@atesgoral atesgoral commented Oct 30, 2025

Motivation and Context

The ruby-sdk gem is the only popular gem that uses the json_rpc_handler gem. For tweaks around transport error handling, there is an ongoing awkwardness of working around the opinions of the json_rpc_handler gem or needing to extend that gem to make its API more flexible.

Just internalizing the JSON-RPC handling will allow mcp gem development to move faster.

Incidentally, we also pick up an unreleased security fix on json_rpc_handler:

Reviewers: Follow individual commits to see the incremental steps I took in copying things over, so you're not tasked with reviewing the entire internalized "new" code. Code copied from commit Shopify/json-rpc-handler@b41c412

How Has This Been Tested?

Existing unit tests pass.

Breaking Changes

The gem becomes stringent on the format of JSON-RPC call ids by default, to prevent an XSS vulnerability.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

Additional context

Contributor Author


I preserved the name, but this could be moved to a nicer, json-rpc folder to follow suit with mcp.

PARSE_ERROR = -32700
end

DEFAULT_ALLOWED_ID_CHARACTERS = /\A[a-zA-Z0-9_-]+\z/
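
Review bot: DEFAULT_ALLOWED_ID_CHARACTERS is named like a character set, but its value is a whole-string pattern (anchored with \A and \z, quantified with +), so it also rejects an empty id. A name that says "pattern" would describe it better, and a short comment above the constant should state why ids are restricted and that the pattern can only apply to string ids, since a JSON-RPC id may also be a number or null.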
@atesgoral atesgoral Oct 30, 2025


As a follow up, we need to decide whether we want to keep this as configurable through the mcp gem, or allow developers to punch through layers to be able to directly override it at JSON-RPC module level, or simply make the mcp gem super opinionated about always having strict id validation. Heuristically this pattern should cover any non-pen-tester scenarios.
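
The strict id check discussed in this comment, sketched as an added example (not code from the mcp gem or json_rpc_handler): only the pattern comes from the page, while `valid_id?`, `respond`, the line-anchored comparison pattern, the sample requests and the choice to accept integer and null ids are assumptions. It shows why the `\A`/`\z` anchors matter in Ruby and that a rejected id is never echoed back in the response.

```ruby
# Added illustration; not the gem's code. Only STRICT_ID is taken from the page.
require "json"

STRICT_ID     = /\A[a-zA-Z0-9_-]+\z/ # pattern quoted in the PR
LINE_ANCHORED = /^[a-zA-Z0-9_-]+$/   # weaker variant, shown for comparison only

INVALID_REQUEST = -32600 # JSON-RPC 2.0 "Invalid Request"

# Assumption: integer and null ids pass as-is; string ids must match the pattern;
# anything else (floats, arrays, objects) is rejected.
def valid_id?(id, pattern = STRICT_ID)
  case id
  when String then id.match?(pattern)
  when Integer, nil then true
  else false
  end
end

# Hypothetical responder: an id that failed validation is replaced by null,
# so client-controlled markup is never reflected into the reply.
def respond(request)
  id = request["id"]
  unless valid_id?(id)
    return { "jsonrpc" => "2.0", "id" => nil,
             "error" => { "code" => INVALID_REQUEST, "message" => "Invalid Request" } }
  end
  { "jsonrpc" => "2.0", "id" => id, "result" => "ok" }
end

# Constructed sample requests (the last id contains an embedded newline).
SAMPLES = [
  '{"jsonrpc":"2.0","id":"req-1","method":"ping"}',
  '{"jsonrpc":"2.0","id":7,"method":"ping"}',
  '{"jsonrpc":"2.0","id":"<b>x</b>","method":"ping"}',
  '{"jsonrpc":"2.0","id":"abc\\n<b>x</b>","method":"ping"}',
].freeze

def run_samples
  SAMPLES.map { |raw| JSON.generate(respond(JSON.parse(raw))) }
end

puts run_samples if $PROGRAM_NAME == __FILE__
```

In Ruby, `^` and `$` match at every line boundary, so the multi-line id in the last sample would pass `LINE_ANCHORED` on its first line alone; `\A` and `\z` bind the pattern to the whole string.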

@atesgoral atesgoral merged commit 3f5f6f8 into modelcontextprotocol:main Oct 30, 2025
5 checks passed
@atesgoral atesgoral deleted the ag/include-json-rpc-handler branch October 30, 2025 21:43

koic commented Oct 31, 2025

Thank you!
