Skip to content

fix(mcp): serve streamable HTTP statelessly#1717

Open
giladresisi wants to merge 1 commit into
mainfrom
fix/mcp-stateless
Open

fix(mcp): serve streamable HTTP statelessly#1717
giladresisi wants to merge 1 commit into
mainfrom
fix/mcp-stateless

Conversation

@giladresisi

Copy link
Copy Markdown
Collaborator

Replaces #1697, rebased onto main with the MCP_STATELESS env gate removed — stateless is now unconditional. Net diff: 3 insertions, 10 deletions.

Why

@mastra/mcp retains a transport per initialize request, each holding a per-session Server with the whole converted tool schema, released only on an explicit client DELETE that connectors never send. The MCP service climbs ~330 MB/h from a ~1 GB baseline and is killed at ~5 GB about twice a day.

Sessions hurt a second way. Any restart empties the map, and connected clients keep presenting a session id the new process has never seen. Mastra answers an unknown id with 400, where the spec requires 404 for a terminated session — and obliges the client to re-initialize on 404. Clients get no recovery signal, so they hang until restarted, and each reconnect leaks another session.

The 2026-07-28 spec removes protocol-level sessions outright, so this has to go regardless.

How

Swap sessionIdGenerator for serverless: true at the three startHTTP call sites (/mcp-oauth, /mcp, /mcp/:id). serverless: true routes startHTTP to handleServerlessRequest, which serves each request with a transient server and stores nothing.

Safe because nothing depends on session state: auth is bound per request through runWithContext (AsyncLocalStorage), and no tool uses sampling, elicitation, or server-initiated notifications.

Reproduced (session mode)

1000 initialize vs bare MCPServer 1000 transports retained, linear heap growth after forced GC
200 initialize vs real backend 200 sessions, +15 MB across a forced GC — ~76 KB each
One Claude Desktop connection 4 sessions retained in 49 s
Tool calls on an open session retain nothing — cost tracks reconnects, not traffic
Restart with Desktop attached every call 400 Bad Request: No valid session ID; fresh initialize returns 200; client never recovers

Validated (stateless)

Same 200 initialize 0 transports, +1 MB heap
Real toolset tools/list, integrationList, integrationSchema, uploadFromUrlTool, integrationSchedulePostTool identical; drafts same shape
Clients exercised curl, mcp-remote, Claude Desktop
initialize no longer returns mcp-session-id
tools/list without session id 200 (session mode: 400)
Stale session id from a previous boot ignored, served normally — the Desktop client stranded above recovered mid-flight, no reconnect, no re-adding the connector

Not related to the internal Postiz agent

The in-app agent never crosses this code. copilot.controller.ts runs mastra.getAgent('postiz') in-process via @ag-ui/mastra, calling plain createTool functions directly. It never sends initialize, never enters startHTTP, and cannot create or retain a session. No MCPClient exists anywhere in the repo.

Posts it creates are tagged CreationMethod.MCP only because integration.schedule.post.ts hardcodes that literal for any agent tool call — a naming artifact, not a code path. Only external clients (claude.ai, ChatGPT, mcp-remote) reach startHTTP, so only they leak, and only they are affected here.

Rollout

Deploy the MCP service, confirm a flat memory graph, then the backend service. Rollback is reverting this commit.

🤖 Generated with Claude Code

Why
---
`@mastra/mcp` stores one transport per `initialize` request in
`streamableHTTPTransports`, and each transport retains a per-session Server
holding the whole converted tool schema. The only removal path is
`transport.onclose`, which fires only on an explicit client DELETE. No idle
timeout exists, and connectors open a session per conversation and never
DELETE. The map therefore grows for the life of the process: the MCP service
climbs ~330 MB/h from a ~1 GB baseline and is killed at ~5 GB about twice a day.

Sessions hurt a second way. Any restart -- an OOM kill or an ordinary deploy --
empties the map, and every connected client keeps presenting a session id the
new process has never seen. Mastra answers an unknown id with 400, where the
spec requires 404 for a terminated session (and obliges the client to
re-initialize on 404). Clients get no recovery signal, so they hang until
restarted, and each reconnect leaves another permanently retained session.

The upcoming 2026-07-28 MCP specification removes `Mcp-Session-Id` and
protocol-level sessions entirely, so session-based serving has to go anyway.

How
---
Replace `sessionIdGenerator` with `serverless: true` at the three `startHTTP`
call sites (`/mcp-oauth`, `/mcp`, `/mcp/:id`). This routes `startHTTP` to
`handleServerlessRequest`, which serves each request with a transient server
and transport and stores nothing.

This is safe because nothing here depends on session state: auth is bound per
request through `runWithContext` (AsyncLocalStorage), and no tool uses
sampling, elicitation or server-initiated notifications.

Reproduction (session mode)
---------------------------
- 1000 `initialize` requests against a bare MCPServer retained 1000 transports,
  heap growing linearly, measured after a forced GC.
- 200 `initialize` requests against the real backend retained 200 sessions and
  +15 MB of heap across a forced GC: ~76 KB each. Tool calls reuse a session
  and retain nothing, so the cost tracks reconnects, not traffic.
- A single Claude Desktop connection retained 4 sessions within 49 seconds.
- Restarting the backend with Claude Desktop still attached broke every
  subsequent tool call with `400 Bad Request: No valid session ID provided`,
  while a fresh `initialize` on the same server returned 200. The client never
  recovered.

Validation (stateless)
----------------------
- Same 200 `initialize` requests: 0 transports retained, +1 MB of heap.
- Real toolset over the wire -- `tools/list`, `integrationList`,
  `integrationSchema`, `uploadFromUrlTool`, `integrationSchedulePostTool` --
  all behave identically; drafts are created with the same shape. Exercised
  via curl, via `mcp-remote`, and via Claude Desktop.
- `initialize` no longer returns `mcp-session-id`; `tools/list` sent without a
  session id returns 200 where session mode returns 400.
- A stale session id from a previous boot is ignored and served normally. The
  Claude Desktop client stranded by the session-mode restart above recovered
  mid-flight, with no reconnect and no re-adding the connector.

Not related to the internal Postiz agent
----------------------------------------
The in-app agent never crosses this code. `copilot.controller.ts` runs
`mastra.getAgent('postiz')` in process via `@ag-ui/mastra`; the tools are plain
`createTool` functions called directly. It never sends `initialize`, never
enters `startHTTP`, and cannot create or retain a session. No `MCPClient`
exists anywhere in the repo. (Posts it creates are tagged `CreationMethod.MCP`
because `integration.schedule.post.ts` hardcodes that literal for any agent
tool call -- a naming artifact, not a code path.) Only external clients --
claude.ai, ChatGPT, mcp-remote -- reach `startHTTP`, so only they leak, and
only they are affected by this change.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@postiz-contribution postiz-contribution Bot added the contribution:approved Approved contributor label Jul 14, 2026
@postiz-contribution

Copy link
Copy Markdown

Contribution-checker quality warning
Heuristic score: 0/100 (low). This is a non-blocking warning surfaced by the project's quality settings.

Heuristics that flagged:

  • Wall-of-text PR body: 3590 chars (>2500)
  • Excessive inline code references: 44 inline refs (>3)
  • PR doesn't use the repo's PR template: 5 required checkbox items missing (max 1, match ≥80%)
  • Body adds too many extra headers beyond the template: 6 extra headers (>1)
  • AI watermark phrase: Matched: "Generated with Claude Code"
  • Commit message too long: Longest: 3975 chars

If this is a genuine contribution, please add detail to your PR description and tighten the diff scope before reviewers look at it.

@postiz-agent

postiz-agent Bot commented Jul 14, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

contribution:approved Approved contributor

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant