mcp-hooks

by civicteam

Overview

A lightweight tRPC server that logs all tool call requests from an AI assistant through a flexible audit logging system, acting as middleware for the Model Context Protocol (MCP).

Installation

Run Command
cd packages/audit-hook && pnpm start

Environment Variables

  • PORT
  • LOG_FILE
  • POSTGRES_URL
  • ENABLE_CONSOLE_LOGGER
  • API_KEY
  • API_KEY_HEADER
  • RATE_LIMIT_PER_MINUTE
  • RATE_LIMIT_PER_HOUR
  • TARGET_SERVER_URL
  • HOOKS

Security Notes

The primary security concern lies in the `passthrough-mcp-server` (which this hook would integrate with). It constructs `StreamableHTTPClientTransport` client connections using `TARGET_SERVER_URL` and `HOOKS` environment variables directly, without validation or allow-listing. This creates a significant Server-Side Request Forgery (SSRF) vulnerability, potentially allowing an attacker to force the server to make requests to internal network resources. Additionally, the `api-key-hook` uses a default test API key ('test-api-key-12345') which is hardcoded and must be overridden in production to prevent unauthorized access. The `setup-db.ts` script for PostgreSQL logging uses default `postgres/postgres` credentials, which is highly insecure for production environments. Sensitive audit logs (if file-based) must be properly secured to prevent data leakage.

Stats

Interest Score: 34
Security Score: 4
Cost Class: Low
Stars: 4
Forks: 1
Last Update: 2026-01-19

Tags

Audit, Logging, Middleware, tRPC, TypeScript, PostgreSQL, MCP, Hooks