Upgrade go-sdk to v1.6.0 and consolidate session-missing detection (#6017)

This module is the core MCP dependency in `gh-aw-mcpg`, and the repo was
one minor version behind on `modelcontextprotocol/go-sdk`. This PR
updates the SDK and tightens a small MCP transport code path called out
in the review by removing duplicated session-not-found string matching.

- **Dependency refresh**
- Bumps `github.com/modelcontextprotocol/go-sdk` from `v1.5.0` to
`v1.6.0`.
- Updates transitive module metadata/checksums (including
`github.com/google/jsonschema-go`).

- **Session-not-found detection cleanup**
- Introduces a shared constant for the backend session-missing message
in `internal/mcp/http_transport.go`.
  - Reuses that constant in both helpers:
    - `isSessionNotFoundError`
    - `isSessionNotFoundHTTPResponse`
  - Keeps behavior unchanged while removing duplicated literals.

- **SDK contract annotation update**
- Updates the bypass-validation contract note in
`internal/server/tool_registry.go` to reflect verification against
go-sdk `v1.6.0`.

```go
const (
    HTTPTransportPlainJSON HTTPTransportType = "plain-json"
    sessionNotFoundMessage                   = "session not found"
)

func isSessionNotFoundError(err error) bool {
    if errors.Is(err, sdk.ErrSessionMissing) {
        return true
    }
    return strings.Contains(strings.ToLower(err.Error()), sessionNotFoundMessage)
}
```

Author: lpcox

go.mod

@@ -4,7 +4,7 @@ go 1.25.0
 
 require (
 	github.com/BurntSushi/toml v1.6.0
-	github.com/modelcontextprotocol/go-sdk v1.5.0
+	github.com/modelcontextprotocol/go-sdk v1.6.0
 	github.com/spf13/cobra v1.10.2
 	golang.org/x/term v0.41.0
 )
@@ -27,7 +27,7 @@ require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/go-logr/logr v1.4.3 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
-	github.com/google/jsonschema-go v0.4.2 // indirect
+	github.com/google/jsonschema-go v0.4.3 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect

go.sum

@@ -18,8 +18,8 @@ github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/jsonschema-go v0.4.2 h1:tmrUohrwoLZZS/P3x7ex0WAVknEkBZM46iALbcqoRA8=
-github.com/google/jsonschema-go v0.4.2/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE=
+github.com/google/jsonschema-go v0.4.3 h1:/DBOLZTfDow7pe2GmaJNhltueGTtDKICi8V8p+DQPd0=
+github.com/google/jsonschema-go v0.4.3/go.mod h1:r5quNTdLOYEz95Ru18zA0ydNbBuYoo9tgaYcxEYhJVE=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/grpc-ecosystem/grpc-gateway/v2 v2.28.0 h1:HWRh5R2+9EifMyIHV7ZV+MIZqgz+PMpZ14Jynv3O2Zs=
@@ -34,8 +34,8 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/modelcontextprotocol/go-sdk v1.5.0 h1:CHU0FIX9kpueNkxuYtfYQn1Z0slhFzBZuq+x6IiblIU=
-github.com/modelcontextprotocol/go-sdk v1.5.0/go.mod h1:gggDIhoemhWs3BGkGwd1umzEXCEMMvAnhTrnbXJKKKA=
+github.com/modelcontextprotocol/go-sdk v1.6.0 h1:PPLS3kn7WtOEnR+Af4X5H96SG0qSab8R/ZQT/HkhPkY=
+github.com/modelcontextprotocol/go-sdk v1.6.0/go.mod h1:kzm3kzFL1/+AziGOE0nUs3gvPoNxMCvkxokMkuFapXQ=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=

internal/mcp/connection.go

@@ -364,7 +364,7 @@ func (c *Connection) reconnectSDKTransport() error {
 			HTTPClient: headerClient,
 			// MaxRetries: -1 disables SDK-level reconnect retries (0 = SDK default 5 retries;
 			// negative = 0 retries). The gateway handles reconnection itself, so we set -1 to
-			// prevent double-retry behaviour. Verified against go-sdk v1.5.0 streamable.go:1547-1552.
+			// prevent double-retry behaviour. Verified against go-sdk v1.6.0 streamable.go:1547-1552.
 			// See TestMaxRetriesSentinelCanary for an automated guard against SDK changes.
 			MaxRetries:           -1,
 			DisableStandaloneSSE: true,

internal/mcp/http_transport.go

@@ -34,6 +34,8 @@ const (
 	HTTPTransportPlainJSON HTTPTransportType = "plain-json"
 )
 
+const sessionNotFoundMessage = "session not found"
+
 // MCPProtocolVersion is the MCP protocol version used only by the plain JSON-RPC
 // fallback path in this package. Streamable and SSE transports are SDK-managed
 // and negotiate protocol versions internally.
@@ -86,7 +88,7 @@ func isSessionNotFoundError(err error) bool {
 	// TODO(tech-debt): remove this string-matching fallback once the plain JSON-RPC
 	// transport (HTTPTransportPlainJSON) is retired. The plain JSON-RPC path exists
 	// only for compatibility with backends that predate the 2024-11-05 MCP spec.
-	return strings.Contains(strings.ToLower(err.Error()), "session not found")
+	return strings.Contains(strings.ToLower(err.Error()), sessionNotFoundMessage)
 }
 
 // isSessionNotFoundHTTPResponse checks if an HTTP response indicates the backend session was not found.
@@ -95,7 +97,7 @@ func isSessionNotFoundHTTPResponse(statusCode int, body []byte) bool {
 	if statusCode != http.StatusNotFound {
 		return false
 	}
-	return strings.Contains(strings.ToLower(string(body)), "session not found")
+	return strings.Contains(strings.ToLower(string(body)), sessionNotFoundMessage)
 }
 
 // parseSSEResponse extracts JSON data from SSE-formatted response
@@ -457,7 +459,7 @@ func tryStreamableHTTPTransport(ctx context.Context, cancel context.CancelFunc,
 				HTTPClient: httpClient,
 				// MaxRetries: -1 disables SDK-level reconnect retries (0 = SDK default 5 retries;
 				// negative = 0 retries). We fall through to SSE or plain JSON-RPC on failure.
-				// Verified against go-sdk v1.5.0 streamable.go:1547-1552.
+				// Verified against go-sdk v1.6.0 streamable.go:1547-1552.
 				// See TestMaxRetriesSentinelCanary for an automated guard against SDK changes.
 				MaxRetries: -1,
 				// DisableStandaloneSSE prevents the SDK from issuing a GET request for a

internal/mcp/http_transport_test.go

@@ -1296,7 +1296,7 @@ func TestOIDCRoundTripper_ErrorPropagation(t *testing.T) {
 // gateway's reconnect logic would silently permit extra retries and this test
 // would fail to alert.
 //
-// SDK source: streamable.go:1547-1552 (verified against go-sdk v1.5.0):
+// SDK source: streamable.go:1547-1552 (verified against go-sdk v1.6.0):
 //
 //	maxRetries := t.MaxRetries
 //	if maxRetries == 0 {

internal/server/tool_registry.go

@@ -50,7 +50,7 @@ type launchResult struct {
 // does require that InputSchema is non-nil and has type "object" (enforced since v1.5.0), but
 // it does not validate the argument values — that responsibility belongs to the caller.
 // This distinction relies on internal SDK behaviour and must be re-verified on every SDK upgrade.
-// Verified correct for go-sdk v1.5.0 (see server.go:Server.AddTool vs AddTool[In,Out]).
+// Verified correct for go-sdk v1.6.0 (see server.go:Server.AddTool vs AddTool[In,Out]).
 func registerToolWithoutValidation(server *sdk.Server, tool *sdk.Tool, handler func(context.Context, *sdk.CallToolRequest, interface{}) (*sdk.CallToolResult, interface{}, error)) {
 	server.AddTool(tool, func(ctx context.Context, req *sdk.CallToolRequest) (*sdk.CallToolResult, error) {
 		result, _, err := handler(ctx, req, nil)