sgcWebSockets 2026.6 is one of the largest releases in the library's history. It brings three brand-new clients (a native gRPC client, an Apache Kafka client and a standalone OpenAPI 3 server), two native operating-system TLS backends that let your mobile and desktop apps ship without OpenSSL, a classify-only bot detection engine in the firewall, an MCP stdio transport for AI agents, a set of post-quantum crypto primitives, and a broad security hardening pass across the WebSocket and HTTP servers.
This post is a guided tour of the highlights, with a short Delphi snippet for each and a link to the dedicated article where every feature is covered in depth.
gRPC client over HTTP/2
The new TsgcGRPCClient is a native gRPC client built on the existing TsgcHTTP2Client, with no external gRPC runtime to deploy. It supports the four RPC patterns (unary, server streaming, client streaming and bidirectional streaming), channel options for compression and content-type, default and per-call metadata, deadlines, automatic retries with exponential backoff, client-side load balancing (Pick First and Round Robin), gRPC Health Checking, Server Reflection, interceptors and OpenTelemetry metrics.
uses
  sgcHTTP2, sgcGRPC_Client, sgcGRPC_Classes, sgcGRPC_Types;
var
  HTTP2: TsgcHTTP2Client;
  GRPC: TsgcGRPCClient;
  oResponse: TsgcGRPCResponse;
  RequestBytes: TBytes; // your serialized protobuf request message
begin
  HTTP2 := TsgcHTTP2Client.Create(nil);
  HTTP2.Host := 'grpc.example.com';
  HTTP2.Port := 443;
  HTTP2.TLS := True;
  GRPC := TsgcGRPCClient.Create(nil);
  GRPC.Client := HTTP2;
  // metadata is sent on every call (auth, tracing...)
  GRPC.DefaultMetadata.Add('authorization', 'Bearer eyJ...');
  // unary call: the request is your serialized protobuf message as TBytes
  oResponse := GRPC.Call('helloworld.Greeter', 'SayHello', RequestBytes);
  if oResponse.StatusCode = grpcOK then
    Memo1.Text := oResponse.DataString
  else
    ShowMessage('gRPC error: ' + oResponse.StatusMessage);
end;
On top of the generic client, 2026.6 ships typed gRPC interfaces for eight Google Cloud services, each with protobuf request and response classes and service-account JWT authentication: Pub/Sub, Speech-to-Text, Translation, Vision, Natural Language, Cloud Storage, BigQuery Storage and Vertex AI. Full walkthrough: gRPC Client for Delphi.
Standalone OpenAPI 3 server
TsgcWSAPIServer_OpenAPI turns an OpenAPI 3 specification into a running REST server. Load a spec (or generate one from a Delphi class via RTTI attributes), attach it to a TsgcWebSocketHTTPServer, and you get routing, request validation, Swagger UI and CORS out of the box. Validation failures return RFC 7807 problem+json automatically.
uses
  sgcWebSocket, sgcWebSocket_Classes,
  sgcWebSocket_Server_API_OpenAPI,
  sgcHTTP_OpenAPI_Server;
var
  WSServer: TsgcWebSocketHTTPServer;
  FOpenAPI: TsgcWSAPIServer_OpenAPI;
begin
  WSServer := TsgcWebSocketHTTPServer.Create(nil);
  WSServer.Port := 8080;
  FOpenAPI := TsgcWSAPIServer_OpenAPI.Create(nil);
  FOpenAPI.OnRequest := OnOpenAPIRequest;
  FOpenAPI.OnValidationError := OnOpenAPIValidationError;
  FOpenAPI.OpenAPIOptions.Endpoint.ServeSpec := True;
  FOpenAPI.OpenAPIOptions.Endpoint.ServeSwaggerUI := True;
  FOpenAPI.OpenAPIOptions.CORS.Enabled := True;
  FOpenAPI.OpenAPIOptions.Validation.ValidateRequest := True;
  FOpenAPI.LoadFromFile('petstore.json');
  FOpenAPI.Server := WSServer;
  WSServer.Active := True;
  // Swagger UI: http://localhost:8080/docs
  // Raw spec: http://localhost:8080/openapi.json
end;
Read more: OpenAPI Server for Delphi.
Apache Kafka client
TsgcWSPClient_Kafka is a native Apache Kafka client that speaks the binary Kafka wire protocol over raw TCP, with no Java or librdkafka dependency. Produce and consume messages, subscribe and poll, and manage consumer groups, topics and offsets.
uses
  sgcWebSocket, sgcWebSocket_Protocols, sgcKafka_Classes;
var
  oClient: TsgcWebSocketClient;
  oKafka: TsgcWSPClient_Kafka;
begin
  oClient := TsgcWebSocketClient.Create(nil);
  oClient.Specifications.RFC6455 := False; // raw TCP, native Kafka protocol
  oClient.Host := '127.0.0.1';
  oClient.Port := 9092;
  oKafka := TsgcWSPClient_Kafka.Create(nil);
  oKafka.Client := oClient;
  oKafka.KafkaOptions.ClientId := 'my-delphi-app';
  oKafka.OnKafkaConnect := OnKafkaConnect;
  oKafka.OnKafkaMessage := OnKafkaMessage;
  oKafka.OnKafkaProduce := OnKafkaProduce;
  oClient.Active := True; // connect to the broker
end;
Read more: Apache Kafka Client for Delphi.
Native TLS on Android and Apple, no OpenSSL to deploy
Two new TLS backends run the handshake through the operating system instead of OpenSSL, so your app ships no libssl.so / libcrypto.so on Android and no .dylib on iOS and macOS. Both are selected per platform through TLSOptions.IOHandler and reuse the same TLSOptions API you already use (custom CA, client certificate, ALPN).
Android (iohAndroidTLS) runs TLS through the platform javax.net.ssl.SSLEngine via JNI, validates against the Android system trust store with hostname verification, negotiates TLS 1.3 and supports ALPN on Android 10 and later. Requires RAD Studio XE8+.
uses
  sgcWebSocket, sgcWebSocket_Types;

WSClient.TLS := True;
WSClient.TLSOptions.IOHandler := iohAndroidTLS;
WSClient.URL := 'wss://www.esegece.com:2053';
WSClient.Active := True;
Apple (iohAppleTLS) auto-selects Network.framework for TLS 1.3 on macOS 10.14+ and iOS 12+, and falls back to Secure Transport (TLS 1.2) on older systems. It uses the system trust store with SNI and hostname verification, and exposes the OnAppleTLSVerifyPeer event for custom validation. Requires RAD Studio XE6+.
uses
  sgcWebSocket, sgcWebSocket_Types;

WSClient.TLS := True;
WSClient.TLSOptions.IOHandler := iohAppleTLS;
WSClient.URL := 'wss://www.esegece.com:2053';
WSClient.Active := True;
Read more: Native Android TLS and Native Apple TLS.
Firewall bot detection
TsgcWebSocketFirewall gains an IP-based bot detection module that classifies a client as a verified search-engine crawler, a datacenter range or a blocklisted address, using known-bot CIDR lists, datacenter ASN ranges, forward-confirmed reverse DNS (FCrDNS) and DNSBL lookups. It is classify-only: the result is exposed through the new OnBotDetected event and the GetBotClassification method, so you decide what to do with it rather than the firewall blocking connections for you.
TsgcBotClassification = (bcUnknown, bcVerifiedCrawler, bcDatacenter,
  bcSuspectedBot, bcBlocklisted, bcHuman);
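How the forward-confirmed reverse DNS step works, as an added Python illustration that is not sgcWebSockets code. The resolvers are stubs over constructed records (documentation address ranges and a hypothetical bot.example crawler domain), and all names in the block are assumptions.

```python
import ipaddress

# Constructed DNS records: documentation IP ranges, hypothetical domains.
PTR = {
    "192.0.2.10": ["crawl-10.bot.example."],
    "2001:db8::10": ["crawl-v6.bot.example."],
    "198.51.100.7": ["crawl-7.bot.example."],    # PTR claims to be the crawler
    "198.51.100.9": ["crawl.evilbot.example."],  # look-alike domain
    "203.0.113.5": ["host5.isp.example."],
}
FWD = {
    "crawl-10.bot.example": ["192.0.2.10"],
    "crawl-v6.bot.example": ["2001:db8:0:0:0:0:0:10"],
    "crawl-7.bot.example": ["192.0.2.77"],       # ...but does not resolve back
    "crawl.evilbot.example": ["198.51.100.9"],
    "host5.isp.example": ["203.0.113.5"],
}
CRAWLER_SUFFIXES = ("bot.example",)  # assumed crawler domain for this demo


def reverse_lookup(ip):
    return PTR.get(str(ipaddress.ip_address(ip)), [])


def forward_lookup(host):
    return FWD.get(host, [])


def fcrdns_verified(ip, suffixes=CRAWLER_SUFFIXES,
                    reverse=reverse_lookup, forward=forward_lookup):
    """True only if a PTR name is in an allowed domain AND resolves back to ip."""
    addr = ipaddress.ip_address(ip)
    for name in reverse(ip):
        host = name.rstrip(".").lower()
        # Match on a label boundary: "evilbot.example" must not pass as "bot.example".
        if not any(host == s or host.endswith("." + s) for s in suffixes):
            continue
        # Compare parsed addresses so differing IPv6 text forms still match.
        if addr in {ipaddress.ip_address(a) for a in forward(host)}:
            return True
    return False
```

A PTR record alone is controlled by whoever owns the address block, which is why the forward lookup has to confirm it.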
This release also brings full IPv6 to the firewall: blacklist and whitelist CIDR matching up to /128, GeoLite2 IPv6 country blocks, IPv6 bot ranges and ip6.arpa reverse DNS / DNSBL. A long-standing bug where an IPv6 CIDR was evaluated with 32-bit math (and so matched every IPv6 client) is fixed. Read more: Bot Detection in the Firewall.
MCP stdio transport
The Model Context Protocol server and client can now run over standard input/output through the new TsgcAI_MCP_Server_Stdio host, so your Delphi MCP server can be spawned as a local subprocess by AI agents such as Claude Code. Tools are registered exactly as they are on the HTTP server.
uses
  SysUtils, sgcAI_MCP_Server, sgcAI_MCP_Classes, sgcAI_MCP_Types;
var
  oServer: TsgcAI_MCP_Server_Stdio;
  oTool: TsgcAI_MCP_Tool;
begin
  oServer := TsgcAI_MCP_Server_Stdio.Create(nil);
  try
    oServer.ServerInfo.Name := 'MyDelphiServer';
    oServer.ServerInfo.Version := '1.0';
    oTool := oServer.MCPServer.Tools.AddTool('add', 'Adds two numbers');
    oTool.InputSchema.Properties.AddProperty('a', True, aimcpjtNumber);
    oTool.InputSchema.Properties.AddProperty('b', True, aimcpjtNumber);
    oServer.MCPServer.OnMCPRequestTool := OnRequestTool;
    // read JSON-RPC from stdin, write responses to stdout, blocks until EOF
    oServer.Run;
  finally
    oServer.Free;
  end;
end.
Read more: MCP stdio Transport for Server and Client.
Hardened by default
2026.6 closes a batch of denial-of-service and protocol-conformance issues in the servers, and surfaces the new limits as properties with safe defaults.
The WebSocket servers now bound message memory with MaxMessageSize (default 64 MB, 0 = unlimited), rejecting oversized messages, endless fragmentation and permessage-deflate "zip bombs" with close 1009. New SecurityOptions.EnforceWebSocketVersion and SecurityOptions.ValidateWebSocketKey validate the RFC 6455 handshake, both enabled by default.
oServer := TsgcWebSocketServer.Create(nil);
oServer.Port := 80;
// accept messages up to 16 MB, reject anything larger with close 1009
oServer.MaxMessageSize := 16 * 1024 * 1024;
oServer.Active := True;
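Why a message-size cap has to be enforced on the inflated size and across fragments, shown as an added Python illustration (not sgcWebSockets code). The 1 MB demo limit, the function names and the sample payloads are constructed for this example.

```python
import zlib

MAX_MESSAGE_SIZE = 1024 * 1024   # 1 MB cap for the demo (the server default is 64 MB)
CLOSE_TOO_BIG = 1009
TAIL = b"\x00\x00\xff\xff"       # RFC 7692: sender strips it, receiver re-appends it


class MessageTooBig(Exception):
    pass


def deflate_message(payload):
    """Sender side of permessage-deflate, used here to build sample input."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)   # raw deflate, no zlib header
    return (c.compress(payload) + c.flush(zlib.Z_SYNC_FLUSH))[:-4]


def receive_message(fragments, compressed, limit=MAX_MESSAGE_SIZE):
    """Reassemble one message; limit applies to wire bytes and inflated bytes."""
    wire = bytearray()
    for frag in fragments:   # endless fragmentation stops here
        if limit and len(wire) + len(frag) > limit:
            raise MessageTooBig("fragments exceed limit")
        wire += frag
    if not compressed:
        return bytes(wire)
    inflater = zlib.decompressobj(-15)
    out, data = bytearray(), bytes(wire) + TAIL
    while data:
        # Ask zlib for at most one byte past the limit, never the whole stream.
        room = limit - len(out) + 1 if limit else 0   # 0 means unbounded
        out += inflater.decompress(data, room)
        if limit and len(out) > limit:
            raise MessageTooBig("inflated size exceeds limit")
        data = inflater.unconsumed_tail
    return bytes(out)


def close_code(fragments, compressed, limit=MAX_MESSAGE_SIZE):
    """None if the message is accepted, 1009 if the limit rejects it."""
    try:
        receive_message(fragments, compressed, limit)
        return None
    except MessageTooBig:
        return CLOSE_TOO_BIG
```

Eight megabytes of zeros compress to a few kilobytes on the wire, so a check on frame length alone never sees the problem.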
The HTTP server adds MaxRequestBodySize (default 64 MB) and StrictRequestParsing (default True, rejecting a request that carries both Content-Length and Transfer-Encoding). Path traversal in static file serving is fixed, HTTP/2 Rapid Reset (CVE-2023-44487) is mitigated with per-connection RST_STREAM and control-frame limits, and DocumentRoot files are now streamed from disk with a shared TFileStream instead of being loaded fully into memory, so server RAM stays flat regardless of file size or connection count.
oServer := TsgcWebSocketHTTPServer.Create(nil);
oServer.Port := 80;
oServer.MaxRequestBodySize := 16 * 1024 * 1024; // 16 MB, reject larger with 413
oServer.Active := True;
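The framing checks behind StrictRequestParsing and MaxRequestBodySize, as an added Python illustration that is not the library's parser. It goes slightly beyond the Content-Length plus Transfer-Encoding case by also rejecting conflicting Content-Length values and whitespace around a field name; the 400 status for those rejections and the sample request are assumptions made for the example.

```python
MAX_REQUEST_BODY_SIZE = 16 * 1024 * 1024   # same 16 MB value as the snippet above

# Constructed sample: a request head carrying both framing headers.
AMBIGUOUS_HEAD = (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 6\r\nTransfer-Encoding: chunked\r\n\r\n")


def check_request_head(raw_head, max_body=MAX_REQUEST_BODY_SIZE):
    """Return (status, reason) for a raw HTTP/1.1 request head."""
    lines = raw_head.split(b"\r\n\r\n", 1)[0].split(b"\r\n")[1:]  # skip request line
    content_length, transfer_encoding = [], []
    for line in lines:
        name, sep, value = line.partition(b":")
        if not sep or name != name.strip():
            # No colon, or whitespace around the field name: parsers disagree here.
            return 400, "malformed header line"
        key = name.lower()   # field names are case-insensitive
        if key == b"content-length":
            content_length.append(value.strip())
        elif key == b"transfer-encoding":
            transfer_encoding.append(value.strip())
    if content_length and transfer_encoding:
        # Two ways to find the end of the body: front end and back end may differ.
        return 400, "both Content-Length and Transfer-Encoding"   # 400 is assumed
    if len(set(content_length)) > 1:
        return 400, "conflicting Content-Length values"
    if content_length:
        if not content_length[0].isdigit():
            return 400, "invalid Content-Length"
        if max_body and int(content_length[0]) > max_body:   # 0 = unlimited
            return 413, "body larger than limit"
    return 200, "ok"
```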
Read more: Hardening the WebSocket Server and Hardening the HTTP Server.
Post-quantum and AEAD crypto
For applications building hybrid post-quantum handshakes, 2026.6 adds ML-KEM-768 encapsulation and decapsulation (sgcKEM_MLKEM768_Encapsulate / Decapsulate, OpenSSL 3.5+) alongside a classical ECDH-as-KEM over P-256 (sgcKEM_ECDH_P256_Encapsulate / Decapsulate) that shares the same TBytes API shape, so you can switch between classical and post-quantum KEMs without changing your code.
A new sgcSSL_AEAD unit provides generic AEAD primitives (sgcAEAD_Encrypt / sgcAEAD_Decrypt) for AES-128-GCM, AES-256-GCM and ChaCha20-Poly1305, with a caller-supplied 12-byte nonce and arbitrary AAD. The sgcAEAD_EncryptPrefixed / sgcAEAD_DecryptPrefixed wrappers produce and consume the self-contained "nonce(12) || ciphertext || tag(16)" blob used by Bouncy Castle GCM, JOSE A256GCM, libsodium and most HPKE-style protocols.
uses
  sgcSSL_AEAD;
var
  vKey, vPlain, vBlob, vOut: TBytes;
begin
  // vKey: 32 bytes from KEM Decapsulate + HKDF
  vBlob := sgcAEAD_EncryptPrefixed(aeadAES256GCM, vKey, vPlain, nil);
  vOut := sgcAEAD_DecryptPrefixed(aeadAES256GCM, vKey, vBlob, nil);
end;
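The snippet above takes vKey from "KEM Decapsulate + HKDF". One way to do that step in a hybrid handshake, as an added Python example using only the standard library (not sgcWebSockets code): it assumes both KEMs hand back a 32-byte shared secret, and the function names, label and transcript parameter are hypothetical.

```python
import hashlib
import hmac


def hkdf_sha256(ikm, salt, info, length):
    """HKDF (RFC 5869) with HMAC-SHA256: extract, then expand."""
    if length > 255 * 32:
        raise ValueError("HKDF-SHA256 output is limited to 8160 bytes")
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def hybrid_aead_key(ss_classical, ss_pq, transcript, label=b"example hybrid v1"):
    """Derive one 32-byte AEAD key from two KEM shared secrets.

    The key stays secret as long as either KEM holds. `transcript` binds the key
    to the values exchanged in the handshake (public keys, KEM ciphertexts).
    """
    if len(ss_classical) != 32 or len(ss_pq) != 32:
        raise ValueError("expected 32-byte shared secrets")
    ikm = ss_classical + ss_pq   # fixed lengths, so concatenation is unambiguous
    salt = hashlib.sha256(transcript).digest()
    return hkdf_sha256(ikm, salt, label, 32)
```

Both peers must feed the same transcript bytes in the same order, otherwise they derive different keys and the first AEAD decrypt fails.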
Account download API
A new REST API on your eSeGeCe account lets you log in, list and download the files your subscription entitles you to, straight from scripts or CI. It is described with OpenAPI 3.0 and ships with a ready-to-use Delphi client built on sgcOpenAPI.
curl -X POST https://www.esegece.com/api/v1/login \
  -H "Content-Type: application/json" \
  -d '{"username":"YOUR_USERNAME","password":"YOUR_PASSWORD"}'
Read more: Automate Your Downloads with the Account API.
Also in this release
- Setup gains an Include Resources option: uncheck it to undefine SGC_RESOURCES before compilation and drop the embedded JS resource, reducing application size.
- MQTT 5.0: corrected the Subscription Identifier and Server Reference property identifiers, which strict 5.0 peers could reject.
- AMQP 1.0: large messages are now split across multiple frames when they exceed the negotiated max-frame-size.
- STOMP: fixed a heart-beat flood when the default settings left the outgoing interval at 0.
- Server-Sent Events: the fallback retry value is now sent in milliseconds, not multiplied by 1000.
- STUN / TURN: full 96-bit cryptographically-random transaction id, and ChannelData length now excludes padding per RFC 5766.
- Exchange APIs: fixes for Bybit, Kraken and MEXC stream subscriptions. The retired FXCM client has been removed.
- Options.WriteTimeOut now works on Linux and other POSIX platforms (SO_SNDTIMEO is passed as a timeval), so a slow-reading client no longer blocks a server thread indefinitely.
Upgrading
2026.6 is a drop-in upgrade for existing 2026.x projects. The server hardening ships with safe defaults, so the only thing to watch for is the 64 MB default MaxMessageSize / MaxRequestBodySize: if your application legitimately exchanges larger payloads, raise the limit (or set it to 0 for unlimited) to match your previous behaviour.
Customers with an active subscription can download the new build from the customer area, or from esegece.com/products/websockets/download.
Questions, feedback or migration help? Get in touch. You will get a reply from the people who wrote the code.
