mcp-proxy-adapter 6.6.1__py3-none-any.whl → 6.6.4__py3-none-any.whl

mcp_proxy_adapter/api/app.py

@@ -65,11 +65,8 @@ def create_lifespan(config_path: Optional[str] = None):
             initialize_proxy_registration,
         )
 
-        # Initialize proxy registration manager early
-        try:
-            initialize_proxy_registration(config.get_all())
-        except Exception as e:
-            logger.error(f"Failed to initialize proxy registration: {e}")
+        # Proxy registration manager will be initialized in registry.reload_system()
+        # after all commands are loaded to ensure complete command schema
 
         # Compute server_url EARLY and inject into registration manager so
         # that reload_system (which may perform registration) uses the correct
@@ -88,11 +85,11 @@ def create_lifespan(config_path: Optional[str] = None):
         public_host = reg_cfg.get("public_host")
         public_port = reg_cfg.get("public_port")
 
-        security_config = config.get("security", {})
-        ssl_config = security_config.get("ssl", {})
-        if not ssl_config.get("enabled", False):
-            ssl_config = config.get("ssl", {})
-        protocol = "https" if ssl_config.get("enabled", False) else "http"
+        # Check SSL configuration from new structure
+        protocol = config.get("server.protocol", "http")
+        verify_client = config.get("transport.verify_client", False)
+        ssl_enabled = protocol in ["https", "mtls"] or verify_client
+        protocol = "https" if ssl_enabled else "http"
 
         import os
         docker_host_addr = os.getenv("DOCKER_HOST_ADDR", "172.17.0.1")
@@ -124,11 +121,7 @@ def create_lifespan(config_path: Optional[str] = None):
         )
         logger.info(f"System initialization result: {init_result}")
 
-        # Initialize proxy registration manager with current config
-        try:
-            initialize_proxy_registration(config.get_all())
-        except Exception as e:
-            logger.error(f"Failed to initialize proxy registration: {e}")
+        # Proxy registration manager is already initialized in registry.reload_system()
 
         # Recompute registration URL AFTER config reload using final config
         try:
@@ -141,11 +134,11 @@ def create_lifespan(config_path: Optional[str] = None):
             public_host = reg_cfg.get("public_host")
             public_port = reg_cfg.get("public_port")
 
-            security_config = final_config.get("security", {})
-            ssl_cfg = security_config.get("ssl", {})
-            if not ssl_cfg.get("enabled", False):
-                ssl_cfg = final_config.get("ssl", {})
-            protocol = "https" if ssl_cfg.get("enabled", False) else "http"
+            # Determine protocol using the new configuration structure
+            protocol_cfg = final_config.get("server", {}).get("protocol", "http")
+            verify_client_cfg = final_config.get("transport", {}).get("verify_client", False)
+            ssl_enabled_final = protocol_cfg in ["https", "mtls"] or verify_client_cfg
+            protocol = "https" if ssl_enabled_final else "http"
 
             import os
             docker_host_addr = os.getenv("DOCKER_HOST_ADDR", "172.17.0.1")
@@ -184,19 +177,26 @@ def create_lifespan(config_path: Optional[str] = None):
             logger.error(f"Failed to recompute registration URL: {e}")
             server_url = early_server_url
 
-        # Attempt proxy registration in background with small delay
-        async def _delayed_register():
+        # Proxy registration is now handled in registry.reload_system() 
+        # after all commands are loaded, ensuring complete command schema
+        logger.info("ℹ️ Proxy registration will be handled after command loading completes")
+        
+        # Add delayed registration task to allow server to fully start
+        async def delayed_registration():
+            """Delayed registration to ensure server is fully started."""
+            await asyncio.sleep(2)  # Wait for server to start listening
+            logger.info("🔄 Attempting delayed proxy registration after server startup")
             try:
-                await asyncio.sleep(0.5)
+                from mcp_proxy_adapter.core.proxy_registration import register_with_proxy
                 success = await register_with_proxy(server_url)
                 if success:
-                    logger.info("✅ Proxy registration completed successfully")
+                    logger.info("✅ Delayed proxy registration successful")
                 else:
-                    logger.info("ℹ️ Proxy registration is disabled or failed")
+                    logger.warning("⚠️ Delayed proxy registration failed")
             except Exception as e:
-                logger.error(f"Proxy registration failed: {e}")
-
-        asyncio.create_task(_delayed_register())
+                logger.error(f"❌ Delayed proxy registration error: {e}")
+        
+        asyncio.create_task(delayed_registration())
 
         yield  # Application is running
 
@@ -227,20 +227,30 @@ def create_ssl_context(
     """
     current_config = app_config if app_config is not None else config.get_all()
 
-    # Try security framework SSL config first
-    security_config = current_config.get("security", {})
-    ssl_config = security_config.get("ssl", {})
-
-    # Fallback to legacy SSL config
-    if not ssl_config.get("enabled", False):
-        ssl_config = current_config.get("ssl", {})
+    # Check SSL configuration from new structure
+    protocol = current_config.get("server", {}).get("protocol", "http")
+    verify_client = current_config.get("transport", {}).get("verify_client", False)
+    ssl_enabled = protocol in ["https", "mtls"] or verify_client
 
-    if not ssl_config.get("enabled", False):
+    if not ssl_enabled:
         logger.info("SSL is disabled in configuration")
         return None
 
-    cert_file = ssl_config.get("cert_file")
-    key_file = ssl_config.get("key_file")
+    # Get certificate paths from configuration
+    cert_file = current_config.get("transport", {}).get("cert_file")
+    key_file = current_config.get("transport", {}).get("key_file")
+    ca_cert = current_config.get("transport", {}).get("ca_cert")
+    
+    # Convert relative paths to absolute paths
+    if cert_file and not Path(cert_file).is_absolute():
+        project_root = Path(__file__).parent.parent.parent
+        cert_file = str(project_root / cert_file)
+    if key_file and not Path(key_file).is_absolute():
+        project_root = Path(__file__).parent.parent.parent
+        key_file = str(project_root / key_file)
+    if ca_cert and not Path(ca_cert).is_absolute():
+        project_root = Path(__file__).parent.parent.parent
+        ca_cert = str(project_root / ca_cert)
 
     if not cert_file or not key_file:
         logger.warning("SSL enabled but certificate or key file not specified")
@@ -251,15 +261,15 @@ def create_ssl_context(
         ssl_context = SSLUtils.create_ssl_context(
             cert_file=cert_file,
             key_file=key_file,
-            ca_cert=ssl_config.get("ca_cert"),
-            verify_client=ssl_config.get("verify_client", False),
-            cipher_suites=ssl_config.get("cipher_suites", []),
-            min_tls_version=ssl_config.get("min_tls_version", "1.2"),
-            max_tls_version=ssl_config.get("max_tls_version", "1.3"),
+            ca_cert=ca_cert,
+            verify_client=current_config.get("transport", {}).get("verify_client", False),
+            cipher_suites=[],
+            min_tls_version="1.2",
+            max_tls_version="1.3",
         )
 
         logger.info(
-            f"SSL context created successfully for mode: {ssl_config.get('mode', 'https_only')}"
+            f"SSL context created successfully for mode: https_only"
         )
         return ssl_context
 
@@ -308,17 +318,13 @@ def create_app(
             print(
                 f"🔍 Debug: create_app received app_config keys: {list(app_config.keys())}"
             )
-            if "security" in app_config:
-                ssl_config = app_config["security"].get("ssl", {})
-                print(
-                    f"🔍 Debug: create_app SSL config: enabled={ssl_config.get('enabled', False)}"
-                )
-                print(
-                    f"🔍 Debug: create_app SSL config: cert_file={ssl_config.get('cert_file')}"
-                )
-                print(
-                    f"🔍 Debug: create_app SSL config: key_file={ssl_config.get('key_file')}"
-                )
+            # Debug SSL configuration
+            protocol = app_config.get("server", {}).get("protocol", "http")
+            verify_client = app_config.get("transport", {}).get("verify_client", False)
+            ssl_enabled = protocol in ["https", "mtls"] or verify_client
+            print(f"🔍 Debug: create_app SSL config: enabled={ssl_enabled}")
+            print(f"🔍 Debug: create_app protocol: {protocol}")
+            print(f"🔍 Debug: create_app verify_client: {verify_client}")
         else:
             print(f"🔍 Debug: create_app received app_config type: {type(app_config)}")
     else:

mcp_proxy_adapter/commands/command_registry.py

@@ -786,23 +786,37 @@ class CommandRegistry:
             # Initialize proxy registration manager with current config
             initialize_proxy_registration(config.get_all())
 
-            # Get server configuration
+            # Get server configuration with proper URL resolution logic
             server_config = config.get("server", {})
             server_host = server_config.get("host", "0.0.0.0")
             server_port = server_config.get("port", 8000)
 
-            # Determine server URL based on SSL configuration
-            ssl_config = config.get("ssl", {})
-            if ssl_config.get("enabled", False):
-                protocol = "https"
-            else:
-                protocol = "http"
-
-            # Use localhost for external access if host is 0.0.0.0
-            if server_host == "0.0.0.0":
-                server_host = "localhost"
-
-            server_url = f"{protocol}://{server_host}:{server_port}"
+            # Get registration configuration for public host/port overrides
+            # First check server config, then registration config
+            public_host = config.get("server.public_host")
+            public_port = config.get("server.public_port")
+            
+            # Fallback to registration config if not found in server
+            if not public_host or not public_port:
+                reg_cfg = config.get("registration", config.get("proxy_registration", {}))
+                public_host = public_host or reg_cfg.get("public_host")
+                public_port = public_port or reg_cfg.get("public_port")
+
+            # Determine protocol based on new configuration structure
+            protocol = config.get("server.protocol", "http")
+            verify_client = config.get("transport.verify_client", False)
+            ssl_enabled = protocol in ["https", "mtls"] or verify_client
+            protocol = "https" if ssl_enabled else "http"
+
+            # Resolve host and port (same logic as in app.py)
+            import os
+            docker_host_addr = os.getenv("DOCKER_HOST_ADDR", "172.17.0.1")
+            resolved_host = public_host or (docker_host_addr if server_host == "0.0.0.0" else server_host)
+            resolved_port = public_port or server_port
+
+            server_url = f"{protocol}://{resolved_host}:{resolved_port}"
+            
+            logger.info(f"🔍 Proxy registration URL resolved: {server_url}")
 
             # Attempt proxy registration
             proxy_registration_success = await register_with_proxy(server_url)

mcp_proxy_adapter/config.py

@@ -84,15 +84,8 @@ class Config:
             "transport": {
                 "type": "http",
                 "port": None,
-                "ssl": {
-                    "enabled": False,
-                    "cert_file": None,
-                    "key_file": None,
-                    "ca_cert": None,
                     "verify_client": False,
-                    "client_cert_required": False,
-                    "chk_hostname": False,  # Default to False when SSL is disabled
-                },
+                "chk_hostname": False,  # Default to False for HTTP
             },
             "proxy_registration": {
                 "enabled": False,

mcp_proxy_adapter/core/proxy_registration.py

@@ -13,6 +13,7 @@ email: vasilyvz@gmail.com
 import asyncio
 import time
 import ssl
+import traceback
 from typing import Dict, Any, Optional, Tuple
 from pathlib import Path
 from urllib.parse import urljoin
@@ -248,10 +249,15 @@ class ProxyRegistrationManager:
         """
         logger.debug("_create_ssl_context called")
         
-        # Check if we're in HTTP mode - if so, don't create SSL context
-        server_config = self.config.get("server", {})
-        if server_config.get("protocol", "http").lower() == "http":
-            logger.debug("HTTP mode detected, skipping SSL context creation")
+        # Decide SSL strictly by proxy URL scheme: use SSL only for https proxy URLs
+        try:
+            from urllib.parse import urlparse as _urlparse
+            scheme = _urlparse(self.proxy_url).scheme if self.proxy_url else "http"
+            if scheme.lower() != "https":
+                logger.debug("Proxy URL is HTTP, skipping SSL context creation for registration")
+                return None
+        except Exception:
+            logger.debug("Failed to parse proxy_url, assuming HTTP and skipping SSL context")
             return None
             
         if not self.client_security:
@@ -440,7 +446,11 @@ class ProxyRegistrationManager:
 
                 if success:
                     self.registered = True
-                    self.server_key = result.get("server_key")
+                    # Safely extract server_key from result
+                    if isinstance(result, dict):
+                        self.server_key = result.get("server_key")
+                    else:
+                        self.server_key = None
                     logger.info(
                         f"✅ Successfully registered with proxy. Server key: {self.server_key}"
                     )
@@ -455,8 +465,65 @@ class ProxyRegistrationManager:
                 else:
                     # Be robust if result is not a dict
                     error_msg = None
+                    logger.error(f"DEBUG: result type = {type(result)}, result = {result}")
                     if isinstance(result, dict):
-                        error_msg = result.get("error", {}).get("message", "Unknown error")
+                        logger.error(f"DEBUG: result is dict, getting error field")
+                        error_field = result.get("error", {})
+                        logger.error(f"DEBUG: error_field type = {type(error_field)}, error_field = {error_field}")
+                        if isinstance(error_field, dict):
+                            error_msg = error_field.get("message", "Unknown error")
+                        elif isinstance(error_field, str):
+                            error_msg = error_field
+                        else:
+                            error_msg = str(error_field)
+
+                        # Auto-recovery: already registered case → force unregistration then retry once
+                        error_code = result.get("error_code") or (result.get("error", {}).get("code") if isinstance(result.get("error"), dict) else None)
+                        already_registered = False
+                        existing_server_key = None
+                        # Prefer structured detail if provided
+                        if isinstance(result.get("details"), dict):
+                            existing_server_key = result.get("details", {}).get("existing_server_key")
+                        # Fallback: parse from error message text
+                        if not existing_server_key and isinstance(error_msg, str) and "already registered as" in error_msg:
+                            try:
+                                # Expecting: "... already registered as <server_id>_<copy_number>"
+                                tail = error_msg.split("already registered as", 1)[1].strip()
+                                existing_server_key = tail.split()[0]
+                            except Exception:
+                                existing_server_key = None
+
+                        if (error_code in ("DUPLICATE_SERVER_URL", "REGISTRATION_ERROR") or already_registered) and existing_server_key:
+                            try:
+                                logger.info(f"Attempting auto-unregistration of existing instance: {existing_server_key}")
+                                # Build unregistration payload using parsed server_key
+                                try:
+                                    copy_number = int(existing_server_key.split("_")[-1])
+                                except Exception:
+                                    copy_number = 1
+                                unregistration_data = {"server_id": self.server_id, "copy_number": copy_number}
+                                # Reuse secure unregistration request directly
+                                unreg_success, _unreg_result = await self._make_secure_unregistration_request(unregistration_data)
+                                if unreg_success:
+                                    logger.info("Auto-unregistration succeeded, retrying registration once...")
+                                    # Retry registration once immediately
+                                    retry_success, retry_result = await self._make_secure_registration_request(registration_data)
+                                    if retry_success:
+                                        self.registered = True
+                                        if isinstance(retry_result, dict):
+                                            self.server_key = retry_result.get("server_key")
+                                        else:
+                                            self.server_key = None
+                                        logger.info(f"✅ Successfully registered after auto-unregistration. Server key: {self.server_key}")
+                                        if self.registration_config.get("heartbeat", {}).get("enabled", True):
+                                            await self._start_heartbeat()
+                                        return True
+                                    else:
+                                        logger.warning(f"Retry registration failed after auto-unregistration: {retry_result}")
+                                else:
+                                    logger.warning(f"Auto-unregistration failed: {_unreg_result}")
+                            except Exception as _auto_e:
+                                logger.warning(f"Auto-unregistration/registration flow error: {_auto_e}")
                     else:
                         error_msg = str(result)
                     logger.warning(
@@ -467,6 +534,7 @@ class ProxyRegistrationManager:
                 logger.error(
                     f"❌ Registration attempt {attempt + 1} failed with exception: {e}"
                 )
+                logger.error(f"Full traceback: {traceback.format_exc()}")
 
         logger.error(
             f"❌ Failed to register with proxy after {self.retry_attempts} attempts"
@@ -562,8 +630,10 @@ class ProxyRegistrationManager:
                 ) as response:
                     try:
                         result = await response.json()
-                    except Exception:
+                        logger.debug(f"Response JSON parsed successfully: {type(result)} - {result}")
+                    except Exception as e:
                         text_body = await response.text()
+                        logger.debug(f"JSON parsing failed: {e}, text_body: {text_body}")
                         result = {"success": False, "error": {"code": "NON_JSON_RESPONSE", "message": text_body}}
 
                     # Validate response headers if security framework available
@@ -604,6 +674,9 @@ class ProxyRegistrationManager:
                         logger.warning(
                             f"Registration failed with HTTP status: {response.status}"
                         )
+                        # Ensure result is a dict for consistent error handling
+                        if isinstance(result, str):
+                            result = {"success": False, "error": {"code": "HTTP_ERROR", "message": result}}
                         return False, result
         finally:
             if connector:

mcp_proxy_adapter/core/server_adapter.py

@@ -65,7 +65,7 @@ class ServerConfigAdapter:
 
         # Map verification mode
         if ssl_config.get("verify_client", False):
-            hypercorn_ssl["verify_mode"] = "CERT_REQUIRED"
+            hypercorn_ssl["verify_mode"] = 2  # ssl.CERT_REQUIRED
 
         # Map hostname checking
         if "chk_hostname" in ssl_config:

mcp_proxy_adapter/examples/check_config.py

@@ -15,7 +15,7 @@ from pathlib import Path
 from typing import Dict, Any, List, Optional
 
 # Add the project root to the path
-sys.path.insert(0, str(Path(__file__).parent))
+sys.path.insert(0, str(Path(__file__).parent.parent.parent))
 
 from mcp_proxy_adapter.config import Config
 from mcp_proxy_adapter.examples.config_builder import ConfigBuilder, Protocol, AuthMethod

mcp_proxy_adapter/examples/config_builder.py

@@ -76,16 +76,9 @@ class ConfigBuilder:
             },
             "transport": {
                 "type": "http",
-                "port": None,
-                "ssl": {
-                    "enabled": False,
-                    "cert_file": None,
-                    "key_file": None,
-                    "ca_cert": None,
-                    "verify_client": False,
-                    "client_cert_required": False,
-                    "chk_hostname": False,
-                },
+                        "port": None,
+                "verify_client": False,
+                "chk_hostname": False
             }
         }
     
@@ -94,18 +87,19 @@ class ConfigBuilder:
         self.config["server"]["protocol"] = protocol.value
         
         if protocol == Protocol.HTTP:
-            # HTTP - no SSL
-            pass
+            # HTTP - no SSL, no client verification
+            self.config["transport"]["verify_client"] = False
+            self.config["transport"]["chk_hostname"] = False
             
         elif protocol == Protocol.HTTPS:
-            # HTTPS - server SSL only
-            # SSL configuration will be handled by the server based on protocol
-            pass
+            # HTTPS - SSL enabled, no client verification
+            self.config["transport"]["verify_client"] = False
+            self.config["transport"]["chk_hostname"] = True
             
         elif protocol == Protocol.MTLS:
-            # mTLS - server SSL + client certificates
-            # SSL configuration will be handled by the server based on protocol
-            pass
+            # mTLS - SSL enabled, client verification required
+            self.config["transport"]["verify_client"] = True
+            self.config["transport"]["chk_hostname"] = True
         
         return self
     
@@ -237,7 +231,7 @@ class ConfigFactory:
                 .set_auth(AuthMethod.TOKEN)
                 .set_server(port=port)
                 .build())
-    
+
     @staticmethod
     def create_mtls_token_roles_config(port: int = 8008) -> Dict[str, Any]:
         """Create mTLS with token and roles configuration."""

mcp_proxy_adapter/examples/{generate_certificates_bugfix.py → generate_certificates.py}

@@ -229,7 +229,18 @@ class BugfixCertificateGenerator:
                 with open(client_info["output_key"], 'w') as f:
                     f.write(result.private_key_pem)
                 
+                # Also create a copy in certs/ directory for easier access
+                cert_name_base = client_info["common_name"].replace("-", "_")
+                certs_cert = self.certs_dir / f"{cert_name_base}_client.crt"
+                certs_key = self.certs_dir / f"{cert_name_base}_client.key"
+                
+                with open(certs_cert, 'w') as f:
+                    f.write(result.certificate_pem)
+                with open(certs_key, 'w') as f:
+                    f.write(result.private_key_pem)
+                
                 self.print_success(f"{cert_name} certificate generated: {client_info['output_cert']}")
+                self.print_success(f"Also created: {certs_cert} and {certs_key}")
                 return True
             else:
                 self.print_error(f"Failed to generate {cert_name} certificate")

mcp_proxy_adapter/examples/generate_config.py

@@ -12,10 +12,10 @@ import sys
 from pathlib import Path
 from typing import Dict, Any, Optional
 
-# Add the examples directory to the path to import config_builder
-sys.path.insert(0, str(Path(__file__).parent / "mcp_proxy_adapter" / "examples"))
+# Add the project root to the path to import config_builder
+sys.path.insert(0, str(Path(__file__).parent.parent.parent))
 
-from config_builder import ConfigBuilder, ConfigFactory, Protocol, AuthMethod
+from mcp_proxy_adapter.examples.config_builder import ConfigBuilder, ConfigFactory, Protocol, AuthMethod
 
 
 def create_config_from_flags(

mcp_proxy_adapter/examples/run_full_test_suite.py

@@ -113,7 +113,7 @@ class FullTestSuiteRunner:
 
         try:
             # Check if certificate generation script exists
-            cert_script = self.working_dir / "generate_certificates_bugfix.py"
+            cert_script = self.working_dir / "mcp_proxy_adapter" / "examples" / "generate_certificates.py"
             if not cert_script.exists():
                 self.print_error(
                     f"Certificate generation script not found: {cert_script}"
@@ -167,7 +167,7 @@ class FullTestSuiteRunner:
 
         try:
             # Check if create_test_configs.py exists
-            config_script = self.working_dir / "create_test_configs.py"
+            config_script = self.working_dir / "mcp_proxy_adapter" / "examples" / "create_test_configs.py"
             if not config_script.exists():
                 self.print_error(f"Configuration generator not found: {config_script}")
                 return False
@@ -194,7 +194,7 @@ class FullTestSuiteRunner:
             # Run the configuration generator
             cmd = [
                 sys.executable,
-                "create_test_configs.py",
+                "mcp_proxy_adapter/examples/create_test_configs.py",
                 "--comprehensive-config",
                 "comprehensive_config.json",
             ]

mcp_proxy_adapter/examples/security_test_client.py

@@ -124,11 +124,12 @@ class SecurityTestClient:
     def create_ssl_context_for_mtls(self) -> ssl.SSLContext:
         """Create SSL context for mTLS connections."""
         # For mTLS, we need client certificates - check if they exist
-        # Paths are relative to project root (../../ from examples directory)
-        # Use admin certificates to match server configuration
-        cert_file = "../../certs/admin.crt"
-        key_file = "../../certs/client_admin.key"
-        ca_cert_file = "../../certs/localhost_server.crt"
+        # Use absolute paths to avoid issues with working directory
+        # Use newly generated admin_client_client.crt which is signed by the same CA as server
+        project_root = Path(__file__).parent.parent.parent
+        cert_file = str(project_root / "certs" / "admin_client_client.crt")
+        key_file = str(project_root / "keys" / "admin-client_client.key")
+        ca_cert_file = str(project_root / "certs" / "localhost_server.crt")
         
         # CRITICAL: For mTLS, certificates are REQUIRED
         if not os.path.exists(cert_file):

mcp_proxy_adapter/examples/test_chk_hostname_automated.py

@@ -13,7 +13,7 @@ from pathlib import Path
 import sys
 
 # Add the project root to the path
-sys.path.insert(0, str(Path(__file__).parent))
+sys.path.insert(0, str(Path(__file__).parent.parent.parent))
 
 from mcp_proxy_adapter.config import Config
 from mcp_proxy_adapter.examples.config_builder import ConfigBuilder, Protocol, AuthMethod
@@ -27,7 +27,7 @@ def test_chk_hostname_default_config():
     
     # Default should be HTTP with chk_hostname=False
     assert config.get("server.protocol") == "http"
-    assert config.get("transport.ssl.chk_hostname") is False
+    assert config.get("transport.chk_hostname") is False
     
     print("✅ Default config: chk_hostname=False for HTTP")
 
@@ -49,7 +49,7 @@ def test_chk_hostname_http_config():
         
         # HTTP should have chk_hostname=False
         assert config.get("server.protocol") == "http"
-        assert config.get("transport.ssl.chk_hostname") is False
+        assert config.get("transport.chk_hostname") is False
         
         print("✅ HTTP config: chk_hostname=False")
     finally:
@@ -74,7 +74,7 @@ def test_chk_hostname_https_config():
         
         # HTTPS should have chk_hostname=True
         assert config.get("server.protocol") == "https"
-        assert config.get("transport.ssl.chk_hostname") is True
+        assert config.get("transport.chk_hostname") is True
         
         print("✅ HTTPS config: chk_hostname=True")
     finally:
@@ -98,7 +98,7 @@ def test_chk_hostname_mtls_config():
         
         # mTLS should have chk_hostname=True
         assert config.get("server.protocol") == "mtls"
-        assert config.get("transport.ssl.chk_hostname") is True
+        assert config.get("transport.chk_hostname") is True
         
         print("✅ mTLS config: chk_hostname=True")
     finally:
@@ -114,10 +114,7 @@ def test_chk_hostname_override():
     # Add transport section if it doesn't exist
     if "transport" not in https_config:
         https_config["transport"] = {}
-    if "ssl" not in https_config["transport"]:
-        https_config["transport"]["ssl"] = {}
-    https_config["transport"]["ssl"]["chk_hostname"] = False
-    https_config["transport"]["ssl"]["_chk_hostname_user_set"] = True
+    https_config["transport"]["chk_hostname"] = False
     
     # Save to temporary file and load with Config
     with tempfile.NamedTemporaryFile(mode='w', suffix='.json', delete=False) as f:
@@ -130,7 +127,7 @@ def test_chk_hostname_override():
         
         # Should respect the override
         assert config.get("server.protocol") == "https"
-        assert config.get("transport.ssl.chk_hostname") is False
+        assert config.get("transport.chk_hostname") is False
         
         print("✅ HTTPS config with chk_hostname=False override works")
     finally: