Harden server; add authenticated Streamable HTTP transport and Nix module

- Streamable HTTP transport (MCP_TRANSPORT=http) with mandatory auth:
  static bearer tokens or OIDC resource-server mode (JWT via JWKS, or
  RFC 7662 introspection), RFC 9728 protected-resource metadata, and
  DNS-rebinding protection
- secrets loadable from files via *_FILE variants
- timeouts on all outbound requests; JORTT_READ_ONLY tool filtering
- OpenAPI spec committed and bundled; no implicit network fetches
- Nix flake: sandboxed package build + hardened NixOS module taking an
  EnvironmentFile (agenix-friendly)

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
Claude 2026-07-11 19:10:55 +02:00
parent 240a53fade
commit a73af353d4
17 changed files with 1255 additions and 77 deletions

7
package-lock.json generated
View file

@ -1,15 +1,16 @@
{
"name": "jortt-mcp",
"version": "0.1.0",
"version": "0.2.0",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "jortt-mcp",
"version": "0.1.0",
"version": "0.2.0",
"license": "MIT",
"dependencies": {
"@modelcontextprotocol/sdk": "^1.12.0"
"@modelcontextprotocol/sdk": "^1.29.0",
"jose": "^6.0.0"
},
"bin": {
"jortt-mcp": "dist/index.js"