fix: intercept GET /mcp in session registry + request logger (#178)

[cmeans-claude-dev]

Summary

• Session registry now intercepts GET /mcp (SSE reconnect) with session IDs — previously only POST/DELETE were handled, causing stale GET requests to return 409 directly from FastMCP
• New McpRequestLogger middleware logs method, truncated session ID, client IP, and response status for every /mcp request
• 8 new tests: 4 for GET intercept (known session, no session, unknown session, owner mismatch) + 4 for request logger (POST with/without session, GET, non-MCP path skip)

Closes #178

QA

Prerequisites

• pip install -e ".[dev]"
• Deploy to test instance on alternate port (AWARENESS_PORT=8421)

Manual tests (via MCP tools)

1. • Request logger output visible — MCP POST /mcp lines with session ID and status in logs
2. • GET with stale session intercepted — middleware routes through _handle_subsequent (confirmed via log)
3. • GET without session passes through — returns 400 from FastMCP (no init handshake)
4. • Non-MCP paths not logged — /health produces zero MCP log lines

🤖 Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

[cmeans-claude-dev]

Additional commit (f9a60eb): Removed exact test count from README. The count went stale on every PR and QA flagged it multiple times this session. CI badge and Codecov reports are the authoritative source — no more manual maintenance.

[cmeans]

Adding QA Active — reviewing GET /mcp intercept fix.

[cmeans]

QA Review — Round 1

Code review

Session registry GET intercept — minimal, targeted fix. Two lines changed in session_registry.py: added "GET" to the method filter and to the _handle_subsequent routing. GET requests with session IDs now go through the same lookup → validate owner → pass through / re-init path as POST requests.

McpRequestLogger — clean ASGI middleware. Logs method, truncated session ID (12 chars + ellipsis), client IP, and response status. Placed outside the session registry (between session registry and SecretPathMiddleware) so it captures both intercepted and pass-through requests. Only logs /mcp requests — health checks and other paths skip.

README — replaced specific test count with "Comprehensive test suite". Prevents recurring test count drift.

Check	Result
GET now routed through _handle_subsequent	✅
GET without session passes through (no interception)	✅
Logger truncates session IDs > 12 chars	✅
Logger skips non-MCP paths	✅
Logger placed outside session registry in both MOUNT_PATH and plain transport paths	✅
CHANGELOG: both entries (Added + Fixed)	✅
README: "Comprehensive test suite" replaces count	✅
763/763 full suite pass	✅
CI all green	✅

Manual test results (Docker QA instance)

#	Test	Result
1	Request logger output	✅ MCP POST /mcp session=none/... visible in logs
2	GET with stale session intercepted	✅ Middleware intercepts, routes through _handle_subsequent
3	GET without session passes through	✅ Returns 400 from FastMCP (no handshake)
4	Non-MCP paths not logged	✅ Zero MCP log lines for /health

Test sufficiency

The 4 GET intercept tests cover the key cases: known session (pass through), no session (pass through), unknown session (404 from FastMCP), and owner mismatch (403). The 4 logger tests cover POST with/without session, GET, non-MCP skip, and non-HTTP scope. Solid coverage for both features.

Zero findings. Verdict: Pass — ready for signoff.

[cmeans]

Applying Ready for QA Signoff — GET intercept and request logger both verified on Docker QA instance, 763/763 tests pass, CI green, zero findings.

[cmeans]

LGTM