feat: include W3C trace context headers

DaleSeo · DaleSeo · commit ea774ce248de · 2025-09-23T15:19:32.000-04:00
diff --git a/crates/apollo-mcp-server/src/cors.rs b/crates/apollo-mcp-server/src/cors.rs
@@ -52,9 +52,15 @@ impl Default for CorsConfig {
                 "content-type".to_string(),
                 "mcp-protocol-version".to_string(), // https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#protocol-version-header
                 "mcp-session-id".to_string(), // https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#session-management
+                "traceparent".to_string(), // https://www.w3.org/TR/trace-context/#traceparent-header
+                "tracestate".to_string(),  // https://www.w3.org/TR/trace-context/#tracestate-header
             ],
-            expose_headers: vec!["mcp-session-id".to_string()], // https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#session-management
-            max_age: Some(7200),                                // 2 hours
+            expose_headers: vec![
+                "mcp-session-id".to_string(), // https://modelcontextprotocol.io/specification/2025-06-18/basic/transports#session-management
+                "traceparent".to_string(), // https://www.w3.org/TR/trace-context/#traceparent-header
+                "tracestate".to_string(),  // https://www.w3.org/TR/trace-context/#tracestate-header
+            ],
+            max_age: Some(7200), // 2 hours
         }
     }
 }
@@ -225,6 +231,16 @@ mod tests {
                 "content-type".to_string(),
                 "mcp-protocol-version".to_string(),
                 "mcp-session-id".to_string(),
+                "traceparent".to_string(),
+                "tracestate".to_string(),
+            ]
+        );
+        assert_eq!(
+            config.expose_headers,
+            vec![
+                "mcp-session-id".to_string(),
+                "traceparent".to_string(),
+                "tracestate".to_string(),
             ]
         );
         assert_eq!(config.max_age, Some(7200));
diff --git a/crates/apollo-mcp-server/src/runtime.rs b/crates/apollo-mcp-server/src/runtime.rs
@@ -158,9 +158,13 @@ mod test {
                         "content-type",
                         "mcp-protocol-version",
                         "mcp-session-id",
+                        "traceparent",
+                        "tracestate",
                     ],
                     expose_headers: [
                         "mcp-session-id",
+                        "traceparent",
+                        "tracestate",
                     ],
                     max_age: Some(
                         7200,
diff --git a/docs/source/_sidebar.yaml b/docs/source/_sidebar.yaml
@@ -28,7 +28,7 @@ items:
         href: "./deploy"
       - label: "Health Checks"
         href: "./health-checks"
-      - label: "CORS Support"
+      - label: "CORS"
         href: "./cors"
   - label: "Authorization"
     href: "./auth"
diff --git a/docs/source/config-file.mdx b/docs/source/config-file.mdx
@@ -45,17 +45,17 @@ These fields are under the top-level `graphos` key and define your GraphOS graph
 
 These fields are under the top-level `cors` key and configure Cross-Origin Resource Sharing (CORS) for browser-based MCP clients.
 
-| Option              | Type           | Default                             | Description                                                                                              |
-| :------------------ | :------------- | :---------------------------------- | :------------------------------------------------------------------------------------------------------- |
-| `enabled`           | `bool`         | `false`                             | Enable CORS support                                                                                      |
-| `origins`           | `List<string>` | `[]`                                | List of allowed origins (exact matches). Use `["*"]` to allow any origin (not recommended in production) |
-| `match_origins`     | `List<string>` | `[]`                                | List of regex patterns to match allowed origins (e.g., `"^https://localhost:[0-9]+$"`)                   |
-| `allow_any_origin`  | `bool`         | `false`                             | Allow requests from any origin. Cannot be used with `allow_credentials: true`                            |
-| `allow_credentials` | `bool`         | `false`                             | Allow credentials (cookies, authorization headers) in CORS requests                                      |
-| `allow_methods`     | `List<string>` | `["GET", "POST", "OPTIONS"]`        | List of allowed HTTP methods                                                                             |
-| `allow_headers`     | `List<string>` | `["content-type", "authorization"]` | List of allowed request headers                                                                          |
-| `expose_headers`    | `List<string>` | `[]`                                | List of response headers exposed to the browser (e.g., `["mcp-session-id"]`)                             |
-| `max_age`           | `number`       | `86400`                             | Maximum age (in seconds) for preflight cache                                                             |
+| Option              | Type           | Default                                                                                   | Description                                                                                              |
+| :------------------ | :------------- | :---------------------------------------------------------------------------------------- | :------------------------------------------------------------------------------------------------------- |
+| `enabled`           | `bool`         | `false`                                                                                   | Enable CORS support                                                                                      |
+| `origins`           | `List<string>` | `[]`                                                                                      | List of allowed origins (exact matches). Use `["*"]` to allow any origin (not recommended in production) |
+| `match_origins`     | `List<string>` | `[]`                                                                                      | List of regex patterns to match allowed origins (e.g., `"^https://localhost:[0-9]+$"`)                   |
+| `allow_any_origin`  | `bool`         | `false`                                                                                   | Allow requests from any origin. Cannot be used with `allow_credentials: true`                            |
+| `allow_credentials` | `bool`         | `false`                                                                                   | Allow credentials (cookies, authorization headers) in CORS requests                                      |
+| `allow_methods`     | `List<string>` | `["GET", "POST", "OPTIONS"]`                                                              | List of allowed HTTP methods                                                                             |
+| `allow_headers`     | `List<string>` | `["content-type", "mcp-protocol-version", "mcp-session-id", "traceparent", "tracestate"]` | List of allowed request headers                                                                          |
+| `expose_headers`    | `List<string>` | `["mcp-session-id", "traceparent", "tracestate"]`                                         | List of response headers exposed to the browser (includes MCP and W3C Trace Context headers)             |
+| `max_age`           | `number`       | `86400`                                                                                   | Maximum age (in seconds) for preflight cache                                                             |
 
 ### Health checks
 
diff --git a/docs/source/cors.mdx b/docs/source/cors.mdx
@@ -113,18 +113,23 @@ cors:
     - POST
 
   # The headers to allow.
-  # These are the default headers required for MCP protocol
+  # These are the default headers required for MCP protocol and trace context
   allow_headers:
     - accept
     - content-type
     - mcp-protocol-version
     - mcp-session-id
+    - traceparent # W3C Trace Context
+    - tracestate # W3C Trace Context
 
   # Which response headers are available to scripts running in the
   # browser in response to a cross-origin request.
   # The mcp-session-id header should be exposed for MCP session management.
+  # Trace context headers are exposed for distributed tracing.
   expose_headers:
     - mcp-session-id
+    - traceparent # W3C Trace Context
+    - tracestate # W3C Trace Context
 
   # Adds the Access-Control-Max-Age header
   # Maximum age (in seconds) for preflight cache
