
Fix large MCP streamable HTTP payloads #1434

Draft
threepointone wants to merge 1 commit into main from
fix/mcp-large-streamable-http-payloads


@threepointone threepointone commented Apr 30, 2026

Summary

Why

The reported TLS Alert: record_overflow failure was caused by large MCP JSON-RPC payloads being base64-encoded into cf-mcp-message during the internal Worker-to-Durable Object WebSocket upgrade. That made the request body part of an HTTP header, where it could exceed Cloudflare's per-header limit before the Durable Object ever saw the request.

A direct HTTP forwarding path would avoid the header limit too, but it changes the lifecycle story for streamable HTTP: the current bridge uses WebSockets specifically so idle/long-lived streams can hibernate with the Durable Object runtime. This PR keeps that architecture and only moves the large data out of headers and into the WebSocket data channel, which is the smaller behavioral change for a published package bug fix.

Details

  • cf-mcp-method remains as the small internal routing signal for POST vs GET upgrade requests.
  • cf-mcp-message is no longer populated with the serialized payload and is stripped from forwarded request metadata.
  • POST bridge state is recorded on connect, and the first WebSocket message is parsed as the JSON-RPC body.
  • Notification/result/error-only POSTs still return 202; the internal bridge is closed after the DO receives and processes the frame.

Test plan

  • npm run test:workers -- src/tests/mcp/transports/streamable-http.test.ts
  • npm run typecheck
  • npm run check

Made with Cursor



Send internal streamable HTTP payloads over the WebSocket data channel so large JSON-RPC requests avoid Worker header limits while preserving Durable Object hibernation behavior.

Made-with: Cursor
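
The header-versus-frame behavior described in this PR, modeled as an added example that is not code from the PR or the agents package. Only the `cf-mcp-method` and `cf-mcp-message` header names come from the description; the function names, the 16 KB limit value, and the 200/400 status choices are assumptions made for the sketch.

```javascript
// Added illustration only: every name except the two cf-mcp-* headers is hypothetical.
const ASSUMED_HEADER_LIMIT = 16 * 1024; // placeholder value, not a documented limit

// Old shape: the serialized JSON-RPC body rides in a header on the upgrade request.
function upgradeWithHeaderPayload(method, body) {
  const encoded = Buffer.from(JSON.stringify(body)).toString("base64");
  return { headers: { "cf-mcp-method": method, "cf-mcp-message": encoded }, frames: [] };
}

// New shape: headers carry only the routing signal; the body is the first frame.
function upgradeWithFramePayload(method, body, inboundHeaders = {}) {
  const headers = { ...inboundHeaders, "cf-mcp-method": method };
  delete headers["cf-mcp-message"]; // strip any payload-bearing header before forwarding
  return { headers, frames: method === "POST" ? [JSON.stringify(body)] : [] };
}

// Stand-in for the platform check that runs before the receiver sees the request.
function largestHeaderBytes(upgrade) {
  return Math.max(...Object.values(upgrade.headers).map((v) => Buffer.byteLength(v)));
}

// Receiver: record bridge state on connect, then treat the first frame as the body.
function handleBridge(upgrade) {
  if (largestHeaderBytes(upgrade) > ASSUMED_HEADER_LIMIT) {
    return { delivered: false, reason: "header over limit" };
  }
  const method = upgrade.headers["cf-mcp-method"];
  if (method !== "POST") return { delivered: true, status: 200, closeBridge: false };
  let parsed;
  try {
    parsed = JSON.parse(upgrade.frames[0]);
  } catch {
    return { delivered: true, status: 400, closeBridge: true }; // assumed error handling
  }
  const messages = Array.isArray(parsed) ? parsed : [parsed];
  // A JSON-RPC request has both "method" and "id"; notifications and responses do not.
  const hasRequest = messages.some(
    (m) => m !== null && typeof m === "object" && typeof m.method === "string" && "id" in m
  );
  return hasRequest
    ? { delivered: true, status: 200, closeBridge: false }
    : { delivered: true, status: 202, closeBridge: true };
}

// Constructed sample: a tools/call request carrying a ~20 KB argument.
const sample = { jsonrpc: "2.0", id: 1, method: "tools/call", params: { blob: "x".repeat(20000) } };
console.log(handleBridge(upgradeWithHeaderPayload("POST", sample)).delivered);
console.log(handleBridge(upgradeWithFramePayload("POST", sample)).status);
```
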

changeset-bot Bot commented Apr 30, 2026

🦋 Changeset detected

Latest commit: 37d3813

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package
Name Type
agents Patch



@devin-ai-integration devin-ai-integration Bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no bugs or issues to report.



pkg-pr-new Bot commented Apr 30, 2026


agents

npm i https://pkg.pr.new/agents@1434

@cloudflare/ai-chat

npm i https://pkg.pr.new/@cloudflare/ai-chat@1434

@cloudflare/codemode

npm i https://pkg.pr.new/@cloudflare/codemode@1434

hono-agents

npm i https://pkg.pr.new/hono-agents@1434

@cloudflare/shell

npm i https://pkg.pr.new/@cloudflare/shell@1434

@cloudflare/think

npm i https://pkg.pr.new/@cloudflare/think@1434

@cloudflare/voice

npm i https://pkg.pr.new/@cloudflare/voice@1434

@cloudflare/worker-bundler

npm i https://pkg.pr.new/@cloudflare/worker-bundler@1434

commit: 37d3813

@threepointone
Contributor Author

putting into draft till we get a repro


Development

Successfully merging this pull request may close these issues.

MCP streamable-HTTP transport: large JSON-RPC payloads (>16 KB) fail with TLS record_overflow due to header-encoding
