From af56ac0ee45686710708f3ef553f360a2f696ca4 Mon Sep 17 00:00:00 2001 From: Aaron Sachs <898627+asachs01@users.noreply.github.com> Date: Mon, 18 May 2026 11:02:29 -0400 Subject: [PATCH 1/2] fix(health): make /health a shallow unauthenticated liveness probe /health called getCredentials() and returned 503 when no process-wide credentials were set. In gateway mode (AUTH_MODE=gateway) credentials only arrive per-request via headers, so /health always 503'd, failing the Azure liveness probe and crash-looping the container. Make /health (and new /healthz alias) return 200 {"status":"ok"} with no credential check. Same fix already applied to mimecast-mcp, ironscales-mcp, spamtitan-mcp and threatlocker-mcp. Bumps version to 1.0.1. --- CHANGELOG.md | 4 ++++ package-lock.json | 4 ++-- package.json | 4 ++-- src/index.ts | 27 ++++++++------------------- 4 files changed, 16 insertions(+), 23 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 65d3877..dcb4c2d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Fixed + +- `/health` no longer calls `getCredentials()` — it is now a shallow, unauthenticated liveness probe returning `200 {"status":"ok"}`. In gateway mode credentials only arrive per-request via headers, so the previous credential check always returned `503`, failing the Azure liveness probe and crash-looping the container. Also added `/healthz` as an alias. + ### Added - Lazy-loading meta-tools mode (`LAZY_LOADING=true` env var) as alternative to decision-tree navigation diff --git a/package-lock.json b/package-lock.json index a581f5a..74bc4a4 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@wyre-technology/mcp-server-proofpoint", - "version": "1.0.0", + "version": "1.0.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@wyre-technology/mcp-server-proofpoint", - "version": "1.0.0", + "version": "1.0.1", "license": "Apache-2.0", "dependencies": { "@modelcontextprotocol/sdk": "^1.25.3" diff --git a/package.json b/package.json index 7513b88..ef4fd12 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@wyre-technology/proofpoint-mcp", - "version": "1.0.0", + "version": "1.0.1", "description": "MCP server for Proofpoint Email Protection - email security, threat intelligence, TAP (Targeted Attack Protection), and email filtering API integration", "type": "module", "main": "dist/index.js", @@ -60,4 +60,4 @@ "engines": { "node": ">=20.0.0" } -} \ No newline at end of file +} diff --git a/src/index.ts b/src/index.ts index 098d53f..10b2aa4 100644 --- a/src/index.ts +++ b/src/index.ts @@ -527,25 +527,14 @@ async function startHttpTransport(): Promise { const httpServer = createHttpServer((req: IncomingMessage, res: ServerResponse) => { const url = new URL(req.url || "/", `http://${req.headers.host || "localhost"}`); - // Health check - no auth required - if (url.pathname === "/health") { - const creds = getCredentials(); - const statusCode = creds ? 200 : 503; - - res.writeHead(statusCode, { "Content-Type": "application/json" }); - res.end( - JSON.stringify({ - status: creds ? "ok" : "degraded", - transport: "http", - authMode: isGatewayMode ? "gateway" : "env", - timestamp: new Date().toISOString(), - credentials: { - configured: !!creds, - }, - logLevel: process.env.LOG_LEVEL || "info", - version: "1.0.0", - }) - ); + // Health check - shallow, unauthenticated liveness probe. + // Must NOT call getCredentials() or any upstream: in gateway mode + // credentials only arrive per-request via headers, so a credential + // check here would always fail the Azure liveness probe and the + // container would be SIGTERM-killed in a crash loop. + if (url.pathname === "/health" || url.pathname === "/healthz") { + res.writeHead(200, { "Content-Type": "application/json" }); + res.end(JSON.stringify({ status: "ok" })); return; } From f301b3b220e030f6e2f96d9eaa870820db99cae3 Mon Sep 17 00:00:00 2001 From: Aaron Sachs Date: Mon, 18 May 2026 18:17:25 -0400 Subject: [PATCH 2/2] ci(lint): add missing ESLint config to fix Test job The CI Test job runs 'npm run lint' (eslint src --ext .ts) but the repo never had an ESLint config file, so lint exited with code 2 and failed all three Node matrix jobs. Add the canonical fleet .eslintrc.json (matching autotask-mcp et al.). The @typescript-eslint parser/plugin were already in devDependencies. Lint now passes clean with no warnings. --- .eslintrc.json | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) create mode 100644 .eslintrc.json diff --git a/.eslintrc.json b/.eslintrc.json new file mode 100644 index 0000000..fc79f41 --- /dev/null +++ b/.eslintrc.json @@ -0,0 +1,32 @@ +{ + "env": { + "node": true, + "es2021": true + }, + "extends": [ + "eslint:recommended", + "plugin:@typescript-eslint/recommended" + ], + "parser": "@typescript-eslint/parser", + "parserOptions": { + "ecmaVersion": "latest", + "sourceType": "module" + }, + "plugins": [ + "@typescript-eslint" + ], + "rules": { + "@typescript-eslint/no-explicit-any": "warn", + "@typescript-eslint/no-unused-vars": ["warn", { + "argsIgnorePattern": "^_", + "varsIgnorePattern": "^_" + }], + "no-console": "off" + }, + "ignorePatterns": [ + "dist", + "node_modules", + "coverage", + "*.js" + ] +}