Upgrade go-sdk to v1.2.0 with enhanced observability and resource management (#590)

## Go SDK v1.2.0 Upgrade and Configuration Enhancements ✅

Based on the Go Fan report for modelcontextprotocol/go-sdk, successfully
implemented the following improvements:

### ✅ Priority 1 (Immediate) - Security & Observability
- [x] **Upgraded go-sdk from v1.1.0 to v1.2.0**
  - Security fixes including session hijacking prevention
  - Bug fixes: streamable transport improvements, Windows CRLF handling
  - MCP spec 2025-11-25 support (icons, metadata, tool name validation)
- [x] **Added Logger to StreamableHTTPOptions**
(`internal/server/transport.go`)
- Integrated SDK logging with project's logger framework via slog
adapter
  - Uses existing `logTransport` logger instance for consistency
- [x] **Added SessionTimeout to StreamableHTTPOptions**
(`internal/server/transport.go`)
  - Set to 30 minutes to prevent resource leaks from idle connections
  - Follows SDK maintainer best practices

### ✅ Priority 2 (Short-term) - Better Diagnostics
- [x] **Updated Implementation.Version** to use actual project version
(`internal/mcp/connection.go`)
  - Added `SetClientGatewayVersion` function with whitespace validation
  - Called from `cmd.SetVersion` to sync version across components
- Replaces hardcoded "1.0.0" with dynamic version from build-time
variables

### ℹ️ Priority 3 (Optional Optimization)
- [x] **Investigated DisableListening option**
  - Not exposed in public API for StreamableClientTransport in v1.2.0
  - Feature not available for implementation at this time

### ✅ Code Quality & Security
- [x] Code review completed - no issues found
- [x] CodeQL security scan - no vulnerabilities detected
- [x] Build verification successful
- [x] Lint errors fixed
- [x] Changes are minimal, focused, and backward-compatible

### 📊 Changes Summary
- **Files Modified**: 8 files (5 for SDK upgrade, 3 for lint fixes)
- **Lines Changed**: +36/-20
- **Security Improvements**: Session hijacking prevention, better error
handling
- **Observability**: Integrated SDK logging with project logger
- **Resource Management**: Session timeout prevents connection leaks

### 📝 Notes
- ClientOptions does not have a Logger field in SDK v1.2.0 (client-side
logging not available in current SDK version)
- All changes follow SDK best practices and project conventions
- Implementation is production-ready and safe to deploy

<!-- START COPILOT ORIGINAL PROMPT -->



<details>

<summary>Original prompt</summary>


----

*This section details on the original issue you should resolve*

<issue_title>[go-fan] Go Module Review:
modelcontextprotocol/go-sdk</issue_title>
<issue_description># 🐹 Go Fan Report: modelcontextprotocol/go-sdk

## Module Overview

The **official Go SDK for Model Context Protocol (MCP)** servers and
clients, maintained in collaboration with Google. This is the **core
dependency** that enables gh-aw-mcpg to function as an MCP gateway,
providing protocol implementation for stdio, HTTP, SSE, and streamable
transports.

**Repository**: https://github.com/modelcontextprotocol/go-sdk  
**Stars**: 3,745+ ⭐  
**Last Updated**: 2026-02-02T07:05:15Z (Updated TODAY! 🎉)

## Current Usage in gh-aw-mcpg

**Version**: v1.1.0 (from go.mod)  
**Files Using Module**: 20 files across the codebase  
**Key APIs Used**:
- Client creation: `sdk.NewClient()`, `sdk.ClientSession`
- Transports: `CommandTransport`, `StreamableClientTransport`,
`SSEClientTransport`
- Server: `NewStreamableHTTPHandler()`, `StreamableHTTPOptions`
- Session operations: `ListTools()`, `CallTool()`, `ListResources()`,
`ReadResource()`, `ListPrompts()`, `GetPrompt()`

### Usage Breakdown
- **Core Connection** (`internal/mcp/connection.go`): Client, session,
transport management
- **Server Transport** (`internal/server/transport.go`): Streamable HTTP
handler for MCP protocol
- **Server Logic** (`internal/server/routed.go`, `unified.go`): Server
initialization
- **Middleware** (`internal/middleware/jqschema.go`): Tool result
processing
- **Testing** (15 files): Comprehensive test coverage using SDK types

## Research Findings

### Recent Updates (Repository Updated TODAY!)

#### v1.2.0 (Latest Stable - 2025-12-22)
**Major Features**:
- ✅ Support for MCP Spec 2025-11-25 (icons, metadata, tool name
validation)
- ✅ Common error codes via `jsonrpc.Error` sentinel values
- ✅ OAuth 2.0 Protected Resource Metadata support
- ✅ Security: `UserID` in `TokenInfo` for session hijacking prevention
- ✅ Streamable transport improvements (SSE, context cancellation,
transient errors)
- ✅ Windows CRLF handling, connection reuse improvements

#### v1.3.0-pre.1 (Latest Pre-release - 2026-01-27)
**Performance Breakthrough** 🚀:
- **Schema Caching**: 132x faster tool registration (161µs → 1.2µs per
tool)
- 51x fewer allocations, 32x less memory per tool registration
- Critical for stateless server deployments with many tools

**New Features**:
- `DisableListening` option for `StreamableClientTransport` (reduce
resource usage)
- Exported `GetError` and `SetError` methods for error manipulation
- Fixed race condition in logging
- HTTP 405 responses now include Allow header per RFC 9110

### Best Practices from Maintainers

1. **Logging**: Use `ServerOptions.Logger` and `ClientOptions.Logger`
for integrated logging
2. **Timeouts**: Configure `StreamableHTTPOptions.SessionTimeout` to
prevent resource leaks
3. **Resource Optimization**: Use `DisableListening: true` if server
notifications aren't needed
4. **Error Handling**: Use standardized `jsonrpc.Error` codes for
interoperability
5. **Version Tracking**: Set meaningful `Implementation.Version` for
debugging
6. **Security**: Set `UserID` in `TokenInfo` to prevent session
hijacking (v1.2.0+)

## Improvement Opportunities

### 🏃 Quick Wins

#### 1. Upgrade to v1.2.0 (Stable Release) ⚡
**Location**: `go.mod`  
**Benefit**: Security fixes, bug fixes, MCP spec 2025-11-25 support  
**Risk**: Low (mostly additive changes, well-tested in production)  
**Action**: `go get -u github.com/modelcontextprotocol/go-sdk@v1.2.0`  
**Impact**: **HIGH** - Security and stability improvements

**Why Now**: v1.2.0 includes session hijacking prevention, streamable
transport bug fixes, and better error handling - all critical for a
production gateway.

#### 2. Add Logger to StreamableHTTPOptions ⚡
**Location**: `internal/server/transport.go:99`  
**Current**:
```go
&sdk.StreamableHTTPOptions{
    Stateless: false,
}
```

**Suggested**:
```go
&sdk.StreamableHTTPOptions{
    Stateless: false,
    Logger:    logTransport, // Use existing logger
}
```

**Benefit**: Integrate SDK logging with project's logger framework for
better debugging
**Impact**: **MEDIUM** - Improved observability and debugging

#### 3. Add SessionTimeout to StreamableHTTPOptions ⚡
**Location**: `internal/server/transport.go:99`  
**Suggested**:
```go
&sdk.StreamableHTTPOptions{
    Stateless: false,
    Logger:    logTransport,
    SessionTimeout: 30 * time.Minute, // Configurable timeout
}
```

**Benefit**: Prevent resource leaks from idle connections  
**Impact**: **MEDIUM** - Resource management and stability

#### 4. Add DisableListening to StreamableClientTransport 💡
**Location**: `internal/mcp/connection.go:362`  
**Suggested**:
```go
&sdk.StreamableClientTransport{
    URL:              url,
    HTTPClient:       httpClient,
    DisableListening: true, // Optional: disable if not needed
}
```

**Benefit**: Reduce resource usage if server notifications aren't needed
...

</details>



<!-- START COPILOT CODING AGENT SUFFIX -->

- Fixes #580

<!-- START COPILOT CODING AGENT TIPS -->
---

💬 We'd love your input! Share your thoughts on Copilot coding agent in
our [2 minute survey](https://gh.io/copilot-coding-agent-survey).

Author: lpcox

go.mod

@@ -4,7 +4,7 @@ go 1.25.0
 
 require (
 	github.com/BurntSushi/toml v1.6.0
-	github.com/modelcontextprotocol/go-sdk v1.1.0
+	github.com/modelcontextprotocol/go-sdk v1.2.0
 	github.com/spf13/cobra v1.10.2
 	golang.org/x/term v0.38.0
 )

go.sum

@@ -3,6 +3,8 @@ github.com/BurntSushi/toml v1.6.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/golang-jwt/jwt/v5 v5.2.2 h1:Rl4B7itRWVtYIHFrSNd7vhTiz9UpLdi6gZhZ3wEeDy8=
+github.com/golang-jwt/jwt/v5 v5.2.2/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/jsonschema-go v0.3.0 h1:6AH2TxVNtk3IlvkkhjrtbUc4S8AvO0Xii0DxIygDg+Q=
@@ -13,8 +15,8 @@ github.com/itchyny/gojq v0.12.18 h1:gFGHyt/MLbG9n6dqnvlliiya2TaMMh6FFaR2b1H6Drc=
 github.com/itchyny/gojq v0.12.18/go.mod h1:4hPoZ/3lN9fDL1D+aK7DY1f39XZpY9+1Xpjz8atrEkg=
 github.com/itchyny/timefmt-go v0.1.7 h1:xyftit9Tbw+Dc/huSSPJaEmX1TVL8lw5vxjJLK4GMMA=
 github.com/itchyny/timefmt-go v0.1.7/go.mod h1:5E46Q+zj7vbTgWY8o5YkMeYb4I6GeWLFnetPy5oBrAI=
-github.com/modelcontextprotocol/go-sdk v1.1.0 h1:Qjayg53dnKC4UZ+792W21e4BpwEZBzwgRW6LrjLWSwA=
-github.com/modelcontextprotocol/go-sdk v1.1.0/go.mod h1:6fM3LCm3yV7pAs8isnKLn07oKtB0MP9LHd3DfAcKw10=
+github.com/modelcontextprotocol/go-sdk v1.2.0 h1:Y23co09300CEk8iZ/tMxIX1dVmKZkzoSBZOpJwUnc/s=
+github.com/modelcontextprotocol/go-sdk v1.2.0/go.mod h1:6fM3LCm3yV7pAs8isnKLn07oKtB0MP9LHd3DfAcKw10=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=

internal/cmd/root.go

@@ -16,6 +16,7 @@ import (
 
 	"github.com/githubnext/gh-aw-mcpg/internal/config"
 	"github.com/githubnext/gh-aw-mcpg/internal/logger"
+	"github.com/githubnext/gh-aw-mcpg/internal/mcp"
 	"github.com/githubnext/gh-aw-mcpg/internal/server"
 	"github.com/spf13/cobra"
 )
@@ -448,4 +449,5 @@ func SetVersion(v string) {
 	version = v
 	rootCmd.Version = v
 	config.SetGatewayVersion(v)
+	mcp.SetClientGatewayVersion(v)
 }

internal/mcp/connection.go

@@ -21,6 +21,17 @@ import (
 
 var logConn = logger.New("mcp:connection")
 
+// gatewayVersion stores the gateway version used in MCP client implementation
+// It defaults to "dev" and is set at startup via SetClientGatewayVersion
+var gatewayVersion = "dev"
+
+// SetClientGatewayVersion sets the gateway version for MCP client implementation reporting
+func SetClientGatewayVersion(version string) {
+	if strings.TrimSpace(version) != "" {
+		gatewayVersion = version
+	}
+}
+
 // parseSSEResponse extracts JSON data from SSE-formatted response
 // SSE format: "event: message\ndata: {json}\n\n"
 func parseSSEResponse(body []byte) ([]byte, error) {
@@ -76,7 +87,7 @@ type Connection struct {
 func newMCPClient() *sdk.Client {
 	return sdk.NewClient(&sdk.Implementation{
 		Name:    "awmg",
-		Version: "1.0.0",
+		Version: gatewayVersion,
 	}, nil)
 }
 

internal/server/transport.go

@@ -4,6 +4,7 @@ import (
 	"context"
 	"log"
 	"net/http"
+	"time"
 
 	"github.com/githubnext/gh-aw-mcpg/internal/logger"
 	sdk "github.com/modelcontextprotocol/go-sdk/mcp"
@@ -97,7 +98,9 @@ func CreateHTTPServerForMCP(addr string, unifiedServer *UnifiedServer, apiKey st
 
 		return unifiedServer.server
 	}, &sdk.StreamableHTTPOptions{
-		Stateless: false, // Support stateful sessions
+		Stateless:      false,                                         // Support stateful sessions
+		Logger:         logger.NewSlogLoggerWithHandler(logTransport), // Integrate SDK logging with project logger
+		SessionTimeout: 30 * time.Minute,                              // Prevent resource leaks from idle connections
 	})
 
 	// Wrap SDK handler with detailed logging for JSON-RPC translation debugging