Summary
Connection.check_capability() returns True when a client has URL-mode elicitation but the caller checks for form-mode elicitation — the sub-capability (ElicitationCapability.form / .url) is never inspected.
Root cause
In src/mcp/server/connection.py:340-341:
if capability.elicitation is not None and have.elicitation is None:
return FalseThis only returns False when the client has no elicitation at all. It does not check individual sub-capabilities (form / url). Compare with sampling, which correctly checks sub-capabilities:
if capability.sampling is not None:
if have.sampling is None:
return False
if capability.sampling.context is not None and have.sampling.context is None:
return False
if capability.sampling.tools is not None and have.sampling.tools is None:
return FalseReproduction
# Client supports URL elicitation only
have = ClientCapabilities(elicitation=ElicitationCapability(url=UrlElicitationCapability()))
# Check for form elicitation — should be False (client does not have form)
want = ClientCapabilities(elicitation=ElicitationCapability(form=FormElicitationCapability()))
Connection.from_envelope("2025-11-25", client_info, have).check_capability(want) # Returns True (BUG)Impact
check_capability is public API (via ServerSession.check_client_capability)- Currently no production callers use elicitation sub-capability checks — low immediate impact
- But once someone relies on it (e.g., checking if the client supports form elicitation before calling
elicit_form), it will return wrong results
Additional gaps (lower priority)
extensions — ClientCapabilities.extensions is not checked at alltasks — ClientCapabilities.tasks and sub-capabilities entirely unhandled
Proposed fix
Add form / url sub-capability checks, matching the sampling pattern:
if capability.elicitation is not None:
if have.elicitation is None:
return False
if capability.elicitation.form is not None and have.elicitation.form is None:
return False
if capability.elicitation.url is not None and have.elicitation.url is None:
return FalseAI assistance: Bug discovered and analyzed with AI assistance (opencode).
Summary
Connection.check_capability()returnsTruewhen a client has URL-mode elicitation but the caller checks for form-mode elicitation — the sub-capability (ElicitationCapability.form/.url) is never inspected.Root cause
In
src/mcp/server/connection.py:340-341:This only returns
Falsewhen the client has no elicitation at all. It does not check individual sub-capabilities (form/url). Compare withsampling, which correctly checks sub-capabilities:Reproduction
Impact
check_capabilityis public API (viaServerSession.check_client_capability)elicit_form), it will return wrong resultsAdditional gaps (lower priority)
extensions—ClientCapabilities.extensionsis not checked at alltasks—ClientCapabilities.tasksand sub-capabilities entirely unhandledProposed fix
Add
form/urlsub-capability checks, matching thesamplingpattern:AI assistance: Bug discovered and analyzed with AI assistance (opencode).