Enhance MCP server configuration: add MCP_URL_ONLY environment variable to restrict to URL-based clients

[brainexe]

Summary

• createClientEntry in lib/server.js can spawn arbitrary local processes via the stdio command path, giving any authenticated caller effective RCE on the host.
• Added new opt-in env var MCP_URL_ONLY: when truthy, configs with command are rejected and only url-based MCP clients are accepted. So only known proxies/URL servers can be used.
• Default behavior unchanged when the var is unset.

[trungdq88]

TypingMind support MCP url directly without needing typingmind-mcp, you can enter the MCP url directly to TypingMind and it will work, right?.

This package is designed for the command use case where the MCP server need a host to run commands on. Not sure if I'm missing something here 😅

[brainexe]

We'd like to use this MCP connector on our infrastructure to run a defined list of MCPs on our defined and secure infrastructure.

So, like a proxy from the TypingMind side to the internal MCPs, without exposing all MCP endpoints to the internet (only one endpoint with IP whitelist and authentication, etc.).

So let's say we have some MCPs – they could run on our connector server in Docker containers (defined on our side and not as JSON inside the TypingMind admin panel!) and can be accessed via the IP...or some other internal MCP domains in the network which should not be reached by extern directly.

And this MR is the ultimate way to increase security: in case someone gets access to the TypingMind admin panel, he'd be able to run any command on the MCP connector server. This is something which we'd like to restrict.

-> this MR should just give us the option to block one big security issue of this kind of MCP connectors, as I don't want a remote code execution tooling running on my network (which the tool is right now, just with a password protection). And I'd like to avoid having all private MCPs connected to the internet.

Or is there another suggestion to have a MCP proxy running via Typingmind?