Bug: nil panic in SSE session lookup for /mcp requests

[bandrade]

Bug Summary

POST /mcp?sessionId=... can panic with runtime error: invalid memory address or nil pointer dereference in internal/server/mcp.go.

Impact

This crashes request handling for SSE-backed MCP flows in staging and returns HTTP 500 to clients after successful /mcp/sse session bootstrap.

Reproduction

1. GET /mcp/sse and capture sessionId from event: endpoint.
2. POST /mcp?sessionId=<id>.
3. Observe panic in logs from (*sseManager).get around mcp.go:64.

Proposed Fix

• Make sseManager.get nil-safe (treat nil map entries as unavailable).
• Return HTTP 400 when sessionId is provided but session is unavailable, instead of continuing.
• Add a regression test for nil session map values.

[anubhav756]

Thanks for bringing this up @bandrade!

Hi @Yuan325

Assuming that the POST /mcp?sessionId=<id> could potentially crash request handling with an invalid memory address or nil pointer dereference during the SSE-backed MCP flow.

Do you think this line could trigger panic because the map entry exists but potentially the actual session pointer happens to be nil?

Also, in httpHandler, if sseManager.get returns that the session is unavailable, the server just seems to log a debug message and continue processing the request. Should we perhaps be returning an error here instead to explicitly reject it?

Could you take a look when you have a chance? Any pointers or thoughts on this would be greatly appreciated!

Thanks! 🙂