security: Replace weak MD5 hash with SHA256 in MCPSessionManager

Replaces `hashlib.md5` with `hashlib.sha256` for session key generation
in `mcp_session_manager.py` to mitigate security risks associated with
weak cryptographic hashes. Updated the corresponding unit test to
expect SHA256 hashes.

Author: shivan4030

src/google/adk/tools/mcp_tool/mcp_session_manager.py

@@ -273,7 +273,7 @@ def _generate_session_key(
     # For SSE and StreamableHTTP connections, use merged headers
     if merged_headers:
       headers_json = json.dumps(merged_headers, sort_keys=True)
-      headers_hash = hashlib.md5(headers_json.encode()).hexdigest()
+      headers_hash = hashlib.sha256(headers_json.encode()).hexdigest()
       return f'session_{headers_hash}'
     else:
       return 'session_no_headers'

tests/unittests/tools/mcp_tool/test_mcp_session_manager.py

@@ -222,7 +222,7 @@ def test_generate_session_key_sse(self):
 
     # Should be deterministic hash
     headers_json = json.dumps(headers1, sort_keys=True)
-    expected_hash = hashlib.md5(headers_json.encode()).hexdigest()
+    expected_hash = hashlib.sha256(headers_json.encode()).hexdigest()
     assert key1 == f"session_{expected_hash}"
 
   def test_merge_headers_stdio(self):