Severity: Medium
`GET /mcp` returns `400 Bad Request` with `{"error":"Missing mcp-session-id header"}` instead of the semantically correct `405 Method Not Allowed`.
Current behavior
```
GET /mcp → 400 {"error":"Missing mcp-session-id header"}
```
Expected behavior
```
GET /mcp → 405 {"error":"Method Not Allowed"}
Allow: POST, DELETE
```
Fix
Add a method check before the session-id check in `src/server-http.ts`:
```typescript
if (url.pathname === '/mcp' && req.method !== 'POST' && req.method !== 'DELETE') {
res.writeHead(405, { 'Content-Type': 'application/json', 'Allow': 'POST, DELETE' });
res.end(JSON.stringify({ error: 'Method Not Allowed' }));
return;
}
```
Files to modify
- `src/server-http.ts` — add method check for `/mcp` route
- `tests/server-http.test.ts` — add test: GET /mcp returns 405 with Allow header
Severity: Medium
`GET /mcp` returns `400 Bad Request` with `{"error":"Missing mcp-session-id header"}` instead of the semantically correct `405 Method Not Allowed`.
Current behavior
```
GET /mcp → 400 {"error":"Missing mcp-session-id header"}
```
Expected behavior
```
GET /mcp → 405 {"error":"Method Not Allowed"}
Allow: POST, DELETE
```
Fix
Add a method check before the session-id check in `src/server-http.ts`:
```typescript
if (url.pathname === '/mcp' && req.method !== 'POST' && req.method !== 'DELETE') {
res.writeHead(405, { 'Content-Type': 'application/json', 'Allow': 'POST, DELETE' });
res.end(JSON.stringify({ error: 'Method Not Allowed' }));
return;
}
```
Files to modify