Description
Tools can be invoked without initialization -- the mcp-session-id is not checked.
For example, the following invokes the time tool, rather than returning 404 for invalid sessionID:
curl -v localhost:8081/mcp -H "mcp-session-id: mcp-session-ffffffff-ffff-ffff-ffff-ffffffffffff" -H "Content-Type: application/json" -H "Accept: application/json, text/event-stream" --data '
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "time"
  }
}
'
(From looking at the source code, perhaps I was supposed to use server.WithSessionIdManager(mgr) in my call to server.NewMCPServer(), but it wasn't obvious that none of the provided implementations check for a valid session.)
Code Sample
This is the minimal server I tested with:
package main

import (
	"context"
	"fmt"
	"net/http"
	"time"

	"github.com/mark3labs/mcp-go/mcp"
	"github.com/mark3labs/mcp-go/server"
)

func main() {
	s := server.NewMCPServer("MyMcpClock", "0.0.1", server.WithToolCapabilities(true))
	s.AddTools(server.ServerTool{
		Tool: mcp.NewTool("time",
			mcp.WithDescription("Get the current time")),
		Handler: func(_ context.Context, _ mcp.CallToolRequest) (*mcp.CallToolResult, error) {
			return mcp.NewToolResultText(time.Now().String()), nil
		},
	})

	mux := http.NewServeMux()
	httpServer := &http.Server{
		Addr:    ":8081",
		Handler: mux,
	}
	streamableHTTPServer := server.NewStreamableHTTPServer(
		s,
		server.WithStreamableHTTPServer(httpServer),
	)
	mux.Handle("/mcp", streamableHTTPServer)
	err := streamableHTTPServer.Start(":8081")
	fmt.Printf("Err = %v\n", err)
}
Environment
- Go version (see go.mod): go 1.25.0
- mcp-go version (see go.mod): v0.39.1
- Any other relevant environment details: MacOS
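Added example, not part of the issue and not mcp-go code: a standard-library `net/http` wrapper that enforces the check the report expects, returning 404 for a session ID the wrapped handler never issued. The names `SessionGate` and `capture`, the 400 for a missing header, the 1 MiB body limit, and the assumption that the wrapped handler sets `Mcp-Session-Id` on its `initialize` response are all choices made for this sketch.

```go
package main

import (
	"bytes"
	"encoding/json"
	"io"
	"net/http"
	"sync"
)

const sessionHeader = "Mcp-Session-Id"

// SessionGate (hypothetical) admits only initialize calls and known session IDs.
type SessionGate struct {
	Next   http.Handler // the MCP HTTP handler being protected
	issued sync.Map     // session IDs seen on Next's initialize responses
}

type capture struct { // stores the ID Next sets; "" is stored too, never looked up
	http.ResponseWriter
	gate *SessionGate
}

func (c *capture) note()                       { c.gate.issued.Store(c.Header().Get(sessionHeader), true) }
func (c *capture) WriteHeader(code int)        { c.note(); c.ResponseWriter.WriteHeader(code) }
func (c *capture) Write(b []byte) (int, error) { c.note(); return c.ResponseWriter.Write(b) }
func (c *capture) Flush()                      { http.NewResponseController(c.ResponseWriter).Flush() }

func (g *SessionGate) ServeHTTP(w http.ResponseWriter, r *http.Request) {
	if id := r.Header.Get(sessionHeader); id != "" {
		if _, ok := g.issued.Load(id); !ok {
			http.Error(w, "unknown session", http.StatusNotFound) // ID was never issued
			return
		}
		g.Next.ServeHTTP(w, r)
		return
	}
	body, _ := io.ReadAll(http.MaxBytesReader(w, r.Body, 1<<20))
	var msg struct{ Method string } // only the JSON-RPC method name is inspected
	if json.Unmarshal(body, &msg) != nil || msg.Method != "initialize" {
		http.Error(w, "session required", http.StatusBadRequest)
		return
	}
	r.Body = io.NopCloser(bytes.NewReader(body)) // restore the body for Next
	g.Next.ServeHTTP(&capture{w, g}, r)
}

func main() { // placeholder upstream: put the real MCP handler in Next
	http.ListenAndServe("localhost:8081", &SessionGate{Next: http.NotFoundHandler()})
}
```

The gate never forgets an ID; session termination and expiry are left out.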