Fix injection of server_id in internally-forwarded streamable HTTP requests

[kevalmahajan]

🐛 Bug-fix PR

Closes #3018

📌 Summary

When a Streamable HTTP POST request is forwarded between workers via the internal affinity mechanism (x-forwarded-internally=true), the server_id from the URL path (/servers/{id}/mcp) was not injected into the JSON-RPC params before posting to /rpc. This caused /rpc routing to fall into the unscoped list_tools path instead of the server-scoped list_server_tools path, breaking multi-tenant isolation in multi-worker deployments.

Why this matters: In production deployments with multiple workers and session affinity enabled, clients would receive tools from ALL servers instead of just the requested server, violating tenant isolation.

🔁 Reproduction Steps

Prerequisites:

• Multi-worker deployment with MCPGATEWAY_SESSION_AFFINITY_ENABLED=true
• At least 2 registered MCP servers with different tools

Steps:

1. Establish a stateful MCP session on Worker A via /servers/{server_id}/mcp/
2. Send a tools/list request that gets routed to Worker B (cross-worker forward)
3. Worker B forwards the request internally with x-forwarded-internally: true
4. The forwarded request posts to /rpc without params.server_id
5. /rpc routes to unscoped handler → returns tools from all servers instead of just {server_id}

Expected: Only tools from the requested server
Actual: Tools from all servers (multi-tenant isolation broken)

🐞 Root Cause

The internally-forwarded branch (lines 1850-1873) was missing the server_id injection logic that was added to the local-owner branch in PR #2974.
Location: mcpgateway/transports/streamablehttp_transport.py:1850-1873
The match variable (containing the extracted server_id from the URL path) was available but not used in this branch.

💡 Fix Description

Added the same server_id injection logic to the internally-forwarded branch that already existed in the local-owner branch.

Key changes:

Inject server_id from URL path (lines 1861-1868):

# Inject server_id from URL path into params for /rpc routing
if match:
    server_id = match.group("server_id")
    if "params" not in json_body:
        json_body["params"] = {}
    if server_id:
        json_body["params"]["server_id"] = server_id
        # Re-serialize body with injected server_id
        body = orjson.dumps(json_body)
        logger.debug(
            f"[HTTP_AFFINITY_FORWARDED] Injected server_id {server_id} into /rpc params"
        )

Added comprehensive test coverage in test_streamablehttp_transport.py:

test_forwarded_post_injects_server_id_from_url - Verifies the fix
test_forwarded_post_no_server_id_in_url_no_injection - Edge case without server_id
test_forwarded_post_notification_no_server_id_injection - Notification handling
test_local_affinity_post_injects_server_id_regression - Regression test

Design points:

Mirrors the existing pattern in the local-owner branch (lines 2003-2010) for consistency
Uses the existing match variable captured at line 1776
Placed after notification handling (line 1859) and before httpx client call (line 1869)
Added debug logging for observability
All 251 transport tests pass with no regressions
Impact: Restores proper server-scoped routing and multi-tenant isolation in multi-worker deployments.

🧪 Verification

Check	Command	Status
Lint suite	make lint
Unit tests	make test
Coverage ≥ 80 %	make coverage
Manual regression no longer fails	steps / screenshots

📐 MCP Compliance (if relevant)

• Matches current MCP spec
• No breaking change to MCP clients

✅ Checklist

• Code formatted (make black isort pre-commit)
• No secrets/credentials committed

[crivetimihai]

Clean fix. The server_id injection from the URL path into JSON-RPC params is correctly guarded (if match and if server_id), and creates the params dict when missing. Comprehensive test coverage: injection with missing params, no-injection for non-server URLs, no-injection for notifications (202), and regression test for the local-owner path.

[crivetimihai]

Re-reviewed after the latest commits. The hardening looks good:

• isinstance(json_body.get("params"), dict) correctly handles null, [], and missing params — all coerced to a fresh dict before injection. Better than the previous "params" not in json_body check.
• The fix is now applied to both injection paths (forwarded branch + local-owner branch) — good consistency.
• 7 new tests with solid coverage: missing params, existing params, non-dict params (null/list), no-match URL, notification, and regression for local-owner path.

LGTM.