From 445ad2273c2b527fc98dd8c1e53b3108d6bd93ea Mon Sep 17 00:00:00 2001
From: Kazuhiro Sera
Date: Wed, 20 May 2026 12:38:30 +0900
Subject: [PATCH 1/2] docs: add SECURITY.md in the same way with openai-agents-js repo
---
 SECURITY.md | 5 +++++
 1 file changed, 5 insertions(+)
 create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000000..f3ecd61a17
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,5 @@
+# Security Policy
+
+For a more in-depth look at our security policy, please check out our [Coordinated Vulnerability Disclosure Policy](https://openai.com/security/disclosure/#:~:text=Disclosure%20Policy,-Security%20is%20essential&text=OpenAI%27s%20coordinated%20vulnerability%20disclosure%20policy,expect%20from%20us%20in%20return.).
+
+Our PGP key can located [at this address.](https://cdn.openai.com/security.txt)
From 9514473c234c8419b812b658157a5c3d4341713f Mon Sep 17 00:00:00 2001
From: Illia Oleksiuk <42911468+ioleksiuk@users.noreply.github.com>
Date: Tue, 19 May 2026 23:14:47 -0700
Subject: [PATCH 2/2] fix: apply hardened http client default to MCP SSE transport (#3466)
---
 src/agents/mcp/server.py | 5 +++--
 tests/mcp/test_mcp_auth_params.py | 6 ++++--
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/src/agents/mcp/server.py b/src/agents/mcp/server.py
index be595f11c5..8d3bdd752a 100644
--- a/src/agents/mcp/server.py
+++ b/src/agents/mcp/server.py
@@ -1297,8 +1297,9 @@ def create_streams(
 }
 if "auth" in self.params:
 kwargs["auth"] = self.params["auth"]
- if "httpx_client_factory" in self.params:
- kwargs["httpx_client_factory"] = self.params["httpx_client_factory"]
+ kwargs["httpx_client_factory"] = (
+ self.params.get("httpx_client_factory") or _create_default_streamable_http_client
+ )
 return sse_client(**kwargs)
 @property
diff --git a/tests/mcp/test_mcp_auth_params.py b/tests/mcp/test_mcp_auth_params.py
index 14f52faf1e..ebc6c1934e 100644
--- a/tests/mcp/test_mcp_auth_params.py
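Review bot: In `create_streams` in src/agents/mcp/server.py, the new `self.params.get("httpx_client_factory") or _create_default_streamable_http_client` has no comment, although it decides who controls the SSE transport's HTTP settings: a caller-supplied factory replaces the hardened default outright rather than wrapping it, and an explicit `None` now silently selects the default. I would add a comment above the assignment such as `# Always pass a factory: a caller-supplied one replaces the hardened default entirely and must apply equivalent settings itself.` The default is named for the streamable-HTTP transport, so presumably its signature matches what `sse_client` passes to a factory; that is not visible here and is worth confirming. The body of `create_streams` starts outside the hunk.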
+++ b/tests/mcp/test_mcp_auth_params.py
@@ -16,7 +16,7 @@ class TestMCPServerSseAuthAndFactory:
 @pytest.mark.asyncio
 async def test_sse_default_no_auth_no_factory(self):
- """SSE create_streams passes only the four base params when no extras are set."""
+ """SSE create_streams falls back to the hardened default httpx_client_factory."""
 with patch("agents.mcp.server.sse_client") as mock_client:
 mock_client.return_value = MagicMock()
 server = MCPServerSse(params={"url": "http://localhost:8000/sse"})
@@ -26,11 +26,12 @@ async def test_sse_default_no_auth_no_factory(self):
 headers=None,
 timeout=5,
 sse_read_timeout=300,
+ httpx_client_factory=_create_default_streamable_http_client,
 )
 @pytest.mark.asyncio
 async def test_sse_with_auth(self):
- """SSE create_streams forwards the auth parameter when provided."""
+ """SSE create_streams forwards auth and still applies the hardened default factory."""
 auth = httpx.BasicAuth(username="user", password="pass")
 with patch("agents.mcp.server.sse_client") as mock_client:
 mock_client.return_value = MagicMock()
@@ -42,6 +43,7 @@ async def test_sse_with_auth(self):
 timeout=5,
 sse_read_timeout=300,
 auth=auth,
+ httpx_client_factory=_create_default_streamable_http_client,
 )
 @pytest.mark.asyncio
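Review bot: The updated SSE tests pin the fallback only when the `httpx_client_factory` key is absent, in `test_sse_default_no_auth_no_factory` and again in `test_sse_with_auth`; the `or` in `create_streams` also maps an explicit `None` to the default, and nothing visible in these hunks covers that. A further case with `params={"url": "http://localhost:8000/sse", "httpx_client_factory": None}` asserting `httpx_client_factory=_create_default_streamable_http_client` would stop a later refactor back to `"httpx_client_factory" in self.params` from quietly forwarding `None` and dropping the hardening. These assertions check only the identity of the factory, so what the default actually enforces is presumably tested elsewhere.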