This release adds 3 notable features for engineering teams evaluating rollout.
✓ No known CVEs patched in this version
Summary
AI summary: Streamable HTTP SSE startup no longer emits an empty data event, fixing rmcp/Codex client failures.
Changes in this release
| Type | Severity | Summary | CVE | Confidence |
|---|---|---|---|---|
| Feature | Medium | AI-friendly server visibility policy added with VisibilityLayer supporting exact allowed/disabled/hidden rules for tools, resources, templates, and prompts. | — | high |
| Feature | Medium | Registry-backed visibility dispatch introduced using cached component registry populated by list responses or lazily on first direct use. | — | high |
| Feature | Medium | TurboMCP <-> RMCP Streamable HTTP dogfood interop checks added to benchmark suite validating two-way compatibility including initialization, tools, resources, prompts, and Codex SSE startup framing. | — | high |
| Feature | Medium | RMCP comparison diligence notes added covering TurboMCP vs official Rust MCP SDK implementation strengths, feature gaps, compliance risks, and SOTA follow-ups. | — | low |
| Performance | Medium | HTTP clients open SSE only after session establishment, deferring GET SSE connection until server issues Mcp-Session-Id. | — | low |
| Bugfix | Medium | Standalone Streamable HTTP SSE startup no longer emits empty data event; TurboMCP server now sends SSE comment and reserves data events for real JSON-RPC messages. | — | high |
| Bugfix | Medium | Hidden-only visibility profiles still advertise operation capabilities; hidden-but-callable tools, resources, and prompts no longer disappear from initialize capability surface. | — | high |
| Bugfix | Medium | POST SSE primer events no longer break TurboMCP HTTP client; empty or whitespace-only POST-SSE events are ignored instead of parsed as JSON-RPC payloads. | — | low |
| Bugfix | Medium | Post-initialize Streamable HTTP requests now tolerate missing protocol-version headers once a session has negotiated a version, matching rmcp/Codex startup behavior. | — | low |
| Bugfix | Medium | Visibility clone/build patterns now behave correctly: cloning a VisibilityLayer before applying global tag filters does not mutate the original layer's profile. | — | low |
| Refactor | Medium | Visibility config APIs now use explicit replacement semantics with builders for allowed/disabled/hidden rules; disabled components rejected on direct use, hidden omitted from list responses but remain usable, disabled rules win over others. | — | high |
| Refactor | Medium | Registry-backed dispatch preserves first-listed duplicate metadata; malformed handlers with duplicate component identifiers keep previous first-match authorization behavior. | — | low |
Full changelog
[3.1.5] - 2026-05-11
Patch release: Streamable HTTP interoperability hardening for RMCP/Codex
clients, plus dogfood coverage for two-way Rust SDK compatibility.
Added
- AI-friendly server visibility policy — `VisibilityLayer` now supports
  exact allowed/disabled/hidden rules for tools, resources, resource templates,
  and prompts, plus a strict read-only tool profile. Consumers can load a
  `VisibilityConfig` from application config to reduce `tools/list` context
  load, keep niche tools callable but unlisted, and block disabled calls,
  including unlisted dynamic calls, as not found.
- Registry-backed visibility dispatch — visibility authorization now uses a
  cached component registry populated by list responses or lazily on first
  direct use, with explicit refresh/clear hooks for dynamic servers whose
  advertised components change at runtime.
- TurboMCP <-> RMCP Streamable HTTP dogfood interop checks — the dogfood
  benchmark suite now validates RMCP client to TurboMCP HTTP server and TurboMCP
  client to RMCP HTTP server flows, including initialization, tools, resources,
  prompts, and Codex-compatible standalone SSE startup framing.
- RMCP comparison diligence notes — added a focused comparison of
  TurboMCP against the official Rust MCP SDK covering implementation strengths,
  feature gaps, compliance risks, and SOTA follow-ups.
Changed
- Visibility config APIs now use explicit replacement semantics —
  `VisibilityConfig` and `VisibilityLayer` expose `with_allowed_*`,
  `with_disabled_*`, and `with_hidden_*` builders for exact-name policy.
  Disabled components are rejected on direct use, hidden components are omitted
  from list responses but remain directly usable, and disabled rules win over
  hidden or allowed rules.
- HTTP clients open SSE only after session establishment — Streamable HTTP
  clients now defer the GET SSE connection until the server has issued an
  `Mcp-Session-Id`, matching RMCP server expectations for session-scoped
  streams.
- Release-facing metadata now targets 3.1.5 — workspace manifests, internal
  crate dependency pins, lockfile entries, and Cargo-facing demo snippets
  identify the patch release consistently.
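
The precedence described in the visibility item above, as an added example that is not TurboMCP code: a stand-alone model of exact-name resolution showing that a hidden component is only unlisted, not blocked, and that a disabled rule overrides both hidden and allowed. The `Policy` type, its functions, the tool names, and the allow-list behaviour (names outside a configured allow-list are rejected) are assumptions made for illustration.

```rust
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
enum Decision { Listed, CallableUnlisted, NotFound }

struct Policy {
    allowed: Option<HashSet<String>>, // assumption: None means "no allow-list"
    disabled: HashSet<String>,
    hidden: HashSet<String>,
}

fn names(list: &[&str]) -> HashSet<String> {
    list.iter().map(|s| s.to_string()).collect()
}

impl Policy {
    /// Exact-name resolution: disabled first, then the allow-list, then hidden.
    fn decide(&self, name: &str) -> Decision {
        if self.disabled.contains(name) {
            return Decision::NotFound; // holds even for names the server never listed
        }
        if matches!(&self.allowed, Some(a) if !a.contains(name)) {
            return Decision::NotFound; // assumption: outside the allow-list is rejected
        }
        if self.hidden.contains(name) { Decision::CallableUnlisted } else { Decision::Listed }
    }

    /// What a filtered list response would still contain.
    fn list<'a>(&self, advertised: &[&'a str]) -> Vec<&'a str> {
        advertised.iter().copied().filter(|n| self.decide(n) == Decision::Listed).collect()
    }
}

// Constructed policy: "export_secrets" is both hidden and disabled.
fn demo_policy() -> Policy {
    Policy {
        allowed: None,
        disabled: names(&["delete_repo", "export_secrets"]),
        hidden: names(&["export_secrets", "reindex"]),
    }
}

fn main() {
    let p = demo_policy();
    let advertised = ["search", "reindex", "delete_repo", "export_secrets"];
    println!("listed: {:?}", p.list(&advertised));
    for n in advertised.iter() {
        println!("{}: {:?}", n, p.decide(n));
    }
}
```

Anything that must not be invoked belongs in the disabled set; a hidden rule only shortens the list response.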
Fixed
- Standalone Streamable HTTP SSE startup no longer emits an empty data
  event — TurboMCP server now opens GET streams with an SSE comment and
  reserves `data:` events for real JSON-RPC messages, avoiding rmcp/Codex
  startup failures on clients that parse empty primers as payloads.
- POST SSE primer events no longer break the TurboMCP HTTP client — empty or
  whitespace-only POST-SSE events are ignored instead of being parsed as
  JSON-RPC payloads.
- Post-initialize Streamable HTTP requests tolerate missing protocol-version
  headers — once a session has negotiated a protocol version, TurboMCP keeps
  using that session version for later requests that omit
  `MCP-Protocol-Version`, matching tolerant rmcp/Codex startup behavior.
- Hidden-only visibility profiles still advertise operation capabilities —
  hidden-but-callable tools, resources, and prompts no longer disappear from the
  initialize capability surface just because they are omitted from list
  responses, including when visibility layers are wrapped by middleware or
  mounted into composite handlers.
- Visibility clone/build patterns no longer share tag filter mutations —
  cloning a `VisibilityLayer` before applying global tag filters now behaves
  like exact-name rules: builder mutations on the clone do not mutate the
  original layer's visibility profile.
- Registry-backed dispatch preserves first-listed duplicate metadata —
  malformed handlers that advertise duplicate component identifiers keep the
  previous first-match authorization behavior instead of letting the registry's
  map representation silently prefer the last duplicate.
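
The SSE framing behind the first two fixes above, as an added example that is not TurboMCP or rmcp code: a minimal splitter following the standard event-stream dispatch rules shows why an empty `data:` primer reaches the JSON-RPC parser as an event while a comment line does not, and how a client can drop blank events. The function names and the sample streams are constructed for illustration.

```rust
/// Data payload of every event a spec-following SSE parser would dispatch
/// (only the `data` field is modelled; `event`, `id` and `retry` are skipped).
fn sse_events(stream: &str) -> Vec<String> {
    let mut events = Vec::new();
    let mut data: Vec<&str> = Vec::new(); // one entry per data line seen
    for line in stream.lines() {
        if line.is_empty() {
            // Blank line ends the event; it is dispatched only if a data
            // line was seen, even when that line carried no value.
            if !data.is_empty() {
                events.push(data.join("\n"));
                data.clear();
            }
            continue;
        }
        if line.starts_with(':') {
            continue; // comment: keeps the stream open, never becomes an event
        }
        let (field, value) = match line.split_once(':') {
            Some((f, v)) => (f, v.strip_prefix(' ').unwrap_or(v)),
            None => (line, ""),
        };
        if field == "data" {
            data.push(value);
        }
    }
    events
}

/// Client-side tolerance: events whose data is empty or whitespace-only are
/// dropped instead of being handed to the JSON-RPC parser.
fn jsonrpc_payloads(stream: &str) -> Vec<String> {
    sse_events(stream).into_iter().filter(|d| !d.trim().is_empty()).collect()
}

// Constructed sample streams (not captured traffic).
const OLD_STARTUP: &str = "data:\n\n"; // empty data event used as primer
const NEW_STARTUP: &str = ": stream open\n\n"; // comment used as primer
const MESSAGE: &str = "data: {\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"ping\"}\n\n";

fn main() {
    println!("old primer events: {:?}", sse_events(OLD_STARTUP));
    println!("new primer events: {:?}", sse_events(NEW_STARTUP));
    let stream = format!("{}{}", OLD_STARTUP, MESSAGE);
    println!("payloads after filtering: {:?}", jsonrpc_payloads(&stream));
}
```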
What's Changed Summary
- Fix/windows unix cfg guards by @ForrestThump in https://github.com/Epistates/turbomcp/pull/13
New Contributors
- @ForrestThump made their first contribution in https://github.com/Epistates/turbomcp/pull/13
Full Changelog: https://github.com/Epistates/turbomcp/compare/v3.1.4...v3.1.5