mr-magic-mcp-server 0.1.9 → 0.1.11

package/.env.example

@@ -118,6 +118,7 @@ MR_MAGIC_TOOL_ARG_CHUNK_SIZE=400  # Chunk size in chars (only used when LOG_TOOL
 
 # Streamable HTTP MCP transport diagnostics
 MR_MAGIC_MCP_HTTP_DIAGNOSTICS=0  # Set to 1 to log enriched request diagnostics at transport ingress
+MR_MAGIC_ALLOWED_HOSTS=           # Optional. Comma-separated extra allowed hostnames for DNS rebinding protection when binding to 0.0.0.0 (e.g. custom domains). RENDER_EXTERNAL_HOSTNAME is auto-included on Render.
 
 # SDK repro harness verbose HTTP logging
 MR_MAGIC_SDK_REPRO_HTTP_DEBUG=0  # Set to 1 for verbose HTTP previews in the SDK repro harness script

package/README.md

@@ -99,6 +99,7 @@ MR_MAGIC_HTTP_TIMEOUT_MS=10000 # Optional, default 10000. Global outbound HTTP t
 MR_MAGIC_LOG_TOOL_ARGS_CHUNKS=0 # Optional, default 0. Set to 1/true to emit chunk-by-chunk MCP tool argument previews for truncation debugging.
 MR_MAGIC_TOOL_ARG_CHUNK_SIZE=400 # Optional, default 400. Chunk size used when MR_MAGIC_LOG_TOOL_ARGS_CHUNKS is enabled.
 MR_MAGIC_MCP_HTTP_DIAGNOSTICS=0 # Optional, default 0. Set to 1 to log enriched Streamable HTTP MCP request diagnostics at transport ingress.
+MR_MAGIC_ALLOWED_HOSTS= # Optional. Comma-separated extra hostnames for DNS rebinding protection when binding to 0.0.0.0 (e.g. custom domains). Render hostname is auto-included via RENDER_EXTERNAL_HOSTNAME.
 MR_MAGIC_SDK_REPRO_HTTP_DEBUG=0 # Optional, default 0. Set to 1 for verbose HTTP request/response previews in the SDK repro harness script.
 UPSTASH_REDIS_REST_URL= # Get from https://console.upstash.com/redis/rest, required if MR_MAGIC_EXPORT_BACKEND=redis
 UPSTASH_REDIS_REST_TOKEN= # Get from https://console.upstash.com/redis/rest, required if MR_MAGIC_EXPORT_BACKEND=redis
@@ -147,7 +148,9 @@ AIRTABLE_PERSONAL_ACCESS_TOKEN= # Required for push_catalog_to_airtable tool. Ge
 - **PORT** overrides both HTTP entrypoints when your platform injects one
   (Render, Fly, etc.). If unset, the MCP HTTP transport binds to `3444` and
   the JSON HTTP automation server binds to `3333`. CLI flags such as
-  `mrmagic-cli server --port 4000` always take precedence.
+  `mrmagic-cli server --port 4000` always take precedence. On Render,
+  `PORT` is set automatically by the platform (default `10000`) — no manual
+  override is needed.
 - **MR_MAGIC_DOWNLOAD_BASE_URL** should match the public URL that exposes the
   `/downloads` routes. Include `:port` only when the HTTP server isn’t using
   the default for its protocol.
@@ -170,6 +173,11 @@ AIRTABLE_PERSONAL_ACCESS_TOKEN= # Required for push_catalog_to_airtable tool. Ge
 - **MR_MAGIC_MCP_HTTP_DIAGNOSTICS** (default `0`) enables detailed request
   metadata logging at the Streamable HTTP transport boundary (method, content
   type, body shape/length, session header, and safe body preview).
+- **MR_MAGIC_ALLOWED_HOSTS** — comma-separated list of extra hostnames to allow
+  when the MCP HTTP server binds to `0.0.0.0` (required by the MCP SDK for DNS
+  rebinding protection). On Render, `RENDER_EXTERNAL_HOSTNAME` is automatically
+  included; set `MR_MAGIC_ALLOWED_HOSTS` only when you have a custom domain or
+  need to add additional hosts beyond `localhost`/`127.0.0.1`.
 - **MR_MAGIC_SDK_REPRO_HTTP_DEBUG** (default `0`) enables HTTP-level debugging
   output in `scripts/mcp-arg-boundary-sdk-repro.mjs` when validating argument
   boundary behavior from the SDK client path.
@@ -316,6 +324,40 @@ npm run server:http       # or server:mcp / server:mcp:http
 Use a process manager (systemd, PM2, Docker CMD, etc.) to keep long-lived
 servers running.
 
+### Deploying on Render
+
+The MCP HTTP server (`npm run server:mcp:http`) is ready to deploy on Render
+with no extra configuration. Render automatically sets two environment
+variables that the server reads at startup:
+
+| Variable | Set by Render | Value |
+|----------|--------------|-------|
+| `RENDER` | ✅ always | `"true"` |
+| `PORT` | ✅ always | `10000` (default, overridable in dashboard) |
+
+When `RENDER=true` is detected, the server automatically binds to `0.0.0.0`
+(required by Render's load balancer) on the `PORT` Render assigns. You do
+**not** need to set `HOST`, `PORT`, or any other network variable in your
+Render service settings.
+
+Recommended Render service settings:
+
+- **Start Command:** `npm run server:mcp:http`
+- **Environment:** inject your provider credentials (`GENIUS_CLIENT_ID`,
+  `GENIUS_CLIENT_SECRET`, `MUSIXMATCH_FALLBACK_TOKEN`, etc.) via the Render
+  Dashboard → Environment tab
+- **Health Check Path:** `/health` (returns `{ "status": "ok", "providers": [...] }`)
+
+> **Note:** Render's default `PORT` is `10000`. If you set a custom `PORT`
+> in the Render Dashboard the server will honour it; otherwise `10000` is used.
+> The old `3444` default is only active when running outside Render without a
+> `PORT` env var.
+
+> **Custom domains:** If you have a custom domain on Render (e.g.,
+> `mymcp.example.com`), add it to `MR_MAGIC_ALLOWED_HOSTS` in the Render
+> Dashboard → Environment tab so the SDK's DNS rebinding protection accepts
+> requests with that `Host` header.
+
 - **MCP server (Stdio)** for local Model Context Protocol clients (use the
   bundled CLI: `npm run server:mcp` or call `node ./src/bin/mcp-server.js`).
 - **MCP server (Streamable HTTP)** for remote MCP clients that speak the Streamable HTTP

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mr-magic-mcp-server",
-  "version": "0.1.9",
+  "version": "0.1.11",
   "description": "Lyrics MCP server connecting LRCLIB, Genius, Musixmatch, and Melon",
   "type": "module",
   "main": "src/index.js",

package/src/transport/http-server.js

@@ -32,11 +32,47 @@ async function handleAction(action, track, actionOptions) {
 
 export function startHttpServer(options = {}) {
   const logger = createLogger('http-server');
-  const host = options.remote ? '0.0.0.0' : options.host || '127.0.0.1';
-  const port = Number(options.port) || 3333;
+  const host = options.remote
+    ? '0.0.0.0'
+    : (options.host || process.env.HOST || (process.env.RENDER ? '0.0.0.0' : '127.0.0.1'));
+  const port = Number(options.port) || Number(process.env.PORT) || 3333;
+
+  // When binding to 0.0.0.0, build an allowed-host set for DNS rebinding protection.
+  // Render sets RENDER_EXTERNAL_HOSTNAME automatically; add custom domains via
+  // MR_MAGIC_ALLOWED_HOSTS (comma-separated).
+  const allowedHosts =
+    host === '0.0.0.0'
+      ? new Set([
+          'localhost',
+          '127.0.0.1',
+          ...(process.env.RENDER_EXTERNAL_HOSTNAME
+            ? [process.env.RENDER_EXTERNAL_HOSTNAME]
+            : []),
+          ...(process.env.MR_MAGIC_ALLOWED_HOSTS
+            ? process.env.MR_MAGIC_ALLOWED_HOSTS.split(',')
+                .map((h) => h.trim())
+                .filter(Boolean)
+            : [])
+        ])
+      : null;
 
   return new Promise((resolve) => {
     const server = http.createServer(async (req, res) => {
+      // DNS rebinding protection: validate Host header when binding to all interfaces.
+      if (allowedHosts) {
+        const reqHostname = (req.headers.host || '').split(':')[0].toLowerCase();
+        if (!reqHostname || !allowedHosts.has(reqHostname)) {
+          logger.warn('DNS rebinding protection: rejected request with disallowed Host', {
+            host: req.headers.host,
+            url: req.url,
+            method: req.method
+          });
+          res.writeHead(403, { 'Content-Type': 'application/json' });
+          res.end(JSON.stringify({ error: 'Forbidden: Host header not allowed' }));
+          return;
+        }
+      }
+
       if (req.method === 'GET' && req.url === '/health') {
         res.writeHead(200, { 'Content-Type': 'application/json' });
         res.end(

package/src/transport/mcp-http-server.js

@@ -64,8 +64,10 @@ export async function startMcpHttpServer(options = {}) {
   const logger = createLogger('mcp-http-server');
   const httpDiagnostics = process.env.MR_MAGIC_MCP_HTTP_DIAGNOSTICS === '1';
   const configuredSessionless = Boolean(options.sessionless);
-  const host = options.remote ? '0.0.0.0' : options.host || '127.0.0.1';
-  const port = Number(options.port) || 3444;
+  const host = options.remote
+    ? '0.0.0.0'
+    : (options.host || process.env.HOST || (process.env.RENDER ? '0.0.0.0' : '127.0.0.1'));
+  const port = Number(options.port) || Number(process.env.PORT) || 3444;
 
   const server = new Server(
     { name: 'mcp-http-server', version: '0.1.4' },
@@ -91,7 +93,24 @@ export async function startMcpHttpServer(options = {}) {
   await server.connect(transport);
   await logTokenStatus({ context: 'http-mcp' });
 
-  const app = createMcpExpressApp({ host });
+  // When binding to 0.0.0.0 the SDK requires an explicit allowedHosts list for
+  // DNS rebinding protection. Build it from well-known safe hosts plus any
+  // platform-injected hostname (Render sets RENDER_EXTERNAL_HOSTNAME automatically).
+  const allowedHosts =
+    host === '0.0.0.0'
+      ? [
+          'localhost',
+          '127.0.0.1',
+          ...(process.env.RENDER_EXTERNAL_HOSTNAME
+            ? [process.env.RENDER_EXTERNAL_HOSTNAME]
+            : []),
+          ...(process.env.MR_MAGIC_ALLOWED_HOSTS
+            ? process.env.MR_MAGIC_ALLOWED_HOSTS.split(',').map((h) => h.trim()).filter(Boolean)
+            : [])
+        ]
+      : undefined;
+
+  const app = createMcpExpressApp({ host, ...(allowedHosts ? { allowedHosts } : {}) });
   app.get('/health', async (_req, res) => {
     res.json({ status: 'ok', providers: await getProviderStatus() });
   });
@@ -199,7 +218,7 @@ export async function startMcpHttpServer(options = {}) {
   });
 }
 
-if (process.argv[1]?.endsWith('mcp-http-server.js')) {
+if (process.argv[1]?.endsWith('transport/mcp-http-server.js')) {
   startMcpHttpServer().catch((error) => {
     console.error(error);
     process.exit(1);