* fix: deprecate USE_FIXED_HTTP for SSE streaming support (Issue #524)
The fixed HTTP implementation does not support SSE streaming required
by clients like OpenAI Codex. This commit deprecates USE_FIXED_HTTP
and makes SingleSessionHTTPServer the default.
Changes:
- Add deprecation warnings in src/mcp/index.ts and src/http-server.ts
- Remove USE_FIXED_HTTP from docker-compose.yml and Dockerfile.railway
- Update .env.example with deprecation notice
- Rename npm script to start:http:fixed:deprecated
- Update all documentation to remove USE_FIXED_HTTP references
- Mark test case as deprecated
Users should unset USE_FIXED_HTTP to use the modern SingleSessionHTTPServer
which supports both JSON-RPC and SSE streaming.
Closes #524
Conceived by Romuald Członkowski - www.aiadvisors.pl/en
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* chore: bump version to 2.31.8 and add CHANGELOG entry
- Fix comment inaccuracy: "deprecated" not "deprecated and removed"
- Bump version from 2.31.7 to 2.31.8
- Add CHANGELOG entry documenting USE_FIXED_HTTP deprecation
- Update all deprecation messages to reference v2.31.8
Conceived by Romuald Członkowski - www.aiadvisors.pl/en
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Romuald Członkowski <romualdczlonkowski@MacBook-Pro-Romuald.local>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
This commit implements HIGH-02 (Rate Limiting) and HIGH-03 (SSRF Protection)
from the security audit, protecting against brute force attacks and
Server-Side Request Forgery.
Security Enhancements:
- Rate limiting: 20 attempts per 15 minutes per IP (configurable)
- SSRF protection: Three security modes (strict/moderate/permissive)
- DNS rebinding prevention
- Cloud metadata blocking in all modes
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add intelligent URL detection supporting BASE_URL, PUBLIC_URL, and proxy headers
- Fix hardcoded localhost URLs in server console output
- Add hostname validation to prevent host header injection attacks
- Restrict URL schemes to http/https only (block javascript:, file://, etc.)
- Remove sensitive environment data from API responses
- Add GET endpoints (/, /mcp) for better API discovery
- Fix version inconsistency between server implementations
- Update HTTP bridge to use HOST/PORT environment variables
- Add comprehensive test scripts for URL configuration and security
This resolves issues #41 and #42 by making the HTTP server properly handle
deployment behind reverse proxies and adds critical security validations.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add TRUST_PROXY environment variable to enable proxy header trust
- Configure Express trust proxy in both HTTP server implementations
- Fix issue #19: Docker internal IPs logged instead of real client IPs
- Update documentation with reverse proxy configuration guide
- Add examples for nginx proxy header forwarding
- Maintain backward compatibility (disabled by default)
When TRUST_PROXY=1 is set, the server will correctly log client IPs
from X-Forwarded-For headers instead of proxy/container IPs.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
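
How a hop-count trust setting such as TRUST_PROXY=1 changes the client IP the server sees, and why that matters for the per-IP rate limit mentioned earlier, shown as an added example that is not code from this repository. It assumes the value is applied as Express's numeric "trust proxy" hop count and models that rule in plain JavaScript; the function names and all addresses are hypothetical, constructed values.

```javascript
// Added example: models a numeric "trust proxy" hop count without importing Express.
// Addresses are constructed samples (documentation ranges plus a Docker-style bridge IP).

// Walk from the socket peer backwards through X-Forwarded-For and return the
// first address that is not vouched for by one of the `hops` trusted proxies.
function resolveClientIp(socketAddr, xForwardedFor, hops) {
  const forwarded = (xForwardedFor || '')
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean);
  // Nearest hop first: socket peer, then XFF entries from right to left.
  const chain = [socketAddr, ...forwarded.reverse()];
  for (let i = 0; i < chain.length; i++) {
    if (i >= hops) return chain[i];
  }
  return chain[chain.length - 1]; // every hop trusted: use the furthest address
}

// Fixed-window limiter keyed by resolved IP (20 attempts per 15 minutes, as on this page).
function makeLimiter(max = 20, windowMs = 15 * 60 * 1000) {
  const seen = new Map();
  return function allow(ip, now) {
    const entry = seen.get(ip);
    if (!entry || now - entry.start >= windowMs) {
      seen.set(ip, { start: now, count: 1 });
      return true;
    }
    entry.count += 1;
    return entry.count <= max;
  };
}

// Count how many of `n` requests pass when each request carries a different
// client-supplied X-Forwarded-For entry; the proxy appends the real peer address.
function allowedWithForgedHeaders(n, hops) {
  const allow = makeLimiter();
  let passed = 0;
  for (let i = 0; i < n; i++) {
    const xff = `198.51.100.${i}, 203.0.113.7`; // client-supplied entry, then proxy-added one
    const ip = resolveClientIp('172.17.0.1', xff, hops);
    if (allow(ip, 1000 + i)) passed++;
  }
  return passed;
}
```

With the hop count matching the single proxy, the limiter keys on the proxy-appended address and holds at 20; a hop count larger than the real number of proxies keys on a client-supplied value and the limit no longer binds.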
- Added warning about experimental remote server deployment
- Clarified HTTP bridge architecture in documentation
- Added deployment scenarios section explaining local vs remote options
- Enhanced troubleshooting with bridge-specific issues
- Created http-bridge.js for local HTTP testing
- Fixed HTTP server to include management tools in tools/list
The documentation now clearly explains:
- Why "node" command is used instead of "docker" (stdio bridge requirement)
- Three deployment scenarios with pros/cons
- How to test locally with Docker
- Bridge architecture (Claude Desktop → bridge → HTTP server)
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add comprehensive documentation for n8n API integration
- Document all 16 management tools available when configured
- Add environment variables N8N_API_URL and N8N_API_KEY
- Include security best practices for API key management
- Add examples of using n8n management tools
- Note version requirement (v2.7.1+) for Docker fix
- Correct tool counts (38 total: 22 documentation + 16 management)
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Updated README.md with clear setup instructions and recent updates
- Simplified Claude Desktop setup guide with troubleshooting
- Enhanced HTTP deployment guide for production use
- Streamlined troubleshooting guide with quick fixes
- Added mcp-http-client.js for Node.js 16 compatibility
- Fixed stdio mode console output corruption
Key improvements:
- Clear distinction between local and remote deployment
- Node.js 18+ requirement for mcp-remote clearly documented
- USE_FIXED_HTTP=true prominently featured for v2.3.2
- Production deployment best practices
- Multi-user service considerations
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Major documentation cleanup and updates:
Updates:
- Add USE_FIXED_HTTP=true to all Docker and HTTP deployment examples
- Update main README with v2.3.2 release notes and version badges
- Add HTTP server troubleshooting section for stream errors
- Update CHANGELOG with v2.3.1 and v2.3.2 entries
- Update all configuration examples (.env.example, docker-compose.yml)
- Add clear instructions for using the fixed HTTP implementation
Removed legacy documentation (11 files):
- Implementation plans that have been completed
- Architecture analysis documents
- Intermediate fix documentation
- Planning documents for features now implemented
- Duplicate SETUP.md (content merged into INSTALLATION.md)
The documentation now accurately reflects the current v2.3.2 state
with the complete HTTP server fix using USE_FIXED_HTTP=true.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>