Implement Session Persistence #1164
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Mohan Lakshmaiah <[email protected]>
Signed-off-by: Mohan Lakshmaiah <[email protected]>
MohanLaksh
requested review from
crivetimihai,
kevalmahajan and
madhav165
as code owners
* Add scale docs Signed-off-by: Mihai Criveti <[email protected]> * Add scale docs Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]>
…ort (IBM#1158) * test: Add TDD Red Phase tests for DCR and PKCE (RFC 7591, 7636) Add comprehensive test suite for OAuth Dynamic Client Registration and PKCE following Test-Driven Development (Red Phase). All tests will fail until implementation is complete. Tests Added: - test_oauth_manager_pkce.py (22 tests) * PKCE parameter generation (RFC 7636) * Authorization URL with code_challenge * State storage with code_verifier * Token exchange with PKCE validation * Security properties validation - test_dcr_service.py (35 tests) * AS metadata discovery (RFC 8414) * Client registration (RFC 7591) * Get-or-register pattern * Update/delete operations * Issuer validation and error handling - test_dcr_flow_integration.py (12 tests) * Complete PKCE flow with database * Complete DCR flow end-to-end * Security validations (replay prevention, expiry) * Error handling scenarios All tests use shared test_db fixture from tests/conftest.py. Related to IBM#979 Test Status: 🔴 RED - Tests will fail until implementation * feat: Implement PKCE and DCR core functionality (TDD Green Phase) Implement OAuth Dynamic Client Registration and PKCE support following RFCs 7591, 7636, and 8414. This is the TDD Green Phase implementation. Test Results: 27/45 tests passing (60%) - PKCE tests: 17/22 passing (77%) - DCR tests: 10/23 passing (43%) Changes: 1. PKCE Support (RFC 7636): - Add code_verifier column to oauth_states table - Implement _generate_pkce_params() for PKCE generation - Implement _create_authorization_url_with_pkce() - Update _store_authorization_state() to store code_verifier - Implement _validate_and_retrieve_state() to return state data - Update _exchange_code_for_tokens() to include code_verifier - Wire PKCE through initiate/complete authorization flows 2. DCR Service (RFC 7591): - Create DcrService with AS metadata discovery (RFC 8414) - Implement register_client() for dynamic registration - Implement get_or_register_client() pattern - Implement update_client_registration() - Implement delete_client_registration() - Add metadata caching for performance - Add DcrError exception class 3. Database Models: - Add RegisteredOAuthClient model for DCR storage - Add code_verifier to OAuthState model - Add relationship to Gateway model 4. Configuration: - Add 10 DCR configuration settings - Add oauth_discovery_enabled setting - Add oauth_preferred_code_challenge_method setting 5. Database Migrations: - Migration 61ee11c482d6: Add code_verifier column - Migration 2f67b12600b4: Add registered_oauth_clients table Remaining work: - Fix mocking issues in some tests (module-level variable patches) - Add admin DCR router (Phase 1.4) - Update OAuth router integration - Documentation updates Related to IBM#979 * fix: Fix unit test mocking issues for PKCE and DCR tests Fix failing unit tests by correcting mock setups: Test Results: 33/45 passing (73% - up from 60%) - PKCE tests: 22/22 passing (100%) ✅ - DCR tests: 11/23 passing (48%) Changes: - Fix _state_lock patching (module-level vs instance) - Fix aiohttp.ClientSession mocking for async context managers - Add token_storage mock for initiate_authorization_code_flow test - Fix issuer mismatch in discovery test mocks - Clear metadata cache in caching test All PKCE tests now passing. Remaining DCR test failures are due to mock setup complexity, not implementation bugs. Related to IBM#979 * fix: Fix remaining DCR test issues - ALL TESTS PASSING ✅ Fix final test issues to achieve 100% test pass rate: Test Results: 45/45 passing (100%) ✅✅✅ - PKCE tests: 22/22 passing (100%) - DCR tests: 23/23 passing (100%) Changes: - Fix aiohttp.ClientSession mocking for discovery tests - Clear metadata cache in tests for isolation - Use unique gateway_id and issuer for each test (avoid UNIQUE constraints) - Add Gateway objects to database before RegisteredOAuthClient - Fix Gateway model attributes (use slug/url instead of server_url/command) - Properly encrypt registration_access_token in update tests - Update encrypted secret assertions (check length instead of prefix) All unit tests for PKCE and DCR now passing! Related to IBM#979 * fix: Fix test_dcr_implementation.sh heredoc issues Fix script hanging by: - Remove 'set -e' to allow test counting instead of immediate exit - Replace problematic heredocs with single-line Python commands - Suppress stderr warnings (security warnings from config) - Use grep for file content checks instead of Python heredocs Script now runs to completion and reports: - 5 tests passed (PKCE, DCR service, database, config) - 2 tests failed (admin router not yet implemented) - Warnings for documentation (Phase 1.4 tasks) Related to IBM#979 * feat: Implement Phase 1.4 - Integrate DCR into OAuth router - Auto-detect missing client_id when gateway has issuer - Auto-trigger DCR client registration when DCR is enabled - Store registered credentials and update gateway oauth_config - Add admin endpoints for viewing/managing registered OAuth clients - Integrate with existing PKCE implementation in OAuthManager Endpoints added: - GET /oauth/registered-clients - List all registered clients - GET /oauth/registered-clients/{gateway_id} - Get client for gateway - DELETE /oauth/registered-clients/{client_id} - Delete registered client Closes IBM#979 Phase 1.4 * fix: Set auth_type=oauth when DCR auto-registers client When DCR automatically registers a client, we now also update the gateway's auth_type field to 'oauth' to ensure subsequent connections know to use OAuth authentication. This ensures the gateway initialization logic correctly skips immediate connection attempts for OAuth authorization code flows. * fix: Auto-detect OAuth and add OAuth option to UI - Added 'OAuth 2.0' option to auth_type dropdown in admin UI - Auto-detect auth_type='oauth' when oauth_config is present - Applied to both create and edit gateway endpoints - Users no longer need to manually select OAuth auth type This fixes the issue where OAuth-protected MCP servers (like Reddit MCP) would fail to register because auth_type wasn't automatically set. * feat: Assemble OAuth config from UI form fields + add issuer field Backend changes (admin.py): - Collect individual OAuth fields from UI form - Assemble into oauth_config object - Support both JSON string (API) and form fields (UI) - Applied to both create and edit endpoints UI changes (admin.html): - Added oauth_issuer field (required for DCR) - Updated Client ID placeholder for DCR - Added help text explaining DCR auto-registration - Applied to both Add and Edit gateway forms Now users can configure OAuth gateways via UI with proper DCR support. If client_id is empty but issuer is provided, DCR will auto-register the client. * feat: Add DCR help text and debug logging - Added blue help text to Client Secret field explaining DCR - Applied to both Add and Edit forms - Added debug logging to show complete oauth_config assembly - Made OAuth authorization code fields always visible This makes it clear to users that Client ID and Client Secret can be left empty when using DCR. * debug: Add form field debugging to trace oauth_config issue Added logging to see what oauth_config_json and individual OAuth fields are being received from the form submission. * fix: Disable JavaScript OAuth config assembly, let backend handle it The JavaScript in admin.js was intercepting the form submission and assembling oauth_config with incorrect field names (token_url instead of token_endpoint). This caused the backend to receive pre-assembled but incorrect OAuth configuration. Changes: - Commented out OAuth config assembly in handleAddGatewayFormSubmit - Commented out OAuth config assembly in handleEditGatewayFormSubmit - Individual OAuth form fields now pass through to backend - Backend (admin.py) correctly assembles with proper field names - Supports DCR when client_id/client_secret are empty This fixes the issue where grant_type was always 'client_credentials' instead of respecting the user's selection of 'authorization_code'. * fix: Make Authorization Code the default OAuth grant type Changed the default selection in the grant type dropdown from 'client_credentials' to 'authorization_code' since that's the most common use case for OAuth-protected MCP servers and the flow we're testing for DCR/PKCE. Users can still select Client Credentials if needed, but Authorization Code is now the default for both Add and Edit gateway forms. * fix: Accept HTTP 200 for DCR registration (RFC 7591 compatibility) Some OAuth servers (like systemprompt-mcp-server) return HTTP 200 OK instead of HTTP 201 Created for successful client registration, even though RFC 7591 specifies 201. Changed the DCR service to accept both 200 and 201 as successful responses to improve compatibility with real-world OAuth servers. This allows DCR to work with the Reddit MCP server (systemprompt) which registers public clients (no client_secret) and returns 200. * fix: Support public clients (no secret) and fix OAuth field names Two critical fixes for DCR with public clients: 1. Handle public clients without client_secret: - Check if client_secret_encrypted is None before decrypting - Only add client_secret to oauth_config if it exists - This supports PKCE-only flows (RFC 7636) 2. Fix OAuth field name inconsistency: - Changed 'token_endpoint' -> 'token_url' - Changed 'authorization_endpoint' -> 'authorization_url' - OAuthManager expects these field names - Applied to both admin.py (form assembly) and oauth_router.py (DCR) This allows DCR to work with public OAuth clients like the Reddit MCP server (systemprompt-mcp-server) which uses PKCE without secrets. * feat: Implement OAuth Dynamic Client Registration (DCR) and PKCE support Implements Phase 1 of RFC 7591 (DCR) and RFC 7636 (PKCE) support for OAuth-protected MCP servers, as specified in issue IBM#979. Core Implementation: - Added DcrService for AS metadata discovery (RFC 8414) and client registration (RFC 7591) - Implemented PKCE (Proof Key for Code Exchange) in OAuthManager for Authorization Code flows - Integrated DCR into oauth_router to auto-register when issuer present but client_id missing - Added RegisteredOAuthClient model to store DCR registrations with encrypted credentials - Added code_verifier field to OAuthState model for PKCE support - Created Alembic migrations for new database schema Configuration: - Added DCR settings: dcr_enabled, dcr_auto_register_on_missing_credentials, dcr_default_scopes - Added OAuth discovery settings: oauth_discovery_enabled, oauth_preferred_code_challenge_method - Added DCR security settings: dcr_allowed_issuers, dcr_token_endpoint_auth_method OAuth Enhancements: - Support for public OAuth clients (PKCE-only, no client_secret) - Accept both HTTP 200 and 201 for DCR registration responses - Fixed OAuth field name inconsistencies (authorization_url/token_url vs authorization_endpoint/token_endpoint) - Skip strict URL validation for OAuth-protected servers - Support both SSE and STREAMABLEHTTP transports for OAuth servers UI/UX Improvements: - Added OAuth 2.0 option to auth_type dropdown in admin UI - Added oauth_issuer field for DCR configuration - Made Authorization Code the default grant type - Added help text for Client ID and Client Secret fields explaining DCR - Backend now assembles oauth_config from individual form fields - Auto-detects auth_type="oauth" when OAuth config is present - Made OAuth authorization fields always visible when OAuth 2.0 is selected Testing: - 22 PKCE unit tests covering parameter generation, state storage, token exchange - 23 DCR unit tests covering AS discovery, client registration, error handling - 8 integration tests covering end-to-end DCR and PKCE flows - All 53 tests passing with proper database session isolation and aiohttp mocking - Imported OAuthState and RegisteredOAuthClient models in test conftest for schema creation Bug Fixes: - Fixed JavaScript in admin.js that was incorrectly assembling oauth_config - Handle missing client_secret for public clients in token exchange - Only decrypt client_secret if present (avoid NoneType errors) - Clear metadata cache in tests for proper isolation - Added debug logging for OAuth config assembly Validation: - Tested end-to-end with systemprompt-mcp-server (Reddit MCP) - Successfully completed DCR + PKCE + OAuth flow with real-world server - Verified token encryption/decryption works correctly - Confirmed PKCE code_challenge and code_verifier flow Closes IBM#979 (Phase 1.4 - Integration into OAuth router) * fix: Remove unused imports in dcr_service.py Removed unused imports to fix ruff and flake8 linting errors: - timedelta (not used in the file) - Optional (not used in the file) All other imports (datetime, timezone, Any, Dict, List) are used. * fix: Update existing OAuth tests for PKCE implementation Updated existing OAuth tests to match the new PKCE implementation: 1. test_initiate_authorization_code_flow_success: - Now expects PKCE parameters in authorization URL - Removed mocking of old _create_authorization_url method - Validates code_challenge and code_challenge_method presence 2. test_complete_authorization_code_flow_success: - Updated _exchange_code_for_tokens call to include code_verifier - Stores code_verifier with state for PKCE validation 3. test_complete_authorization_code_flow_no_token_storage: - Updated to use _validate_and_retrieve_state (returns state data) - Includes code_verifier in mocked state data - Updated _exchange_code_for_tokens assertion to include code_verifier 4. test_fetch_tools_after_oauth_success: - Updated to mock _connect_to_sse_server_without_validation - This is the new method used for OAuth servers (skips validation) These tests were written before PKCE was implemented and needed updates to match the new method signatures and flow. * fix: Mock get_settings in OAuth tests to provide proper SecretStr Fixed TypeError in OAuth tests where HMAC signature generation was receiving a MagicMock instead of bytes for the secret key. Changes: - Wrapped test_initiate_authorization_code_flow_success with get_settings mock - Wrapped test_complete_authorization_code_flow_no_token_storage with get_settings mock - Both tests now provide SecretStr for auth_encryption_secret - HMAC signature generation uses proper bytes This fixes the CI/CD failures: - TypeError: key: expected bytes or bytearray, but got 'MagicMock' * chore: Apply linter and formatter fixes for OAuth DCR implementation - Reformat code with black and isort - Fix trailing whitespace - Optimize imports and line length * fix: Resolve pylint warnings in OAuth DCR implementation - Fix import-outside-toplevel warning in oauth_manager.py - Remove unnecessary else-after-return statements - Fix singleton comparison for is_active boolean - Add pylint disable comments for intentional patterns - Suppress fixme warning for documented TODO * docs: Update OAuth and DCR documentation for PKCE and implementation details OAuth Documentation (oauth.md): - Add comprehensive PKCE section explaining RFC 7636 implementation - Update FAQ to reflect that PKCE is now implemented and automatic - Document PKCE flow: code_verifier generation, challenge computation, state storage DCR Documentation (dcr.md): - Expand from sparse overview to comprehensive implementation guide - Add all environment variables with defaults and descriptions - Document AS metadata discovery (RFC 8414) with caching details - Add client registration flow with request/response examples - Include configuration examples for auto-registration, manual, and public clients - Document database schema for registered_oauth_clients and oauth_states tables - Add security features: issuer allowlist, encryption, PKCE integration, validation - Add troubleshooting section for common DCR issues - Add monitoring section with log queries and SQL examples * fix: Improve cross-database compatibility and defensive checks in DCR migrations - Replace server_default='1' with sa.true() for PostgreSQL compatibility - Add table existence checks before ALTER operations - Handle fresh database installations gracefully - Follow existing migration patterns for conditional upgrades * docs: Update README and .env.example for OAuth DCR and PKCE features - Add comprehensive DCR configuration section to README.md with all environment variables and documentation links - Add DCR and PKCE configuration variables to .env.example with detailed descriptions and security notes - Update OAuth section to highlight DCR and PKCE as key features - Include references to DCR configuration guide, OAuth integration docs, and HyperMCP tutorial - Add formatting fixes to oauth_manager.py (isort) Enhances documentation for RFC 7591 (DCR) and RFC 7636 (PKCE) implementation to help users configure OAuth-protected MCP servers. Signed-off-by: Mihai Criveti <[email protected]> * security: Remove debug console.log exposing OAuth config Remove development debug console.log statements that were logging OAuth configuration including potentially sensitive data like client_id and issuer information to browser console. While client_id and issuer are not secrets, logging OAuth config violates defense-in-depth principles and could leak configuration details during development/debugging. Security Impact: Low (no secrets exposed, but reduces attack surface) Signed-off-by: Mihai Criveti <[email protected]> * chore: Remove outdated DCR validation script The test_dcr_implementation.sh script is a legacy development artifact with incorrect expectations (looks for admin_dcr_router.py which doesn't exist, wrong migration file patterns, wrong documentation paths). The comprehensive pytest suite (53 DCR/PKCE tests, 3,304 total tests) provides complete validation. This script is redundant and misleading. --------- Signed-off-by: Mihai Criveti <[email protected]> Co-authored-by: Mihai Criveti <[email protected]> Co-authored-by: Mihai Criveti <[email protected]>
Signed-off-by: Madhav Kandukuri <[email protected]>
…BM#1162) * feat: implement dynamic environment variable injection for STDIO MCP servers Implements dynamic environment variable injection in mcpgateway.translate to extract HTTP headers from incoming requests and inject them as environment variables when starting STDIO MCP processes. Core changes: - Enhanced StdIOEndpoint class with environment variable support - Added CLI arguments --enable-dynamic-env and --header-to-env - New translate_header_utils.py for secure header processing - Comprehensive test coverage (unit, integration, e2e) - Full backward compatibility maintained Enables multi-tenant support for enterprise MCP deployments where different users need different tokens passed to STDIO MCP servers. Closes IBM#964 Signed-off-by: Manav Gupta <[email protected]> * fix: resolve test failures and linting errors - Remove unused imports and variables to fix ruff linting errors - Fix test expectations for process cleanup after stop() - Improve E2E test robustness with timeout handling for SSE streaming - All tests now pass consistently Fixes CI failures for PR IBM#1162 * fix: resolve remaining test failures and improve E2E test architecture - Fix req_id scope errors in main.py endpoints - Add missing returncode attributes to mock process classes - Enhance MockStdio class with required methods - Enable authentication settings for credential tests - Implement dynamic port allocation to prevent conflicts - Add proper MCP SSE flow with timeout handling - Fix hanging tests with timeout decorators - Update status code assertions to be flexible All tests now pass consistently without hanging. Signed-off-by: Manav Gupta <[email protected]> * fix: resolve event loop cleanup issue in E2E tests - Move asyncio.sleep outside httpx.AsyncClient context - Prevent event loop closure during health check retries - Fix CI/CD failures while maintaining local test compatibility Signed-off-by: Manav Gupta <[email protected]> * fixed 'Text file busy' errors that show up only on CI/CD Signed-off-by: Manav Gupta <[email protected]> * Increased timeout to 5s to fix timeout handling in tests Signed-off-by: Manav Gupta <[email protected]> * Fixed tests, and tested them with GitHub Actions Locally Signed-off-by: Manav Gupta <[email protected]> * fix: resolve pylint warnings in translate.py - Add is_running() public method to StdIOEndpoint to avoid accessing protected _proc attribute - Move parse_header_mappings import to top-level imports to avoid import-outside-toplevel warning - Apply code formatting with black to maintain consistency This improves code quality while maintaining all functionality. Signed-off-by: Mihai Criveti <[email protected]> * docs: document dynamic environment variable injection feature Add comprehensive documentation for the new dynamic environment variable injection feature in mcpgateway.translate: - Added new section in Configuration Options table - Documented --enable-dynamic-env and --header-to-env flags - Added multi-tenant GitHub Enterprise example with per-user tokens - Included security features and validation details - Updated Features table to highlight dynamic environment injection This enables users to understand and implement multi-tenant deployments where different users need different credentials passed to MCP servers. Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Manav Gupta <[email protected]> Signed-off-by: Mihai Criveti <[email protected]> Co-authored-by: Mihai Criveti <[email protected]>
* feat: enable customization of OPA policy file path Signed-off-by: Frederico Araujo <[email protected]> * docs: update OPA plugin README Signed-off-by: Frederico Araujo <[email protected]> * chore: update manifest Signed-off-by: Frederico Araujo <[email protected]> * chore: update opa plugin .env template Signed-off-by: Frederico Araujo <[email protected]> * Update plugins/external/opa/run-server.sh Co-authored-by: Zhen Wang <[email protected]> Signed-off-by: Frederico Araujo <[email protected]> * fix: improve shell quoting and test mock completeness - Add proper quoting to shell variables in run-server.sh to prevent word splitting and globbing issues (SC2086) - Add missing is_running() method to MockStdio in test_concurrent_requests to match StdIOEndpoint interface - Remove trailing whitespace from .env.template Fixes test failure: test_concurrent_requests AttributeError Addresses shellcheck warnings in run-server.sh Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Frederico Araujo <[email protected]> Signed-off-by: Mihai Criveti <[email protected]> Co-authored-by: Zhen Wang <[email protected]> Co-authored-by: Mihai Criveti <[email protected]>
Signed-off-by: Mohan Lakshmaiah <[email protected]>
* Catalog docs Signed-off-by: Mihai Criveti <[email protected]> * Catalog docs Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]>
* Fix 1109: MCP Gateway UI OAuth2 Integration Fails with Keycloak Due to Missing x-www-form-urlencoded Support Signed-off-by: Mihai Criveti <[email protected]> * Fix 1109: MCP Gateway UI OAuth2 Integration Fails with Keycloak Due to Missing x-www-form-urlencoded Support Signed-off-by: Mihai Criveti <[email protected]> * Fix 1109: MCP Gateway UI OAuth2 Integration Fails with Keycloak Due to Missing x-www-form-urlencoded Support Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]>
* updates to readme for issue IBM#1159 * ARM64 builds are currently not available, *not* AMD64 Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]> Co-authored-by: Mihai Criveti <[email protected]>
* Update catalog Signed-off-by: Mihai Criveti <[email protected]> * Update catalog Signed-off-by: Mihai Criveti <[email protected]> * Update catalog Signed-off-by: Mihai Criveti <[email protected]> * Update catalog Signed-off-by: Mihai Criveti <[email protected]> * Update catalog Signed-off-by: Mihai Criveti <[email protected]> --------- Signed-off-by: Mihai Criveti <[email protected]>
Signed-off-by: Mohan Lakshmaiah <[email protected]>
Signed-off-by: Mohan Lakshmaiah <[email protected]>
Signed-off-by: Mohan Lakshmaiah <[email protected]>
Signed-off-by: Mohan Lakshmaiah <[email protected]>
Signed-off-by: Mohan Lakshmaiah <[email protected]>
Signed-off-by: Mohan Lakshmaiah <[email protected]>
…xt-forge into session_persistence fix failing test cases
Fixed Rebase issues Signed-off-by: Mohan Lakshmaiah <[email protected]>
fix merge conflicts Signed-off-by: Mohan Lakshmaiah <[email protected]>
fix merge conflicts Signed-off-by: Mohan Lakshmaiah <[email protected]>
…xt-forge into session_persistence Fixing merge conflicts
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Session Pooling Implementation:
Introduced a session pooling mechanism to reuse SSE/WebSocket sessions for the same user and server.
Added the following methods:
Added _pooled_sessions and _pool_metrics to track pooled sessions and metrics.
Session Pooling for SSE and WebSocket:
Reduces redundant session creation by reusing existing sessions for the same user and server.
Improves performance and resource utilization for high-concurrency scenarios.
Automatically evicts idle sessions after a configurable timeout (SESSION_POOL_MAX_IDLE).
Ensures efficient memory and resource management.
Tracks and reports session pool usage metrics:
Hits: Number of times a valid pooled session was reused.
Misses: Number of times no valid pooled session was found.
Evictions: Number of idle sessions evicted from the pool.
Allows fine-grained control over session pooling via [.env] settings:
Enable/disable pooling globally or for specific servers.
Configure idle timeouts and user session limits.
Integrated pooling logic into both SSE and WebSocket workflows without disrupting existing functionality.
Ensures compatibility with existing session management and cleanup mechanisms.
These changes enhance the scalability and efficiency of the system, particularly for deployments with high user concurrency and frequent session reuse.
docs/docs/overview/session_pooling.mdanddocs/docs/overview/features.md