Description
Summary
The spec requires that if a server assigns a session ID, it MUST only contain visible ASCII characters (0x21–0x7E). No existing scenario validates this. The server-initialize scenario is the natural home since the session ID is assigned at initialization time and the scenario already targets the Streamable HTTP transport.
Missing Coverage
Check: server-session-id-visible-ascii
Spec: "The session ID MUST only contain visible ASCII characters (ranging from 0x21 to 0x7E)."
After initialization, if the server returns an MCP-Session-Id header, validate that every character falls in the visible ASCII range. If no header is returned, report INFO (session ID is optional per spec).
Proposed Location
Add as an additional check within the existing ServerInitializeScenario in src/scenarios/server/lifecycle.ts, rather than a new standalone scenario. This follows the repo's "fewer scenarios, more checks" convention and avoids spinning up a separate HTTP connection for a single check.
Requires a raw fetch for the initialize request (the SDK connectToServer helper doesn't expose response headers), followed by parsing the mcp-session-id header.
Spec Requirements (Session Management)
| Keyword | Statement |
|---|---|
| MAY | A server using Streamable HTTP transport MAY assign a session ID at initialization time |
| SHOULD | The session ID SHOULD be globally unique and cryptographically secure |
| MUST | The session ID MUST only contain visible ASCII characters (ranging from 0x21 to 0x7E) |
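
An added example of the proposed check, not code from the repository or the issue author: it classifies the value that `response.headers.get("mcp-session-id")` returns for the initialize response (`null` when the header is absent). The function name, the result shape and the `SUCCESS`/`FAILURE` status names are assumptions; only the check ID, the INFO case and the 0x21–0x7E range come from the issue.

```typescript
// Hypothetical result shape; the real scenario's check type may differ.
type CheckStatus = "SUCCESS" | "FAILURE" | "INFO";

interface SessionIdCheck {
  id: string;
  status: CheckStatus;
  message: string;
  offending: string[]; // one entry per bad UTF-16 code unit, e.g. "U+0020 at index 3"
}

const CHECK_ID = "server-session-id-visible-ascii";

function checkSessionIdVisibleAscii(
  headerValue: string | null | undefined
): SessionIdCheck {
  // Session IDs are optional, so an absent header is informational only.
  if (headerValue === null || headerValue === undefined) {
    return {
      id: CHECK_ID,
      status: "INFO",
      message: "Server did not return an MCP-Session-Id header",
      offending: [],
    };
  }

  const offending: string[] = [];
  for (let i = 0; i < headerValue.length; i++) {
    const unit = headerValue.charCodeAt(i);
    // Visible ASCII is 0x21..0x7E inclusive: space (0x20), DEL (0x7F),
    // control characters and anything non-ASCII all fail.
    if (unit < 0x21 || unit > 0x7e) {
      const hex = ("0000" + unit.toString(16).toUpperCase()).slice(-4);
      // Report the code point, never the raw character, so control
      // bytes from a misbehaving server do not end up in the report.
      offending.push("U+" + hex + " at index " + i);
    }
  }

  // Note: an empty value has no offending characters and passes this rule.
  const ok = offending.length === 0;
  return {
    id: CHECK_ID,
    status: ok ? "SUCCESS" : "FAILURE",
    message: ok
      ? "Session ID contains only visible ASCII (0x21-0x7E)"
      : "Session ID contains characters outside 0x21-0x7E: " + offending.join(", "),
    offending,
  };
}
```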