- Update tests to accept dynamic UID range (10000-59999) instead of hardcoded 1001
- Enhance lock file creation with permission error handling and graceful fallback
- Fix database initialization test to handle different container UIDs
- Add proper error recovery when lock file creation fails
- Improve test robustness with better permission management for mounted volumes
These changes ensure tests pass in CI environments while maintaining the security
benefits of dynamic UID generation.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
This fixes the fundamental issue causing persistent test failures.
Root Cause:
- The entrypoint script's user switching was broken
- Used 'exec $*' which fails when no arguments provided
- Used 'printf %q' which doesn't exist in Alpine Linux
- User switching wasn't actually working properly
Fixes:
1. Added su-exec package to Dockerfile
- Proper tool for switching users in containers
- Handles signal propagation correctly
- No intermediate shell process
2. Rewrote user switching logic
- Uses su-exec with fallback to su
- Fixed command injection vulnerability in su fallback
- Properly handles case when no arguments provided
- Exports environment variables before switching
3. Added security improvements
- Restricted permissions on AUTH_TOKEN_FILE
- Added comments explaining su-exec benefits
This explains why tests kept failing - we were testing around a broken implementation rather than fixing the actual broken code.
Root cause analysis and fixes:
1. **MCP_MODE environment variable tests**
- Issue: Tests were checking env vars after exec process replacement
- Fix: Test actual HTTP server behavior instead of env vars
- Changed tests to verify health endpoint responds in HTTP mode
2. **NODE_DB_PATH configuration tests**
- Issue: Tests expected env var output but got initialization logs
- Fix: Check process environment via /proc/1/environ
- Added proper async handling for container startup
3. **Permission handling tests**
- Issue: BusyBox sleep syntax and timing race conditions
- Fix: Use detached containers with proper wait times
- Check permissions after entrypoint completes
4. **Implementation improvements**
- Export NODE_DB_PATH in entrypoint for visibility
- Preserve env vars when switching to nodejs user
- Add debug output option in n8n-mcp wrapper
- Handle NODE_DB_PATH case preservation in parse-config.js
5. **Test infrastructure**
- Created test-helpers.ts with proper async utilities
- Use health checks instead of arbitrary sleep times
- Test actual functionality rather than implementation details
These changes ensure tests verify the actual behavior (server running,
health endpoint responding) rather than checking internal implementation
details that aren't accessible after process replacement.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Security Fixes:
- Add command injection prevention in n8n-mcp wrapper with whitelist validation
- Fix race condition in database initialization with proper lock directory creation
- Add flock availability check with fallback behavior
- Implement comprehensive input sanitization in parse-config.js
Improvements:
- Add debug logging support to parse-config.js (DEBUG_CONFIG=true)
- Improve test cleanup error handling with proper error tracking
- Increase integration test timeouts for CI compatibility
- Update test assertions to check environment variables instead of processes
All critical security vulnerabilities identified by code review have been addressed.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
This commit adds comprehensive support for JSON configuration files in Docker containers,
addressing the issue where the Docker image fails to start in server mode and ignores
configuration files.
## Changes
### Docker Configuration Support
- Added parse-config.js to safely parse JSON configs and export as shell variables
- Implemented secure shell quoting to prevent command injection
- Added dangerous environment variable blocking for security
- Support for all JSON data types with proper edge case handling
### Docker Server Mode Fix
- Added support for "n8n-mcp serve" command in entrypoint
- Properly transforms serve command to HTTP mode
- Fixed missing n8n-mcp binary issue in Docker image
### Security Enhancements
- POSIX-compliant shell quoting without eval
- Blocked dangerous variables (PATH, LD_PRELOAD, etc.)
- Sanitized configuration keys to prevent invalid shell variables
- Protection against shell metacharacters in values
### Testing
- Added 53 comprehensive tests for Docker configuration
- Unit tests for parsing, security, and edge cases
- Integration tests for Docker entrypoint behavior
- Security-focused tests for injection prevention
### Documentation
- Updated Docker README with config file mounting examples
- Enhanced troubleshooting guide with config file issues
- Added version bump to 2.8.2
### Additional Files
- Included deployment-engineer and technical-researcher agent files
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Added proper SIGTERM/SIGINT signal handlers to stdio-wrapper.ts
- Removed problematic trap commands from docker-entrypoint.sh
- Added STOPSIGNAL directive to Dockerfile for explicit signal handling
- Implemented graceful shutdown in MCP server with database cleanup
- Added stdin close detection for proper cleanup when Claude Desktop closes the pipe
- Containers now properly exit with the --rm flag, preventing accumulation
- Added --init flag to all Docker configuration examples
- Updated documentation with container lifecycle management best practices
- Bumped version to 2.7.20
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Fixed docker-entrypoint.sh to use NODE_DB_PATH instead of hardcoded paths
- Added log_message() helper to prevent stdio mode output corruption
- Fixed directory creation race condition with proper ownership
- Added path validation to ensure NODE_DB_PATH ends with .db
- Updated rebuild.ts to respect NODE_DB_PATH environment variable
- Added comprehensive documentation for custom database paths
- Bumped version to 2.7.16
The bug was caused by hardcoded /app/data/nodes.db paths in the Docker
entrypoint script that ignored the NODE_DB_PATH environment variable.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Added specific error reasons for auth failures: no_auth_header, invalid_auth_format, invalid_token
- Fixed AUTH_TOKEN_FILE support in Docker production stacks (issue #16)
- Added AUTH_TOKEN_FILE support to single-session HTTP server for consistency
- Enhanced security by removing token lengths from logs
- Added token trimming and empty token validation
- Updated Docker entrypoint to properly support AUTH_TOKEN_FILE
- Bumped version to 2.7.10
This improves debugging for mcp-remote authentication issues and enables
proper Docker secrets usage in production environments.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Set environment variables BEFORE imports in stdio-wrapper
- Override ALL console methods to prevent any output
- Update docker-entrypoint.sh to use exec for proper signal handling
- Add fallback if stdio-wrapper.js is missing
- Remove background process handling in stdio mode
This ensures absolutely no log output corrupts the JSON-RPC stream
- Add InitializeRequestSchema handler to MCP server
- Implement stdout flushing for Docker environments
- Create stdio-wrapper for clean JSON-RPC communication
- Update docker-entrypoint.sh to prevent stdout pollution
- Fix logger to check MCP_MODE before level check
These changes ensure the MCP server responds to initialization requests
within Claude Desktop's 60-second timeout when running in Docker.
Fixed the initialization timeout issue with minimal changes:
1. Added stdout flush after server connection to combat Docker buffering
2. Fixed docker-entrypoint.sh to not output to stdout in stdio mode
3. Added process.stdin.resume() to keep server alive
4. Added IS_DOCKER environment variable for future use
5. Updated README to prioritize Docker with correct -i flag configuration
The core issue was Docker's block buffering preventing immediate JSON-RPC
responses. The -i flag maintains stdin connection, and explicit flushing
ensures responses reach Claude Desktop immediately.
Also fixed "Shutting down..." message that was breaking JSON-RPC protocol
by redirecting it to stderr in stdio mode.
Docker is now the recommended installation method as originally intended.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Added ca-certificates package for proper SSL certificate validation
- Configured git to handle SSL and initialization properly
- Added --depth 1 for faster cloning and reduced network issues
- Improved error handling to continue build even if docs clone fails
- Fixed su-exec issue by using Alpine's native su command
- Redirected git clone stderr to avoid polluting build logs
These changes address the exit code 128 git errors occurring in GitHub Actions
Docker builds while maintaining backwards compatibility.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
