Skip to content

Commit 72f9da9

Browse files
authored
Add governance documentation for SEP-1730 (#808)
Add governance documentation required for SEP-1730 tier compliance: - DEPENDENCY_POLICY.md: Conservative update policy for Maven dependencies - VERSIONING.md: SemVer policy with breaking/non-breaking definitions - ROADMAP.md: 2025-11-25 spec implementation focus and v1.x development - .github/dependabot.yml: Monthly updates with frozen production dependencies This mirrors the TypeScript SDK PR structure while being adapted for the Java context. Signed-off-by: Dariusz Jędrzejczyk <dariusz.jedrzejczyk@broadcom.com>
1 parent 5b99cd6 commit 72f9da9

File tree

4 files changed

+139
-0
lines changed

4 files changed

+139
-0
lines changed

.github/dependabot.yml

Lines changed: 22 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
version: 2
2+
updates:
3+
- package-ecosystem: 'github-actions'
4+
directory: '/'
5+
schedule:
6+
interval: monthly
7+
- package-ecosystem: 'maven'
8+
directory: '/'
9+
schedule:
10+
interval: monthly
11+
open-pull-requests-limit: 10
12+
ignore:
13+
# Freeze production dependencies of mcp-core
14+
- dependency-name: 'org.slf4j:slf4j-api'
15+
- dependency-name: 'com.fasterxml.jackson.core:jackson-annotations'
16+
- dependency-name: 'tools.jackson.core:jackson-databind'
17+
- dependency-name: 'io.projectreactor:reactor-bom'
18+
- dependency-name: 'io.projectreactor:reactor-core'
19+
- dependency-name: 'jakarta.servlet:jakarta.servlet-api'
20+
# mcp-json-jackson2 and mcp-json-jackson3 dependencies
21+
- dependency-name: 'com.fasterxml.jackson.core:jackson-databind'
22+
- dependency-name: 'com.networknt:json-schema-validator'

DEPENDENCY_POLICY.md

Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,26 @@
1+
# Dependency Policy
2+
3+
As a library consumed by downstream projects, the MCP Java SDK takes a conservative approach to dependency updates. Dependencies are kept stable unless there is a specific reason to update, such as a security vulnerability, a bug fix, or a need for new functionality.
4+
5+
## Update Triggers
6+
7+
Dependencies are updated when:
8+
9+
- A **security vulnerability** is disclosed (via GitHub security alerts).
10+
- A bug in a dependency directly affects the SDK.
11+
- A new dependency feature is needed for SDK development.
12+
- A dependency drops support for a Java version the SDK still targets.
13+
14+
Routine version bumps without a clear motivation are avoided to minimize churn for downstream consumers.
15+
16+
## What We Don't Do
17+
18+
The SDK does not run scheduled version bumps for production Maven dependencies. Updating a dependency can force downstream consumers to adopt that update transitively, which can be disruptive for projects with strict dependency policies.
19+
20+
Dependencies are only updated when there is a concrete reason, not simply because a newer version is available.
21+
22+
## Automated Tooling
23+
24+
- **GitHub security updates** are enabled at the repository level and automatically open pull requests for Maven packages with known vulnerabilities. This is a GitHub repo setting, separate from the `dependabot.yml` configuration.
25+
- **GitHub Actions versions** are kept up to date via Dependabot on a monthly schedule (see `.github/dependabot.yml`).
26+
- **Maven dependencies** are monitored via Dependabot on a monthly schedule for non-production updates only (see `.github/dependabot.yml`).

ROADMAP.md

Lines changed: 45 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,45 @@
1+
# Roadmap
2+
3+
## Spec Implementation Tracking
4+
5+
The SDK tracks implementation of MCP spec components via GitHub Projects, with a dedicated project board for each spec revision. For example, see the [2025-11-25 spec revision board](https://github.com/orgs/modelcontextprotocol/projects/26/views/1).
6+
7+
## Current Focus Areas
8+
9+
### 2025-11-25 Spec Implementation
10+
11+
The Java SDK is actively implementing the [2025-11-25 MCP specification revision](https://github.com/orgs/modelcontextprotocol/projects/26/views/1).
12+
13+
Key features in this revision include:
14+
15+
- **Tasks**: Experimental support for tracking durable requests with polling and deferred result retrieval
16+
- **Tool calling in sampling**: Support for `tools` and `toolChoice` parameters
17+
- **URL mode elicitation**: Client-side URL elicitation requests
18+
- **Icons metadata**: Servers can expose icons for tools, resources, resource templates, and prompts
19+
- **Enhanced schemas**: JSON Schema 2020-12 as default, improved enum support, default values for elicitation
20+
- **Security improvements**: Updated security best practices, enhanced authorization flows, enabling OAuth integrations
21+
22+
See the full [changelog](https://modelcontextprotocol.io/specification/2025-11-25/changelog) for details.
23+
24+
### Tier 1 SDK Support
25+
26+
Once we catch up on the most recent MCP specification revision we aim to fully support all the upcoming specification features on the day of its release.
27+
28+
### v1.x Development
29+
30+
The Java SDK is currently in active development as v1.x, following a recent stable 1.0.0 release. The SDK provides:
31+
32+
- MCP protocol implementation
33+
- Synchronous and asynchronous programming models
34+
- Multiple transport options (STDIO, HTTP/SSE, Servlet)
35+
- Pluggable JSON serialization (Jackson 2 and Jackson 3)
36+
37+
Development is tracked via [GitHub Issues](https://github.com/modelcontextprotocol/java-sdk/issues) and [GitHub Projects](https://github.com/orgs/modelcontextprotocol/projects).
38+
39+
### Future Versions
40+
41+
Major version updates will align with MCP specification changes and breaking API changes as needed. The SDK is designed to evolve with the Java ecosystem, including:
42+
43+
- Virtual Threads and Structured Concurrency support
44+
- Additional transport implementations
45+
- Performance optimizations

VERSIONING.md

Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,46 @@
1+
# Versioning Policy
2+
3+
The MCP Java SDK (`io.modelcontextprotocol.sdk`) follows [Semantic Versioning 2.0.0](https://semver.org/).
4+
5+
## Version Format
6+
7+
`MAJOR.MINOR.PATCH`
8+
9+
- **MAJOR**: Incremented for breaking changes (see below).
10+
- **MINOR**: Incremented for new features that are backward-compatible.
11+
- **PATCH**: Incremented for backward-compatible bug fixes.
12+
13+
## What Constitutes a Breaking Change
14+
15+
The following changes are considered breaking and require a major version bump:
16+
17+
- Removing or renaming a public API (class, interface, method, or constant).
18+
- Changing the signature of a public method in a way that breaks existing callers (removing parameters, changing required/optional status, changing types).
19+
- Removing or renaming a public interface method or field.
20+
- Changing the behavior of an existing API in a way that breaks documented contracts.
21+
- Dropping support for a Java LTS version.
22+
- Removing support for a transport type.
23+
- Changes to the MCP protocol version that require client/server code changes.
24+
- Removing a module from the SDK.
25+
26+
The following are **not** considered breaking:
27+
28+
- Adding new methods with default implementations to interfaces.
29+
- Adding new public APIs, classes, interfaces, or methods.
30+
- Adding new optional parameters to existing methods (through method overloading).
31+
- Bug fixes that correct behavior to match documented intent.
32+
- Internal refactoring that does not affect the public API.
33+
- Adding support for new MCP spec features.
34+
- Changes to test dependencies or build tooling.
35+
- Adding new modules to the SDK.
36+
37+
## How Breaking Changes Are Communicated
38+
39+
1. **Changelog**: All breaking changes are documented in the GitHub release notes with migration instructions.
40+
2. **Deprecation**: When feasible, APIs are deprecated for at least one minor release before removal using `@Deprecated` annotations, which surface warnings through Java tooling and IDEs.
41+
3. **Migration guide**: Major version releases include a migration guide describing what changed and how to update.
42+
4. **PR labels**: Pull requests containing breaking changes are labeled with `breaking change`.
43+
44+
## Maven Coordinates
45+
46+
All SDK modules share the same version number and are released together. The BOM (`mcp-bom`) provides dependency management for all SDK modules to ensure version consistency.

0 commit comments

Comments
 (0)