* fix: deprecate USE_FIXED_HTTP for SSE streaming support (Issue #524)
The fixed HTTP implementation does not support SSE streaming required
by clients like OpenAI Codex. This commit deprecates USE_FIXED_HTTP
and makes SingleSessionHTTPServer the default.
Changes:
- Add deprecation warnings in src/mcp/index.ts and src/http-server.ts
- Remove USE_FIXED_HTTP from docker-compose.yml and Dockerfile.railway
- Update .env.example with deprecation notice
- Rename npm script to start:http:fixed:deprecated
- Update all documentation to remove USE_FIXED_HTTP references
- Mark test case as deprecated
Users should unset USE_FIXED_HTTP to use the modern SingleSessionHTTPServer
which supports both JSON-RPC and SSE streaming.
Closes#524
Concieved by Romuald Członkowski - www.aiadvisors.pl/en
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
* chore: bump version to 2.31.8 and add CHANGELOG entry
- Fix comment inaccuracy: "deprecated" not "deprecated and removed"
- Bump version from 2.31.7 to 2.31.8
- Add CHANGELOG entry documenting USE_FIXED_HTTP deprecation
- Update all deprecation messages to reference v2.31.8
Concieved by Romuald Członkowski - www.aiadvisors.pl/en
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---------
Co-authored-by: Romuald Członkowski <romualdczlonkowski@MacBook-Pro-Romuald.local>
Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
Added DISABLED_TOOLS environment variable to filter specific tools from registration at startup, enabling deployment-specific tool configuration for multi-tenant deployments, security hardening, and feature flags.
## Implementation
- Added getDisabledTools() method to parse comma-separated tool names from env var
- Modified ListToolsRequestSchema handler to filter both documentation and management tools
- Modified CallToolRequestSchema handler to reject disabled tool calls with clear error messages
- Added defense-in-depth guard in executeTool() method
## Features
- Environment variable format: DISABLED_TOOLS=tool1,tool2,tool3
- O(1) lookup performance using Set data structure
- Clear error messages with TOOL_DISABLED code
- Backward compatible (no DISABLED_TOOLS = all tools enabled)
- Comprehensive logging for observability
## Use Cases
- Multi-tenant: Hide tools that check global env vars
- Security: Disable management tools in production
- Feature flags: Gradually roll out new tools
- Deployment-specific: Different tool sets for cloud vs self-hosted
## Testing
- 45 comprehensive tests (all passing)
- 95% feature code coverage
- Unit tests + additional test scenarios
- Performance tested with 1000 tools (<100ms)
## Files Modified
- src/mcp/server.ts - Core implementation (~40 lines)
- .env.example, .env.docker - Configuration documentation
- tests/unit/mcp/disabled-tools*.test.ts - Comprehensive tests
- package.json, package.runtime.json - Version bump to 2.22.14
- CHANGELOG.md - Full documentation
Resolves#410
Conceived by Romuald Członkowski - www.aiadvisors.pl/en
This commit implements HIGH-02 (Rate Limiting) and HIGH-03 (SSRF Protection)
from the security audit, protecting against brute force attacks and
Server-Side Request Forgery.
Security Enhancements:
- Rate limiting: 20 attempts per 15 minutes per IP (configurable)
- SSRF protection: Three security modes (strict/moderate/permissive)
- DNS rebinding prevention
- Cloud metadata blocking in all modes
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Complete implementation of Phase 1 foundation for n8n API integration tests.
Establishes core utilities, fixtures, and infrastructure for testing all 17 n8n API handlers against real n8n instance.
Changes:
- Add integration test environment configuration to .env.example
- Create comprehensive test utilities infrastructure:
* credentials.ts: Environment-aware credential management (local .env vs CI secrets)
* n8n-client.ts: Singleton API client wrapper with health checks
* test-context.ts: Resource tracking and automatic cleanup
* cleanup-helpers.ts: Multi-level cleanup strategies (orphaned, age-based, tag-based)
* fixtures.ts: 6 pre-built workflow templates (webhook, HTTP, multi-node, error handling, AI, expressions)
* factories.ts: Dynamic node/workflow builders with 15+ factory functions
* webhook-workflows.ts: Webhook workflow configs and setup instructions
- Add npm scripts:
* test:integration:n8n: Run n8n API integration tests
* test:cleanup:orphans: Clean up orphaned test resources
- Create cleanup script for CI/manual use
Documentation:
- Add comprehensive integration testing plan (550 lines)
- Add Phase 1 completion summary with lessons learned
Key Features:
- Automatic credential detection (CI vs local)
- Multi-level cleanup (test, suite, CI, orphan)
- 6 workflow fixtures covering common scenarios
- 15+ factory functions for dynamic test data
- Support for 4 HTTP methods (GET, POST, PUT, DELETE) via pre-activated webhook workflows
- TypeScript-first with full type safety
- Comprehensive error handling with helpful messages
Total: ~1,520 lines of production-ready code + 650 lines of documentation
Ready for Phase 2: Workflow creation tests
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Implements comprehensive multi-tenant support to fix n8n API tools not being dynamically registered when instance context is provided via headers. Includes critical security and performance improvements identified during code review.
Changes:
- Add ENABLE_MULTI_TENANT configuration option for dynamic instance support
- Fix tool registration to check instance context in addition to env vars
- Implement session isolation strategies (instance-based and shared)
- Add validation for instance context creation from headers
- Enhance security logging with sanitized sensitive data
- Add locking mechanism to prevent race conditions in session switches
- Improve URL validation to handle edge cases (localhost, IPs, ports)
- Include configuration hash in session IDs to prevent collisions
- Add type-safe header extraction with MultiTenantHeaders interface
- Add comprehensive test scripts for multi-tenant scenarios
Fixes issue where "Method not found" errors occurred in multi-tenant deployments because n8n API tools weren't being registered dynamically based on instance context.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add cache-utils.ts with hash memoization, configurable cache, metrics tracking, mutex, and retry logic
- Enhance validation with field-specific error messages in instance-context.ts
- Add JSDoc documentation to all public methods
- Make cache configurable via INSTANCE_CACHE_MAX and INSTANCE_CACHE_TTL_MINUTES env vars
- Add comprehensive test coverage for cache utilities and metrics monitoring
- Fix test expectations for new validation error format
Addresses all feedback from PR #209 code review
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
- Implement OpenAI batch API integration for metadata generation
- Add metadata columns to database schema (metadata_json, metadata_generated_at)
- Create MetadataGenerator service with structured output schemas
- Create BatchProcessor for handling OpenAI batch jobs
- Add --generate-metadata flag to fetch-templates script
- Update template repository with metadata management methods
- Add OpenAI configuration to environment variables
- Include comprehensive tests for metadata generation
- Use gpt-4o-mini model with 50% cost savings via batch API
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Fixed docker-entrypoint.sh to use NODE_DB_PATH instead of hardcoded paths
- Added log_message() helper to prevent stdio mode output corruption
- Fixed directory creation race condition with proper ownership
- Added path validation to ensure NODE_DB_PATH ends with .db
- Updated rebuild.ts to respect NODE_DB_PATH environment variable
- Added comprehensive documentation for custom database paths
- Bumped version to 2.7.16
The bug was caused by hardcoded /app/data/nodes.db paths in the Docker
entrypoint script that ignored the NODE_DB_PATH environment variable.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add intelligent URL detection supporting BASE_URL, PUBLIC_URL, and proxy headers
- Fix hardcoded localhost URLs in server console output
- Add hostname validation to prevent host header injection attacks
- Restrict URL schemes to http/https only (block javascript:, file://, etc.)
- Remove sensitive environment data from API responses
- Add GET endpoints (/, /mcp) for better API discovery
- Fix version inconsistency between server implementations
- Update HTTP bridge to use HOST/PORT environment variables
- Add comprehensive test scripts for URL configuration and security
This resolves issues #41 and #42 by making the HTTP server properly handle
deployment behind reverse proxies and adds critical security validations.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add TRUST_PROXY environment variable to enable proxy header trust
- Configure Express trust proxy in both HTTP server implementations
- Fix issue #19: Docker internal IPs logged instead of real client IPs
- Update documentation with reverse proxy configuration guide
- Add examples for nginx proxy header forwarding
- Maintain backward compatibility (disabled by default)
When TRUST_PROXY=1 is set, the server will correctly log client IPs
from X-Forwarded-For headers instead of proxy/container IPs.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Major documentation cleanup and updates:
Updates:
- Add USE_FIXED_HTTP=true to all Docker and HTTP deployment examples
- Update main README with v2.3.2 release notes and version badges
- Add HTTP server troubleshooting section for stream errors
- Update CHANGELOG with v2.3.1 and v2.3.2 entries
- Update all configuration examples (.env.example, docker-compose.yml)
- Add clear instructions for using the fixed HTTP implementation
Removed legacy documentation (11 files):
- Implementation plans that have been completed
- Architecture analysis documents
- Intermediate fix documentation
- Planning documents for features now implemented
- Duplicate SETUP.md (content merged into INSTALLATION.md)
The documentation now accurately reflects the current v2.3.2 state
with the complete HTTP server fix using USE_FIXED_HTTP=true.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Separate configuration sections for local (stdio) and HTTP modes
- Fix variable names: MCP_SERVER_PORT/HOST for local mode
- Change default NODE_DB_PATH to ./data/nodes-v2.db for local dev
- Add missing REBUILD_ON_START variable
- Set NODE_ENV to development by default
- Add clear comments explaining which mode uses which variables
- Update README with cp .env.example .env step
The .env.example now properly supports both deployment modes
and will work out of the box when copied to .env.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add HTTP/JSON-RPC server for remote MCP access
- Configure domain and authentication via environment variables
- Create comprehensive remote deployment documentation
- Support both local (stdio) and remote (HTTP) deployment modes
- Add PM2 and Nginx configuration examples
- Update README with remote server instructions
The server can now be deployed on a VM (e.g., Hetzner) and accessed
from Claude Desktop over HTTPS using the configured domain.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
Major features implemented:
- SQLite storage service with FTS5 for fast node search
- Database rebuild mechanism for bulk node extraction
- MCP tools: search_nodes, extract_all_nodes, get_node_statistics
- Production Docker deployment with persistent storage
- Management scripts for database operations
- Comprehensive test suite for all functionality
Database capabilities:
- Stores node source code and metadata
- Full-text search by node name or content
- No versioning (stores latest only as per requirements)
- Supports complete database rebuilds
- ~4.5MB database with 500+ nodes indexed
Production features:
- Automated deployment script
- Docker Compose production configuration
- Database initialization on first run
- Volume persistence for data
- Management utilities for operations
Documentation:
- Updated README with complete instructions
- Production deployment guide
- Clear troubleshooting section
- API reference for all new tools
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
This commit adds a complete integration between n8n workflow automation and the Model Context Protocol (MCP):
Features:
- MCP server that exposes n8n workflows as tools, resources, and prompts
- Custom n8n node for connecting to MCP servers from workflows
- Bidirectional bridge for data format conversion
- Token-based authentication and credential management
- Comprehensive error handling and logging
- Full test coverage for core components
Infrastructure:
- TypeScript/Node.js project setup with proper build configuration
- Docker support with multi-stage builds
- Development and production docker-compose configurations
- Installation script for n8n custom node deployment
Documentation:
- Detailed README with usage examples and API reference
- Environment configuration templates
- Troubleshooting guide
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
