fix(mcp): DNS rebinding protection off (server-to-server+Bearer) + MCP service expose-only

- FastMCP transport_security: enable_dns_rebinding_protection only on when
  MCP_ALLOWED_HOSTS is set; otherwise off (otherwise HTTP 421 "Invalid Host header" on
  calls via nginx/container name). Bearer remains the access control.
- bp-compliance-mcp: host port mapping removed (8099 was already taken by bp-core-health)
  → expose-only in breakpilot-network, routing via nginx (follow-up step).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Benjamin Admin
2026-06-15 18:36:47 +02:00
parent 414496c31a
commit e7c3cd7cee
2 changed files with 16 additions and 3 deletions
+4 -2
@@ -156,13 +156,15 @@ services:
container_name: bp-compliance-mcp
platform: linux/arm64
command: ["python", "-m", "compliance.mcp.server"]
# Internal-only on the breakpilot network; reached via nginx (follow-up) or by
# other containers. No host port (avoids host-port conflicts).
expose:
- "8099"
ports:
- "8099:8099"
environment:
MCP_PORT: 8099
CRA_MCP_TOKEN: ${CRA_MCP_TOKEN:-}
# Optional: pin Host allowlist (comma-separated) to enable DNS-rebinding protection.
MCP_ALLOWED_HOSTS: ${MCP_ALLOWED_HOSTS:-}
healthcheck:
disable: true
restart: unless-stopped
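Review bot: `CRA_MCP_TOKEN: ${CRA_MCP_TOKEN:-}` defaults to an empty string at the same time that the Host check is now off by default (`MCP_ALLOWED_HOSTS: ${MCP_ALLOWED_HOSTS:-}`), and the commit message makes the bearer token the only remaining access control; unless the server refuses to start on an empty token, a missing variable leaves the service reachable without authentication by every container on breakpilot-network. Fail closed at compose level with `CRA_MCP_TOKEN: ${CRA_MCP_TOKEN:?CRA_MCP_TOKEN must be set}` so the stack does not come up without a token, and consider giving MCP_ALLOWED_HOSTS a non-empty default of the names nginx and the other containers actually use (e.g. `bp-compliance-mcp`) so rebinding protection can stay enabled instead of being switched off to avoid the 421. The `healthcheck: disable: true` left in context also means nothing will report the service unhealthy once it is internal-only; a simple HTTP probe on port 8099 would close that gap.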