feat(server): support configurable max request payload size

[jskjw157]

Summary

Add maxRequestBodySize parameter to StreamableHttpServerTransport.Configuration, allowing consumers to set a custom request body size limit lower than the default 4 MB.

• Add maxRequestBodySize: Long property to Configuration with a default of 4 MB (4,194,304 bytes)
• Replace hardcoded MAXIMUM_MESSAGE_SIZE constant with the configurable value in parseBody()
• Use Long for content-length comparison to avoid Int overflow on large values

Motivation and Context

Closes #521

The StreamableHttpServerTransport has a hardcoded 4 MB request body limit. Consumers who need a lower limit currently have to manually count the request payload size before passing it to the SDK. This change makes the limit configurable via Configuration.

How Has This Been Tested?

• Existing unit tests continue to pass (default 4 MB behavior unchanged)
• Added POST with custom max request body size rejects oversized payload — verifies PayloadTooLarge is returned for payloads exceeding the custom limit
• Added POST at exactly custom max request body size is not rejected as payload too large — verifies payloads at exactly the limit are not rejected by the size check

./gradlew :kotlin-sdk-server:jvmTest --tests "*.StreamableHttpServerTransportTest"

Breaking Changes

None. The new parameter has a default value matching the previous hardcoded limit.

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to change)
• Documentation update

Checklist

• I have read the MCP Documentation
• My code follows the repository's style guidelines
• New and existing tests pass locally
• I have added appropriate error handling
• I have added or updated documentation as needed

[codecov-commenter]

Codecov Report

❌ Patch coverage is 70.00000% with 3 lines in your changes missing coverage. Please review.
✅ All tests successful. No failed tests found.

Files with missing lines	Patch %	Lines
...kotlin/sdk/server/StreamableHttpServerTransport.kt	70.00%	1 Missing and 2 partials ⚠️

📢 Thoughts on this report? Let us know!

[jskjw157]

@kpavlov Hey! I’ve addressed the feedback on this PR and all checks are passing now. Would you mind taking a look when you get a chance? Thanks!

[kpavlov]

nit: Maybe let's use small valid payload and set the max size to payload length + 1. It ensures that rejection reason is size.

[jskjw157]

Done — combined with the next nit into a parameterized test using a small 64-byte payload, with maxSize set relative to payload length (length-1, length, length+1).

[kpavlov]

nit: This and previous tests could be combined into one parametrized test

[jskjw157]

Done — merged into a single @ParameterizedTest with @MethodSource covering three boundary cases.

[kpavlov]

nit: If there is a content length header and it's bigger than max body size, then receiving text is a waste of time and memory. Request can be immediately rejected.

[jskjw157]

Already covered — Content-Length is checked before receiveText() (line 676). The body-length check after receiveText() is a fallback for missing or inaccurate Content-Length headers.

[kpavlov]

• test for negative value throwong IllegalArgumentException

[jskjw157]

Done — added assertFailsWith for Configuration(maxRequestBodySize = -1).

[kpavlov]

lgtm