fix: disable standalone SSE stream in streamable HTTP transport to prevent HTTP MCP server startup failures (#4428)

HTTP MCP servers (e.g. Unwrap) show `status: error` at gateway startup
and advertise no tools to Copilot CLI, despite the endpoint being
reachable.

## Root cause

The SDK's `StreamableClientTransport` automatically issues a **GET
request for a persistent SSE stream** synchronously inside
`client.Connect()`, immediately after the `initialize` POST succeeds:

1. POST `initialize` → server responds ✓  
2. `sessionUpdated()` → `connectStandaloneSSE()` → GET request  
3. Server returns 5xx (or any non-4xx/non-405) → `c.fail()` marks
connection as broken
4. `client.Connect()` tries to send `initialized` notification →
`c.Write()` sees failure → returns error
5. All three transports fail → `recordError()` → `/health` reports
`status: error`

Additionally, `MaxRetries: 0` in the SDK defaults to **5 retries**, not
0, contrary to the existing comment.

## Changes

- **`internal/mcp/http_transport.go` / `connection.go`**: Set
`DisableStandaloneSSE: true` and `MaxRetries: -1` on
`StreamableClientTransport` in both `tryStreamableHTTPTransport` and
`reconnectSDKTransport`. The gateway is a request-response proxy and has
no use for server-initiated SSE notifications from backends.

```go
return &sdk.StreamableClientTransport{
    Endpoint:             url,
    HTTPClient:           httpClient,
    MaxRetries:           -1, // Disable retries (-1 = 0 retries; SDK treats 0 as "use default: 5")
    DisableStandaloneSSE: true,
}
```

- **`internal/mcp/http_connection_test.go`**: Adds regression test
`TestNewHTTPConnection_StreamableTransport_BadSSEEndpoint` — server
returns valid initialize result for POST but 500 for GET; connection
must succeed via streamable transport with zero GET requests issued.

> [!WARNING]
>
> <details>
> <summary>Firewall rules blocked me from connecting to one or more
addresses (expand for details)</summary>
>
> #### I tried to connect to the following addresses, but was blocked by
firewall rules:
>
> - `example.com`
> - Triggering command: `/tmp/go-build900524329/b513/launcher.test
/tmp/go-build900524329/b513/launcher.test
-test.testlogfile=/tmp/go-build900524329/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build900524329/b410/vet.cfg g_.a o_.o x_amd64/vet 01.o
roundrobin 03.o x_amd64/vet -W wkO_kTNLT .cfg x_amd64/vet . --gdwarf2
--64 x_amd64/vet` (dns block)
> - `invalid-host-that-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build900524329/b495/config.test
/tmp/go-build900524329/b495/config.test
-test.testlogfile=/tmp/go-build900524329/b495/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build900524329/b399/vet.cfg g_.a 9742532/b151/ x_amd64/vet
--gdwarf-5 grpcsync
p=/opt/hostedtoolcache/go/1.25.9/tmp/go-build511290287/b107/vet.cfg
x_amd64/vet -W ABSZSCNGR .cfg x_amd64/vet . --gdwarf2 --64 x_amd64/vet`
(dns block)
> - `nonexistent.local`
> - Triggering command: `/tmp/go-build900524329/b513/launcher.test
/tmp/go-build900524329/b513/launcher.test
-test.testlogfile=/tmp/go-build900524329/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build900524329/b410/vet.cfg g_.a o_.o x_amd64/vet 01.o
roundrobin 03.o x_amd64/vet -W wkO_kTNLT .cfg x_amd64/vet . --gdwarf2
--64 x_amd64/vet` (dns block)
> - `slow.example.com`
> - Triggering command: `/tmp/go-build900524329/b513/launcher.test
/tmp/go-build900524329/b513/launcher.test
-test.testlogfile=/tmp/go-build900524329/b513/testlog.txt
-test.paniconexit0 -test.timeout=10m0s
/tmp/go-build900524329/b410/vet.cfg g_.a o_.o x_amd64/vet 01.o
roundrobin 03.o x_amd64/vet -W wkO_kTNLT .cfg x_amd64/vet . --gdwarf2
--64 x_amd64/vet` (dns block)
> - `this-host-does-not-exist-12345.com`
> - Triggering command: `/tmp/go-build3852249779/b001/mcp.test
/tmp/go-build3852249779/b001/mcp.test
-test.testlogfile=/tmp/go-build3852249779/b001/testlog.txt
-test.paniconexit0 -test.run=TestNewHTTPConnection|TestHTTPConnection
-test.v=true -test.timeout=1m0s
0/internal/tracetransform/instrumentation.go x_amd64/compile OUTPUT
9742532/b015/ 168.63.129.16 x_amd64/compile -w p/go-build security
64=/_/GOROOT OUTPUT 64/src/runtime/c-unsafeptr=false 168.63.129.16 git`
(dns block)
> - Triggering command: `/tmp/go-build900524329/b522/mcp.test
/tmp/go-build900524329/b522/mcp.test
-test.testlogfile=/tmp/go-build900524329/b522/testlog.txt
-test.paniconexit0 -test.timeout=10m0s 9742�� olang.org/protob-errorsas
.cfg x_amd64/vet --gdwarf-5 --64 -o x_amd64/vet -o 9742532/b408/_pk-s
-trimpath x_amd64/vet -p g/grpc/binarylog/usr/bin/runc -lang=go1.25
x_amd64/vet` (dns block)
> - Triggering command: `/tmp/go-build3289280713/b001/mcp.test
/tmp/go-build3289280713/b001/mcp.test
-test.testlogfile=/tmp/go-build3289280713/b001/testlog.txt
-test.paniconexit0 -test.run=TestNewHTTPConnection -test.v=true
-test.timeout=1m0s y bin/bash ntime.v2.task/mogit .cfg x_amd64/vet
/usr/bin/runc.original --ve�� 30977974af8f49f3088e082efdf88695
runtime-runc/moby /usr/local/bin/iptables io.containerd.ru/bin/sh .cfg
x_amd64/vet b83/log.json` (dns block)
>
> If you need me to access, download, or install something from one of
these locations, you can either:
>
> - Configure [Actions setup
steps](https://gh.io/copilot/actions-setup-steps) to set up my
environment, which run before the firewall is enabled
> - Add the appropriate URLs or hosts to the custom allowlist in this
repository's [Copilot coding agent
settings](https://github.com/github/gh-aw-mcpg/settings/copilot/coding_agent)
(admins only)
>
> </details>

Author: lpcox

internal/mcp/connection.go

@@ -377,9 +377,10 @@ func (c *Connection) reconnectSDKTransport() error {
 	switch c.httpTransportType {
 	case HTTPTransportStreamable:
 		transport = &sdk.StreamableClientTransport{
-			Endpoint:   c.httpURL,
-			HTTPClient: headerClient,
-			MaxRetries: 0,
+			Endpoint:             c.httpURL,
+			HTTPClient:           headerClient,
+			MaxRetries:           -1, // Disable retries; reconnect logic is handled by the gateway.
+			DisableStandaloneSSE: true,
 		}
 	case HTTPTransportSSE:
 		transport = &sdk.SSEClientTransport{

internal/mcp/http_connection_test.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"net/http"
 	"net/http/httptest"
+	"sync/atomic"
 	"testing"
 	"time"
 
@@ -582,3 +583,61 @@ func TestNewHTTPConnection_GettersAfterCreation(t *testing.T) {
 		assert.Equal(t, expectedValue, returnedHeaders[key], "Header %s should match", key)
 	}
 }
+
+// TestNewHTTPConnection_StreamableTransport_BadSSEEndpoint verifies that the streamable
+// HTTP transport succeeds even when the server's SSE endpoint (GET) returns errors.
+//
+// This tests the fix for the Unwrap MCP server issue: some cloud API MCP servers
+// correctly respond to POST (initialize) but return 5xx or unexpected responses to GET
+// requests. Before the fix, the SDK's standalone SSE stream would call c.fail() on the
+// connection, causing the initialized notification to fail and the connection to be
+// reported as "error". With DisableStandaloneSSE: true, the GET is never issued and
+// the connection succeeds on the POST-only path.
+func TestNewHTTPConnection_StreamableTransport_BadSSEEndpoint(t *testing.T) {
+	require := require.New(t)
+	assert := assert.New(t)
+
+	var getMethodCount atomic.Int32
+
+	testServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if r.Method == http.MethodGet {
+			// Simulate a server that returns 500 for the SSE GET stream.
+			// Before the fix this would call c.fail() and break the connection;
+			// after the fix the GET is never issued.
+			getMethodCount.Add(1)
+			w.WriteHeader(http.StatusInternalServerError)
+			w.Write([]byte(`{"error":"internal server error"}`)) //nolint:errcheck
+			return
+		}
+
+		// POST: respond with a valid JSON-RPC initialize result.
+		response := map[string]interface{}{
+			"jsonrpc": "2.0",
+			"id":      1,
+			"result": map[string]interface{}{
+				"protocolVersion": "2024-11-05",
+				"serverInfo": map[string]interface{}{
+					"name":    "unwrap-mcp",
+					"version": "1.0.0",
+				},
+			},
+		}
+		w.Header().Set("Content-Type", "application/json")
+		w.Header().Set("Mcp-Session-Id", "unwrap-session-1")
+		w.WriteHeader(http.StatusOK)
+		json.NewEncoder(w).Encode(response) //nolint:errcheck
+	}))
+	defer testServer.Close()
+
+	conn, err := NewHTTPConnection(context.Background(), "unwrap", testServer.URL, map[string]string{
+		"Authorization": "Bearer secret-token",
+	}, nil, "", 0, 0)
+
+	require.NoError(err, "Connection must succeed even when the server's GET SSE endpoint returns 500")
+	require.NotNil(conn)
+	defer conn.Close()
+
+	assert.Equal(HTTPTransportStreamable, conn.httpTransportType, "Should use streamable transport")
+	assert.Equal("unwrap-session-1", conn.httpSessionID, "Session ID should be captured from POST response")
+	assert.Equal(int32(0), getMethodCount.Load(), "No GET requests should be issued (standalone SSE is disabled)")
+}

internal/mcp/http_transport.go

@@ -445,7 +445,15 @@ func tryStreamableHTTPTransport(ctx context.Context, cancel context.CancelFunc,
 			return &sdk.StreamableClientTransport{
 				Endpoint:   url,
 				HTTPClient: httpClient,
-				MaxRetries: 0, // Don't retry on failure - we'll try other transports
+				MaxRetries: -1, // Disable retries (-1 = 0 retries; SDK treats 0 as "use default: 5"). We try other transports on failure.
+				// DisableStandaloneSSE prevents the SDK from issuing a GET request for a
+				// persistent server-sent events stream immediately after initialization.
+				// Some HTTP MCP servers (e.g. cloud APIs) return 5xx or keep the GET
+				// request open indefinitely, which causes the SDK to call c.fail() and
+				// break the connection before the gateway can send the initialized
+				// notification. The gateway operates in request-response mode only and
+				// does not need server-initiated messages, so this stream is unnecessary.
+				DisableStandaloneSSE: true,
 			}
 		},
 		keepAlive,