Streamable HTTP accepts unsupported or malformed MCP-Protocol-Version headers instead of returning 400

[cclabadmin]

Describe the bug

After a normal Streamable HTTP initialization flow, the transport accepts requests with an unsupported or malformed MCP-Protocol-Version header and dispatches them normally with HTTP 200. The MCP Streamable HTTP specification for 2025-11-25 requires servers to respond with HTTP 400 Bad Request for invalid or unsupported MCP-Protocol-Version values.

To Reproduce

1. Start a Streamable HTTP server using the PHP SDK.
2. Complete a normal initialize → notifications/initialized handshake.
3. Send a valid JSON-RPC request, such as ping or tools/list, with MCP-Protocol-Version set to 1900-01-01 (well-formed but unsupported) or not-a-version (malformed).
4. Observe the response.

Expected behavior

The server should reject the request before dispatching it:

HTTP/1.1 400 Bad Request

Logs

Unsupported version:

POST /mcp HTTP/1.1
MCP-Protocol-Version: 1900-01-01
Content-Type: application/json
Accept: application/json, text/event-stream
Mcp-Session-Id: <session-id-from-initialize>

{"jsonrpc":"2.0","id":"bad-version-1","method":"tools/list","params":{}}

HTTP/1.1 200 OK

{"jsonrpc":"2.0","id":"bad-version-1","result":{"tools":[...]}}

Malformed version:

POST /mcp HTTP/1.1
MCP-Protocol-Version: not-a-version
Content-Type: application/json
Accept: application/json, text/event-stream
Mcp-Session-Id: <session-id-from-initialize>

{"jsonrpc":"2.0","id":"bad-version-2","method":"tools/list","params":{}}

HTTP/1.1 200 OK

{"jsonrpc":"2.0","id":"bad-version-2","result":{...}}