- Add header extraction logic in http-server-single-session.ts
- Extract X-N8n-Url, X-N8n-Key, X-Instance-Id, X-Session-Id headers
- Pass extracted context to handleRequest method
- Maintain full backward compatibility (falls back to env vars)
- Add comprehensive tests for header extraction scenarios
- Update documentation with HTTP header specifications
This fixes the bug where instance-specific configuration headers were not
being extracted and passed to the MCP server, preventing the multi-tenant
feature from working as designed in PR #209.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add InstanceContext interface for runtime configuration
- Implement dual-mode API client (singleton + instance-specific)
- Add secure SHA-256 hashing for cache keys
- Implement LRU cache with TTL (100 instances, 30min expiry)
- Add comprehensive input validation for URLs and API keys
- Sanitize all logging to prevent API key exposure
- Fix session context cleanup and memory management
- Add comprehensive security and integration tests
- Maintain full backward compatibility for single-player usage
Security improvements based on code review:
- Cache keys are now cryptographically hashed
- API credentials never appear in logs
- Memory-bounded cache prevents resource exhaustion
- Input validation rejects invalid/placeholder values
- Proper cleanup of orphaned session contexts
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
