Summary

• Reject a second initialize request once a session connection already has negotiated client params.
• Preserve stateless HTTP first-initialize behavior by keying the guard on client_params, not the initialized event.
• Update the hosting session reinitialize requirement/test to assert the duplicate request returns INVALID_REQUEST and does not overwrite the original client params.

Fixes #2605

Validation

• uv run --frozen pytest tests/interaction/transports/test_hosting_session.py::test_second_initialize_on_an_existing_session_is_rejected -q
• uv run --frozen pytest tests/interaction/transports/test_hosting_session.py::test_second_initialize_on_an_existing_session_is_rejected tests/interaction/transports/test_hosting_session.py::test_stateless_mode_never_issues_a_session_id tests/interaction/transports/test_hosting_session.py::test_stateless_mode_serves_concurrent_clients_independently -q
• uv run --frozen pytest tests/interaction/transports/test_hosting_session.py -q
• uv run --frozen pyright src/mcp/server/runner.py tests/interaction/_connect.py tests/interaction/transports/test_hosting_session.py tests/interaction/_requirements.py
• uv run --frozen ruff format --check src/mcp/server/runner.py tests/interaction/_connect.py tests/interaction/transports/test_hosting_session.py tests/interaction/_requirements.py
• uv run --frozen ruff check src/mcp/server/runner.py tests/interaction/_connect.py tests/interaction/transports/test_hosting_session.py tests/interaction/_requirements.py
• uv run --frozen python scripts/update_readme_snippets.py --check
• uv lock --check
• git diff --check