fix(mcp-server): enforce session binding and response isolation in HTTP SSE transport#312

Merged
monty-sei merged 3 commits into main from fix/mcp-server-sse-session-isolation on Apr 2, 2026

Conversation

@monty-sei (Contributor)

fix(mcp-server): enforce session binding and response isolation in HTTP SSE transport

  • Validate sessionId on every POST and route to the correct transport instance

The HTTP SSE transport had two related failures that allowed cross-client request injection and response misrouting when multiple clients were connected simultaneously:

  1. The POST handler always routed to Array.from(this.connections.values())[0], ignoring the sessionId query parameter entirely. A request with a fabricated or absent session ID was accepted and executed within another client's live session.

  2. Session IDs were generated with Date.now() instead of transport.sessionId (the SDK-issued identifier), so the connections map key was never meaningfully tied to the transport that produced it.

Changes:

  • POST handler now reads req.query.sessionId and rejects missing values (400) or unknown session IDs (404) before the request reaches any transport
  • Each POST is routed to the specific transport instance that owns the matching session ID
  • Session IDs now come from transport.sessionId (the MCP SDK's own identifier) rather than a local timestamp
  • Updated existing tests to match new error responses and session ID shape, and added six new tests covering: SDK session ID as connections key, unique IDs per concurrent connection, 400 on missing sessionId, 404 on bogus sessionId, per-client message routing, and cross-client isolation under concurrent connections

@changeset-bot

changeset-bot bot commented Apr 2, 2026

🦋 Changeset detected

Latest commit: dd88bdc

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package: @sei-js/mcp-server (Patch)


@monty-sei monty-sei requested a review from codebycarson April 2, 2026 12:41
@codecov-commenter

codecov-commenter commented Apr 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.75%. Comparing base (9168186) to head (dd88bdc).

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #312      +/-   ##
==========================================
+ Coverage   79.69%   79.75%   +0.06%     
==========================================
  Files          83       83              
  Lines        1305     1309       +4     
  Branches      158      160       +2     
==========================================
+ Hits         1040     1044       +4     
  Misses        265      265              


@monty-sei monty-sei merged commit bc17ace into main Apr 2, 2026
3 checks passed