From e450f1b30fb47ec1b9662f70f488fd3d4c39bc76 Mon Sep 17 00:00:00 2001
From: Wazir Ahmed <wazirahmedf@gmail.com>
Date: Tue, 20 Jan 2026 13:43:23 +0530
Subject: [PATCH] MCP: Handle DELETE method

- Respond with 405 Method Not Allowed, when clients send DELETE
  request for session termination.

Signed-off-by: Wazir Ahmed <wazir@proxysql.com>
---
 include/MCP_Endpoint.h | 18 +++++++++++++++++-
 lib/MCP_Endpoint.cpp   | 21 +++++++++++++++++++++
 2 files changed, 38 insertions(+), 1 deletion(-)

diff --git a/include/MCP_Endpoint.h b/include/MCP_Endpoint.h
index 1c0c54b43..b1bd98948 100644
--- a/include/MCP_Endpoint.h
+++ b/include/MCP_Endpoint.h
@@ -150,7 +150,7 @@ public:
 	 *
 	 * Returns HTTP 405 Method Not Allowed for GET requests.
 	 *
-	 * According to the MCP specification (Streamable HTTP transport):
+	 * According to the MCP specification 2025-06-18 (Streamable HTTP transport):
 	 * "The server MUST either return Content-Type: text/event-stream in response to
 	 * this HTTP GET, or else return HTTP 405 Method Not Allowed, indicating that
 	 * the server does not offer an SSE stream at this endpoint."
@@ -174,6 +174,22 @@ public:
 		const httpserver::http_request& req
 	) override;
 
+	/**
+	 * @brief Handle DELETE requests
+	 *
+	 * Returns HTTP 405 Method Not Allowed for DELETE requests.
+	 *
+	 * According to the MCP specification 2025-06-18 (Streamable HTTP transport):
+	 * "The server MAY respond to this request with HTTP 405 Method Not Allowed,
+	 * indicating that the server does not allow clients to terminate sessions."
+	 *
+	 * @param req The HTTP request
+	 * @return HTTP 405 response with Allow header
+	 */
+	const std::shared_ptr<httpserver::http_response> render_DELETE(
+		const httpserver::http_request& req
+	) override;
+
 	/**
 	 * @brief Handle POST requests
 	 *
diff --git a/lib/MCP_Endpoint.cpp b/lib/MCP_Endpoint.cpp
index dd61a2bec..983978b84 100644
--- a/lib/MCP_Endpoint.cpp
+++ b/lib/MCP_Endpoint.cpp
@@ -147,6 +147,27 @@ const std::shared_ptr<http_response> MCP_JSONRPC_Resource::render_OPTIONS(
 	return response;
 }
 
+const std::shared_ptr<http_response> MCP_JSONRPC_Resource::render_DELETE(
+	const httpserver::http_request& req
+) {
+	std::string req_path = req.get_path();
+	proxy_debug(PROXY_DEBUG_GENERIC, 2, "Received MCP DELETE request on %s - returning 405 Method Not Allowed\n", req_path.c_str());
+
+	// ProxySQL doesn't support session termination
+	// Return 405 Method Not Allowed with Allow header indicating supported methods
+	auto response = std::shared_ptr<http_response>(new string_response(
+		"",
+		http::http_utils::http_method_not_allowed  // 405
+	));
+	response->with_header("Allow", "POST, OPTIONS");  // Tell client what IS allowed
+
+	if (handler) {
+		handler->status_variables.total_requests++;
+	}
+
+	return response;
+}
+
 std::string MCP_JSONRPC_Resource::create_jsonrpc_response(
 	const std::string& result,
 	const json& id