Reject POST requests without session ID in stateful mode #274

Merged
koic merged 1 commit into modelcontextprotocol:main from koic:reject_missing_session_id
Mar 29, 2026

@koic koic commented Mar 27, 2026

Motivation and Context

Per the MCP specification (Streamable HTTP > Session Management):

> Servers that require a session ID SHOULD respond to requests without an `Mcp-Session-Id` header
> (other than initialization) with HTTP 400 Bad Request.

https://modelcontextprotocol.io/specification/2025-11-25/basic/transports#session-management

Previously, non-initialize POST requests without Mcp-Session-Id in stateful mode were processed with HTTP 200 (for regular requests) or HTTP 202 (for notifications/responses).

This change adds an explicit check in handle_post to return HTTP 400 Bad Request when the session ID is missing in stateful mode for all non-initialize requests, aligning with the specification.

How Has This Been Tested?

Added a regression test and passed.

Breaking Changes

This is not a breaking change, as it is a bug fix to align with the MCP specification.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • I have added or updated documentation as needed

@koic koic merged commit 8969edf into modelcontextprotocol:main Mar 29, 2026
11 checks passed
@koic koic deleted the reject_missing_session_id branch March 29, 2026 03:34
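
The status decision described in the pull request above, as an added example that is not the SDK's `handle_post` or code from this PR: a stand-alone Ruby function that returns the HTTP status for a POSTed JSON-RPC message. The name `post_status`, the plain header hash, and the `Set` of known session IDs are assumptions; the 404 for an unknown session ID comes from the same spec section, not from this change.

```ruby
require "json"
require "set"
SESSION_HEADER = "mcp-session-id"

# Hypothetical helper (not the SDK's handle_post): the HTTP status for one
# JSON-RPC message POSTed to a Streamable HTTP endpoint.
def post_status(body, headers, stateful:, sessions: Set.new)
  message = JSON.parse(body)
  return 400 unless message.is_a?(Hash)

  # Initialization is the only request allowed to arrive without a session ID.
  return 200 if message["method"] == "initialize"

  if stateful
    normalized = headers.to_h { |name, value| [name.to_s.downcase, value] }
    session_id = normalized[SESSION_HEADER].to_s.strip
    # The check this PR describes: no session ID on a non-initialize request.
    return 400 if session_id.empty?
    # Same spec section: an ID the server does not know gets 404.
    return 404 unless sessions.include?(session_id)
  end

  # A request has both "method" and "id"; notifications and responses get 202.
  message.key?("method") && message.key?("id") ? 200 : 202
rescue JSON::ParserError
  400
end

# Constructed sample messages and session store.
INIT = JSON.generate({ jsonrpc: "2.0", id: 0, method: "initialize", params: {} })
CALL = JSON.generate({ jsonrpc: "2.0", id: 1, method: "tools/list" })
NOTE = JSON.generate({ jsonrpc: "2.0", method: "notifications/initialized" })
KNOWN = Set["constructed-session-1"]

def demo_results
  known = { "Mcp-Session-Id" => "constructed-session-1" }
  stale = { "Mcp-Session-Id" => "constructed-session-gone" }
  {
    init_no_id: post_status(INIT, {}, stateful: true, sessions: KNOWN),
    call_no_id: post_status(CALL, {}, stateful: true, sessions: KNOWN),
    note_no_id: post_status(NOTE, {}, stateful: true, sessions: KNOWN),
    call_known_id: post_status(CALL, known, stateful: true, sessions: KNOWN),
    note_known_id: post_status(NOTE, known, stateful: true, sessions: KNOWN),
    call_stale_id: post_status(CALL, stale, stateful: true, sessions: KNOWN),
    call_stateless: post_status(CALL, {}, stateful: false)
  }
end

p demo_results if $PROGRAM_NAME == __FILE__
```

A header that is present but blank is treated the same as a missing one, so a whitespace-only `Mcp-Session-Id` also gets 400.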