
fix: reject init header/body version mismatch #853

Open
DaleSeo wants to merge 1 commit into main from fix-header-body-mismatch


@DaleSeo DaleSeo commented May 17, 2026

Fixes #852

Motivation and Context

When a client sends an initialize request and the MCP-Protocol-Version HTTP header doesn't match the params.protocolVersion value in the JSON-RPC body, the Streamable HTTP server accepts the request without any notification. According to the MCP 2025-11-25 spec's Protocol Version Header section, an invalid or unsupported MCP-Protocol-Version should return a 400 Bad Request. A header that contradicts the body shows a clear inconsistency on the client side and should be rejected before the session is established.

How Has This Been Tested?

Added integration tests.

Breaking Changes

None

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update

Checklist

  • I have read the MCP Documentation
  • My code follows the repository's style guidelines
  • New and existing tests pass locally
  • I have added appropriate error handling
  • [ ] I have added or updated documentation as needed

Additional context

This change aligns with the fix in the TypeScript SDK modelcontextprotocol/typescript-sdk#2111 and the spec PR modelcontextprotocol/modelcontextprotocol#2721. When the header is missing, which is expected during the first initialize round-trip before any version has been negotiated, the request will still go through as usual.

@DaleSeo DaleSeo self-assigned this May 17, 2026
@github-actions github-actions Bot added T-dependencies Dependencies related changes T-test Testing related changes T-config Configuration file changes T-core Core library changes T-transport Transport layer changes labels May 17, 2026
@DaleSeo DaleSeo marked this pull request as ready for review May 17, 2026 19:56
@DaleSeo DaleSeo requested a review from a team as a code owner May 17, 2026 19:56
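
The check described in this pull request, sketched as an added example that is not the SDK's code and not part of the PR. The function name `check_initialize`, the `SUPPORTED_VERSIONS` set and the sample requests are assumptions made for illustration; the header name, the `params.protocolVersion` field and the 400 response come from the description above.

```python
import json

# Assumption: versions a hypothetical server supports (constructed for this example).
SUPPORTED_VERSIONS = {"2024-11-05", "2025-11-25"}


def check_initialize(headers, body_bytes):
    """Return None to continue normal handling, or (400, reason) to reject."""
    try:
        msg = json.loads(body_bytes)
    except ValueError:
        return 400, "body is not valid JSON"
    if not isinstance(msg, dict) or msg.get("method") != "initialize":
        return None  # only the initialize request is examined here

    params = msg.get("params")
    body_version = params.get("protocolVersion") if isinstance(params, dict) else None

    # HTTP header names are case-insensitive, so compare on the lowered name.
    header_version = next(
        (v.strip() for k, v in headers.items() if k.lower() == "mcp-protocol-version"),
        None,
    )
    if header_version is None:
        return None  # expected on the first round-trip, before negotiation
    if header_version not in SUPPORTED_VERSIONS:
        return 400, "unsupported MCP-Protocol-Version header"
    if header_version != body_version:
        return 400, "MCP-Protocol-Version header contradicts params.protocolVersion"
    return None


def init_body(version):
    # Constructed JSON-RPC initialize request.
    return json.dumps({
        "jsonrpc": "2.0", "id": 1, "method": "initialize",
        "params": {"protocolVersion": version, "capabilities": {}},
    }).encode()


if __name__ == "__main__":
    cases = [
        ({}, init_body("2025-11-25")),
        ({"MCP-Protocol-Version": "2025-11-25"}, init_body("2025-11-25")),
        ({"mcp-protocol-version": "2024-11-05"}, init_body("2025-11-25")),
        ({"MCP-Protocol-Version": "1999-01-01"}, init_body("2025-11-25")),
    ]
    for headers, body in cases:
        print(headers, "->", check_initialize(headers, body))
```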

Development

Successfully merging this pull request may close these issues.

Streamable HTTP server accepts mismatched header/body protocol versions and negotiates 2024-11-05 on initialize