sep-2243.yaml: spec-first rewrite + move to src/seps/

Regenerated from the SEP-2243 spec diff (transports.mdx + tools.mdx) rather
than from the scenario implementations: 21 check rows + 4 excluded vs the
previous 46 + 2. Differences:

- one check id per spec sentence (test variants go in 'details', not new ids)
- 'text:' quotes the spec sentence verbatim instead of paraphrasing
- '-reject-status' (MUST 400) split from '-reject-error-code' (SHOULD -32001
  for standard headers, MUST for custom)
- rows with no spec backing dropped (whitespace, base64-padding/chars, prefix/
  suffix-literal, control-char-name)
- two more SHOULD excludes (log-warning, no-sensitive-params)
- check ids use sep-2243-<slug> convention
- check: key first, excludes grouped at bottom (matches sep-2164)

Moved to src/seps/ to match #272 layout (this branch predates it; will
reconcile cleanly on rebase).

Author: pcarleton

src/scenarios/sep-2243.yaml

@@ -0,0 +1,59 @@
+sep: 2243
+spec_url: https://modelcontextprotocol.io/specification/draft/basic/transports#standard-mcp-request-headers
+requirements:
+  - check: sep-2243-client-includes-standard-headers
+    text: 'The client MUST include the standard MCP request headers on each POST request. These headers are REQUIRED for compliance.'
+  - check: sep-2243-header-name-case-insensitive
+    text: 'Clients and servers MUST use case-insensitive comparisons for header names.'
+  - check: sep-2243-server-reject-mismatch
+    text: 'Servers that process the request body MUST reject requests where the values specified in the headers do not match the corresponding values in the request body.'
+  - check: sep-2243-server-reject-status
+    text: 'When rejecting a request due to header validation failure, servers MUST return HTTP status 400 Bad Request.'
+  - check: sep-2243-server-reject-error-code
+    text: 'When rejecting a request due to header validation failure, servers SHOULD include a JSON-RPC error response using error code -32001.'
+  - check: sep-2243-client-supports-custom-headers
+    text: 'MCP clients MUST support this feature [custom headers via x-mcp-header].'
+  - check: sep-2243-client-mirrors-designated-params
+    text: 'When a client invokes a tool whose definition includes such designations, conforming clients MUST mirror the designated parameter values into HTTP headers as described below.'
+  - check: sep-2243-x-mcp-header-not-empty
+    text: 'The x-mcp-header value MUST NOT be empty.'
+    url: https://modelcontextprotocol.io/specification/draft/server/tools#custom-headers
+  - check: sep-2243-x-mcp-header-charset
+    text: 'The x-mcp-header value MUST contain only ASCII characters (excluding space and `:`).'
+    url: https://modelcontextprotocol.io/specification/draft/server/tools#custom-headers
+  - check: sep-2243-x-mcp-header-unique
+    text: 'The x-mcp-header value MUST be case-insensitively unique within a single tool definition.'
+    url: https://modelcontextprotocol.io/specification/draft/server/tools#custom-headers
+  - check: sep-2243-x-mcp-header-primitive-only
+    text: 'x-mcp-header MUST only be applied to parameters with primitive types (number, string, or boolean).'
+    url: https://modelcontextprotocol.io/specification/draft/server/tools#custom-headers
+  - check: sep-2243-client-reject-invalid-tool
+    text: 'Clients MUST reject tool definitions where any x-mcp-header value violates these constraints. Rejection means the client MUST exclude the invalid tool from the set of tools returned by tools/list.'
+    url: https://modelcontextprotocol.io/specification/draft/server/tools#custom-headers
+  - check: sep-2243-client-encode-values
+    text: 'Clients MUST encode parameter values before including them in HTTP headers: number values MUST be converted to their decimal string representation; boolean values MUST be converted to the lowercase strings "true" or "false".'
+  - check: sep-2243-client-base64-unsafe
+    text: 'When a value cannot be safely represented as plain ASCII (e.g., contains non-ASCII characters, control characters, or leading/trailing whitespace), clients MUST use Base64 encoding of the UTF-8 representation, wrapped as =?base64?{encoded}?=.'
+  - check: sep-2243-server-decode-base64
+    text: 'Servers and intermediaries that need to inspect these values MUST decode them accordingly.'
+  - check: sep-2243-client-omit-null
+    text: 'Parameter value is null or omitted: Client MUST omit the header.'
+  - check: sep-2243-server-not-expect-null
+    text: 'Parameter value is null or omitted: Server MUST NOT expect the header.'
+  - check: sep-2243-server-reject-missing-required
+    text: 'Required parameter is omitted: Server MUST reject with JSON-RPC error.'
+  - check: sep-2243-server-reject-invalid-param-chars
+    text: 'Servers MUST reject requests with a recognized Mcp-Param-{Name} header that contain invalid characters.'
+  - check: sep-2243-server-validate-param-match
+    text: 'Any server that processes the message body MUST validate that encoded header values, after decoding if Base64-encoded, match the corresponding parameter values in the body.'
+  - check: sep-2243-server-reject-param-mismatch
+    text: 'Servers MUST reject requests with a 400 Bad Request HTTP status and JSON-RPC error code -32001 if any validation fails.'
+
+  - text: 'Clients SHOULD log a warning when rejecting a tool definition due to invalid x-mcp-header, including the tool name and the reason.'
+    excluded: 'Log output is not wire-observable.'
+  - text: 'Server developers SHOULD NOT mark sensitive parameters (such as passwords, API keys, tokens, or PII) with x-mcp-header.'
+    excluded: 'Design guidance to humans; not protocol-observable.'
+  - text: 'Intermediaries MUST return an appropriate HTTP error status for validation failures.'
+    excluded: 'Intermediary requirement; conformance harness tests clients and servers, not intermediaries.'
+  - text: 'Intermediate servers that do not recognize an Mcp-Param-{Name} header MUST forward it and otherwise ignore it.'
+    excluded: 'Intermediary requirement; conformance harness tests clients and servers, not intermediaries.'