From 41826f46ad5dcb2fa2f4c58a5c580ef8b7d796bf Mon Sep 17 00:00:00 2001
From: Deep Kanaparthi
Date: Sat, 24 Jan 2026 16:10:40 -0500
Subject: [PATCH 1/4] feat: Add configurable SSL verification for Docker/corporate networks

- Added VT_VERIFY_SSL environment variable support
- Defaults to SSL verification enabled (secure)
- Can be disabled for Docker environments with SSL inspection
- Uses environment variable: VT_VERIFY_SSL=false to disable

Changes:
- Modified _vt_client_factory to accept verify_ssl parameter
- Reads VT_VERIFY_SSL environment variable (defaults to true)
- Passes verify_ssl to vt.Client constructor

This enables the GTI MCP to work in Docker containers within corporate networks that perform SSL inspection while maintaining secure SSL verification by default for local/production use.
---
 server/gti/gti_mcp/server.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/server/gti/gti_mcp/server.py b/server/gti/gti_mcp/server.py
index 8c4d4f50..81829cc1 100644
--- a/server/gti/gti_mcp/server.py
+++ b/server/gti/gti_mcp/server.py
@@ -35,7 +35,9 @@ def _vt_client_factory(unused_ctx) -> vt.Client:
 api_key = os.getenv("VT_APIKEY")
 if not api_key:
 raise ValueError("VT_APIKEY environment variable is required")
- return vt.Client(api_key)
+ # Disable SSL verification for Docker/corporate network environments
+ verify_ssl = os.getenv("VT_VERIFY_SSL", "true").lower() != "false"
+ return vt.Client(api_key, verify_ssl=verify_ssl)
 vt_client_factory = _vt_client_factory

From cf9065a51d01edb48f62ae9e0c092ae8a78f6fba Mon Sep 17 00:00:00 2001
From: Deep Kanaparthi
Date: Fri, 13 Feb 2026 13:08:36 -0500
Subject: [PATCH 2/4] docs: add modification copyright header to gti_mcp/server.py

---
 server/gti/gti_mcp/server.py | 1 +
 1 file changed, 1 insertion(+)

diff --git a/server/gti/gti_mcp/server.py b/server/gti/gti_mcp/server.py
index 81829cc1..2c30ff79 100644
--- a/server/gti/gti_mcp/server.py
+++ b/server/gti/gti_mcp/server.py
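Review bot: In `_vt_client_factory` (server/gti/gti_mcp/server.py, hunk at line 35; the `def` line is only in the hunk header) nothing is logged when `VT_VERIFY_SSL=false` turns certificate verification off, and the added comment reads as if verification were disabled unconditionally. With verification off the VT API key is sent to a peer that is not authenticated, so the downgrade should be visible to operators: add `if not verify_ssl: logging.error("VT_VERIFY_SSL=false: TLS certificate verification is disabled")` (the module configures logging at ERROR, so a warning would be dropped). Reword the comment to `# TLS verification stays on unless VT_VERIFY_SSL is exactly "false" (case-insensitive)`. Trusting the inspection proxy's CA inside the container is the safer way to support these networks, if the client library allows it.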
@@ -1,4 +1,5 @@
 # Copyright 2025 Google LLC
+# Modifications Copyright (c) 2025-2026 Deep Kanaparthi
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

From c923eb03cb13acc02d353e54d04f593c4a426d4a Mon Sep 17 00:00:00 2001
From: Deep Kanaparthi
Date: Fri, 13 Feb 2026 18:58:17 -0500
Subject: [PATCH 3/4] feat: add HTTP header credential passthrough and streamable-http transport

- Add per-request X-VT-ApiKey header support via FastMCP get_http_headers()
- Graceful fallback to VT_APIKEY env var when no header is present
- Add streamable-http transport for Docker-based multi-client deployments
- Add fastmcp>=2.11.1 and uvicorn dependencies
- Preserve SSL verification configuration
---
 server/gti/gti_mcp/server.py | 57 ++++++++++++++++++++++++++++++++----
 server/gti/pyproject.toml | 6 ++--
 2 files changed, 55 insertions(+), 8 deletions(-)

diff --git a/server/gti/gti_mcp/server.py b/server/gti/gti_mcp/server.py
index 2c30ff79..feb52163 100644
--- a/server/gti/gti_mcp/server.py
+++ b/server/gti/gti_mcp/server.py
@@ -19,6 +19,7 @@
 import logging
 import os
+from typing import Dict
 import vt
 from mcp.server.fastmcp import FastMCP, Context
@@ -31,14 +32,46 @@
 if os.getenv("STATELESS") == "1":
 stateless = True
+# ---------------------------------------------------------------------------
+# HTTP header access for multi-client credential passthrough
+# ---------------------------------------------------------------------------
+try:
+ from fastmcp.server.dependencies import get_http_headers
+except ImportError:
+ get_http_headers = None
+
+
+def _get_request_headers() -> Dict[str, str]:
+ """Get HTTP headers for the current MCP session via FastMCP's built-in context."""
+ if get_http_headers is None:
+ return {}
+ try:
+ headers = get_http_headers()
+ if headers:
+ return headers
+ except Exception:
+ pass
+ return {}
+
+
+def _get_gti_config() -> Dict[str, str]:
+ """Resolve VT config from HTTP headers with env var fallback."""
+ headers = _get_request_headers()
+ h = {k.lower(): v for k, v in headers.items()}
+ return {
+ "api_key": h.get("x-vt-apikey", os.getenv("VT_APIKEY", "")),
+ "verify_ssl": os.getenv("VT_VERIFY_SSL", "true").lower() != "false",
+ }
+
 def _vt_client_factory(unused_ctx) -> vt.Client:
- api_key = os.getenv("VT_APIKEY")
+ cfg = _get_gti_config()
+ api_key = cfg["api_key"]
 if not api_key:
- raise ValueError("VT_APIKEY environment variable is required")
- # Disable SSL verification for Docker/corporate network environments
- verify_ssl = os.getenv("VT_VERIFY_SSL", "true").lower() != "false"
- return vt.Client(api_key, verify_ssl=verify_ssl)
+ raise ValueError(
+ "VT_APIKEY not configured. Set VT_APIKEY env var or send X-VT-ApiKey header."
+ )
+ return vt.Client(api_key, verify_ssl=cfg["verify_ssl"])
 vt_client_factory = _vt_client_factory
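Review bot: `_get_request_headers` swallows every error with `except Exception: pass` and returns `{}`, so a failure to read the request headers looks the same as "no header sent" and `_get_gti_config` silently falls back to the process's `VT_APIKEY`. In a multi-client HTTP deployment a caller who did send `X-VT-ApiKey` can then be served with the operator's key, with no trace of why. Log instead of passing, `except Exception: logging.exception("could not read MCP request headers")`, and consider refusing the env fallback when the server runs over HTTP. Separately, `h.get("x-vt-apikey", os.getenv("VT_APIKEY", ""))` treats a present-but-empty header as a value; `h.get("x-vt-apikey") or os.getenv("VT_APIKEY", "")` matches the fallback the commit message describes.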
@@ -68,4 +101,16 @@ def main():
 if __name__ == '__main__':
- main()
+ import sys
+ transport = sys.argv[1] if len(sys.argv) > 1 else os.getenv("MCP_TRANSPORT", "stdio")
+
+ if transport == "streamable-http":
+ import uvicorn
+ app = server.streamable_http_app()
+ uvicorn.run(
+ app,
+ host=os.getenv("FASTMCP_HOST", "0.0.0.0"),
+ port=int(os.getenv("FASTMCP_PORT", "8003")),
+ )
+ else:
+ main()
diff --git a/server/gti/pyproject.toml b/server/gti/pyproject.toml
index 8d6937dd..8e35ea75 100644
--- a/server/gti/pyproject.toml
+++ b/server/gti/pyproject.toml
@@ -18,8 +18,10 @@ classifiers = [
 "Topic :: Security",
 ]
 dependencies = [
- "mcp",
- "vt-py"
+ "mcp>=1.26.0",
+ "vt-py",
+ "fastmcp>=2.11.1",
+ "uvicorn>=0.34.0",
 ]
 [project.urls]

From fec78e8539392edc6a06eb455859ee0b48a4efc4 Mon Sep 17 00:00:00 2001
From: Deep Kanaparthi
Date: Tue, 24 Feb 2026 18:45:56 -0500
Subject: [PATCH 4/4] fix: disable DNS rebinding protection for reverse proxy deployments

Add TransportSecuritySettings(enable_dns_rebinding_protection=False) to GTI FastMCP server for Kubernetes/nginx ingress compatibility.
---
 server/gti/gti_mcp/server.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/server/gti/gti_mcp/server.py b/server/gti/gti_mcp/server.py
index feb52163..4f6e258d 100644
--- a/server/gti/gti_mcp/server.py
+++ b/server/gti/gti_mcp/server.py
@@ -23,6 +23,7 @@
 import vt
 from mcp.server.fastmcp import FastMCP, Context
+from mcp.server.transport_security import TransportSecuritySettings
 logging.basicConfig(level=logging.ERROR)
@@ -90,7 +91,11 @@ async def vt_client(ctx: Context) -> AsyncIterator[vt.Client]:
 server = FastMCP(
 "Google Threat Intelligence MCP server",
 dependencies=["vt-py"],
- stateless_http=stateless)
+ stateless_http=stateless,
+ transport_security=TransportSecuritySettings(
+ enable_dns_rebinding_protection=False,
+ ),
+)
 # Load tools.
 from gti_mcp.tools import *
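Review bot: The streamable-http branch of the `__main__` block (server.py, hunk at line 101) defaults `FASTMCP_HOST` to `0.0.0.0`, so running the module without that variable listens on every interface, and no caller authentication is visible in these hunks. Any host that can reach the port can call the tools, and a request without `X-VT-ApiKey` is served with the process's `VT_APIKEY` when one is set. Default to loopback and let the Docker deployment opt in explicitly: `host=os.getenv("FASTMCP_HOST", "127.0.0.1"),`. `int(os.getenv("FASTMCP_PORT", "8003"))` also fails with a bare ValueError on a non-numeric value; a message naming the variable would help.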
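Review bot: In server/gti/pyproject.toml `vt-py` is still listed without a lower bound, although server.py now calls `vt.Client(api_key, verify_ssl=...)`; an environment that resolves a vt-py release without that keyword would fail with TypeError on the first client creation. Bound it like the other three entries, e.g. `"vt-py>=<first release with verify_ssl>",` (placeholder; the version is not shown on this page). `fastmcp` is declared here as a hard dependency while server.py imports it inside `try/except ImportError`, so one of the two should change to make the intent clear.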
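Review bot: The `FastMCP(...)` call (server.py, hunk at line 91) passes `enable_dns_rebinding_protection=False` unconditionally, so Host/Origin validation is off for every deployment, including someone running the HTTP transport on a workstation that also has a browser. Behind an ingress the protection can stay on if the names the proxy forwards are listed: `TransportSecuritySettings(enable_dns_rebinding_protection=True, allowed_hosts=[...], allowed_origins=[...])`, with the values read from configuration. If it has to be switchable, gate it on an explicit setting that defaults to enabled and add a comment saying why it is turned off.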