fix(transport): validate JSON-RPC request ID is a safe integer

When a JSON-RPC request arrives with a numeric ID exceeding
Number.MAX_SAFE_INTEGER, Zod schema validation correctly rejects it
(z.number().int() enforces safe integer range in Zod v4). However, the
rejected message falls through to the "Unknown message type" error
handler, which silently drops it without sending any response back to
the client. This causes the server to appear permanently hung.

This fix detects request-like messages that fail schema validation in
the onmessage handler and responds with a JSON-RPC -32600 (Invalid
Request) error instead of silently ignoring them.

Closes #1765

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: Aboudjem

packages/core/src/shared/protocol.ts

@@ -713,6 +713,28 @@ export abstract class Protocol<ContextT extends BaseContext> {
             } else if (isJSONRPCNotification(message)) {
                 this._onnotification(message);
             } else {
+                // Check if this is a request-like message with an invalid ID (e.g.,
+                // a numeric ID exceeding Number.MAX_SAFE_INTEGER). Such IDs fail
+                // schema validation because JavaScript cannot represent them exactly,
+                // which prevents reliable request/response correlation. Respond with
+                // a JSON-RPC Invalid Request error instead of silently dropping it.
+                const msg = message as Record<string, unknown>;
+                if (msg && typeof msg === 'object' && msg.jsonrpc === '2.0' && 'id' in msg && 'method' in msg) {
+                    const errorResponse: JSONRPCErrorResponse = {
+                        jsonrpc: '2.0',
+                        id: msg.id as RequestId,
+                        error: {
+                            code: ProtocolErrorCode.InvalidRequest,
+                            message: 'Invalid request: ID must be a string or a safe integer'
+                        }
+                    };
+
+                    this._transport
+                        ?.send(errorResponse)
+                        .catch(error => this._onerror(new Error(`Failed to send an error response: ${error}`)));
+                    return;
+                }
+
                 this._onerror(new Error(`Unknown message type: ${JSON.stringify(message)}`));
             }
         };

packages/core/test/shared/protocol.test.ts

@@ -5722,4 +5722,104 @@ describe('Error handling for missing resolvers', () => {
             expect(callOrder).toEqual([1, 2, 3]);
         });
     });
+
+    describe('unsafe integer request ID validation', () => {
+        let protocol: Protocol<BaseContext>;
+        let transport: MockTransport;
+
+        beforeEach(() => {
+            transport = new MockTransport();
+            protocol = new (class extends Protocol<BaseContext> {
+                protected assertCapabilityForMethod(): void {}
+                protected assertNotificationCapability(): void {}
+                protected assertRequestHandlerCapability(): void {}
+                protected assertTaskCapability(): void {}
+                protected buildContext(ctx: BaseContext): BaseContext {
+                    return ctx;
+                }
+                protected assertTaskHandlerCapability(): void {}
+            })();
+        });
+
+        it('should respond with InvalidRequest error when request ID exceeds MAX_SAFE_INTEGER', async () => {
+            await protocol.connect(transport);
+            const sendSpy = vi.spyOn(transport, 'send');
+
+            // Send a request with an ID exceeding Number.MAX_SAFE_INTEGER
+            // Note: 9007199254740992 === Number.MAX_SAFE_INTEGER + 1, but due to
+            // floating-point precision loss, JavaScript cannot represent it exactly.
+            const unsafeId = Number.MAX_SAFE_INTEGER + 1;
+            transport.onmessage?.({
+                jsonrpc: '2.0',
+                id: unsafeId,
+                method: 'tools/list',
+                params: {}
+            });
+
+            // Wait for async processing
+            await new Promise(resolve => setTimeout(resolve, 50));
+
+            // Should have sent an error response
+            expect(sendSpy).toHaveBeenCalledTimes(1);
+            const sentMessage = sendSpy.mock.calls[0][0] as JSONRPCErrorResponse;
+            expect(sentMessage.jsonrpc).toBe('2.0');
+            expect(sentMessage.id).toBe(unsafeId);
+            expect(sentMessage.error.code).toBe(ProtocolErrorCode.InvalidRequest);
+            expect(sentMessage.error.message).toBe('Invalid request: ID must be a string or a safe integer');
+        });
+
+        it('should process requests normally when ID is at MAX_SAFE_INTEGER', async () => {
+            await protocol.connect(transport);
+            const sendSpy = vi.spyOn(transport, 'send');
+
+            protocol.setRequestHandler('tools/list', async () => {
+                return { tools: [] };
+            });
+
+            // Send a request with ID exactly at Number.MAX_SAFE_INTEGER
+            transport.onmessage?.({
+                jsonrpc: '2.0',
+                id: Number.MAX_SAFE_INTEGER,
+                method: 'tools/list',
+                params: {}
+            });
+
+            // Wait for async processing
+            await new Promise(resolve => setTimeout(resolve, 50));
+
+            // Should have sent a successful response, not an error
+            expect(sendSpy).toHaveBeenCalledTimes(1);
+            const sentMessage = sendSpy.mock.calls[0][0] as JSONRPCResultResponse;
+            expect(sentMessage.jsonrpc).toBe('2.0');
+            expect(sentMessage.id).toBe(Number.MAX_SAFE_INTEGER);
+            expect(sentMessage.result).toBeDefined();
+        });
+
+        it('should process requests normally when ID is a string', async () => {
+            await protocol.connect(transport);
+            const sendSpy = vi.spyOn(transport, 'send');
+
+            protocol.setRequestHandler('tools/list', async () => {
+                return { tools: [] };
+            });
+
+            // String IDs should always be accepted regardless of content
+            transport.onmessage?.({
+                jsonrpc: '2.0',
+                id: '9007199254740992',
+                method: 'tools/list',
+                params: {}
+            });
+
+            // Wait for async processing
+            await new Promise(resolve => setTimeout(resolve, 50));
+
+            // Should have sent a successful response
+            expect(sendSpy).toHaveBeenCalledTimes(1);
+            const sentMessage = sendSpy.mock.calls[0][0] as JSONRPCResultResponse;
+            expect(sentMessage.jsonrpc).toBe('2.0');
+            expect(sentMessage.id).toBe('9007199254740992');
+            expect(sentMessage.result).toBeDefined();
+        });
+    });
 });