Conversation

besated (Contributor) commented Jan 21, 2026

  • Remove wildcard CORS policy
  • Block wallet mode on HTTP transports
  • Add security validation module

changeset-bot commented Jan 21, 2026

🦋 Changeset detected

Latest commit: e13247c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package: @sei-js/mcp-server (Patch)


codecov-commenter commented Jan 21, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 79.69%. Comparing base (cb54173) to head (e13247c).
⚠️ Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #298      +/-   ##
==========================================
+ Coverage   79.29%   79.69%   +0.39%     
==========================================
  Files          82       83       +1     
  Lines        1280     1305      +25     
  Branches      155      215      +60     
==========================================
+ Hits         1015     1040      +25     
  Misses        265      265              


Copilot AI (Contributor) left a comment

Pull request overview

This PR implements critical security measures to prevent CORS-based attacks on the MCP server by blocking wallet mode on HTTP transports. The changes remove the wildcard CORS policy that allowed any origin and introduce a secure-by-default CORS middleware that rejects cross-origin requests.

Changes:

  • Added a new security validation module that blocks wallet mode on HTTP transports and exits the process with a clear error message
  • Replaced wildcard CORS policies in both HTTP transports with secure same-origin-only middleware
  • Updated transport constructors to accept and validate walletMode parameters
  • Updated help documentation to clarify that wallet mode only works with stdio transport

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 7 comments.

Summary per file:

  • packages/mcp-server/src/server/transport/security.ts: New security module providing CORS middleware and wallet mode validation
  • packages/mcp-server/src/server/transport/streamable-http.ts: Integrated security validation and secure CORS middleware, added health endpoint
  • packages/mcp-server/src/server/transport/http-sse.ts: Replaced wildcard CORS with secure middleware, integrated wallet mode validation
  • packages/mcp-server/src/server/transport/factory.ts: Updated to pass walletMode parameter to HTTP transport constructors
  • packages/mcp-server/src/server/args.ts: Added security note to help text clarifying wallet mode restrictions
  • packages/mcp-server/src/tests/server/transport/streamable-http.test.ts: Updated tests to mock security module and verify CORS/health endpoint setup
  • packages/mcp-server/src/tests/server/transport/http-sse.test.ts: Updated tests to mock security module instead of cors library
  • packages/mcp-server/src/tests/server/transport/factory.test.ts: Updated factory tests to expect walletMode parameter in transport constructors
  • .changeset/clever-nights-enjoy.md: Added changeset documenting the security improvement

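The two rules the review above describes, a same-origin-only CORS check that never reflects a foreign origin and a "wallet mode only over stdio" validation, written out as an added example; this is not code from the sei-js PR. The Express-style req/res/next shape, the three transport names, and the choice to allow requests that carry no Origin header are assumptions.

```typescript
// Added example, not the @sei-js/mcp-server code: a same-origin-only CORS decision
// and the "wallet mode only over stdio" rule described in the PR review.
type Transport = "stdio" | "http" | "sse";

interface CorsDecision {
  allowed: boolean;
  status: number; // HTTP status to send when the request is rejected
  reason: string;
}

// Assumption: a request with no Origin header is not a cross-origin browser request
// (same-origin fetches and non-browser clients omit it), so it is allowed.
function decideCors(origin: string | undefined, host: string | undefined): CorsDecision {
  if (!origin) return { allowed: true, status: 200, reason: "no Origin header" };
  if (!host) return { allowed: false, status: 403, reason: "missing Host header" };
  let originHost: string;
  try {
    originHost = new URL(origin).host; // "localhost:3000" from "http://localhost:3000"
  } catch {
    // Covers the opaque Origin value "null" as well as malformed values.
    return { allowed: false, status: 403, reason: "unparseable Origin" };
  }
  if (originHost.toLowerCase() === host.toLowerCase()) {
    return { allowed: true, status: 200, reason: "same origin" };
  }
  // Never reflect the origin back: a wildcard or echoed Access-Control-Allow-Origin
  // is exactly what this PR removes.
  return { allowed: false, status: 403, reason: `cross-origin request from ${origin}` };
}

// Wallet mode is only permitted on stdio. This throws instead of calling process.exit()
// so it can be unit-tested; a server entry point would catch it, log the message and exit.
function validateWalletMode(transport: Transport, walletMode: boolean): void {
  if (walletMode && transport !== "stdio") {
    throw new Error(`wallet mode is not permitted on the ${transport} transport; use stdio`);
  }
}

// Express-style middleware wrapper; the req/res/next shape is an assumption.
interface Req { headers: Record<string, string | undefined> }
interface Res { status(code: number): { end(): void } }
function sameOriginOnly(req: Req, res: Res, next: () => void): void {
  const decision = decideCors(req.headers["origin"], req.headers["host"]);
  if (!decision.allowed) {
    res.status(decision.status).end();
    return;
  }
  next();
}
```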

Copilot AI (Contributor) left a comment

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated 2 comments.


@besated besated merged commit 571013a into main Jan 21, 2026
3 checks passed
@besated besated deleted the fix/mcp-cors branch January 21, 2026 19:54