@pcarleton

Summary

Add client conformance testing as a CI step in the typescript-sdk repo, starting non-blocking.

Changes

  1. Copied files from conformance repo:

    • src/conformance/everything-client.ts - Single conformance test client that handles all scenarios
    • src/conformance/helpers/withOAuthRetry.ts - OAuth retry middleware
    • src/conformance/helpers/ConformanceOAuthProvider.ts - OAuth provider for conformance tests
    • src/conformance/helpers/logger.ts - Simple logger utility
  2. Updated imports to use @modelcontextprotocol/client workspace package (the monorepo's client package re-exports everything from core)

  3. Added npm script conformance:client to run the initialize scenario

  4. Added GitHub Actions workflow .github/workflows/conformance.yml with continue-on-error: true for non-blocking initial rollout

Testing

  • Local test passes: pnpm run conformance:client
  • CI green path verification (this PR)
  • CI red path verification (break something, verify failure shows)

Available Scenarios

The everything-client supports these scenarios:

  • initialize - Basic MCP initialization (currently tested)
  • tools-call - Tool invocation
  • elicitation-defaults - Elicitation with defaults
  • Auth scenarios (10 total)

Notes

  • Non-blocking initially with continue-on-error: true to avoid blocking PRs while we stabilize
  • Using npx @modelcontextprotocol/conformance (no devDependency needed)
  • Added @modelcontextprotocol/client as devDependency at root to make workspace package available to tsx

- Copy everything-client.ts and helpers from conformance repo
- Add conformance:client npm script for running initialize scenario
- Add GitHub Actions workflow (non-blocking with continue-on-error)
- Use @modelcontextprotocol/client workspace package for imports
@pcarleton pcarleton requested a review from a team as a code owner January 5, 2026 18:06

changeset-bot bot commented Jan 5, 2026

⚠️ No Changeset found

Latest commit: eb7d860

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



pkg-pr-new bot commented Jan 5, 2026


npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/client@1359
npm i https://pkg.pr.new/modelcontextprotocol/typescript-sdk/@modelcontextprotocol/server@1359

commit: eb7d860

Comment on lines +11 to +24
runs-on: ubuntu-latest
continue-on-error: true # Non-blocking initially
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 24
cache: npm
- uses: pnpm/action-setup@v4
with:
version: 10.24.0
- run: pnpm install
- run: pnpm run build:all
- run: pnpm run conformance:client
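Review bot: the three `uses:` entries (`actions/checkout@v4`, `actions/setup-node@v4`, `pnpm/action-setup@v4`) reference a mutable tag; pin each to a full commit SHA, with the tag kept in a trailing comment, so a retagged action cannot change what this job executes. Separately, `cache: npm` on the setup-node step does not match the package manager the job actually runs (`pnpm install`, `pnpm run ...`); use `cache: pnpm` and move the `pnpm/action-setup` step ahead of setup-node so pnpm is available when the cache is resolved. Since `continue-on-error: true` sits at job level, a failing `conformance:client` run will not fail the check, so the red-path item in the PR description should confirm the failure is still visible somewhere a reviewer will look.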

Check warning

Code scanning / CodeQL

Workflow does not contain permissions Medium

Actions job or workflow does not limit the permissions of the GITHUB_TOKEN. Consider setting an explicit permissions block, using the following as a minimal starting point: {contents: read}

Copilot Autofix

AI 5 days ago

In general, to fix this issue you add an explicit permissions block either at the top level of the workflow (applies to all jobs that don’t override it) or inside each job, granting only the scopes actually needed. For this workflow, the client-conformance job only checks out code and runs Node/pnpm commands, so it only needs read access to repository contents.

The best minimal fix without changing existing functionality is to define permissions: contents: read at the workflow root, just under name: or under the on: block. This will apply to the client-conformance job and limit the GITHUB_TOKEN to read-only repo contents, which is sufficient for actions/checkout and other steps shown. No other permissions appear necessary based on the snippet.

Concretely, edit .github/workflows/conformance.yml and insert:

permissions:
  contents: read

between the name: Conformance Tests line and the on: block (or equivalently between on: and jobs:). No imports, methods, or other definitions are needed since this is purely a YAML configuration change.

Suggested changeset 1
.github/workflows/conformance.yml

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/.github/workflows/conformance.yml b/.github/workflows/conformance.yml
--- a/.github/workflows/conformance.yml
+++ b/.github/workflows/conformance.yml
@@ -1,5 +1,8 @@
 name: Conformance Tests
 
+permissions:
+  contents: read
+
 on:
   push:
     branches: [main]
EOF
Copilot is powered by AI and may make mistakes. Always verify output.
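
One way to apply the CodeQL finding above to any workflow file before it reaches code scanning, as an added example that is not part of the PR or the SDK. The function name `jobsWithoutPermissions` and the sample workflow text are constructed for illustration, and the check assumes block-style YAML indented with spaces.

```typescript
// Added example (not from the PR): list jobs whose GITHUB_TOKEN scope is unrestricted.
// Line-based, no YAML dependency; assumes block-style YAML indented with spaces.
type Job = { id: string; propIndent: number; hasPermissions: boolean };

function jobsWithoutPermissions(workflow: string): string[] {
  const jobs: Job[] = [];
  let topLevelPermissions = false;
  let inJobs = false;
  let jobIndent = -1;
  for (const line of workflow.split(/\r?\n/)) {
    if (/^\s*(#.*)?$/.test(line)) continue; // blank or comment-only line
    const indent = line.search(/\S/);
    const m = /^\s*["']?([A-Za-z_][\w-]*)["']?\s*:/.exec(line); // mapping key, if any
    const key = m ? m[1] : null;
    if (indent === 0) {
      inJobs = key === "jobs";
      jobIndent = -1;
      if (key === "permissions") topLevelPermissions = true;
      continue;
    }
    if (!inJobs || key === null) continue;
    if (jobIndent === -1) jobIndent = indent; // first key under jobs: fixes job-id depth
    const job = jobs.length > 0 ? jobs[jobs.length - 1] : null;
    if (indent === jobIndent) {
      jobs.push({ id: key, propIndent: -1, hasPermissions: false });
    } else if (job !== null) {
      if (job.propIndent === -1) job.propIndent = indent;
      // Only a direct property of the job counts, not a nested key such as a `with:` input.
      if (indent === job.propIndent && key === "permissions") job.hasPermissions = true;
    }
  }
  // A workflow-level block is inherited by every job that does not override it.
  if (topLevelPermissions) return [];
  return jobs.filter((j) => !j.hasPermissions).map((j) => j.id);
}

// Constructed samples modelled on the conformance workflow discussed above.
const BEFORE = [
  "name: Conformance Tests",
  "on:",
  "  push:",
  "    branches: [main]",
  "jobs:",
  "  client-conformance:",
  "    runs-on: ubuntu-latest",
  "    continue-on-error: true",
  "    steps:",
  "      - uses: actions/checkout@v4",
  "      - run: pnpm run conformance:client",
].join("\n");
const AFTER = BEFORE.replace("on:\n", "permissions:\n  contents: read\non:\n");
```

Feed the function the text of each file under `.github/workflows/` and fail the check when the returned list is non-empty.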
@pcarleton pcarleton self-assigned this Jan 5, 2026
@pcarleton pcarleton marked this pull request as draft January 5, 2026 18:07
@pcarleton pcarleton closed this Jan 7, 2026