From e7c3cd7ceea0ccbf30b6fd282e63ec2c31e79dd0 Mon Sep 17 00:00:00 2001
From: Benjamin Admin
Date: Mon, 15 Jun 2026 18:36:47 +0200
Subject: [PATCH] fix(mcp): DNS-Rebinding-Schutz aus (server-to-server+Bearer) + MCP-Dienst expose-only
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- FastMCP transport_security: enable_dns_rebinding_protection nur an, wenn MCP_ALLOWED_HOSTS gesetzt; sonst aus (sonst HTTP 421 "Invalid Host header" bei Aufrufen über nginx/Container-Name). Bearer bleibt die Zugriffskontrolle.
- bp-compliance-mcp: Host-Port-Mapping entfernt (8099 war von bp-core-health belegt) → expose-only im breakpilot-network, Routing via nginx (Folgeschritt).

Co-Authored-By: Claude Opus 4.7
---
 backend-compliance/compliance/mcp/server.py | 13 ++++++++++++-
 docker-compose.yml | 6 ++++--
 2 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/backend-compliance/compliance/mcp/server.py b/backend-compliance/compliance/mcp/server.py
index 1087fcd4..1a3ee715 100644
--- a/backend-compliance/compliance/mcp/server.py
+++ b/backend-compliance/compliance/mcp/server.py
@@ -17,11 +17,22 @@ import os
 from typing import Optional
 from mcp.server.fastmcp import FastMCP
+from mcp.server.transport_security import TransportSecuritySettings
 from compliance.api.cra_annex_i_data import ANNEX_I_REQUIREMENTS
 from compliance.services.cra_finding_mapper import assess_findings_payload
-mcp = FastMCP("breakpilot-cra")
+# We are a server-to-server, Bearer-gated API behind nginx — not a browser target.
+# FastMCP's DNS-rebinding protection rejects unknown Host headers (HTTP 421); keep
+# it OFF unless MCP_ALLOWED_HOSTS pins an explicit allowlist (comma-separated).
+_ALLOWED = [h.strip() for h in (os.environ.get("MCP_ALLOWED_HOSTS") or "").split(",") if h.strip()]
+_SECURITY = TransportSecuritySettings(
+ enable_dns_rebinding_protection=bool(_ALLOWED),
+ allowed_hosts=_ALLOWED,
+ allowed_origins=_ALLOWED,
+)
+
+mcp = FastMCP("breakpilot-cra", transport_security=_SECURITY)
 @mcp.tool(
diff --git a/docker-compose.yml b/docker-compose.yml
index 973ec844..5335adae 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -156,13 +156,15 @@ services: container_name: bp-compliance-mcp platform: linux/arm64 command: ["python", "-m", "compliance.mcp.server"] + # Internal-only on the breakpilot network; reached via nginx (follow-up) or by + # other containers. No host port (avoids host-port conflicts). expose: - "8099" - ports: - - "8099:8099" environment: MCP_PORT: 8099 CRA_MCP_TOKEN: ${CRA_MCP_TOKEN:-} + # Optional: pin Host allowlist (comma-separated) to enable DNS-rebinding protection. MCP_ALLOWED_HOSTS: ${MCP_ALLOWED_HOSTS:-} healthcheck: disable: true restart: unless-stopped
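Review bot: The protection now fails open without any trace: when MCP_ALLOWED_HOSTS is unset, or holds only commas and whitespace, `_ALLOWED` is empty and `enable_dns_rebinding_protection=bool(_ALLOWED)` evaluates to False. A startup warning stating that the check is disabled would make a missing or mistyped variable visible, since from then on the Bearer token, whose enforcement is outside this hunk, is the only gate. Also, `allowed_origins=_ALLOWED` reuses Host values as Origin values; an Origin header carries a scheme (`https://host`) and a Host header does not, so once the allowlist is set a request that sends an Origin would presumably never match. Reading origins from their own variable, or passing `allowed_origins=[]` with a comment that no browser client is expected, would state the intent.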
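Review bot: `MCP_ALLOWED_HOSTS: ${MCP_ALLOWED_HOSTS:-}` defaults to empty, so the stock deployment runs with the Host check off and relies on `CRA_MCP_TOKEN`, which on the line above the new comment also defaults to empty. How the server treats an empty token is not visible here; if it does not refuse to start, every container on the breakpilot network could call the tools unauthenticated. Making the token mandatory at compose level, `CRA_MCP_TOKEN: ${CRA_MCP_TOKEN:?CRA_MCP_TOKEN must be set}`, closes that gap. The new comment could also say that each entry has to equal the Host header as nginx forwards it (whether the port must be included depends on how the server matches, to be confirmed).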