Security Fixes:
- Add command injection prevention in n8n-mcp wrapper with whitelist validation
- Fix race condition in database initialization with proper lock directory creation
- Add flock availability check with fallback behavior
- Implement comprehensive input sanitization in parse-config.js
Improvements:
- Add debug logging support to parse-config.js (DEBUG_CONFIG=true)
- Improve test cleanup error handling with proper error tracking
- Increase integration test timeouts for CI compatibility
- Update test assertions to check environment variables instead of processes
All critical security vulnerabilities identified by code review have been addressed.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
This commit adds comprehensive support for JSON configuration files in Docker containers,
addressing the issue where the Docker image fails to start in server mode and ignores
configuration files.
## Changes
### Docker Configuration Support
- Added parse-config.js to safely parse JSON configs and export as shell variables
- Implemented secure shell quoting to prevent command injection
- Added dangerous environment variable blocking for security
- Support for all JSON data types with proper edge case handling
### Docker Server Mode Fix
- Added support for "n8n-mcp serve" command in entrypoint
- Properly transforms serve command to HTTP mode
- Fixed missing n8n-mcp binary issue in Docker image
### Security Enhancements
- POSIX-compliant shell quoting without eval
- Blocked dangerous variables (PATH, LD_PRELOAD, etc.)
- Sanitized configuration keys to prevent invalid shell variables
- Protection against shell metacharacters in values
### Testing
- Added 53 comprehensive tests for Docker configuration
- Unit tests for parsing, security, and edge cases
- Integration tests for Docker entrypoint behavior
- Security-focused tests for injection prevention
### Documentation
- Updated Docker README with config file mounting examples
- Enhanced troubleshooting guide with config file issues
- Added version bump to 2.8.2
### Additional Files
- Included deployment-engineer and technical-researcher agent files
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Added proper SIGTERM/SIGINT signal handlers to stdio-wrapper.ts
- Removed problematic trap commands from docker-entrypoint.sh
- Added STOPSIGNAL directive to Dockerfile for explicit signal handling
- Implemented graceful shutdown in MCP server with database cleanup
- Added stdin close detection for proper cleanup when Claude Desktop closes the pipe
- Containers now properly exit with the --rm flag, preventing accumulation
- Added --init flag to all Docker configuration examples
- Updated documentation with container lifecycle management best practices
- Bumped version to 2.7.20
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Fixed docker-entrypoint.sh to use NODE_DB_PATH instead of hardcoded paths
- Added log_message() helper to prevent stdio mode output corruption
- Fixed directory creation race condition with proper ownership
- Added path validation to ensure NODE_DB_PATH ends with .db
- Updated rebuild.ts to respect NODE_DB_PATH environment variable
- Added comprehensive documentation for custom database paths
- Bumped version to 2.7.16
The bug was caused by hardcoded /app/data/nodes.db paths in the Docker
entrypoint script that ignored the NODE_DB_PATH environment variable.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Added specific error reasons for auth failures: no_auth_header, invalid_auth_format, invalid_token
- Fixed AUTH_TOKEN_FILE support in Docker production stacks (issue #16)
- Added AUTH_TOKEN_FILE support to single-session HTTP server for consistency
- Enhanced security by removing token lengths from logs
- Added token trimming and empty token validation
- Updated Docker entrypoint to properly support AUTH_TOKEN_FILE
- Bumped version to 2.7.10
This improves debugging for mcp-remote authentication issues and enables
proper Docker secrets usage in production environments.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Set environment variables BEFORE imports in stdio-wrapper
- Override ALL console methods to prevent any output
- Update docker-entrypoint.sh to use exec for proper signal handling
- Add fallback if stdio-wrapper.js is missing
- Remove background process handling in stdio mode
This ensures absolutely no log output corrupts the JSON-RPC stream
- Add InitializeRequestSchema handler to MCP server
- Implement stdout flushing for Docker environments
- Create stdio-wrapper for clean JSON-RPC communication
- Update docker-entrypoint.sh to prevent stdout pollution
- Fix logger to check MCP_MODE before level check
These changes ensure the MCP server responds to initialization requests
within Claude Desktop's 60-second timeout when running in Docker.
Fixed the initialization timeout issue with minimal changes:
1. Added stdout flush after server connection to combat Docker buffering
2. Fixed docker-entrypoint.sh to not output to stdout in stdio mode
3. Added process.stdin.resume() to keep server alive
4. Added IS_DOCKER environment variable for future use
5. Updated README to prioritize Docker with correct -i flag configuration
The core issue was Docker's block buffering preventing immediate JSON-RPC
responses. The -i flag maintains stdin connection, and explicit flushing
ensures responses reach Claude Desktop immediately.
Also fixed "Shutting down..." message that was breaking JSON-RPC protocol
by redirecting it to stderr in stdio mode.
Docker is now the recommended installation method as originally intended.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Added ca-certificates package for proper SSL certificate validation
- Configured git to handle SSL and initialization properly
- Added --depth 1 for faster cloning and reduced network issues
- Improved error handling to continue build even if docs clone fails
- Fixed su-exec issue by using Alpine's native su command
- Redirected git clone stderr to avoid polluting build logs
These changes address the exit code 128 git errors occurring in GitHub Actions
Docker builds while maintaining backwards compatibility.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
