fix: use Object.hasOwn in isRequestMethod/isNotificationMethod to avoid prototype-chain false positives

Author: felixweinberger

packages/core/src/types/schemas.ts

@@ -2213,14 +2213,14 @@ const notificationSchemas = buildSchemaMap([...ClientNotificationSchema.options,
  * Type predicate: returns true if `method` is a standard MCP request method.
  */
 export function isRequestMethod(method: string): method is RequestMethod {
-    return method in requestSchemas;
+    return Object.hasOwn(requestSchemas, method);
 }
 
 /**
  * Type predicate: returns true if `method` is a standard MCP notification method.
  */
 export function isNotificationMethod(method: string): method is NotificationMethod {
-    return method in notificationSchemas;
+    return Object.hasOwn(notificationSchemas, method);
 }
 
 /**

packages/core/test/shared/customMethods.test.ts

@@ -76,6 +76,13 @@ describe('custom request handlers', () => {
         expect(() => server.removeCustomRequestHandler('tools/list')).toThrow(/standard MCP request method/);
     });
 
+    test('collision guard: does NOT trigger on Object.prototype keys', () => {
+        for (const m of ['toString', 'constructor', 'hasOwnProperty', '__proto__']) {
+            expect(() => server.setCustomRequestHandler(m, z.object({}), () => ({}))).not.toThrow();
+            expect(() => server.setCustomNotificationHandler(m, z.object({}), () => {})).not.toThrow();
+        }
+    });
+
     test('removeCustomRequestHandler -> subsequent request fails MethodNotFound', async () => {
         server.setCustomRequestHandler('acme/search', SearchParams, () => ({ hits: [], total: 0 }));
         await client.sendCustomRequest('acme/search', { query: 'x' }, SearchResult);