* fix: deprecate USE_FIXED_HTTP for SSE streaming support (Issue #524)
The fixed HTTP implementation does not support SSE streaming required
by clients like OpenAI Codex. This commit deprecates USE_FIXED_HTTP
and makes SingleSessionHTTPServer the default.
Changes:
- Add deprecation warnings in src/mcp/index.ts and src/http-server.ts
- Remove USE_FIXED_HTTP from docker-compose.yml and Dockerfile.railway
- Update .env.example with deprecation notice
- Rename npm script to start:http:fixed:deprecated
- Update all documentation to remove USE_FIXED_HTTP references
- Mark test case as deprecated
Users should unset USE_FIXED_HTTP to use the modern SingleSessionHTTPServer
which supports both JSON-RPC and SSE streaming.
Closes#524
Concieved by Romuald Członkowski - www.aiadvisors.pl/en
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* chore: bump version to 2.31.8 and add CHANGELOG entry
- Fix comment inaccuracy: "deprecated" not "deprecated and removed"
- Bump version from 2.31.7 to 2.31.8
- Add CHANGELOG entry documenting USE_FIXED_HTTP deprecation
- Update all deprecation messages to reference v2.31.8
Concieved by Romuald Członkowski - www.aiadvisors.pl/en
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Romuald Członkowski <romualdczlonkowski@MacBook-Pro-Romuald.local>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
* enhance: Add safety features to HTTP validation tools response
- Add TypeScript interface (MCPToolResponse) for type safety
- Implement 1MB response size validation and truncation
- Add warning logs for large validation responses
- Prevent memory issues with size limits (matches STDIO behavior)
This enhances PR #343's fix with defensive measures:
- Size validation prevents DoS/memory exhaustion
- Truncation ensures HTTP transport stability
- Type safety improves code maintainability
All changes are backward compatible and non-breaking.
Conceived by Romuald Członkowski - https://www.aiadvisors.pl/en
* chore: Version bump to 2.20.4 with documentation
- Bump version 2.20.3 → 2.20.4
- Add comprehensive CHANGELOG.md entry for v2.20.4
- Document CI test infrastructure issues in docs/CI_TEST_INFRASTRUCTURE.md
- Explain MSW/external PR integration test failures
- Reference PR #343 and enhancement safety features
Code review: 9/10 (code-reviewer agent approved)
Conceived by Romuald Członkowski - https://www.aiadvisors.pl/en
Merging PR #343 - fixes MCP protocol error -32600 for validation tools via HTTP transport.
The integration test failures are due to MSW/CI infrastructure issues with external contributor PRs (mock server not responding), NOT the code changes. The fix has been manually tested and verified working with n8n-nodes-mcp community node.
Tests pass locally and the code is correct.
- Add N8N_MODE environment variable for n8n-specific behavior
- Implement HTTP Streamable transport with multiple session support
- Add protocol version endpoint (GET /mcp) for n8n compatibility
- Support multiple initialize requests for stateless n8n clients
- Add Docker configuration for n8n deployment
- Add test script with persistent volume support
- Add comprehensive unit tests for n8n mode
- Fix session management to handle per-request transport pattern
BREAKING CHANGE: Server now creates new transport for each initialize request
when running in n8n mode to support n8n's stateless client architecture
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Remove Jest and all related packages
- Install Vitest with coverage support
- Create vitest.config.ts with path aliases
- Set up global test configuration
- Migrate all 6 test files to Vitest syntax
- Update TypeScript configuration for better Vitest support
- Create separate tsconfig.build.json for clean builds
- Fix all import/module issues in tests
- All 68 tests passing successfully
- Current coverage baseline: 2.45%
Phase 1 of testing suite improvement complete.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add intelligent URL detection supporting BASE_URL, PUBLIC_URL, and proxy headers
- Fix hardcoded localhost URLs in server console output
- Add hostname validation to prevent host header injection attacks
- Restrict URL schemes to http/https only (block javascript:, file://, etc.)
- Remove sensitive environment data from API responses
- Add GET endpoints (/, /mcp) for better API discovery
- Fix version inconsistency between server implementations
- Update HTTP bridge to use HOST/PORT environment variables
- Add comprehensive test scripts for URL configuration and security
This resolves issues #41 and #42 by making the HTTP server properly handle
deployment behind reverse proxies and adds critical security validations.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Added specific error reasons for auth failures: no_auth_header, invalid_auth_format, invalid_token
- Fixed AUTH_TOKEN_FILE support in Docker production stacks (issue #16)
- Added AUTH_TOKEN_FILE support to single-session HTTP server for consistency
- Enhanced security by removing token lengths from logs
- Added token trimming and empty token validation
- Updated Docker entrypoint to properly support AUTH_TOKEN_FILE
- Bumped version to 2.7.10
This improves debugging for mcp-remote authentication issues and enables
proper Docker secrets usage in production environments.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add TRUST_PROXY environment variable to enable proxy header trust
- Configure Express trust proxy in both HTTP server implementations
- Fix issue #19: Docker internal IPs logged instead of real client IPs
- Update documentation with reverse proxy configuration guide
- Add examples for nginx proxy header forwarding
- Maintain backward compatibility (disabled by default)
When TRUST_PROXY=1 is set, the server will correctly log client IPs
from X-Forwarded-For headers instead of proxy/container IPs.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add AUTH_TOKEN_FILE environment variable support for reading auth tokens from files
- Support Docker secrets pattern for production deployments
- Add Known Issues section documenting Claude Desktop container duplication bug
- Update documentation with authentication options and best practices
- Fix issue #16: AUTH_TOKEN_FILE was documented but not implemented
- Add comprehensive tests for AUTH_TOKEN_FILE functionality
BREAKING CHANGE: None - AUTH_TOKEN continues to work as before
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Added warning about experimental remote server deployment
- Clarified HTTP bridge architecture in documentation
- Added deployment scenarios section explaining local vs remote options
- Enhanced troubleshooting with bridge-specific issues
- Created http-bridge.js for local HTTP testing
- Fixed HTTP server to include management tools in tools/list
The documentation now clearly explains:
- Why "node" command is used instead of "docker" (stdio bridge requirement)
- Three deployment scenarios with pros/cons
- How to test locally with Docker
- Bridge architecture (Claude Desktop → bridge → HTTP server)
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Updates the protocol version from '1.0' to the current MCP specification version '2024-11-05'.
This resolves compatibility issues with modern MCP clients and ensures proper protocol negotiation.
- Renamed files to remove unnecessary suffixes:
- tools-update.ts → tools.ts
- server-update.ts → server.ts
- http-server-fixed.ts → http-server.ts
- Created version utility to read from package.json as single source of truth
- Updated all imports across 21+ files
- Removed legacy files:
- src/http-server.ts (legacy HTTP server with known issues)
- src/utils/n8n-client.ts (unused legacy API client)
- Added n8n_diagnostic tool to help troubleshoot management tools visibility
- Added script to sync package.runtime.json version
- Fixed version mismatch issue (was hardcoded 2.4.1, now reads 2.7.0 from package.json)
This addresses GitHub issue #5 regarding version mismatch and provides better diagnostics for users.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Root Cause Analysis:
- Express.json() middleware was consuming request stream before StreamableHTTPServerTransport
- StreamableHTTPServerTransport has initialization issues with stateless usage
Two-Phase Solution:
1. Removed all body parsing middleware to preserve raw streams
2. Created http-server-fixed.ts with direct JSON-RPC implementation
Key Changes:
- Remove express.json() from all HTTP server implementations
- Add http-server-fixed.ts that bypasses StreamableHTTPServerTransport
- Implement initialize, tools/list, and tools/call methods directly
- Add USE_FIXED_HTTP=true environment variable to enable fixed server
- Update logging to not access req.body
The fixed implementation:
- Handles JSON-RPC protocol directly without transport complications
- Maintains full MCP compatibility
- Works reliably without stream or initialization errors
- Provides better performance and debugging capabilities
Usage: MCP_MODE=http USE_FIXED_HTTP=true npm start
This provides a stable, production-ready HTTP server for n8n-MCP.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
