From 756ed24bfc60e12863e7d6c880b6949617e3d281 Mon Sep 17 00:00:00 2001
From: ClawdBot <clawdbot@apilab.us>
Date: Thu, 19 Feb 2026 09:58:27 +1100
Subject: [PATCH] fix(security): allow in-cluster service hosts for FastMCP
 transport validation

---
 server.py | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)

diff --git a/server.py b/server.py
index 0d8ebcd..382c221 100644
--- a/server.py
+++ b/server.py
@@ -1,6 +1,7 @@
 import os
 import httpx
 from mcp.server.fastmcp import FastMCP
+from mcp.server.transport_security import TransportSecuritySettings
 import psycopg
 from pgvector.psycopg import register_vector
 import uuid
@@ -16,7 +17,23 @@ EMBEDDING_DIM = 768  # BAAI/bge-base-en-v1.5
 
 # Initialize
 logging.basicConfig(level=logging.INFO)
-mcp = FastMCP("knowledge-mcp")
+mcp = FastMCP(
+    "knowledge-mcp",
+    host="0.0.0.0",
+    port=8000,
+    sse_path="/sse",
+    transport_security=TransportSecuritySettings(
+        enable_dns_rebinding_protection=True,
+        allowed_hosts=[
+            "localhost:*",
+            "127.0.0.1:*",
+            "knowledge-mcp:*",
+            "knowledge-mcp.knowledge-mcp.svc:*",
+            "knowledge-mcp.knowledge-mcp.svc.cluster.local:*",
+        ],
+        allowed_origins=[],
+    ),
+)
 
 @contextmanager
 def get_db(init=False):