RFC: Session-Scoped Architecture for vMCP (#38)

* Add RFC: Session-scoped MCP client lifecycle management

The RFC captures the complete architectural vision from the discussion,
providing a roadmap for simplifying the client pooling implementation
while maintaining all current functionality.

* fixes from review

Refactor RFC to address scattered session architecture concerns

Address architectural feedback from PR #38 review, specifically jerm-dro's
comments about the root cause being scattered session concerns rather than
just client lifecycle management.

Major changes:

1. **Expanded Problem Statement**:
   - Identified root cause: session concerns scattered across middleware,
     adapters, and hooks
   - Current VMCPSession is a passive data container, not a domain object
   - Session construction tangled with SDK lifecycle callbacks
   - Hard to create session-scoped resources (clients, optimizer features)

2. **Introduced Core Interfaces**:
   - Session interface: Domain object that owns clients, encapsulates routing,
     manages lifecycle (not just a data container)
   - SessionFactory interface: Creates fully-formed sessions with all
     dependencies (discovery, client init, routing setup)
   - SessionManager: Bridges between domain (Session) and protocol (SDK)

3. **Updated Goals**:
   - Primary goal: Encapsulate session behavior in clean interfaces
   - Decouple session creation from SDK wiring
   - Enable testing without full server (addresses toolhive#2852)
   - Enable future features through interface decoration

4. **Revised Implementation Plan**:
   - Phase 1: Introduce Session/SessionFactory interfaces
   - Phase 2: Wire SessionManager to SDK
   - Phase 3: Migrate existing code to use Session interface
   - Phase 4: Cleanup and observability

5. **Added Benefits Documentation**:
   - Concrete examples of decorator pattern (optimizer-in-vmcp)
   - Simplified capability refresh approach
   - Clear testing strategy without server dependency

6. **Fixed Formatting Issues** (from Copilot review):
   - Split Goals & Non-Goals into separate sections
   - Changed "Security" to "Security Considerations"
   - Restructured Compatibility section
   - Fixed References to use full repo-qualified format
   - Added credential refresh considerations

The RFC now addresses the architectural root cause (scattered session
concerns) rather than just the symptom (per-request client creation).

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Update Last Updated date to 2026-02-09

* rewrite style

* rewrite style

* changes from review

* fixes from review

* fixes from review

* changes from review meeting

Author: yrobla