Fix serverless crashes (socket hang up) and 60s idle invocations in MCP function

[JakeSCahill]

Problem

The MCP function was logging two distinct serverless-vs-long-lived-connection failures:

1. socket hang up / ECONNRESET → Unhandled Promise Rejection → LAMBDA_RUNTIME Failed to post handler success response … Invalid request ID. The upstream MCP clients (kapaClient, bumpClient) are module-global and hold persistent connections reused across warm invocations. When the Lambda container freezes between requests, the idle upstream socket is dropped; on thaw, Node emits the socket error inside the transport's background read loop — a rejection with no awaiter. The existing isTransientError retry only catches errors during a tool call, so this slips through as an unhandled rejection and the runtime kills the invocation.

2. Duration: 60000 ms invocations. Every connected client opens Streamable HTTP's optional GET server→client SSE stream. This server is request/response only (it never pushes server-initiated messages), so on serverless that stream just idles open until the function hits its max duration — a wasted full-length invocation per connected client.

Fix

• Transport onerror/onclose on both Kapa and Bump transports → reset the cached connection at the source, so a dropped socket reconnects on the next request instead of bubbling up.
• Process-level safety net (unhandledRejection / uncaughtException, registered once per cold start) → log and reset the cached connections rather than letting the runtime crash the invocation. Errors are logged clearly, so real bugs stay visible.
• Decline the idle GET SSE with 405 — the MCP spec explicitly allows 405 Method Not Allowed on GET when the server doesn't offer an SSE stream there, and clients fall back to POST. Eliminates the 60s invocations.

Bumps SERVER_VERSION → 1.1.3.

Risk / notes

• The 405 on GET is spec-compliant and our supported clients (ChatGPT, Claude, Cursor, VS Code) handle it — sessions initialize over POST, which is unchanged. If any client unexpectedly depends on the GET stream, reverting just that hunk restores the old behavior.
• No behavior change to POST/DELETE/OPTIONS or rate limiting.
• Independent of the OAuth (DOC-2262: Add OAuth authentication to the docs MCP server (Redpanda Cloud IdP) #181) and Neon (Move OAuth state to Neon Postgres (atomic one-time-use) behind STORE_BACKEND flag #184) work — this is a base mcp.mjs fix targeting main so it can ship to production quickly.

[netlify]

✅ Deploy Preview for redpanda-documentation ready!

Name	Link
🔨 Latest commit	e0a1cb2
🔍 Latest deploy log	https://app.netlify.com/projects/redpanda-documentation/deploys/6a39878e98a1190008b17119
😎 Deploy Preview	https://deploy-preview-185--redpanda-documentation.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
Lighthouse	1 paths audited Performance: 82 (🟢 up 19 from production) Accessibility: 92 (🔴 down 2 from production) Best Practices: 92 (no change from production) SEO: 83 (no change from production) PWA: - View the detailed breakdown and full score reports

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[micheleRP]

Approving — the serverless fixes are well-reasoned and the implementation is sound. I verified the one thing that could have undermined the transport-level handlers: in @modelcontextprotocol/sdk@1.17.0, Protocol.connect() (dist/esm/shared/protocol.js) assigns this._transport = transport and then captures and chains the existing onerror/onclose (_onerror?.(error); this._onerror(error)) rather than overwriting them. So the handlers you set before kapaClient.connect(...) / bumpClient.connect(...) do fire. The reconnect-after-reset path is also already exercised by the existing catch blocks, and the 405 on GET is spec-compliant and trivially revertable.

One non-blocking discussion point for your consideration:

• Breadth of the uncaughtException guard. The unhandledRejection handler is well-targeted at exactly the described failure (a background-read-loop rejection with no awaiter that the runtime treats as fatal). The uncaughtException handler is broader: swallowing it and continuing leaves the process in a state Node's own docs flag as unsafe, and it catches all exceptions process-wide, not just upstream socket drops. The mitigation is real — the only recovery action is nulling cached connection promises (cheap and safe), and everything is logged so real bugs stay visible. Might be worth scoping it to known socket errors (ECONNRESET / socket hang up) and rethrowing otherwise, vs. keeping the broad catch for serverless robustness. Your call — not a blocker.

[JakeSCahill]

Thanks @micheleRP — and thanks for verifying the SDK connect() chains (rather than overwrites) onerror/onclose; that was the load-bearing assumption.

Addressed the uncaughtException note in e0a1cb2: it now recovers only from known upstream socket drops (ECONNRESET / socket hang up / EPIPE / ECONNREFUSED) and re-throws everything else so genuine bugs surface normally (re-throwing inside the handler terminates the process). Left unhandledRejection as a recover-all, since that's the actual incident path you flagged as well-targeted.