feat: add stateless mode to StreamableHttpServerTransport

OpenAI's MCP implementation terminates sessions after tool discovery in "never require approval" mode, causing subsequent tool calls to fail. This adds a stateless mode where each request is independent and sessions are auto-initialized when needed.

Author: CodeWithKyrian

src/Protocol.php

@@ -134,6 +134,12 @@ public function processMessage(Request|Notification|BatchRequest $message, strin
             return;
         }
 
+        if ($context['stateless'] ?? false) {
+            $session->set('initialized', true);
+            $session->set('protocol_version', self::LATEST_PROTOCOL_VERSION);
+            $session->set('client_info', ['name' => 'stateless-client', 'version' => '1.0.0']);
+        }
+
         $response = null;
 
         if ($message instanceof BatchRequest) {

src/Transports/StreamableHttpServerTransport.php

@@ -75,6 +75,7 @@ public function __construct(
         private string $mcpPath = '/mcp',
         private ?array $sslContext = null,
         private readonly bool $enableJsonResponse = true,
+        private readonly bool $stateless = false,
         ?EventStoreInterface $eventStore = null
     ) {
         $this->logger = new NullLogger();
@@ -171,9 +172,9 @@ private function createRequestHandler(): callable
 
             try {
                 return match ($method) {
-                    'GET' => $this->handleGetRequest($request)->then($addCors, fn ($e) => $addCors($this->handleRequestError($e, $request))),
-                    'POST' => $this->handlePostRequest($request)->then($addCors, fn ($e) => $addCors($this->handleRequestError($e, $request))),
-                    'DELETE' => $this->handleDeleteRequest($request)->then($addCors, fn ($e) => $addCors($this->handleRequestError($e, $request))),
+                    'GET' => $this->handleGetRequest($request)->then($addCors, fn($e) => $addCors($this->handleRequestError($e, $request))),
+                    'POST' => $this->handlePostRequest($request)->then($addCors, fn($e) => $addCors($this->handleRequestError($e, $request))),
+                    'DELETE' => $this->handleDeleteRequest($request)->then($addCors, fn($e) => $addCors($this->handleRequestError($e, $request))),
                     default => $addCors($this->handleUnsupportedRequest($request)),
                 };
             } catch (Throwable $e) {
@@ -184,6 +185,11 @@ private function createRequestHandler(): callable
 
     private function handleGetRequest(ServerRequestInterface $request): PromiseInterface
     {
+        if ($this->stateless) {
+            $error = Error::forInvalidRequest("GET requests (SSE streaming) are not supported in stateless mode.");
+            return resolve(new HttpResponse(405, ['Content-Type' => 'application/json'], json_encode($error)));
+        }
+
         $acceptHeader = $request->getHeaderLine('Accept');
         if (!str_contains($acceptHeader, 'text/event-stream')) {
             $error = Error::forInvalidRequest("Not Acceptable: Client must accept text/event-stream for GET requests.");
@@ -264,24 +270,29 @@ private function handlePostRequest(ServerRequestInterface $request): PromiseInte
         $isInitializeRequest = ($message instanceof Request && $message->method === 'initialize');
         $sessionId = null;
 
-        if ($isInitializeRequest) {
-            if ($request->hasHeader('Mcp-Session-Id')) {
-                $this->logger->warning("Client sent Mcp-Session-Id with InitializeRequest. Ignoring.", ['clientSentId' => $request->getHeaderLine('Mcp-Session-Id')]);
-                $error = Error::forInvalidRequest("Invalid request: Session already initialized. Mcp-Session-Id header not allowed with InitializeRequest.", $message->getId());
-                $deferred->resolve(new HttpResponse(400, ['Content-Type' => 'application/json'], json_encode($error)));
-                return $deferred->promise();
-            }
-
+        if ($this->stateless) {
             $sessionId = $this->generateId();
             $this->emit('client_connected', [$sessionId]);
         } else {
-            $sessionId = $request->getHeaderLine('Mcp-Session-Id');
+            if ($isInitializeRequest) {
+                if ($request->hasHeader('Mcp-Session-Id')) {
+                    $this->logger->warning("Client sent Mcp-Session-Id with InitializeRequest. Ignoring.", ['clientSentId' => $request->getHeaderLine('Mcp-Session-Id')]);
+                    $error = Error::forInvalidRequest("Invalid request: Session already initialized. Mcp-Session-Id header not allowed with InitializeRequest.", $message->getId());
+                    $deferred->resolve(new HttpResponse(400, ['Content-Type' => 'application/json'], json_encode($error)));
+                    return $deferred->promise();
+                }
+
+                $sessionId = $this->generateId();
+                $this->emit('client_connected', [$sessionId]);
+            } else {
+                $sessionId = $request->getHeaderLine('Mcp-Session-Id');
 
-            if (empty($sessionId)) {
-                $this->logger->warning("POST request without Mcp-Session-Id.");
-                $error = Error::forInvalidRequest("Mcp-Session-Id header required for POST requests.", $message->getId());
-                $deferred->resolve(new HttpResponse(400, ['Content-Type' => 'application/json'], json_encode($error)));
-                return $deferred->promise();
+                if (empty($sessionId)) {
+                    $this->logger->warning("POST request without Mcp-Session-Id.");
+                    $error = Error::forInvalidRequest("Mcp-Session-Id header required for POST requests.", $message->getId());
+                    $deferred->resolve(new HttpResponse(400, ['Content-Type' => 'application/json'], json_encode($error)));
+                    return $deferred->promise();
+                }
             }
         }
 
@@ -344,7 +355,7 @@ private function handlePostRequest(ServerRequestInterface $request): PromiseInte
                     'X-Accel-Buffering' => 'no',
                 ];
 
-                if (!empty($sessionId)) {
+                if (!empty($sessionId) && !$this->stateless) {
                     $headers['Mcp-Session-Id'] = $sessionId;
                 }
 
@@ -355,6 +366,8 @@ private function handlePostRequest(ServerRequestInterface $request): PromiseInte
             }
         }
 
+        $context['stateless'] = $this->stateless;
+
         $this->loop->futureTick(function () use ($message, $sessionId, $context) {
             $this->emit('message', [$message, $sessionId, $context]);
         });
@@ -364,6 +377,10 @@ private function handlePostRequest(ServerRequestInterface $request): PromiseInte
 
     private function handleDeleteRequest(ServerRequestInterface $request): PromiseInterface
     {
+        if ($this->stateless) {
+            return resolve(new HttpResponse(204));
+        }
+
         $sessionId = $request->getHeaderLine('Mcp-Session-Id');
         if (empty($sessionId)) {
             $this->logger->warning("DELETE request without Mcp-Session-Id.");
@@ -466,6 +483,12 @@ public function sendMessage(Message $message, string $sessionId, array $context
                     if ($this->activeSseStreams[$streamId]['context']['nResponses'] >= $this->activeSseStreams[$streamId]['context']['nRequests']) {
                         $this->logger->info("All expected responses sent for POST SSE stream. Closing.", ['streamId' => $streamId, 'sessionId' => $sessionId]);
                         $stream->end(); // Will trigger 'close' event.
+
+                        if ($context['stateless'] ?? false) {
+                            $this->loop->futureTick(function () use ($sessionId) {
+                                $this->emit('client_disconnected', [$sessionId, 'Stateless request completed']);
+                            });
+                        }
                     }
                 }
 
@@ -483,12 +506,19 @@ public function sendMessage(Message $message, string $sessionId, array $context
 
                 $responseBody = json_encode($message, JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
                 $headers = ['Content-Type' => 'application/json'];
-                if ($isInitializeResponse) {
+                if ($isInitializeResponse && !$this->stateless) {
                     $headers['Mcp-Session-Id'] = $sessionId;
                 }
 
                 $statusCode = $context['status_code'] ?? 200;
                 $deferred->resolve(new HttpResponse($statusCode, $headers, $responseBody . "\n"));
+
+                if ($context['stateless'] ?? false) {
+                    $this->loop->futureTick(function () use ($sessionId) {
+                        $this->emit('client_disconnected', [$sessionId, 'Stateless request completed']);
+                    });
+                }
+
                 return resolve(null);
 
             default:

tests/Fixtures/ServerScripts/StreamableHttpTestServer.php

@@ -27,10 +27,11 @@ public function log($level, \Stringable|string $message, array $context = []): v
 $mcpPath = $argv[3] ?? 'mcp_streamable_test';
 $enableJsonResponse = filter_var($argv[4] ?? 'true', FILTER_VALIDATE_BOOLEAN);
 $useEventStore = filter_var($argv[5] ?? 'false', FILTER_VALIDATE_BOOLEAN);
+$stateless = filter_var($argv[6] ?? 'false', FILTER_VALIDATE_BOOLEAN);
 
 try {
     $logger = new NullLogger();
-    $logger->info("Starting StreamableHttpTestServer on {$host}:{$port}/{$mcpPath}, JSON Mode: " . ($enableJsonResponse ? 'ON' : 'OFF'));
+    $logger->info("Starting StreamableHttpTestServer on {$host}:{$port}/{$mcpPath}, JSON Mode: " . ($enableJsonResponse ? 'ON' : 'OFF') . ", Stateless: " . ($stateless ? 'ON' : 'OFF'));
 
     $eventStore = $useEventStore ? new InMemoryEventStore() : null;
 
@@ -48,6 +49,7 @@ public function log($level, \Stringable|string $message, array $context = []): v
         port: $port,
         mcpPath: $mcpPath,
         enableJsonResponse: $enableJsonResponse,
+        stateless: $stateless,
         eventStore: $eventStore
     );