bug: NewHTTPHandler shares single mcp.Server across all SSE connections

[jonchun]

Summary

NewHTTPHandler creates a single mcp.Server instance and returns it for every incoming HTTP request. The mcp.NewSSEHandler callback pattern (accepting *http.Request and returning *mcp.Server) suggests per-connection server instantiation was intended.

Location

server/server.go:764-769

func NewHTTPHandler(core *Core, opts ...ServerOptions) http.Handler {
    srv := NewMCPServer(core, opts...)
    return mcp.NewSSEHandler(func(_ *http.Request) *mcp.Server {
        return srv
    }, nil)
}

Impact

If the MCP SDK maintains per-session state on the *mcp.Server instance (protocol negotiation, request IDs, etc.), sharing one instance across all SSE clients could cause cross-session state leakage or protocol errors.

Suggested Fix

Create a fresh server per connection:

return mcp.NewSSEHandler(func(_ *http.Request) *mcp.Server {
    return NewMCPServer(core, opts...)
}, nil)