n8n-mcp

ros/n8n-mcp

Fork 0

mirror of https://github.com/czlonkowski/n8n-mcp.git synced 2026-02-06 13:33:11 +00:00

Commit Graph

Author	SHA1	Message	Date
czlonkowski	821ace310e	refactor: Improve DISABLED_TOOLS implementation based on code review Performance Optimization: - Add caching to getDisabledTools() to prevent 3x parsing per request - Cache result as instance property disabledToolsCache - Reduces overhead from 3x to 1x per server instance Security Improvements: - Fix information disclosure in error responses - Only reveal the attempted tool name, not full list of disabled tools - Prevents leaking security configuration details Safety Limits: - Add 10KB maximum length for DISABLED_TOOLS environment variable - Add 200-tool maximum limit to prevent abuse - Include warnings when limits are exceeded Code Quality: - Add clarifying comment for defense-in-depth guard in executeTool() - Change logging level from info to debug for frequent operations - Add comprehensive JSDoc to TestableN8NMCPServer test classes - Document test wrapper pattern and exposed methods Test Updates: - Update test to verify 200-tool safety limit enforcement - All 45 tests passing with improved coverage Conceived by Romuald Członkowski - https://www.aiadvisors.pl/en 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>	2025-11-09 17:00:23 +01:00
czlonkowski	53252adc68	feat: Add DISABLED_TOOLS environment variable for tool filtering (Issue #410 ) Added DISABLED_TOOLS environment variable to filter specific tools from registration at startup, enabling deployment-specific tool configuration for multi-tenant deployments, security hardening, and feature flags. ## Implementation - Added getDisabledTools() method to parse comma-separated tool names from env var - Modified ListToolsRequestSchema handler to filter both documentation and management tools - Modified CallToolRequestSchema handler to reject disabled tool calls with clear error messages - Added defense-in-depth guard in executeTool() method ## Features - Environment variable format: DISABLED_TOOLS=tool1,tool2,tool3 - O(1) lookup performance using Set data structure - Clear error messages with TOOL_DISABLED code - Backward compatible (no DISABLED_TOOLS = all tools enabled) - Comprehensive logging for observability ## Use Cases - Multi-tenant: Hide tools that check global env vars - Security: Disable management tools in production - Feature flags: Gradually roll out new tools - Deployment-specific: Different tool sets for cloud vs self-hosted ## Testing - 45 comprehensive tests (all passing) - 95% feature code coverage - Unit tests + additional test scenarios - Performance tested with 1000 tools (<100ms) ## Files Modified - src/mcp/server.ts - Core implementation (~40 lines) - .env.example, .env.docker - Configuration documentation - tests/unit/mcp/disabled-tools*.test.ts - Comprehensive tests - package.json, package.runtime.json - Version bump to 2.22.14 - CHANGELOG.md - Full documentation Resolves #410 Conceived by Romuald Członkowski - www.aiadvisors.pl/en	2025-11-09 16:26:47 +01:00

Author

SHA1

Message

Date

czlonkowski

821ace310e

refactor: Improve DISABLED_TOOLS implementation based on code review

Performance Optimization:
- Add caching to getDisabledTools() to prevent 3x parsing per request
- Cache result as instance property disabledToolsCache
- Reduces overhead from 3x to 1x per server instance

Security Improvements:
- Fix information disclosure in error responses
- Only reveal the attempted tool name, not full list of disabled tools
- Prevents leaking security configuration details

Safety Limits:
- Add 10KB maximum length for DISABLED_TOOLS environment variable
- Add 200-tool maximum limit to prevent abuse
- Include warnings when limits are exceeded

Code Quality:
- Add clarifying comment for defense-in-depth guard in executeTool()
- Change logging level from info to debug for frequent operations
- Add comprehensive JSDoc to TestableN8NMCPServer test classes
- Document test wrapper pattern and exposed methods

Test Updates:
- Update test to verify 200-tool safety limit enforcement
- All 45 tests passing with improved coverage

Conceived by Romuald Członkowski - https://www.aiadvisors.pl/en

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-11-09 17:00:23 +01:00

czlonkowski

53252adc68

feat: Add DISABLED_TOOLS environment variable for tool filtering (Issue #410 )

Added DISABLED_TOOLS environment variable to filter specific tools from registration at startup, enabling deployment-specific tool configuration for multi-tenant deployments, security hardening, and feature flags.

## Implementation

- Added getDisabledTools() method to parse comma-separated tool names from env var
- Modified ListToolsRequestSchema handler to filter both documentation and management tools
- Modified CallToolRequestSchema handler to reject disabled tool calls with clear error messages
- Added defense-in-depth guard in executeTool() method

## Features

- Environment variable format: DISABLED_TOOLS=tool1,tool2,tool3
- O(1) lookup performance using Set data structure
- Clear error messages with TOOL_DISABLED code
- Backward compatible (no DISABLED_TOOLS = all tools enabled)
- Comprehensive logging for observability

## Use Cases

- Multi-tenant: Hide tools that check global env vars
- Security: Disable management tools in production
- Feature flags: Gradually roll out new tools
- Deployment-specific: Different tool sets for cloud vs self-hosted

## Testing

- 45 comprehensive tests (all passing)
- 95% feature code coverage
- Unit tests + additional test scenarios
- Performance tested with 1000 tools (<100ms)

## Files Modified

- src/mcp/server.ts - Core implementation (~40 lines)
- .env.example, .env.docker - Configuration documentation
- tests/unit/mcp/disabled-tools*.test.ts - Comprehensive tests
- package.json, package.runtime.json - Version bump to 2.22.14
- CHANGELOG.md - Full documentation

Resolves #410

Conceived by Romuald Członkowski - www.aiadvisors.pl/en

2025-11-09 16:26:47 +01:00

2 Commits