Draft
Conversation
- Adiciona MCP_API_KEY para proteger o servidor via Bearer token ou x-api-key header - Implementa HTTP server com SSE transport (modo ENABLE_HTTP=true) para Dokploy - Mantém modo STDIO para uso local com Claude Desktop - Adiciona endpoint /health sem autenticação para health checks - Remove WebSocket stub não funcional Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Reviewer's GuideReplaces the WebSocket MCP server with an HTTP/SSE-based server secured via optional API key, updates CLI entrypoint to choose between HTTP/SSE and STDIO modes, introduces configurable MCP API key in config, and refactors the Dockerfile into a two-stage build/runtime image aligned with the new startup mode. Sequence diagram for HTTP/SSE MCP server with API key validationsequenceDiagram
actor Client
participant HttpServer
participant ValidateApiKey
participant SSEServerTransport
participant TransportsMap
participant MCPServer
Client->>HttpServer: GET /health
HttpServer-->>Client: 200 { status: ok }
Client->>HttpServer: GET /sse (with headers)
HttpServer->>ValidateApiKey: validateApiKey(req, res)
alt API key invalid or missing
ValidateApiKey-->>HttpServer: false
HttpServer-->>Client: 401 { error: Unauthorized }
else API key valid or not configured
ValidateApiKey-->>HttpServer: true
HttpServer->>SSEServerTransport: new SSEServerTransport(/message, res)
HttpServer->>TransportsMap: set(sessionId, transport)
SSEServerTransport->>MCPServer: connect(transport)
MCPServer-->>SSEServerTransport: session established
end
Client->>HttpServer: POST /message?sessionId
HttpServer->>ValidateApiKey: validateApiKey(req, res)
alt API key invalid
ValidateApiKey-->>HttpServer: false
HttpServer-->>Client: 401 { error: Unauthorized }
else API key valid
ValidateApiKey-->>HttpServer: true
HttpServer->>TransportsMap: get(sessionId)
alt transport not found
TransportsMap-->>HttpServer: undefined
HttpServer-->>Client: 400 { error: Sessao nao encontrada }
else transport found
TransportsMap-->>HttpServer: transport
HttpServer->>SSEServerTransport: handlePostMessage(req, res)
SSEServerTransport->>MCPServer: forward MCP request
MCPServer-->>SSEServerTransport: MCP response
SSEServerTransport-->>Client: SSE event with response
end
end
SSEServerTransport-->>TransportsMap: onclose() delete(sessionId)
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
![sourcery-ai[bot]](https://avatars.gh.lumenfield.work/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey - I've found 2 issues, and left some high level feedback:
- The updated Dockerfile no longer defines a CMD/ENTRYPOINT, so containers built from this image won’t start the MCP server by default; consider adding back something like
CMD ["node", "dist/index.js"](or the appropriate entrypoint for the new HTTP mode). - In
startHttpServer, the base URL for parsing (new URL(req.url || '/', 'http://localhost')) and the logged SSE endpoint both hardcodelocalhost, which may be confusing or incorrect when running behind a reverse proxy or in containerized environments; consider deriving the host/port from configuration or the incoming request instead.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The updated Dockerfile no longer defines a CMD/ENTRYPOINT, so containers built from this image won’t start the MCP server by default; consider adding back something like `CMD ["node", "dist/index.js"]` (or the appropriate entrypoint for the new HTTP mode).
- In `startHttpServer`, the base URL for parsing (`new URL(req.url || '/', 'http://localhost')`) and the logged SSE endpoint both hardcode `localhost`, which may be confusing or incorrect when running behind a reverse proxy or in containerized environments; consider deriving the host/port from configuration or the incoming request instead.
## Individual Comments
### Comment 1
<location path="src/index.ts" line_range="762-771" />
<code_context>
+ const httpServer = http.createServer(async (req, res) => {
</code_context>
<issue_to_address>
**issue (bug_risk):** Unhandled errors inside the async HTTP request handler can cause unhandled rejections and inconsistent responses.
Since the `http.createServer` callback is `async`, any thrown error or rejected promise in this handler will surface as an unhandled rejection rather than a proper HTTP response. Consider wrapping the handler body in a `try/catch`, returning a 5xx response and logging the error to avoid hanging requests or abrupt socket closures.
</issue_to_address>
### Comment 2
<location path="Dockerfile" line_range="2-11" />
<code_context>
-FROM node:18-alpine
+# ---- Stage 1: Build ----
+FROM node:18-alpine AS builder
WORKDIR /app
-# Copiar arquivos de dependências
COPY package*.json ./
-RUN npm ci --only=production
+RUN npm install
+
+COPY tsconfig.json ./
+COPY src ./src
+RUN npm run build
+
+# ---- Stage 2: Runtime ----
+FROM node:18-alpine
-# Copiar arquivos de código compilado
-COPY dist ./dist
-COPY .env.example ./.env.example
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm install --omit=dev
-# Definir variáveis de ambiente padrão
</code_context>
<issue_to_address>
**suggestion (performance):** The multi-stage Docker build installs dependencies twice and could be optimized for size and speed.
The builder stage runs `npm install`, and the runtime stage runs `npm install --omit=dev`, duplicating the install work. Instead, install production deps once in the builder (e.g., `npm ci --omit=dev`) and copy `node_modules` into the runtime image to skip the second install. In the runtime stage, also set `NODE_ENV=production` so dependencies run in production mode and can apply their own optimizations.
Suggested implementation:
```
COPY package*.json ./
RUN npm ci --omit=dev
```
```
WORKDIR /app
ENV NODE_ENV=production
COPY --from=builder /app/node_modules ./node_modules
COPY --from=builder /app/dist ./dist
```
</issue_to_address>Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
Author
|
Revisado |
Permite autenticação via URL para clientes que não suportam headers customizados, como o Claude Desktop. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
- Adiciona fluxo OAuth 2.0 completo (authorize, token, register) - Página HTML de autorização solicita a MCP_API_KEY ao usuário - Suporte a PKCE (S256 e plain) - CORS habilitado para requisições do Claude.ai - Adiciona BASE_URL no config para discovery OAuth - Mantém compatibilidade com Bearer token e x-api-key header Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary by Sourcery
Add HTTP/SSE-based MCP server mode with optional API key authentication and update runtime configuration accordingly.
New Features:
Enhancements:
Build: