Document initialize body protocolVersion is authoritative on Streamable HTTP

[koic]

Motivation and Context

When an initialize POST carries an MCP-Protocol-Version HTTP header that disagrees with params.protocolVersion in the JSON-RPC body, the Streamable HTTP server accepts the request and negotiates using the body value. The behavior was already encoded in handle_post (the header check is skipped on initialize) but it was not stated in the code and there was no regression test for the specific mismatch case.

MCP 2025-06-18 / 2025-11-25 only requires MCP-Protocol-Version on requests subsequent to initialize, and the spec does not require the header and body to agree on the initial initialize. All official MCP SDKs (TypeScript, Python, Rust, Java, Go, PHP) accept the mismatch and treat the JSON-RPC body as authoritative.

How Has This Been Tested?

Streamable HTTP tests: two new regression tests confirm that on an initialize POST with a supported but mismatched MCP-Protocol-Version header, the server returns HTTP 200 and the response's result.protocolVersion matches the JSON-RPC body value, in both mismatch directions (header older / body newer, and header newer / body older).

Breaking Changes

None. The behavior is unchanged: initialize requests with a mismatched MCP-Protocol-Version header are still accepted, and the JSON-RPC body params.protocolVersion continues to drive negotiation. This commit only adds an explanatory comment and regression tests.

Closes #351.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed