per issue or PR.
• Re-runs edit this comment so the latest verdict, findings, and automation markers stay together instead of adding duplicate bot comments.
• A fresh review can be triggered by eligible @clawsweeper re-review comments, exact-item GitHub events, scheduled/background review runs, or manual workflow dispatch.
• PR/issue authors and users with repository write access can comment @clawsweeper re-review or @clawsweeper re-run on an open PR or issue to request a fresh review only.
• Maintainers can also comment @clawsweeper review to request a fresh review only.
• Fresh-review commands do not start repair, autofix, rebase, CI repair, or automerge.
• Maintainer-only repair and merge flows require explicit commands such as @clawsweeper autofix, @clawsweeper automerge, @clawsweeper fix ci, or @clawsweeper address review.
• Maintainers can comment @clawsweeper explain to ask for more context, or @clawsweeper stop to stop active automation.

[anagnorisis2peripeteia]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26916110235
• Updated: 2026-06-03T22:15:49.199Z

[anagnorisis2peripeteia]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26916906287
• Updated: 2026-06-03T22:33:21.884Z

[anagnorisis2peripeteia]

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/26917425714
• Updated: 2026-06-03T22:49:52.454Z

[anagnorisis2peripeteia]

Addressed the review:

• Session semantics → stateless ([P1] "keep stateless or validate"): dropped the advertised Mcp-Session-Id. A single-purpose local loopback tool endpoint owns no session lifecycle, so advertising a session id clients would echo back (and the server would ignore) was misleading. POST responses are now stateless; per the spec a stateless server simply omits the session id.
• DELETE → 200 no-op (auth-gated): the body claimed DELETE teardown but the code returned 405; added a real auth-gated 200 acknowledgement so clients that DELETE on close get a clean 200. Allow now advertises GET, POST, DELETE.
• Focused gateway tests ([P1]): GET 200+text/event-stream, GET 401 (no auth), GET 403 (browser Origin), DELETE 200, DELETE 401, unsupported 405 with the correct Allow, and POST stays stateless (no Mcp-Session-Id) — all driving the real loopback HTTP server via fetch.

On the [P1] real-behavior proof: the transport (GET notification channel returning 200+SSE instead of the 405 that caused the hang) is exercised over real HTTP in the tests above. The full live Claude Code "MCP tools connect" run is contributor-setup proof — the agent runtime's private deps resolve only in the build environment, so it can't be produced from a plain source checkout — and will be attached from a patched OpenClaw + Claude Code session.

@clawsweeper re-review

[clawsweeper]

🦞🧹
ClawSweeper re-review requested.

I asked ClawSweeper to review this item again.
Action: item re-review queued (workflow sweep.yml, event repository_dispatch).
Result: the existing ClawSweeper review comment will be edited in place when the review finishes.

Re-review progress:

• State: Complete
• Detail: The targeted re-review finished, the durable review comment was updated, and the synced verdict was routed.
• Run: https://github.com/openclaw/clawsweeper/actions/runs/27071696498
• Updated: 2026-06-06T19:35:32.015Z

[anagnorisis2peripeteia]

Added real-behavior proof: built and started the patched loopback MCP server and hit it with curl — GET (valid bearer) returns 200 + text/event-stream (the SSE notification channel; curl then blocks on the open stream, not the old 405 that hung "still connecting"); GET no-auth → 401; GET browser-origin → 403; DELETE → 200; DELETE no-auth → 401; PUT → 405 with Allow: GET, POST, DELETE. Full curl transcript in the PR body, mirrored by the gateway tests. @clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

[anagnorisis2peripeteia]

Addressed both code findings:

• Origin-before-auth ([P1]): reordered the new GET and DELETE branches so rejectsBrowserLoopbackRequest() runs before bearer auth, matching the POST path — a browser-Origin loopback request is now rejected (403) before auth, so the loopback Origin boundary holds for unauthenticated browser requests too. Added tests: browser-Origin GET and DELETE with no bearer → 403 (before auth).
• Test import ([P1]): the new transport tests now read the owner token from getActiveMcpLoopbackRuntime().ownerToken rather than resolveMcpLoopbackBearerToken, so they don't depend on that helper's import (current main's test file no longer carries it) — the added tests compile against current main.

84 gateway tests pass. The stateless no-Mcp-Session-Id choice + DELETE no-op remain as the maintainer-acceptance item. @clawsweeper re-review

[clawsweeper]

🦞👀
ClawSweeper picked this up.

Command router queued. I will update this comment with the next step.

[shakkernerd]

Merged using rebase.

What landed:

• Streamable HTTP MCP loopback support for GET SSE and stateless DELETE.
• Browser Origin rejection before bearer auth on GET/DELETE.
• Active SSE response cleanup during gateway shutdown so long-lived streams do not hang shutdown.
• Focused gateway coverage for auth, origin, stateless POST/DELETE behavior, unsupported methods, SDK transport interop, and shutdown.

Verification:

• Auto-review reran clean with no accepted/actionable findings.
• Crabbox/Testbox proof passed on blacksmith-testbox (tbx_01ktn2f64amve324y4w7fqn87c, run 27179521692): lint, type checks, focused gateway/agent tests, build, and compiled MCP loopback smoke.
• PR CI and Real behavior proof passed before merge.

Thanks @anagnorisis2peripeteia.