fix: resolve SSE reconnection loop with separate /sse + /messages endpoints (v2.46.1) (#699)

Fix SSE clients entering rapid reconnection loops because POST /mcp
never routed messages to SSEServerTransport.handlePostMessage() (#617).

Root cause: SSE sessions were stored in a separate `this.session` property
invisible to the StreamableHTTP POST handler. The POST handler only
checked `this.transports` (StreamableHTTP map), so SSE messages were
never delivered, causing immediate reconnection and rate limiter exhaustion.

Changes:
- Add GET /sse + POST /messages endpoints following the official MCP SDK
  backward-compatible server pattern (separate endpoints per transport)
- Store SSE transports in the shared this.transports map with instanceof
  guards for type discrimination
- Remove legacy this.session singleton, resetSessionSSE(), and isExpired()
- Extract duplicated auth logic into authenticateRequest() method
- Add Bearer token auth and rate limiting to SSE endpoints
- Add skipSuccessfulRequests to authLimiter to prevent 429 storms
- Mark SSE transport as deprecated (removed in MCP SDK v2.x)

The handleRequest() codepath used by the downstream SaaS backend
(N8NMCPEngine.processRequest()) is unchanged. Session persistence
(exportSessionState/restoreSessionState) is unchanged.

Closes #617

Conceived by Romuald Członkowski - https://www.aiadvisors.pl/en

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

dist/http-server-single-session.d.ts

@@ -12,7 +12,6 @@ export declare class SingleSessionHTTPServer {
     private sessionMetadata;
     private sessionContexts;
     private contextSwitchLocks;
-    private session;
     private consoleManager;
     private expressServer;
     private sessionTimeout;
@@ -29,14 +28,14 @@ export declare class SingleSessionHTTPServer {
     private isJsonRpcNotification;
     private sanitizeErrorForClient;
     private updateSessionAccess;
+    private authenticateRequest;
     private switchSessionContext;
     private performContextSwitch;
     private getSessionMetrics;
     private loadAuthToken;
     private validateEnvironment;
     handleRequest(req: express.Request, res: express.Response, instanceContext?: InstanceContext): Promise<void>;
-    private resetSessionSSE;
-    private isExpired;
+    private createSSESession;
     private isSessionExpired;
     start(): Promise<void>;
     shutdown(): Promise<void>;