fix(mcp-server): Add defensive patches for Transport edge cases #17291

codyde · 2025-08-02T08:37:41Z

Problem

The Sentry MCP server instrumentation has several edge cases that can cause runtime errors when working with StreamableHTTPServerTransport and similar transport implementations. These issues occur during:

Transport initialization - when transport constructors are undefined/null
Session establishment - when sessionId is undefined during MCP initialization phases
Span correlation - when transport objects cannot be used as WeakMap keys
Type validation - when invalid transport objects are passed to correlation functions

Solution

This PR adds defensive patches to handle these edge cases gracefully while preserving existing functionality and maintaining backward compatibility.

Changes Made

1. Transport Constructor Null Checks (`attributeExtraction.ts`)

export function getTransportTypes(transport: MCPTransport): { mcpTransport: string; networkTransport: string } {
  // Handle undefined transport gracefully while preserving type detection
  if (\!transport || \!transport.constructor) {
    return { mcpTransport: 'unknown', networkTransport: 'unknown' };
  }
  const transportName = transport.constructor.name?.toLowerCase() || '';
  // ... rest of function
}

2. Graceful sessionId Handling (`attributeExtraction.ts`)

export function buildTransportAttributes(
  transport: MCPTransport,
  extra?: ExtraHandlerData,
): Record<string, string | number> {
  // Gracefully handle undefined sessionId during MCP initialization
  // Respects client-provided sessions and waits for proper session establishment
  const sessionId = transport && 'sessionId' in transport ? transport.sessionId : undefined;
  // ... rest of function
}

3. WeakMap Correlation Fallback System (`correlation.ts`)

const transportToSpanMap = new WeakMap<MCPTransport, Map<RequestId, RequestSpanMapValue>>();

/**
 * Fallback span map for invalid transport objects
 * @internal Used when transport objects cannot be used as WeakMap keys
 */
const fallbackSpanMap = new Map<RequestId, RequestSpanMapValue>();

function getOrCreateSpanMap(transport: MCPTransport): Map<RequestId, RequestSpanMapValue> {
  // Handle invalid transport values for WeakMap while preserving correlation
  if (\!transport || typeof transport \!== 'object') {
    // Return persistent fallback Map to maintain correlation across calls
    return fallbackSpanMap;
  }
  // ... rest of function
}

Testing

Added comprehensive test coverage for all edge cases:

attributeExtraction.test.ts: Tests undefined/null transports, constructor edge cases, sessionId handling
correlation.test.ts: Tests WeakMap fallback scenarios, invalid transport objects, correlation isolation

All tests pass and verify that the patches handle edge cases without breaking existing functionality.

Compatibility

✅ Backward compatible - No breaking changes to existing APIs
✅ Non-invasive - Only adds defensive checks, doesn't modify core logic
✅ Performance neutral - Minimal overhead with early returns for invalid cases
✅ Type safe - Maintains existing TypeScript contracts

Impact

This fix prevents runtime errors in production environments when:

MCP transports are not fully initialized
Session establishment is in progress
Invalid transport objects are passed to instrumentation functions
Edge case transport implementations are used

The patches ensure reliable instrumentation while maintaining full compatibility with existing MCP server implementations.

Testing Instructions

The existing test suite continues to pass
New edge case tests verify defensive behavior
Real-world StreamableHTTPServerTransport usage is now more robust

🤖 Generated with Claude Code

…ort edge cases This patch adds defensive handling for edge cases in MCP server instrumentation when working with StreamableHTTPServerTransport and similar transport implementations. Changes: - Add transport constructor null checks in getTransportTypes() - Graceful sessionId undefined handling in buildTransportAttributes() - WeakMap correlation fallback system for invalid transport objects - Type validation for WeakMap operations in correlation.ts The patches prevent runtime errors during MCP initialization and session establishment while maintaining backward compatibility and proper instrumentation functionality. Includes comprehensive test coverage for all edge cases and transport scenarios. Fixes edge cases where: - Transport objects have undefined/null constructors - sessionId is undefined during initialization phases - Transport objects cannot be used as WeakMap keys - Invalid transport objects are passed to correlation functions 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>

…patterns - Streamline sessionId handling with cleaner undefined checks - Use optional chaining for transport constructor validation - Maintain WeakMap fallback system for invalid transport objects - Align TypeScript patterns with working JavaScript build output These changes ensure compatibility with StreamableHTTPServerTransport while following current Sentry v10.0.0 defensive programming patterns. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>

…ation The defensive programming patterns are now the correct baseline implementation, not patches to be applied. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <[email protected]>

…ling

…e cases

betegon · 2025-08-04T07:36:13Z

I've changed a couple of thing, mostly agreed with @codyde . The description in his PR lines 5 items:

Transport initialization - when transport constructors are undefined/null.
Session establishment - when sessionId is undefined during MCP initialization phases.

These two first items are the main addition in this PR. So I haven't touch them much, just did a small refactor so it was easier to follow.

Now about these:

Span correlation - when transport objects cannot be used as WeakMap keys
Type validation - when invalid transport objects are passed to correlation functions

i've remove them as there aren't any code path that could put us in those situation as we have 1.) and 2.) in place.

I also added better transport name handling following @codyde addition of using

const transportName = transport.constructor.name?.toLowerCase() || 'unknown';

So now we get the name of the transport object used, which is handy when there could be more than one http and people can add their own transport and will be instrumenting those too.

…is unknown

packages/core/src/integrations/mcp-server/attributeExtraction.ts

mydea · 2025-08-05T11:13:25Z

packages/core/test/lib/integrations/mcp-server/semanticConventions.test.ts

@@ -61,7 +61,7 @@ describe('MCP Server Semantic Conventions', () => {
          'mcp.session.id': 'test-session-123',
          'client.address': '192.168.1.100',
          'client.port': 54321,
-          'mcp.transport': 'http',
+          'mcp.transport': 'streamablehttpservertransport',


hmm, should we maybe no lower-case the transport? I suppose this would be easier to read in camel case? 😅

totally right. fixing it

mydea

approved, LGTM - only one idea (but feel free to ignore) left, which is maybe we should not lowercase the transport name? but will happily defer to your perspective on this! nice work!

codyde requested a review from betegon August 2, 2025 08:38

codyde and others added 6 commits August 2, 2025 09:39

get custom transport names

ff7d1af

refactor(mcp-server): Remove fallback span map and simplify span hand…

00cd668

…ling

set network transport to pipe if MCP transport name includes "stdio"

2678e9f

refactor tests to use complete transport name and check transport edg…

fb40d64

…e cases

betegon requested review from AbhiPrasad and removed request for betegon August 4, 2025 07:36

betegon marked this pull request as ready for review August 4, 2025 07:36