Skip to content

feat(mcp): remove mcp-session-id header injection for HTTP transports #681

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
stdrc merged 3 commits into from
Jan 26, 2026
Merged

feat(mcp): remove mcp-session-id header injection for HTTP transports #681

stdrc merged 3 commits into from
Jan 26, 2026
+6 −9

Conversation

@xiaoju111a
Copy link
Contributor

@xiaoju111a xiaoju111a commented Jan 22, 2026
edited
Loading

Related Issue

Resolves #677

Description

This PR fixes incorrect manual addition of Mcp-Session-Id header that violated the MCP protocol standard.

Problem

The previous implementation manually added Mcp-Session-Id header using kimi-cli's session ID, which violated the MCP protocol standard. According to MCP specification (2025-06-18), the Mcp-Session-Id must be:

  1. Generated by the MCP server (not the client)
  2. Returned in the HTTP response header of the initialize request
  3. Used in all subsequent requests

This caused connection failures with MCP servers like Linear and DeepWiki, which returned 400 Bad Request: Session not found because they didn't recognize the client-generated session ID.

Solution

Removed the incorrect manual Mcp-Session-Id header injection logic and let the fastmcp library handle session management automatically according to the MCP protocol standard:

  1. Client sends initialize request without Mcp-Session-Id
  2. Server returns Mcp-Session-Id in response header
  3. Client automatically includes the server-provided session ID in subsequent requests

Changes

Modified files:

  • src/kimi_cli/soul/toolset.py: Removed manual Mcp-Session-Id header injection logic (9 lines deleted)

Testing

Verified with both Linear (OAuth) and DeepWiki (non-OAuth) MCP servers:

  • ✅ Both servers connect successfully
  • ✅ No retry logic needed
  • ✅ Session management handled correctly by fastmcp library

Checklist

  • I have read the [CONTRIBUTING](https://github.com/MoonshotAI/kimi-cli/blob/main/CONTRIBUTING.md) document.
  • I have linked the related issue, if any.
  • All existing tests pass and the implementation is backward compatible.
  • I have updated the changelog (CHANGELOG.md). (Will be added in a separate commit)
  • I have updated the user documentation (English and Chinese). (No user-facing documentation changes needed - this is an internal fix)
Open with Devin

devin-ai-integration[bot]
devin-ai-integration bot reviewed Jan 22, 2026
View reviewed changes
Copy link

@devin-ai-integration devin-ai-integration bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 1 potential issue.

View issue and 3 additional flags in Devin Review.

Open in Devin Review

devin-ai-integration[bot]
devin-ai-integration bot reviewed Jan 22, 2026
View reviewed changes
Copy link

@devin-ai-integration devin-ai-integration bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Devin Review found 1 new potential issue.

View issue and 6 additional flags in Devin Review.

Open in Devin Review

@xiaoju111a xiaoju111a marked this pull request as draft January 23, 2026 11:08
@xiaoju111a xiaoju111a force-pushed the feat/mcp-skip-session-id branch from af1dd4f to f052b45 Compare January 23, 2026 11:52
@xiaoju111a xiaoju111a changed the title feat(mcp): add --skip-session-id option for HTTP servers that don't support session header feat(mcp): remove mcp-session-id header injection for HTTP transports Jan 23, 2026
@stdrc stdrc marked this pull request as ready for review January 26, 2026 05:01
Copilot AI review requested due to automatic review settings January 26, 2026 05:01
Copilot AI reviewed Jan 26, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR removes incorrect manual injection of the Mcp-Session-Id header for HTTP MCP transports, fixing connection failures with MCP servers like Linear and DeepWiki that were rejecting client-generated session IDs.

Changes:

  • Removed 9 lines of code that manually added Mcp-Session-Id header to non-OAuth HTTP MCP server configurations
  • Session management is now delegated entirely to the fastmcp library, which handles the MCP protocol correctly

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@stdrc
changelog
35fa76b 
Signed-off-by: Richard Chien <stdrc@outlook.com>
@stdrc stdrc merged commit c67a28c into MoonshotAI:main Jan 26, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@devin-ai-integration devin-ai-integration[bot] devin-ai-integration[bot] left review comments

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Deepwiki mcp connect fail

2 participants

@xiaoju111a @stdrc