Skip to content

feat: add CLI flags and tests for transport security#2

Open
EliShteinman wants to merge 3 commits intoDavidFHCh:feature/configurable-transport-securityfrom
EliShteinman:feature/transport-security-enhancements
Open

feat: add CLI flags and tests for transport security#2
EliShteinman wants to merge 3 commits intoDavidFHCh:feature/configurable-transport-securityfrom
EliShteinman:feature/transport-security-enhancements

Conversation

@EliShteinman
Copy link

@EliShteinman EliShteinman commented Feb 13, 2026
edited
Loading

Summary

Enhancements to your transport security PR (crystaldba#144 on crystaldba/postgres-mcp):

  • CLI flags (--disable-dns-rebinding-protection, --allowed-hosts, --allowed-origins) — consistent with the project's existing argparse pattern for --transport, --sse-host, etc.
  • Scoped to network transports only — DNS rebinding protection is irrelevant for stdio, so it's now applied only for sse and streamable-http
  • Moved from module-level to main() — allows CLI flags to participate and keeps all initialization in one place
  • Env vars override CLIMCP_* env vars take precedence when both are set
  • Comprehensive tests — 9 parametrized scenarios × 2 transports = 18 tests covering CLI flags, env vars, env overriding CLI, default behavior, and argument ordering
  • README update — added CLI flags documentation table to the Transport Security section

Test plan

  • All 18 tests pass (ruff, pyright, pytest)
  • Existing project tests unaffected

@EliShteinman @claude
feat: add CLI flags and tests for transport security configuration
ce9d985 
- Add --disable-dns-rebinding-protection, --allowed-hosts, --allowed-origins CLI flags
- Move transport security from module-level init to main() (after argparse)
- Apply transport security only for SSE and streamable-http transports (not stdio)
- Env vars (POSTGRES_MCP_*) override CLI flags when both are set
- Add comprehensive test suite: 10 scenarios × 2 transports = 20 tests

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings February 13, 2026 08:47
@EliShteinman @claude
fix: use MCP_* env var prefix instead of POSTGRES_MCP_*
6c5357b 
Align with the shorter MCP_* naming convention used in the original PR.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Copilot AI reviewed Feb 13, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds CLI-level configuration for FastMCP transport security (DNS rebinding protection + allow-lists) and introduces unit tests validating the CLI/env-var interactions for network transports (sse, streamable-http).

Changes:

  • Add CLI flags: --disable-dns-rebinding-protection, --allowed-hosts, --allowed-origins.
  • Apply TransportSecuritySettings only for network transports and set them at runtime in main().
  • Add a new parametrized unit test suite covering CLI/env behavior across the two network transports.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
src/postgres_mcp/server.py Adds CLI flags and runtime application of TransportSecuritySettings for sse/streamable-http.
tests/unit/test_transport_security.py New integration-style unit tests asserting the transport-security settings derived from CLI flags and env vars.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@EliShteinman @claude
fix: align env var names with original PR and address review feedback
dd887e5 
- Rename MCP_DNS_REBINDING_PROTECTION to MCP_ENABLE_DNS_REBINDING_PROTECTION
- Add monkeypatch fixture to clear MCP_* env vars in tests
- Remove coupling to FastMCP upstream defaults in test_default_defers_to_fastmcp
- Update README with CLI flags documentation table

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@EliShteinman
Copy link
Author

EliShteinman commented Feb 13, 2026

Addressed all 4 Copilot review comments in the latest push:

  1. Env var naming mismatch — Renamed MCP_DNS_REBINDING_PROTECTION to MCP_ENABLE_DNS_REBINDING_PROTECTION to match the original PR and README documentation. No need for dual-prefix support since this PR replaces the module-level init entirely.

  2. Flaky tests from env leakage — Added monkeypatch.delenv in the autouse fixture to clear all MCP_* env keys before each test, preventing interference from the developer's local environment or CI.

  3. Coupling to FastMCP defaults in test_default_defers_to_fastmcp — Removed the assert "localhost:*" in allowed_hosts assertion. The test now only verifies that transport_security exists and enable_dns_rebinding_protection is True — the contract we own.

  4. Test count mismatch in PR description — Updated to the correct count: 9 scenarios × 2 transports = 18 tests.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@EliShteinman