fix: reject initialize protocol version conflicts

[he-yufeng]

Summary

• reject initialize requests when the mcp-protocol-version header conflicts with initialize.params.protocolVersion
• keep initialize requests without the protocol-version header on the existing compatibility path
• move existing initialize session-id validation behind a small helper to keep the POST handler readable

Fixes #2618

To verify

• .\.venv\Scripts\python.exe -m pytest tests\shared\test_streamable_http.py -q -k "protocol_version"
• .\.venv\Scripts\python.exe -m ruff check src\mcp\server\streamable_http.py tests\shared\test_streamable_http.py
• .\.venv\Scripts\python.exe -m ruff format --check src\mcp\server\streamable_http.py tests\shared\test_streamable_http.py
• .\.venv\Scripts\pyright.exe src\mcp\server\streamable_http.py tests\shared\test_streamable_http.py
• git diff --check upstream/main..HEAD

[he-yufeng]

Pushed a test-only follow-up for the coverage gate. The HTTP mismatch path was already covered through the live server test, but that path runs out of process, so I added an in-process regression test for the 400 response branch.

Verified locally:

• .\.venv\Scripts\python.exe -m pytest tests\shared\test_streamable_http.py -q -k "protocol_version_mismatch"
• .\.venv\Scripts\python.exe -m ruff check src\mcp\server\streamable_http.py tests\shared\test_streamable_http.py
• .\.venv\Scripts\python.exe -m ruff format --check src\mcp\server\streamable_http.py tests\shared\test_streamable_http.py
• .\.venv\Scripts\pyright.exe src\mcp\server\streamable_http.py tests\shared\test_streamable_http.py
• git diff --check upstream/main..HEAD

[he-yufeng]

Rebased this onto current upstream/main and resolved the StreamableHTTP in-process transport test refactor conflict.

The mismatch coverage is now in the current async in-process style, so the old socket/requests test shape was not brought back.

Validated locally on Windows:

• PYTHONUTF8=1 uv run pytest tests/shared/test_streamable_http.py -q -k "protocol_version_header or initialize_protocol_version_mismatch or backwards_compatibility_no_protocol_version" (5 passed)
• PYTHONUTF8=1 uv run ruff check src/mcp/server/streamable_http.py tests/shared/test_streamable_http.py
• PYTHONUTF8=1 uv run ruff format --check src/mcp/server/streamable_http.py tests/shared/test_streamable_http.py
• PYTHONUTF8=1 uv run pyright src/mcp/server/streamable_http.py tests/shared/test_streamable_http.py
• PYTHONUTF8=1 uv run python -m py_compile src/mcp/server/streamable_http.py tests/shared/test_streamable_http.py
• git diff --check upstream/main..HEAD

[he-yufeng]

Follow-up after the Ubuntu matrix failure: the tests themselves passed, but strict-no-cover caught an old pragma: no cover on the request-header validation branch that is now covered by the updated in-process tests.

I removed that stale pragma and revalidated locally on Windows:

• PYTHONUTF8=1 uv run pytest tests/shared/test_streamable_http.py -q -k "protocol_version_header or initialize_protocol_version_mismatch or backwards_compatibility_no_protocol_version" (5 passed)
• PYTHONUTF8=1 uv run ruff check src/mcp/server/streamable_http.py tests/shared/test_streamable_http.py
• PYTHONUTF8=1 uv run ruff format --check src/mcp/server/streamable_http.py tests/shared/test_streamable_http.py
• PYTHONUTF8=1 uv run pyright src/mcp/server/streamable_http.py tests/shared/test_streamable_http.py
• PYTHONUTF8=1 uv run python -m py_compile src/mcp/server/streamable_http.py tests/shared/test_streamable_http.py
• git diff --check upstream/main..HEAD