mcp-compose

The server implements robust OAuth2 features including PKCE, state parameters for CSRF protection, and resource indicators (RFC 8707) for token binding. It performs token validation by calling the GitHub API for external tokens or verifying its own issued JWTs. However, the JWT signing key (`JWT_SIGN_KEY`) is hardcoded as 'dev_sign_key_change_in_production' in `server.py`, which is a critical vulnerability if used in production. CORS is set to `allow_origins=["*"]` in development, which should be restricted for production deployment. While the configuration file `config.json` is intended for local credentials, sensitive information can be loaded from environment variables in a production context, but this is a manual step for the user. SSL/HTTPS support via `mkcert` is provided. No `eval` or obfuscation was found.