Epistates/TurboMCP

[3.1.2]

• MCP 2025-11-25 gaps closed: resources/{subscribe,unsubscribe}, logging/setLevel, completion/complete now route; notifications/cancelled actually cancels in-flight handlers (server) and is auto-emitted on
  timeout (client); Tasks API (SEP-1686) wired into typed routing; ProgressNotification aligned to string|number token + f64 values.
• Security hardening across frontends: HTTP bearer-token redirect leak, SSE/decompression bombs, WebSocket max_message_size, origin-validation starts_with bypass, X-Forwarded-For spoofing behind proxies,
  telemetry PII/cardinality leaks, Prometheus binding to 0.0.0.0, OAuth token-store silently in-memory on WASM, proxy bearer-token logged at INFO, proxy frontends missing Origin allowlist.
• Hand-rolled → battle-tested: governor (rate limiting), backon (retry/backoff), serde_norway (YAML), which (cross-platform binary lookup).
• Bug fix: bidirectional correlation was matching on a fresh local UUID instead of the JSON-RPC id — every server-initiated request was timing out on healthy connections.
• Deprecated: turbomcp-transport::axum subtree (use turbomcp-server::transport::http), WebSocket enable_compression/tls_config no-op fields.
• Dep refresh: tokio 1.52, axum 0.8.9, hyper 1.9, tokio-tungstenite 0.29, sha2 0.11, msgpacker 0.7, cryptoki 0.10, getrandom 0.4.

One public-API break to know: RichContextExt::report_progress* now takes f64 instead of u64 — callers pass 50.0 instead of 50.

Full Changelog: https://github.com/Epistates/turbomcp/compare/v3.1.1...v3.1.2