From 4cea9555d484c217c22a0cecbf3b18d2ffbf4005 Mon Sep 17 00:00:00 2001
From: Snider <snider@host.uk.com>
Date: Fri, 17 Apr 2026 20:50:17 +0100
Subject: [PATCH] fix(agentic): reject empty MCP session ids

Co-Authored-By: Virgil <virgil@lethean.io>
---
 pkg/agentic/remote_client_test.go | 12 ++++++++++++
 pkg/agentic/transport.go          |  3 +++
 2 files changed, 15 insertions(+)

diff --git a/pkg/agentic/remote_client_test.go b/pkg/agentic/remote_client_test.go
index 24b9209..c7ad38c 100644
--- a/pkg/agentic/remote_client_test.go
+++ b/pkg/agentic/remote_client_test.go
@@ -59,6 +59,18 @@ func TestRemoteclient_McpInitialize_Bad_ServerError(t *testing.T) {
 	assert.Contains(t, err.Error(), "HTTP 500")
 }
 
+func TestRemoteclient_McpInitialize_Bad_MissingSessionID(t *testing.T) {
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "text/event-stream")
+		fmt.Fprintf(w, "data: {\"result\":{}}\n\n")
+	}))
+	t.Cleanup(srv.Close)
+
+	_, err := mcpInitialize(context.Background(), srv.URL, "")
+	require.Error(t, err)
+	assert.Contains(t, err.Error(), "missing session id")
+}
+
 func TestRemoteclient_McpInitialize_Bad_Unreachable(t *testing.T) {
 	_, err := mcpInitialize(context.Background(), "http://127.0.0.1:1", "")
 	assert.Error(t, err)
diff --git a/pkg/agentic/transport.go b/pkg/agentic/transport.go
index 4403a12..48a2d4d 100644
--- a/pkg/agentic/transport.go
+++ b/pkg/agentic/transport.go
@@ -223,6 +223,9 @@ func mcpInitializeResult(ctx context.Context, url, token string) core.Result {
 	}
 
 	sessionID := response.Header.Get("Mcp-Session-Id")
+	if sessionID == "" {
+		return core.Result{Value: core.E("mcpInitialize", "missing session id", nil), OK: false}
+	}
 
 	drainSSE(response)