fix(http-stream): prevent session destruction on transient errors#136
Merged
QuantGeekDev merged 1 commit intomainfrom Feb 5, 2026
Merged
fix(http-stream): prevent session destruction on transient errors#136QuantGeekDev merged 1 commit intomainfrom
QuantGeekDev merged 1 commit intomainfrom
Conversation
Two bugs in HttpStreamTransport caused 'Session not found' (-32001) errors for clients like Cline after a session was established and working: 1. onerror callback destroyed sessions on transient SDK errors The SDK fires onerror for non-fatal issues (parse errors on malformed requests, failed SSE writes during event replay). The framework's handler unconditionally deleted the session from the transport map, making all subsequent requests from that client fail with -32001. Fix: onerror now logs but preserves the session. Only onclose (explicit DELETE or server shutdown) removes sessions. 2. Re-initialization with a stale session ID was rejected After a session was lost (server restart, error, etc.), if the client sent a new initialize request while still including the old session ID header, the framework rejected it with 'Session not found' instead of creating a new session. Fix: detect initialize requests with stale session IDs and create a new session instead of rejecting. Also fixed: broadcast send() failures no longer remove sessions from the transport map. Includes 6 regression tests covering all three scenarios.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Clients using Streamable HTTP transport (like Cline with
vscode://protocol) experience"Session not found"(-32001) errors after a session is established and working briefly. Other IDEs are unaffected because they don't trigger the specific conditions that cause session destruction.{"jsonrpc":"2.0","error":{"code":-32001,"message":"Session not found"},"id":null}Root Cause
Three bugs in
HttpStreamTransportcause premature session destruction:1.
onerrorcallback destroys sessions on transient errors (Primary)The SDK fires
onerrorfor non-fatal issues (parse errors on a single malformed request, failed SSE writes during event replay). The framework's handler unconditionally deleted the session from_transports, permanently killing it. Any subsequent request →-32001.2. Re-initialization with a stale session ID is rejected (Secondary)
After a session is lost, if the client sends a new
initializerequest while still including the oldmcp-session-idheader, the framework rejects it with 404 instead of creating a new session. The client is stuck.3. Broadcast
send()failures remove sessionsIf
transport.send()throws during a broadcast (e.g., no open SSE stream for a request ID), the session is permanently removed from the map.Fix
onerror: Log the error but preserve the session. Onlyonclose(explicit DELETE or server shutdown) removes sessions.Re-initialization: Detect
initializerequests with stale/invalid session IDs and create a new session instead of rejecting with 404.Broadcast: Log failures but preserve sessions for future requests.
Tests
6 new regression tests in
server-session-resilience.test.ts:onerroreventonerroreventsonclosestill correctly removes sessions (DELETE behavior preserved)Full suite: 179 tests passing (14 suites)