sei-protocol
diff --git a/‎.changeset/calm-houses-listen.md‎
Lines changed: 9 additions & 0 deletions b/‎.changeset/calm-houses-listen.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎.gitmodules‎
Lines changed: 1 addition & 1 deletion b/‎.gitmodules‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎packages/mcp-server/src/server/transport/http-sse.ts‎
Lines changed: 11 additions & 6 deletions b/‎packages/mcp-server/src/server/transport/http-sse.ts‎
Lines changed: 11 additions & 6 deletions
@@ -0,0 +1,9 @@
+---
+"@sei-js/mcp-server": patch
+---
+
+Fix session binding and response isolation in the HTTP SSE transport.
+
+- POST handler now validates `sessionId` on every request — rejects missing session IDs (400) and unknown session IDs (404)
+- Each POST is routed to the transport instance that owns the matching session ID, preventing cross-client request injection
+- Session IDs now use the MCP SDK's `transport.sessionId` rather than `Date.now()`
@@ -1,6 +1,6 @@
 [submodule "packages/registry/community-assetlist"]
 	path = packages/registry/community-assetlist
-	url = https://github.com/Sei-Public-Goods/sei-assetlist.git
+	url = https://github.com/Seitrace/sei-assetlist.git
 [submodule "packages/registry/chain-registry"]
 	path = packages/registry/chain-registry
 	url = https://github.com/sei-protocol/chain-registry.git
@@ -40,12 +40,12 @@ export class HttpSseTransport implements McpTransport {
 
 		this.app.get(this.path, (req: Request, res: Response) => {
 			console.error(`SSE connection from ${req.ip}`);
-			
+
 			// Create SSE transport - it will handle headers automatically
 			const transport = new SSEServerTransport(`${this.path}/message`, res);
-			const sessionId = Date.now().toString();
+			const sessionId = transport.sessionId
 			this.connections.set(sessionId, transport);
-			
+
 			// Connect transport to MCP server
 			if (this.mcpServer) {
 				this.mcpServer.connect(transport);
@@ -61,10 +61,15 @@ export class HttpSseTransport implements McpTransport {
 		// Message endpoint for SSE transport
 		this.app.post(`${this.path}/message`, async (req: Request, res: Response) => {
 			try {
-				// Find the first available transport (simple approach for now)
-				const transport = Array.from(this.connections.values())[0];
+				const sessionId = typeof req.query.sessionId === 'string' ? req.query.sessionId : undefined;
+				if (!sessionId) {
+					res.status(400).json({ error: 'Missing sessionId' });
+					return;
+				}
+
+				const transport = this.connections.get(sessionId);
 				if (!transport) {
-					res.status(404).json({ error: 'No active SSE connection' });
+					res.status(404).json({ error: 'Session not found' });
 					return;
 				}