Motivation and Context

When an HTTP/2 connection silently drops (e.g., an Envoy sidecar sending RST_STREAM with NO_ERROR), the LocalSessionManager still holds the session handle, keeping the worker's event channel open. The session worker never detects the disconnect and runs indefinitely as a zombie. Over time these zombies accumulate and can block servers that iterate over sessions during notifications, eventually causing the server to become unresponsive.

This changes the default SessionConfig::keep_alive from None (infinite) to 5 minutes. After 5 minutes of inactivity, the session worker exits, the transport closes, and downstream servers can detect the peer as closed. Users can still set keep_alive: None to restore the old behavior if needed.

How Has This Been Tested?

2. Verify the default is applied by checking the SessionConfig::default() value:

use rmcp::transport::streamable_http_server::session::local::SessionConfig;
let config = SessionConfig::default();
assert_eq!(config.keep_alive, Some(std::time::Duration::from_secs(300)));

3. To manually verify zombie cleanup, start an MCP server using LocalSessionManager::default(), initialize a session via curl, Ctrl+C the curl (creating a zombie), and wait 5 minutes. The server logs should show "keep alive timeout after 300000ms" and the session worker should exit.

Breaking Changes

None. No API signatures changed.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

Additional context