Move SupportedProtocolVersions to McpServer as instance member

Add abstract SupportedProtocolVersions property to McpServer, implemented
by McpServerImpl (delegating to McpSessionHandler.SupportedProtocolVersions)
and DestinationBoundMcpServer. Protocol version validation in
StreamableHttpHandler now occurs after session resolution, querying the
server instance directly. Remove private HashSet from handler.

Co-authored-by: stephentoub <2642209+stephentoub@users.noreply.github.com>

Author: Copilot

src/ModelContextProtocol.AspNetCore/StreamableHttpHandler.cs

@@ -26,28 +26,13 @@ internal sealed class StreamableHttpHandler(
     private const string McpProtocolVersionHeaderName = "MCP-Protocol-Version";
     private const string LastEventIdHeaderName = "Last-Event-ID";
 
-    /// <summary>All protocol versions supported by this implementation.</summary>
-    private static readonly HashSet<string> s_supportedProtocolVersions =
-    [
-        "2024-11-05",
-        "2025-03-26",
-        "2025-06-18",
-        "2025-11-25",
-    ];
-
     private static readonly JsonTypeInfo<JsonRpcMessage> s_messageTypeInfo = GetRequiredJsonTypeInfo<JsonRpcMessage>();
     private static readonly JsonTypeInfo<JsonRpcError> s_errorTypeInfo = GetRequiredJsonTypeInfo<JsonRpcError>();
 
     public HttpServerTransportOptions HttpServerTransportOptions => httpServerTransportOptions.Value;
 
     public async Task HandlePostRequestAsync(HttpContext context)
     {
-        if (!ValidateProtocolVersionHeader(context, out var errorMessage))
-        {
-            await WriteJsonRpcErrorAsync(context, errorMessage!, StatusCodes.Status400BadRequest);
-            return;
-        }
-
         // The Streamable HTTP spec mandates the client MUST accept both application/json and text/event-stream.
         // ASP.NET Core Minimal APIs mostly try to stay out of the business of response content negotiation,
         // so we have to do this manually. The spec doesn't mandate that servers MUST reject these requests,
@@ -67,6 +52,12 @@ await WriteJsonRpcErrorAsync(context,
             return;
         }
 
+        if (!ValidateProtocolVersionHeader(context, session.Server, out var errorMessage))
+        {
+            await WriteJsonRpcErrorAsync(context, errorMessage!, StatusCodes.Status400BadRequest);
+            return;
+        }
+
         await using var _ = await session.AcquireReferenceAsync(context.RequestAborted);
 
         var message = await ReadJsonRpcMessageAsync(context);
@@ -90,12 +81,6 @@ await WriteJsonRpcErrorAsync(context,
 
     public async Task HandleGetRequestAsync(HttpContext context)
     {
-        if (!ValidateProtocolVersionHeader(context, out var errorMessage))
-        {
-            await WriteJsonRpcErrorAsync(context, errorMessage!, StatusCodes.Status400BadRequest);
-            return;
-        }
-
         if (!context.Request.GetTypedHeaders().Accept.Any(MatchesTextEventStreamMediaType))
         {
             await WriteJsonRpcErrorAsync(context,
@@ -111,6 +96,12 @@ await WriteJsonRpcErrorAsync(context,
             return;
         }
 
+        if (!ValidateProtocolVersionHeader(context, session.Server, out var errorMessage))
+        {
+            await WriteJsonRpcErrorAsync(context, errorMessage!, StatusCodes.Status400BadRequest);
+            return;
+        }
+
         var lastEventId = context.Request.Headers[LastEventIdHeaderName].ToString();
         if (!string.IsNullOrEmpty(lastEventId))
         {
@@ -193,15 +184,15 @@ private static async Task HandleResumePostResponseStreamAsync(HttpContext contex
 
     public async Task HandleDeleteRequestAsync(HttpContext context)
     {
-        if (!ValidateProtocolVersionHeader(context, out var errorMessage))
-        {
-            await WriteJsonRpcErrorAsync(context, errorMessage!, StatusCodes.Status400BadRequest);
-            return;
-        }
-
         var sessionId = context.Request.Headers[McpSessionIdHeaderName].ToString();
         if (sessionManager.TryRemove(sessionId, out var session))
         {
+            if (!ValidateProtocolVersionHeader(context, session.Server, out var errorMessage))
+            {
+                await WriteJsonRpcErrorAsync(context, errorMessage!, StatusCodes.Status400BadRequest);
+                return;
+            }
+
             await session.DisposeAsync();
         }
     }
@@ -422,11 +413,11 @@ internal static Task RunSessionAsync(HttpContext httpContext, McpServer session,
     /// Validates the MCP-Protocol-Version header if present. A missing header is allowed for backwards compatibility,
     /// but an invalid or unsupported value must be rejected with 400 Bad Request per the MCP spec.
     /// </summary>
-    private static bool ValidateProtocolVersionHeader(HttpContext context, out string? errorMessage)
+    private static bool ValidateProtocolVersionHeader(HttpContext context, McpServer server, out string? errorMessage)
     {
         var protocolVersionHeader = context.Request.Headers[McpProtocolVersionHeaderName].ToString();
         if (!string.IsNullOrEmpty(protocolVersionHeader) &&
-            !s_supportedProtocolVersions.Contains(protocolVersionHeader))
+            !server.SupportedProtocolVersions.Contains(protocolVersionHeader))
         {
             errorMessage = $"Bad Request: The MCP-Protocol-Version header value '{protocolVersionHeader}' is not supported.";
             return false;

src/ModelContextProtocol.Core/Server/DestinationBoundMcpServer.cs

@@ -12,6 +12,7 @@ internal sealed class DestinationBoundMcpServer(McpServerImpl server, ITransport
     public override McpServerOptions ServerOptions => server.ServerOptions;
     public override IServiceProvider? Services => server.Services;
     public override LoggingLevel? LoggingLevel => server.LoggingLevel;
+    public override ICollection<string> SupportedProtocolVersions => server.SupportedProtocolVersions;
 
     public override ValueTask DisposeAsync() => server.DisposeAsync();
 

src/ModelContextProtocol.Core/Server/McpServer.cs

@@ -55,6 +55,11 @@ public abstract partial class McpServer : McpSession
     /// <summary>Gets the last logging level set by the client, or <see langword="null"/> if it's never been set.</summary>
     public abstract LoggingLevel? LoggingLevel { get; }
 
+    /// <summary>
+    /// Gets the protocol versions supported by this server implementation.
+    /// </summary>
+    public abstract ICollection<string> SupportedProtocolVersions { get; }
+
     /// <summary>
     /// Runs the server, listening for and handling client requests.
     /// </summary>

src/ModelContextProtocol.Core/Server/McpServerImpl.cs

@@ -155,6 +155,9 @@ void Register<TPrimitive>(McpServerPrimitiveCollection<TPrimitive>? collection,
     /// <inheritdoc />
     public override LoggingLevel? LoggingLevel => _loggingLevel?.Value;
 
+    /// <inheritdoc />
+    public override ICollection<string> SupportedProtocolVersions => McpSessionHandler.SupportedProtocolVersions;
+
     /// <inheritdoc />
     public override async Task RunAsync(CancellationToken cancellationToken = default)
     {

tests/ModelContextProtocol.Tests/Server/McpServerTests.cs

@@ -938,6 +938,7 @@ public override Task<JsonRpcResponse> SendRequestAsync(JsonRpcRequest request, C
         public override Implementation? ClientInfo => throw new NotImplementedException();
         public override IServiceProvider? Services => throw new NotImplementedException();
         public override LoggingLevel? LoggingLevel => throw new NotImplementedException();
+        public override ICollection<string> SupportedProtocolVersions => throw new NotImplementedException();
         public override Task SendMessageAsync(JsonRpcMessage message, CancellationToken cancellationToken = default) =>
             throw new NotImplementedException();
         public override Task RunAsync(CancellationToken cancellationToken = default) =>