refactor: relocate misplaced functions to their natural homes (#5006)

Four findings from semantic function clustering analysis: session
lifecycle helpers in the wrong file, feature-specific constructors
buried in `unified.go`, a zero-logic passthrough wrapper, and two tiny
tracing files that should be one.

## Changes

- **Finding 1 — Session helpers → `session.go`**  
Moved `extractAndValidateSession`, `injectSessionContext`,
`setupSessionCallback`, `logHTTPRequestBody` out of `http_helpers.go`
into `session.go`. `http_helpers.go` shrinks ~100 lines; all session
lifecycle logic is now in one file.

- **Finding 2 — Feature constructors → their owning files**  
  - `buildCircuitBreakers`: `unified.go` → `circuit_breaker.go`  
- `buildAllowedToolSets` + `hasWildcard`: `unified.go` →
`tool_registry.go`
  Added `config` import to both destination files.

- **Finding 3 — Remove `writeErrorResponse` wrapper**  
Deleted the one-line passthrough and replaced all call sites with
`httputil.WriteErrorResponse` directly:
  ```go
  // before
func writeErrorResponse(w http.ResponseWriter, statusCode int, code,
message string) {
      httputil.WriteErrorResponse(w, statusCode, code, message)
  }

  // after — call sites use httputil directly
  httputil.WriteErrorResponse(w, status, code, msg)
  ```

- **Finding 4 — Merge tracing CLI files**  
`cmd/tracing_helpers.go` + `cmd/flags_tracing.go` (75 lines combined) →
`cmd/tracing.go`.

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `example.com`
> - Triggering command: `/tmp/go-build3872797525/b513/launcher.test
/tmp/go-build3872797525/b513/launcher.test
-test.testlogfile=/tmp/go-build3872797525/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s 8043��
olang.org/grpc@v1.80.0/internal/idle/idle.go cfg x_amd64/vet . --gdwarf2
--64 x_amd64/vet -I 8043057/b418/_pkg_.a -I x_amd64/vet --gdwarf-5
g/grpc/internal//usr/bin/runc -o x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build3399420040/b509/launcher.test
/tmp/go-build3399420040/b509/launcher.test
-test.testlogfile=/tmp/go-build3399420040/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
/tmp/go-build2509960937/b173/vet/run/containerd/io.containerd.runtime.v2.task/moby/db2aa2a60d29ftail
64/pkg/tool/linu-buildtags bash g_.a -trimpath &#34;REQUESTS_CA_B--root
/opt/hostedtoolc/var/run/docker/runtime-runc/moby -uns�� y x_amd64/vet
e-handler @v1.43.0/propaga/usr/libexec/docker/cli-plugins/docker-compose
@v1.43.0/propagadocker-cli-plugin-metadata x_amd64/vet e-handler` (dns
block)
> - `invalid-host-that-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build3872797525/b495/config.test
/tmp/go-build3872797525/b495/config.test
-test.testlogfile=/tmp/go-build3872797525/b495/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -I g_.a NbAn/6jVna5QQyS18CrolNbAn
x_amd64/vet --gdwarf-5
resolver/delegat/tmp/go-build2509960937/b300/vet.cfg -o x_amd64/vet
8043�� qzhGZjM5u cfg 64/pkg/tool/linux_amd64/vet (compatibility issue
with Go 1.25.0). Continuing with other checks...&#34;; \
elif command -v golan -imultiarch` (dns block)
> - Triggering command: `/tmp/go-build3399420040/b491/config.test
/tmp/go-build3399420040/b491/config.test
-test.testlogfile=/tmp/go-build3399420040/b491/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
88635552ec0a846ca0962f57bea95f938934c2423396c1fa129 x_amd64/compile
ateway_with_pipe.sh cdc8770c07c851b4aae2b041e8136bb0e9e/log.json
pc_health_v1/hea--prefix=/net/ipv4/conf/vethe00a9b0 x_amd64/compile
ateway_with_pipe--prefix=/net/ipv6/conf/vethe00a9b0 -uns��
3c2c91bb777a34fa x_amd64/compile
by/db2aa2a60d29f83ac692768d36051d3e54950f8b5453b528136881dc8dce1cff/log.json
g_.a -trimpath x_amd64/vet
dCQFD9yY_0oeD/ar--prefix=/net/ipv6/conf/vethdaded9f` (dns block)
> - `nonexistent.local`
> - Triggering command: `/tmp/go-build3872797525/b513/launcher.test
/tmp/go-build3872797525/b513/launcher.test
-test.testlogfile=/tmp/go-build3872797525/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s 8043��
olang.org/grpc@v1.80.0/internal/idle/idle.go cfg x_amd64/vet . --gdwarf2
--64 x_amd64/vet -I 8043057/b418/_pkg_.a -I x_amd64/vet --gdwarf-5
g/grpc/internal//usr/bin/runc -o x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build3399420040/b509/launcher.test
/tmp/go-build3399420040/b509/launcher.test
-test.testlogfile=/tmp/go-build3399420040/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
/tmp/go-build2509960937/b173/vet/run/containerd/io.containerd.runtime.v2.task/moby/db2aa2a60d29ftail
64/pkg/tool/linu-buildtags bash g_.a -trimpath &#34;REQUESTS_CA_B--root
/opt/hostedtoolc/var/run/docker/runtime-runc/moby -uns�� y x_amd64/vet
e-handler @v1.43.0/propaga/usr/libexec/docker/cli-plugins/docker-compose
@v1.43.0/propagadocker-cli-plugin-metadata x_amd64/vet e-handler` (dns
block)
> - `slow.example.com`
> - Triggering command: `/tmp/go-build3872797525/b513/launcher.test
/tmp/go-build3872797525/b513/launcher.test
-test.testlogfile=/tmp/go-build3872797525/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s 8043��
olang.org/grpc@v1.80.0/internal/idle/idle.go cfg x_amd64/vet . --gdwarf2
--64 x_amd64/vet -I 8043057/b418/_pkg_.a -I x_amd64/vet --gdwarf-5
g/grpc/internal//usr/bin/runc -o x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build3399420040/b509/launcher.test
/tmp/go-build3399420040/b509/launcher.test
-test.testlogfile=/tmp/go-build3399420040/b509/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true
/tmp/go-build2509960937/b173/vet/run/containerd/io.containerd.runtime.v2.task/moby/db2aa2a60d29ftail
64/pkg/tool/linu-buildtags bash g_.a -trimpath &#34;REQUESTS_CA_B--root
/opt/hostedtoolc/var/run/docker/runtime-runc/moby -uns�� y x_amd64/vet
e-handler @v1.43.0/propaga/usr/libexec/docker/cli-plugins/docker-compose
@v1.43.0/propagadocker-cli-plugin-metadata x_amd64/vet e-handler` (dns
block)
> - `this-host-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build3872797525/b522/mcp.test
/tmp/go-build3872797525/b522/mcp.test
-test.testlogfile=/tmp/go-build3872797525/b522/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -I 8043057/b414/_pkg_.a -fPIC
x_amd64/vet -pthread g/grpc/internal//usr/bin/runc
-fmessage-length--version x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build3399420040/b518/mcp.test
/tmp/go-build3399420040/b518/mcp.test
-test.testlogfile=/tmp/go-build3399420040/b518/testlog.txt
-test.paniconexit0 -test.timeout=10m0s -test.v=true -I
by/eca09d10600f3--log-format ker/docker-init
by/eca09d10600f3/usr/libexec/docker/cli-plugins/docker-compose
b1a7041eaee94398docker-cli-plugin-metadata x_amd64/vet 91e/log.json
/tmp�� tes.crt x_amd64/vet /usr/sbin/bash by/b7068f2c73a9cbash
/interface.go x_amd64/vet bash` (dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent)
(admins only)
>
> </details>

Author: lpcox

internal/cmd/flags_tracing.go

@@ -1,15 +1,35 @@
 package cmd
 
+// Tracing-related flags and helpers for OpenTelemetry OTLP trace export.
+
 import (
 	"context"
 	"time"
 
+	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"
+
 	"github.com/github/gh-aw-mcpg/internal/config"
 	"github.com/github/gh-aw-mcpg/internal/envutil"
 	"github.com/github/gh-aw-mcpg/internal/tracing"
-	"github.com/spf13/pflag"
 )
 
+// Tracing flag variables
+var (
+	otlpEndpoint    string
+	otlpServiceName string
+	otlpSampleRate  float64
+)
+
+func init() {
+	RegisterFlag(func(cmd *cobra.Command) {
+		registerTracingFlags(cmd.Flags(), &otlpEndpoint, &otlpServiceName, &otlpSampleRate,
+			"OTLP HTTP endpoint for trace export (e.g. http://localhost:4318). Defaults from OTEL_EXPORTER_OTLP_ENDPOINT when set. Tracing is disabled when empty.",
+			"Service name reported in traces. Defaults from OTEL_SERVICE_NAME when set.",
+			"Fraction of traces to sample and export (0.0–1.0). Default 1.0 samples everything.")
+	})
+}
+
 func registerTracingFlags(flags *pflag.FlagSet, endpoint *string, serviceName *string, sampleRate *float64, endpointUsage string, serviceUsage string, sampleUsage string) {
 	flags.StringVar(endpoint, "otlp-endpoint", envutil.GetEnvString("OTEL_EXPORTER_OTLP_ENDPOINT", ""),
 		endpointUsage)

internal/cmd/tracing_helpers.go internal/cmd/tracing.gointernal/cmd/tracing_helpers.go renamed to internal/cmd/tracing.go

@@ -7,6 +7,7 @@ import (
 	"sync"
 	"time"
 
+	"github.com/github/gh-aw-mcpg/internal/config"
 	"github.com/github/gh-aw-mcpg/internal/logger"
 	"github.com/github/gh-aw-mcpg/internal/strutil"
 )
@@ -233,6 +234,22 @@ func formatResetAt(t time.Time) string {
 	return fmt.Sprintf("%s (in %s)", t.UTC().Format(time.RFC3339), strutil.FormatDuration(time.Until(t).Round(time.Second)))
 }
 
+// buildCircuitBreakers creates per-backend circuit breakers from the configuration.
+func buildCircuitBreakers(cfg *config.Config) map[string]*circuitBreaker {
+	cbs := make(map[string]*circuitBreaker)
+	if cfg == nil {
+		return cbs
+	}
+	for serverID, serverCfg := range cfg.Servers {
+		threshold := serverCfg.RateLimitThreshold
+		cooldown := time.Duration(serverCfg.RateLimitCooldown) * time.Second
+		cbs[serverID] = newCircuitBreaker(serverID, threshold, cooldown)
+		logCircuitBreaker.Printf("Created circuit breaker for server %s: threshold=%d, cooldown=%s",
+			serverID, threshold, cooldown)
+	}
+	return cbs
+}
+
 // extractRateLimitErrorText extracts the text content from a raw tool result
 // that has been identified as a rate-limit error. Returns the original backend
 // message so agents see the actual upstream error rather than a synthetic one.

internal/server/circuit_breaker.go

@@ -42,7 +42,7 @@ func handleClose(unifiedServer *UnifiedServer) http.Handler {
 		// Only accept POST requests
 		if r.Method != http.MethodPost {
 			logHandlers.Printf("Close request rejected: invalid method=%s", r.Method)
-			writeErrorResponse(w, http.StatusMethodNotAllowed, "method_not_allowed", "method not allowed")
+			httputil.WriteErrorResponse(w, http.StatusMethodNotAllowed, "method_not_allowed", "method not allowed")
 			return
 		}
 

internal/server/handlers.go

@@ -2,7 +2,6 @@ package server
 
 import (
 	"bytes"
-	"context"
 	"encoding/json"
 	"io"
 	"log"
@@ -14,7 +13,6 @@ import (
 	oteltrace "go.opentelemetry.io/otel/trace"
 
 	"github.com/github/gh-aw-mcpg/internal/auth"
-	"github.com/github/gh-aw-mcpg/internal/guard"
 	"github.com/github/gh-aw-mcpg/internal/httputil"
 	"github.com/github/gh-aw-mcpg/internal/logger"
 	"github.com/github/gh-aw-mcpg/internal/logger/sanitize"
@@ -45,13 +43,6 @@ func logRuntimeError(errorType, detail string, r *http.Request, serverName *stri
 		timestamp, server, requestID, errorType, detail, r.URL.Path, r.Method)
 }
 
-// writeErrorResponse writes a JSON error response with a consistent shape.
-// All HTTP error paths in the server package should use this helper to ensure
-// clients always receive application/json rather than text/plain.
-func writeErrorResponse(w http.ResponseWriter, statusCode int, code, message string) {
-	httputil.WriteErrorResponse(w, statusCode, code, message)
-}
-
 // rejectRequest logs a structured error, records a runtime error, and writes an
 // HTTP error response. This consolidates the 3-step rejection pattern that was
 // previously duplicated across auth and handler code paths.
@@ -64,7 +55,7 @@ func writeErrorResponse(w http.ResponseWriter, statusCode int, code, message str
 func rejectRequest(w http.ResponseWriter, r *http.Request, status int, code, msg, logCategory, runtimeErrType, runtimeDetail string) {
 	logger.LogErrorMd(logCategory, "Request rejected: %s, remote=%s, path=%s", msg, r.RemoteAddr, r.URL.Path)
 	logRuntimeError(runtimeErrType, runtimeDetail, r, nil)
-	writeErrorResponse(w, status, code, msg)
+	httputil.WriteErrorResponse(w, status, code, msg)
 }
 
 // withResponseLogging wraps an http.Handler to log response bodies
@@ -79,24 +70,6 @@ func withResponseLogging(handler http.Handler) http.Handler {
 	})
 }
 
-// extractAndValidateSession extracts the session ID from the Authorization header
-// and logs connection details. Returns empty string if validation fails.
-func extractAndValidateSession(r *http.Request) string {
-	logHelpers.Printf("Extracting session from request: remote=%s, path=%s", r.RemoteAddr, r.URL.Path)
-
-	authHeader := r.Header.Get("Authorization")
-	sessionID := auth.ExtractSessionID(authHeader)
-
-	if sessionID == "" {
-		logHelpers.Printf("Session extraction failed: no Authorization header, remote=%s", r.RemoteAddr)
-		logger.LogError("client", "Rejected MCP client connection: no Authorization header, remote=%s, path=%s", r.RemoteAddr, r.URL.Path)
-		return ""
-	}
-
-	logHelpers.Printf("Session extracted successfully: sessionID=%s, remote=%s", auth.TruncateSessionID(sessionID), r.RemoteAddr)
-	return sessionID
-}
-
 // peekRequestBody reads all bytes from a POST request body and restores it
 // so downstream handlers can read it again.
 // Returns nil, nil for non-POST requests or requests with no body.
@@ -124,78 +97,6 @@ func peekRequestBody(r *http.Request) ([]byte, error) {
 	return b, nil
 }
 
-// logHTTPRequestBody logs the request body for debugging purposes.
-// It reads the body, logs it, and restores it so it can be read again.
-// The backendID parameter is optional and can be empty for unified mode.
-func logHTTPRequestBody(r *http.Request, sessionID, backendID string) {
-	logHelpers.Printf("Checking request body: method=%s, hasBody=%v, sessionID=%s", r.Method, r.Body != nil, sessionID)
-
-	bodyBytes, err := peekRequestBody(r)
-	if err != nil {
-		logHelpers.Printf("Body read failed: err=%v", err)
-		return
-	}
-	if len(bodyBytes) == 0 {
-		logHelpers.Printf("Skipping body logging: not a POST request, no body present, or empty body")
-		return
-	}
-
-	logHelpers.Printf("Request body read: size=%d bytes, sessionID=%s, backendID=%s", len(bodyBytes), auth.TruncateSessionID(sessionID), backendID)
-
-	// Sanitize the body before logging
-	sanitizedBody := sanitize.SanitizeString(string(bodyBytes))
-
-	// Log with backend context if provided (routed mode)
-	if backendID != "" {
-		logger.LogDebug("client", "MCP client request body, backend=%s, body=%s", backendID, sanitizedBody)
-	} else {
-		logger.LogDebug("client", "MCP request body, session=%s, body=%s", auth.TruncateSessionID(sessionID), sanitizedBody)
-	}
-	logHelpers.Print("Request body logged for debugging")
-}
-
-// injectSessionContext stores the session ID and optional backend ID into the request context.
-// If backendID is empty, only session ID is injected (unified mode).
-// Returns the modified request with updated context.
-func injectSessionContext(r *http.Request, sessionID, backendID string) *http.Request {
-	logHelpers.Printf("Injecting session context: sessionID=%s, backendID=%s", auth.TruncateSessionID(sessionID), backendID)
-
-	ctx := context.WithValue(r.Context(), SessionIDContextKey, sessionID)
-	ctx = guard.SetAgentIDInContext(ctx, sessionID)
-
-	if backendID != "" {
-		logHelpers.Printf("Adding backend ID to context: backendID=%s", backendID)
-		ctx = context.WithValue(ctx, mcp.ContextKey("backend-id"), backendID)
-	}
-
-	logHelpers.Print("Session context injected successfully")
-	return r.WithContext(ctx)
-}
-
-// setupSessionCallback extracts the session ID, logs the new connection, injects
-// the session into the request context, and returns the session ID.
-// Used by both routed and unified StreamableHTTP session establishment callbacks.
-func setupSessionCallback(r *http.Request, backendID string) (string, bool) {
-	sessionID := extractAndValidateSession(r)
-	if sessionID == "" {
-		return "", false
-	}
-
-	if backendID != "" {
-		logger.LogInfo("client", "New MCP client connection, remote=%s, method=%s, path=%s, backend=%s, session=%s",
-			r.RemoteAddr, r.Method, r.URL.Path, backendID, auth.TruncateSessionID(sessionID))
-	} else {
-		logger.LogInfo("client", "MCP connection established, remote=%s, method=%s, path=%s, session=%s",
-			r.RemoteAddr, r.Method, r.URL.Path, auth.TruncateSessionID(sessionID))
-	}
-
-	logHTTPRequestBody(r, sessionID, backendID)
-
-	*r = *injectSessionContext(r, sessionID, backendID)
-
-	return sessionID, true
-}
-
 // WithOTELTracing wraps an http.Handler with an OpenTelemetry span for each request.
 // The span covers the full HTTP handler lifecycle and includes session ID, HTTP path,
 // and method as span attributes. The span context is propagated into the request context

internal/server/http_helpers.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/github/gh-aw-mcpg/internal/config"
 	"github.com/github/gh-aw-mcpg/internal/guard"
+	"github.com/github/gh-aw-mcpg/internal/httputil"
 	"github.com/github/gh-aw-mcpg/internal/mcp"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -732,7 +733,7 @@ func stringPtr(s string) *string {
 	return &s
 }
 
-// TestWriteErrorResponse verifies that writeErrorResponse writes a JSON error
+// TestWriteErrorResponse verifies that httputil.WriteErrorResponse writes a JSON error
 // body with "error" and "message" fields and the correct status code and Content-Type.
 func TestWriteErrorResponse(t *testing.T) {
 	tests := []struct {
@@ -782,7 +783,7 @@ func TestWriteErrorResponse(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			w := httptest.NewRecorder()
-			writeErrorResponse(w, tt.statusCode, tt.code, tt.message)
+			httputil.WriteErrorResponse(w, tt.statusCode, tt.code, tt.message)
 
 			assert.Equal(t, tt.statusCode, w.Code, "status code should match")
 			assert.Equal(t, "application/json", w.Header().Get("Content-Type"), "Content-Type should be application/json")

internal/server/http_helpers_test.go

@@ -3,12 +3,16 @@ package server
 import (
 	"context"
 	"fmt"
+	"net/http"
 	"os"
 	"path/filepath"
 	"time"
 
 	"github.com/github/gh-aw-mcpg/internal/auth"
+	"github.com/github/gh-aw-mcpg/internal/guard"
 	"github.com/github/gh-aw-mcpg/internal/logger"
+	"github.com/github/gh-aw-mcpg/internal/logger/sanitize"
+	"github.com/github/gh-aw-mcpg/internal/mcp"
 	"github.com/github/gh-aw-mcpg/internal/syncutil"
 )
 
@@ -110,3 +114,95 @@ func (us *UnifiedServer) getSessionKeys() []string {
 	logSession.Printf("Active sessions: count=%d", len(keys))
 	return keys
 }
+
+// extractAndValidateSession extracts the session ID from the Authorization header
+// and logs connection details. Returns empty string if validation fails.
+func extractAndValidateSession(r *http.Request) string {
+	logSession.Printf("Extracting session from request: remote=%s, path=%s", r.RemoteAddr, r.URL.Path)
+
+	authHeader := r.Header.Get("Authorization")
+	sessionID := auth.ExtractSessionID(authHeader)
+
+	if sessionID == "" {
+		logSession.Printf("Session extraction failed: missing or invalid Authorization header, remote=%s", r.RemoteAddr)
+		logger.LogError("client", "Rejected MCP client connection: missing or invalid Authorization header, remote=%s, path=%s", r.RemoteAddr, r.URL.Path)
+		return ""
+	}
+
+	logSession.Printf("Session extracted successfully: sessionID=%s, remote=%s", auth.TruncateSessionID(sessionID), r.RemoteAddr)
+	return sessionID
+}
+
+// injectSessionContext stores the session ID and optional backend ID into the request context.
+// If backendID is empty, only session ID is injected (unified mode).
+// Returns the modified request with updated context.
+func injectSessionContext(r *http.Request, sessionID, backendID string) *http.Request {
+	logSession.Printf("Injecting session context: sessionID=%s, backendID=%s", auth.TruncateSessionID(sessionID), backendID)
+
+	ctx := context.WithValue(r.Context(), SessionIDContextKey, sessionID)
+	ctx = guard.SetAgentIDInContext(ctx, sessionID)
+
+	if backendID != "" {
+		logSession.Printf("Adding backend ID to context: backendID=%s", backendID)
+		ctx = context.WithValue(ctx, mcp.ContextKey("backend-id"), backendID)
+	}
+
+	logSession.Print("Session context injected successfully")
+	return r.WithContext(ctx)
+}
+
+// setupSessionCallback extracts the session ID, logs the new connection, injects
+// the session into the request context, and returns the session ID.
+// Used by both routed and unified StreamableHTTP session establishment callbacks.
+func setupSessionCallback(r *http.Request, backendID string) (string, bool) {
+	sessionID := extractAndValidateSession(r)
+	if sessionID == "" {
+		return "", false
+	}
+
+	if backendID != "" {
+		logger.LogInfo("client", "New MCP client connection, remote=%s, method=%s, path=%s, backend=%s, session=%s",
+			r.RemoteAddr, r.Method, r.URL.Path, backendID, auth.TruncateSessionID(sessionID))
+	} else {
+		logger.LogInfo("client", "MCP connection established, remote=%s, method=%s, path=%s, session=%s",
+			r.RemoteAddr, r.Method, r.URL.Path, auth.TruncateSessionID(sessionID))
+	}
+
+	logHTTPRequestBody(r, sessionID, backendID)
+
+	*r = *injectSessionContext(r, sessionID, backendID)
+
+	return sessionID, true
+}
+
+// logHTTPRequestBody logs the request body for debugging purposes.
+// It reads the body, logs it, and restores it so it can be read again.
+// The backendID parameter is optional and can be empty for unified mode.
+// It calls peekRequestBody (defined in http_helpers.go) which is a shared
+// HTTP utility also used by WithSDKLogging.
+func logHTTPRequestBody(r *http.Request, sessionID, backendID string) {
+	logSession.Printf("Checking request body: method=%s, hasBody=%v, sessionID=%s", r.Method, r.Body != nil, auth.TruncateSessionID(sessionID))
+
+	bodyBytes, err := peekRequestBody(r)
+	if err != nil {
+		logSession.Printf("Body read failed: err=%v", err)
+		return
+	}
+	if len(bodyBytes) == 0 {
+		logSession.Printf("Skipping body logging: not a POST request, no body present, or empty body")
+		return
+	}
+
+	logSession.Printf("Request body read: size=%d bytes, sessionID=%s, backendID=%s", len(bodyBytes), auth.TruncateSessionID(sessionID), backendID)
+
+	// Sanitize the body before logging
+	sanitizedBody := sanitize.SanitizeString(string(bodyBytes))
+
+	// Log with backend context if provided (routed mode)
+	if backendID != "" {
+		logger.LogDebug("client", "MCP client request body, backend=%s, body=%s", backendID, sanitizedBody)
+	} else {
+		logger.LogDebug("client", "MCP request body, session=%s, body=%s", auth.TruncateSessionID(sessionID), sanitizedBody)
+	}
+	logSession.Print("Request body logged for debugging")
+}