Problem
The MCP HTTP bridge (packages/core/src/runner/runtime/mcp-http-bridge.ts) binds to 0.0.0.0 on a random port to expose injected MCP tools to Docker-containerized agents. This is necessary because the agent container needs to reach the bridge over the Docker network — binding to 127.0.0.1 would make it unreachable from inside the container.
However, binding to all interfaces means any other container on the same Docker network (or on a multi-tenant Docker host) could discover the port and call the MCP tools without authentication.
Relevant code (mcp-http-bridge.ts:246):
server.listen(0, "0.0.0.0", () => { ... });
The bridge currently accepts any incoming request with no authentication check.
Suggested Fix
Generate a per-instance bearer token when starting the bridge and require it on every request:
- On bridge startup: Generate a random token (e.g.
crypto.randomUUID() or crypto.randomBytes(32).toString('hex'))
- Pass token to container: Include the token in the MCP server URL or as an environment variable passed to the Docker container
- Validate on each request: The bridge's request handler checks
Authorization: Bearer <token> and rejects requests without a valid token
This keeps the bridge bound to 0.0.0.0 (required for Docker networking) while preventing unauthorized access from other containers.
Impact
Low risk in practice — the bridge only lives for the duration of a single agent job, listens on a random ephemeral port, and is only relevant when using Docker runtime. But it's a defense-in-depth measure worth adding.
Problem
The MCP HTTP bridge (
packages/core/src/runner/runtime/mcp-http-bridge.ts) binds to0.0.0.0on a random port to expose injected MCP tools to Docker-containerized agents. This is necessary because the agent container needs to reach the bridge over the Docker network — binding to127.0.0.1would make it unreachable from inside the container.However, binding to all interfaces means any other container on the same Docker network (or on a multi-tenant Docker host) could discover the port and call the MCP tools without authentication.
Relevant code (
mcp-http-bridge.ts:246):The bridge currently accepts any incoming request with no authentication check.
Suggested Fix
Generate a per-instance bearer token when starting the bridge and require it on every request:
crypto.randomUUID()orcrypto.randomBytes(32).toString('hex'))Authorization: Bearer <token>and rejects requests without a valid tokenThis keeps the bridge bound to
0.0.0.0(required for Docker networking) while preventing unauthorized access from other containers.Impact
Low risk in practice — the bridge only lives for the duration of a single agent job, listens on a random ephemeral port, and is only relevant when using Docker runtime. But it's a defense-in-depth measure worth adding.