fix: return 405 for GET/DELETE in stateless streamable-http mode

In stateless mode, GET opens a session-less SSE stream that idles until
the platform kills it (e.g. Cloud Run 120s timeout). Clients like
mcp-remote auto-reconnect, creating an infinite loop of billed CPU.

The TypeScript SDK correctly returns 405 for GET and DELETE in stateless
mode. This aligns the Python SDK with that behavior and the MCP spec
(GET is MAY, not MUST; stateless servers have no session context for
server-initiated notifications).

Author: sys-2077

src/mcp/server/streamable_http_manager.py

@@ -152,6 +152,21 @@ async def handle_request(self, scope: Scope, receive: Receive, send: Send) -> No
 
     async def _handle_stateless_request(self, scope: Scope, receive: Receive, send: Send) -> None:
         """Process request in stateless mode - creating a new transport for each request."""
+        # In stateless mode only POST is meaningful.  GET would open a
+        # session-less SSE stream that idles until the platform kills it,
+        # and DELETE has no session to terminate.  Return 405 per spec.
+        request = Request(scope, receive)
+        if request.method != "POST":
+            from starlette.responses import Response
+
+            response = Response(
+                content="Method Not Allowed",
+                status_code=405,
+                headers={"Allow": "POST"},
+            )
+            await response(scope, receive, send)
+            return
+
         logger.debug("Stateless mode: Creating new transport for this request")
         # No session ID needed in stateless mode
         http_transport = StreamableHTTPServerTransport(

tests/server/test_streamable_http_manager.py

@@ -413,3 +413,59 @@ def test_session_idle_timeout_rejects_non_positive():
 def test_session_idle_timeout_rejects_stateless():
     with pytest.raises(RuntimeError, match="not supported in stateless"):
         StreamableHTTPSessionManager(app=Server("test"), session_idle_timeout=30, stateless=True)
+
+
+@pytest.mark.anyio
+async def test_stateless_get_returns_405():
+    """GET /mcp must return 405 in stateless mode (no SSE stream to open)."""
+    app = Server("test-stateless-get")
+    manager = StreamableHTTPSessionManager(app=app, stateless=True)
+
+    async with manager.run():
+        sent_messages: list[Message] = []
+
+        async def mock_send(message: Message):
+            sent_messages.append(message)
+
+        scope = {
+            "type": "http",
+            "method": "GET",
+            "path": "/mcp",
+            "headers": [(b"accept", b"text/event-stream")],
+        }
+
+        async def mock_receive():
+            return {"type": "http.request", "body": b"", "more_body": False}
+
+        await manager.handle_request(scope, mock_receive, mock_send)
+
+        assert sent_messages[0]["type"] == "http.response.start"
+        assert sent_messages[0]["status"] == 405
+
+
+@pytest.mark.anyio
+async def test_stateless_delete_returns_405():
+    """DELETE /mcp must return 405 in stateless mode (no session to terminate)."""
+    app = Server("test-stateless-delete")
+    manager = StreamableHTTPSessionManager(app=app, stateless=True)
+
+    async with manager.run():
+        sent_messages: list[Message] = []
+
+        async def mock_send(message: Message):
+            sent_messages.append(message)
+
+        scope = {
+            "type": "http",
+            "method": "DELETE",
+            "path": "/mcp",
+            "headers": [],
+        }
+
+        async def mock_receive():
+            return {"type": "http.request", "body": b"", "more_body": False}
+
+        await manager.handle_request(scope, mock_receive, mock_send)
+
+        assert sent_messages[0]["type"] == "http.response.start"
+        assert sent_messages[0]["status"] == 405