fix(mcp): restore stateless HTTP transport config and add code field validation

cursoragent · cursoragent · commit 1673508515d8 · 2026-02-17T17:48:02.000Z
- Restore sessionIdGenerator: undefined in StreamableHTTPServerTransport to maintain
  stateless behavior, matching the route design (POST only for MCP requests)
- Add validation for the 'code' field in execute handler to prevent TypeError when
  code is undefined or not a string, returning a controlled error response instead
diff --git a/packages/mcp-server/src/code-tool.ts b/packages/mcp-server/src/code-tool.ts
@@ -57,7 +57,10 @@ export function codeTool(params: { blockedMethods: SdkMethod[] | undefined }): M
     },
   };
   const handler = async (client: Dedalus, args: any): Promise<ToolCallResult> => {
-    const code = args.code as string;
+    const code = args.code;
+    if (typeof code !== 'string') {
+      return asErrorResult('The "code" field is required and must be a string.');
+    }
     const intent = args.intent as string | undefined;
 
     // Do very basic blocking of code that includes forbidden method names.
diff --git a/packages/mcp-server/src/http.ts b/packages/mcp-server/src/http.ts
@@ -53,7 +53,10 @@ const post =
     const server = await newServer({ ...options, req, res });
     // If we return null, we already set the authorization error.
     if (server === null) return;
-    const transport = new StreamableHTTPServerTransport();
+    const transport = new StreamableHTTPServerTransport({
+      // Stateless server
+      sessionIdGenerator: undefined,
+    });
     await server.connect(transport as any);
     await transport.handleRequest(req, res, req.body);
   };
