From 2ba26fb2de3829bc428eda6cdc0ad16e164e6bbc Mon Sep 17 00:00:00 2001
From: Rafael Poyiadzi <rafael@futuresearch.ai>
Date: Tue, 24 Feb 2026 23:29:57 +0000
Subject: [PATCH 1/2] Security hardening: auth replay, encryption guards, rate
 limits, CORS, error sanitization (#209)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Address 18 security audit findings (7 HIGH, 8 MEDIUM, 3 LOW) across the
MCP HTTP server, plus test and observability improvements.

HIGH:
- H1: Fail-closed encryption — encrypt/decrypt raise RuntimeError in HTTP
  mode when UPLOAD_SECRET is missing. Required regardless of --no-auth.
- H2: ALLOW_NO_AUTH strict check — only "1" disables auth.
- H3: Redis password required in authenticated HTTP mode (hard error).
- H4: HTTPS-only URL validation on mcp_server_url and supabase_url.
- H5: Referrer-Policy no-referrer meta tag in both widget templates.
- H6: Auth code and refresh token re-storage uses SET NX to prevent
  concurrent overwrites.
- H7: OAuth state consumed atomically in handle_start, re-stored to
  narrow replay window.

MEDIUM:
- M1: Security events (revoked tokens, failed polls, rate limits) at WARNING.
- M2: Stack traces suppressed in error responses; generic messages returned.
- M3: app.openLink() calls guarded with https scheme check.
- M4: rel="noopener noreferrer" on linkified anchors in results widget.
- M5: Removed in-memory rate limit fallback — Redis is a hard dependency.
- M6: Rate limit TTL always refreshed (removed nx=True on EXPIRE).
- M7: CORS wildcard origin for widget endpoints (auth via Bearer tokens).
- M8: Content-Type allowlist on upload endpoint (415 for unsupported types).

LOW:
- L1: Per-user upload rate limiting via atomic Redis pipeline.
- L4: Remote Redis without SSL fails in HTTP mode (warns in stdio).

Additional:
- Upload tool fails early when client has no API token.
- Direct path_params lookup for state in handle_start.
- E2e integration test: swap results tool to HTTP variant in _http_state.
- Fernet cache cleared in test override_settings for correct encryption.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 everyrow-mcp/src/everyrow_mcp/auth.py         |  32 ++++--
 everyrow-mcp/src/everyrow_mcp/config.py       |  45 +++++++-
 everyrow-mcp/src/everyrow_mcp/http_config.py  |  42 +++++---
 everyrow-mcp/src/everyrow_mcp/middleware.py   |  78 +++-----------
 everyrow-mcp/src/everyrow_mcp/redis_store.py  |   8 ++
 everyrow-mcp/src/everyrow_mcp/result_store.py |   7 +-
 everyrow-mcp/src/everyrow_mcp/routes.py       |  30 ++++--
 everyrow-mcp/src/everyrow_mcp/server.py       |  15 ++-
 everyrow-mcp/src/everyrow_mcp/templates.py    |  12 +--
 everyrow-mcp/src/everyrow_mcp/tool_helpers.py |   9 +-
 everyrow-mcp/src/everyrow_mcp/tools.py        |  33 ++++++
 everyrow-mcp/src/everyrow_mcp/uploads.py      |  49 ++++++++-
 everyrow-mcp/tests/conftest.py                |   3 +
 everyrow-mcp/tests/test_auth.py               |  12 ++-
 everyrow-mcp/tests/test_http_integration.py   |   5 +-
 everyrow-mcp/tests/test_http_real.py          |   2 +-
 everyrow-mcp/tests/test_mcp_e2e.py            |  30 +++++-
 everyrow-mcp/tests/test_middleware.py         |  25 -----
 everyrow-mcp/tests/test_result_store.py       |   2 +-
 everyrow-mcp/tests/test_routes.py             |  19 +++-
 everyrow-mcp/tests/test_security_hardening.py | 100 ++++++++++++++++++
 everyrow-mcp/tests/test_server.py             |  12 ++-
 everyrow-mcp/tests/test_stdio_content.py      |  33 +++---
 everyrow-mcp/tests/test_uploads.py            |  92 +++++++++++++++-
 24 files changed, 518 insertions(+), 177 deletions(-)
 create mode 100644 everyrow-mcp/tests/test_security_hardening.py

diff --git a/everyrow-mcp/src/everyrow_mcp/auth.py b/everyrow-mcp/src/everyrow_mcp/auth.py
index b06ed1e5..6858bd56 100644
--- a/everyrow-mcp/src/everyrow_mcp/auth.py
+++ b/everyrow-mcp/src/everyrow_mcp/auth.py
@@ -99,12 +99,12 @@ async def verify_token(self, token: str) -> AccessToken | None:
             payload = self._decode_jwt(token, signing_key)
 
             if await self._is_revoked(token):
-                logger.debug("Token is revoked")
+                logger.warning("Revoked token presented")
                 return None
 
             sub = payload.get("sub")
             if not sub:
-                logger.debug("JWT missing required 'sub' claim")
+                logger.warning("JWT missing required 'sub' claim")
                 return None
             return AccessToken(
                 token=token,
@@ -116,7 +116,7 @@ async def verify_token(self, token: str) -> AccessToken | None:
             logger.warning("JWKS fetch timed out (10s)")
             return None
         except pyjwt.PyJWTError:
-            logger.debug("JWT verification failed")
+            logger.warning("JWT verification failed")
             return None
 
 
@@ -212,7 +212,7 @@ async def _check_rate_limit(self, action: str, client_ip: str) -> None:
         rl_key = build_key("ratelimit", action, client_ip)
         async with self._redis.pipeline() as pipe:
             pipe.incr(rl_key)
-            pipe.expire(rl_key, settings.registration_rate_window, nx=True)
+            pipe.expire(rl_key, settings.registration_rate_window)
             count, _ = await pipe.execute()
         if count > settings.registration_rate_limit:
             raise ValueError(f"{action.title()} rate limit exceeded")
@@ -232,6 +232,7 @@ async def register_client(self, client_info: OAuthClientInformationFull) -> None
             time=settings.client_registration_ttl,
             value=client_info.model_dump_json(),
         )
+        logger.info("Registered new OAuth client client_id=%s", client_info.client_id)
 
     @staticmethod
     def _supabase_redirect_url(supabase_verifier: str) -> str:
@@ -361,11 +362,16 @@ async def authorize(
         return f"{settings.mcp_server_url}/auth/start/{state}"
 
     async def handle_start(self, request: Request) -> RedirectResponse:
+        state = request.path_params["state"]
         pending = await self._validate_auth_request(
-            request, "start", request.path_params.get("state")
+            request, "start", state, consume=True
+        )
+        # Re-store so the callback can still find it
+        await self._redis.setex(
+            name=build_key("pending", state),
+            time=settings.pending_auth_ttl,
+            value=pending.model_dump_json(),
         )
-
-        state = request.path_params.get("state", "")
         response = RedirectResponse(url=pending.supabase_redirect_url, status_code=302)
         response.set_cookie(
             key="__Host-mcp_auth_state",
@@ -434,9 +440,9 @@ async def load_authorization_code(
         if code_obj.expires_at and code_obj.expires_at < time.time():
             return None
         if code_obj.client_id != client.client_id:
-            # Re-store so the legitimate client can still use it.
+            # Re-store so the legitimate client can still use it (NX prevents overwrite).
             remaining = max(1, int((code_obj.expires_at or 0) - time.time()))
-            await self._redis.setex(key, remaining, code_data_encrypted)
+            await self._redis.set(key, code_data_encrypted, ex=remaining, nx=True)
             return None
         return code_obj
 
@@ -476,6 +482,7 @@ async def exchange_authorization_code(
         authorization_code: EveryRowAuthorizationCode,
     ) -> OAuthToken:
         assert client.client_id is not None
+        logger.info("Token exchange successful user=%s", authorization_code.client_id)
         return await self._issue_token_response(
             access_token=authorization_code.supabase_access_token,
             client_id=client.client_id,
@@ -499,8 +506,10 @@ async def load_refresh_token(
             return None
         rt = EveryRowRefreshToken.model_validate_json(decrypt_value(data_encrypted))
         if rt.client_id != client.client_id:
-            # Re-store so the legitimate client can still use it.
-            await self._redis.setex(key, settings.refresh_token_ttl, data_encrypted)
+            # Re-store so the legitimate client can still use it (NX prevents overwrite).
+            await self._redis.set(
+                key, data_encrypted, ex=settings.refresh_token_ttl, nx=True
+            )
             return None
         return rt
 
@@ -524,6 +533,7 @@ async def exchange_refresh_token(
             )
             raise
         assert client.client_id is not None
+        logger.info("Token refresh successful user=%s", client.client_id)
         return await self._issue_token_response(
             access_token=supa_tokens.access_token,
             client_id=client.client_id,
diff --git a/everyrow-mcp/src/everyrow_mcp/config.py b/everyrow-mcp/src/everyrow_mcp/config.py
index 16a1619e..339412c0 100644
--- a/everyrow-mcp/src/everyrow_mcp/config.py
+++ b/everyrow-mcp/src/everyrow_mcp/config.py
@@ -1,10 +1,14 @@
 from __future__ import annotations
 
+import logging
 from functools import lru_cache
+from urllib.parse import urlparse
 
-from pydantic import Field, PositiveInt, field_validator
+from pydantic import Field, PositiveInt, field_validator, model_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
+logger = logging.getLogger(__name__)
+
 
 class Settings(BaseSettings):
     model_config = SettingsConfigDict(extra="ignore")
@@ -108,6 +112,15 @@ class Settings(BaseSettings):
         description="Maximum response size when fetching CSV from a URL (50 MB).",
     )
 
+    upload_rate_limit: PositiveInt = Field(
+        default=20,
+        description="Max uploads per user per rate window",
+    )
+    upload_rate_window: PositiveInt = Field(
+        default=3600,
+        description="Upload rate limit sliding window in seconds (1 hour)",
+    )
+
     everyrow_api_key: str | None = Field(default=None, repr=False)
 
     @property
@@ -120,8 +133,34 @@ def is_stdio(self) -> bool:
 
     @field_validator("mcp_server_url", "supabase_url")
     @classmethod
-    def _strip_url_slashes(cls, v: str) -> str:
-        return v.rstrip("/")
+    def _validate_url(cls, v: str) -> str:
+        v = v.rstrip("/")
+        if not v:
+            return v
+        parsed = urlparse(v)
+        host = (parsed.hostname or "").lower()
+        is_local = host in ("localhost", "127.0.0.1", "::1")
+        if not is_local and parsed.scheme != "https":
+            raise ValueError(
+                f"Non-localhost URLs must use https:// (got {parsed.scheme}://)"
+            )
+        return v
+
+    @model_validator(mode="after")
+    def _require_redis_ssl_for_remote(self) -> Settings:
+        host = (self.redis_host or "").lower()
+        is_local = host in ("localhost", "127.0.0.1", "::1", "")
+        if not is_local and not self.redis_ssl:
+            if self.is_http:
+                raise ValueError(
+                    f"Redis host {self.redis_host} is remote but redis_ssl=False. "
+                    "Enable redis_ssl for non-localhost Redis in HTTP mode."
+                )
+            logger.warning(
+                "Redis host %s is remote but redis_ssl=False — traffic is unencrypted.",
+                self.redis_host,
+            )
+        return self
 
 
 @lru_cache
diff --git a/everyrow-mcp/src/everyrow_mcp/http_config.py b/everyrow-mcp/src/everyrow_mcp/http_config.py
index 36d61d73..04afe553 100644
--- a/everyrow-mcp/src/everyrow_mcp/http_config.py
+++ b/everyrow-mcp/src/everyrow_mcp/http_config.py
@@ -3,8 +3,10 @@
 from __future__ import annotations
 
 import logging
+import time as _time
 from urllib.parse import urlparse
 
+from mcp.server.auth.middleware.auth_context import get_access_token
 from mcp.server.auth.settings import AuthSettings, ClientRegistrationOptions
 from mcp.server.fastmcp import FastMCP
 from mcp.server.fastmcp.server import lifespan_wrapper
@@ -70,16 +72,20 @@ def configure_http_mode(
     mcp.settings.host = host
     mcp.settings.port = port
 
-    if not no_auth and not settings.upload_secret:
+    if not settings.upload_secret:
         raise RuntimeError(
             "UPLOAD_SECRET must be set in HTTP mode for HMAC signing. "
             'Generate one with: python -c "import secrets; print(secrets.token_urlsafe(32))"'
         )
-    if settings.is_http and not no_auth and not settings.redis_password:
-        logger.warning(
+    if not no_auth and not settings.redis_password:
+        raise RuntimeError(
             "REDIS_PASSWORD is not set — Redis is unauthenticated. "
             "Set REDIS_PASSWORD for production deployments."
         )
+    if no_auth and not settings.redis_password:
+        logger.warning(
+            "REDIS_PASSWORD is not set — acceptable for local development only."
+        )
 
     _register_widgets(mcp, mcp_server_url)
     _register_routes(mcp, redis_client, auth_provider if not no_auth else None)
@@ -164,23 +170,31 @@ def _ui_csp(connect_domains: list[str]) -> dict[str, str | list[str]]:
 
 
 class _RequestLoggingMiddleware(BaseHTTPMiddleware):
-    """Log every inbound request and its response status at DEBUG level."""
+    """Log inbound requests at INFO level with method, path, status, and timing."""
 
     async def dispatch(self, request, call_next):
-        has_auth = "authorization" in request.headers
-        logger.debug(
-            "INCOMING %s %s | Host: %s | Auth: %s",
-            request.method,
-            request.url.path,
-            request.headers.get("host", "?"),
-            "present" if has_auth else "none",
-        )
+        # Skip health check requests — k8s probes hit these every ~10s.
+        if request.url.path == "/health":
+            return await call_next(request)
+
+        start = _time.monotonic()
         response = await call_next(request)
-        logger.debug(
-            "RESPONSE %s %s -> %s",
+        elapsed_ms = (_time.monotonic() - start) * 1000
+
+        # Extract user_id from the access token if available.
+        try:
+            access_token = get_access_token()
+            user_id = access_token.client_id if access_token else None
+        except Exception:
+            user_id = None
+
+        logger.info(
+            "HTTP %s %s -> %d (%.0fms) user=%s",
             request.method,
             request.url.path,
             response.status_code,
+            elapsed_ms,
+            user_id or "anon",
         )
         return response
 
diff --git a/everyrow-mcp/src/everyrow_mcp/middleware.py b/everyrow-mcp/src/everyrow_mcp/middleware.py
index f9864f51..70552f53 100644
--- a/everyrow-mcp/src/everyrow_mcp/middleware.py
+++ b/everyrow-mcp/src/everyrow_mcp/middleware.py
@@ -3,11 +3,9 @@
 from __future__ import annotations
 
 import logging
-import threading
 import time
 
 from redis.asyncio import Redis
-from redis.exceptions import RedisError
 from starlette.middleware.base import BaseHTTPMiddleware
 from starlette.requests import Request
 from starlette.responses import JSONResponse, Response
@@ -46,11 +44,9 @@ class RateLimitMiddleware(BaseHTTPMiddleware):
     """Redis-based fixed-window rate limiter per client IP.
 
     Returns 429 with ``Retry-After`` header when the limit is exceeded.
-    Falls back to an in-memory counter when Redis is unavailable.
+    Redis is a hard dependency in HTTP mode — failures propagate.
     """
 
-    _MEM_CLEANUP_INTERVAL = 100  # clean up stale entries every N requests
-
     def __init__(
         self,
         app,
@@ -63,42 +59,6 @@ def __init__(
         self._redis = redis
         self._max_requests = max_requests
         self._window_seconds = window_seconds
-        # In-memory fallback: {key: (count, window_start)}
-        self._mem_counters: dict[str, tuple[int, float]] = {}
-        self._mem_lock = threading.Lock()
-        self._mem_request_count = 0
-
-    def _check_in_memory(self, ip: str) -> bool:
-        """In-memory fixed-window rate check. Returns True if the request should be blocked."""
-        now = time.time()
-        window_start = (int(now) // self._window_seconds) * self._window_seconds
-        key = f"{ip}:{window_start}"
-
-        with self._mem_lock:
-            self._mem_request_count += 1
-            if self._mem_request_count % self._MEM_CLEANUP_INTERVAL == 0:
-                self._cleanup_mem_counters(now)
-
-            count, ws = self._mem_counters.get(key, (0, window_start))
-            count += 1
-            self._mem_counters[key] = (count, ws)
-            return count > self._max_requests
-
-    _MAX_MEM_ENTRIES = 50_000  # hard cap to prevent unbounded memory growth
-
-    def _cleanup_mem_counters(self, now: float) -> None:
-        """Evict stale entries. Must be called under _mem_lock."""
-        cutoff = now - self._window_seconds * 2
-        stale = [k for k, (_, ws) in self._mem_counters.items() if ws < cutoff]
-        for k in stale:
-            del self._mem_counters[k]
-        # Hard cap: if still too many entries, evict oldest
-        if len(self._mem_counters) > self._MAX_MEM_ENTRIES:
-            sorted_keys = sorted(
-                self._mem_counters, key=lambda k: self._mem_counters[k][1]
-            )
-            for k in sorted_keys[: len(self._mem_counters) - self._MAX_MEM_ENTRIES]:
-                del self._mem_counters[k]
 
     async def dispatch(self, request: Request, call_next) -> Response:
         if request.url.path == "/health":
@@ -113,30 +73,20 @@ async def dispatch(self, request: Request, call_next) -> Response:
         window_id = str(int(time.time()) // self._window_seconds)
         key = build_key("rate", client_ip, window_id)
 
-        try:
-            async with self._redis.pipeline() as pipe:
-                pipe.incr(key)
-                pipe.expire(key, self._window_seconds, nx=True)
-                count, _ = await pipe.execute()
-
-            if count > self._max_requests:
-                ttl = await self._redis.ttl(key)
-                retry_after = max(ttl, 1)
-                return JSONResponse(
-                    {"detail": "Rate limit exceeded"},
-                    status_code=429,
-                    headers={"Retry-After": str(retry_after)},
-                )
-        except (RedisError, OSError):
-            logger.warning(
-                "Rate-limit check failed (Redis unavailable), using in-memory fallback"
+        async with self._redis.pipeline() as pipe:
+            pipe.incr(key)
+            pipe.expire(key, self._window_seconds)
+            count, _ = await pipe.execute()
+
+        if count > self._max_requests:
+            logger.warning("Rate limit exceeded for IP %s", client_ip)
+            ttl = await self._redis.ttl(key)
+            retry_after = max(ttl, 1)
+            return JSONResponse(
+                {"detail": "Rate limit exceeded"},
+                status_code=429,
+                headers={"Retry-After": str(retry_after)},
             )
-            if self._check_in_memory(client_ip):
-                return JSONResponse(
-                    {"detail": "Rate limit exceeded"},
-                    status_code=429,
-                    headers={"Retry-After": str(self._window_seconds)},
-                )
 
         return await call_next(request)
 
diff --git a/everyrow-mcp/src/everyrow_mcp/redis_store.py b/everyrow-mcp/src/everyrow_mcp/redis_store.py
index 00a3d86f..d4f11eda 100644
--- a/everyrow-mcp/src/everyrow_mcp/redis_store.py
+++ b/everyrow-mcp/src/everyrow_mcp/redis_store.py
@@ -71,6 +71,10 @@ def encrypt_value(value: str) -> str:
     """Encrypt a string value for Redis storage. No-op without UPLOAD_SECRET."""
     f = _get_fernet()
     if f is None:
+        if settings.is_http:
+            raise RuntimeError(
+                "UPLOAD_SECRET must be set in HTTP mode — cannot store sensitive values in plaintext."
+            )
         return value
     return f.encrypt(value.encode()).decode()
 
@@ -79,6 +83,10 @@ def decrypt_value(value: str) -> str:
     """Decrypt a string value from Redis. No-op without UPLOAD_SECRET."""
     f = _get_fernet()
     if f is None:
+        if settings.is_http:
+            raise RuntimeError(
+                "UPLOAD_SECRET must be set in HTTP mode — cannot read encrypted values without the key."
+            )
         return value
     return f.decrypt(value.encode()).decode()
 
diff --git a/everyrow-mcp/src/everyrow_mcp/result_store.py b/everyrow-mcp/src/everyrow_mcp/result_store.py
index 72bc3a97..e3c029e2 100644
--- a/everyrow-mcp/src/everyrow_mcp/result_store.py
+++ b/everyrow-mcp/src/everyrow_mcp/result_store.py
@@ -282,9 +282,10 @@ async def try_store_result(
             session_url=session_url,
             requested_page_size=page_size,
         )
-    except Exception:
-        logger.exception(
-            "Failed to store results in Redis for task %s, falling back to inline",
+    except Exception as exc:
+        logger.error(
+            "Failed to store results in Redis for task %s, falling back to inline: %s",
             task_id,
+            type(exc).__name__,
         )
         return None
diff --git a/everyrow-mcp/src/everyrow_mcp/routes.py b/everyrow-mcp/src/everyrow_mcp/routes.py
index 1cf408a3..d042c810 100644
--- a/everyrow-mcp/src/everyrow_mcp/routes.py
+++ b/everyrow-mcp/src/everyrow_mcp/routes.py
@@ -20,16 +20,16 @@
 
 
 def _cors_headers() -> dict[str, str]:
-    origin = settings.mcp_server_url
-    if not origin:
-        logger.warning(
-            "mcp_server_url is empty; CORS Access-Control-Allow-Origin will be blank"
-        )
+    """CORS headers for widget endpoints.
+
+    MCP App widgets run in sandboxed iframes whose origin will never match
+    the server's own URL.  Because auth is via Bearer tokens (not cookies),
+    a wildcard origin is safe — no ambient credentials are leaked.
+    """
     return {
-        "Access-Control-Allow-Origin": origin,
+        "Access-Control-Allow-Origin": "*",
         "Access-Control-Allow-Methods": "GET",
         "Access-Control-Allow-Headers": "Authorization",
-        "Vary": "Origin",
     }
 
 
@@ -39,7 +39,9 @@ def _validate_uuid(task_id: str) -> JSONResponse | None:
         UUID(task_id)
     except ValueError:
         return JSONResponse(
-            {"error": "Invalid task ID"}, status_code=400, headers=_cors_headers()
+            {"error": "Invalid task ID"},
+            status_code=400,
+            headers=_cors_headers(),
         )
     return None
 
@@ -58,7 +60,13 @@ async def _validate_poll_token(task_id: str, request: Request) -> JSONResponse |
     else:
         # Fall back to query param (for download links)
         provided = request.query_params.get("token", "")
+        if provided:
+            logger.info(
+                "Poll token provided via query param for task %s — prefer Authorization header",
+                task_id,
+            )
     if not expected or not provided or not secrets.compare_digest(provided, expected):
+        logger.warning("Invalid poll token for task %s", task_id)
         return JSONResponse(
             {"error": "Unauthorized"}, status_code=403, headers=_cors_headers()
         )
@@ -109,8 +117,10 @@ async def api_progress(request: Request) -> Response:
         return JSONResponse(
             ts.model_dump(mode="json", exclude=_UI_EXCLUDE), headers=cors
         )
-    except Exception:
-        logger.exception("Progress poll failed for task %s", task_id)
+    except Exception as exc:
+        logger.error(
+            "Progress poll failed for task %s: %s", task_id, type(exc).__name__
+        )
         return JSONResponse(
             {"error": "Internal server error"}, status_code=500, headers=cors
         )
diff --git a/everyrow-mcp/src/everyrow_mcp/server.py b/everyrow-mcp/src/everyrow_mcp/server.py
index b708a24d..2a659583 100644
--- a/everyrow-mcp/src/everyrow_mcp/server.py
+++ b/everyrow-mcp/src/everyrow_mcp/server.py
@@ -56,7 +56,7 @@ def parse_args() -> InputArgs:
     if input_args.no_auth and not input_args.http:
         parser.error("--no-auth requires --http")
 
-    if input_args.no_auth and not os.environ.get("ALLOW_NO_AUTH"):
+    if input_args.no_auth and os.environ.get("ALLOW_NO_AUTH") != "1":
         print(
             dedent("""ERROR: --no-auth requires the ALLOW_NO_AUTH=1 environment variable.\n
             This prevents accidental unauthenticated deployments in production."""),
@@ -93,6 +93,19 @@ def main():
         )(everyrow_results_http)
 
     if input_args.http:
+        # ── HTTP mode logging ──────────────────────────────────────
+        # INFO level so operational events show up in Cloud Logging.
+        # Format is plain-text; Cloud Logging parses the severity from
+        # the levelname field automatically.
+        logging.basicConfig(
+            level=logging.INFO,
+            format="%(asctime)s %(levelname)s %(name)s %(message)s",
+            force=True,
+        )
+        # Suppress uvicorn's built-in access logger — our
+        # _RequestLoggingMiddleware provides richer per-request logs.
+        logging.getLogger("uvicorn.access").setLevel(logging.WARNING)
+
         register_upload_tool(mcp)
 
         if input_args.no_auth:
diff --git a/everyrow-mcp/src/everyrow_mcp/templates.py b/everyrow-mcp/src/everyrow_mcp/templates.py
index 9fa67679..5dc4e3bd 100644
--- a/everyrow-mcp/src/everyrow_mcp/templates.py
+++ b/everyrow-mcp/src/everyrow_mcp/templates.py
@@ -3,7 +3,7 @@
 _APP_SCRIPT_SRC = "https://unpkg.com/@modelcontextprotocol/ext-apps@1.0.1/app-with-deps"
 
 RESULTS_HTML = """<!DOCTYPE html>
-<html><head><meta name="color-scheme" content="light dark">
+<html><head><meta name="referrer" content="no-referrer"><meta name="color-scheme" content="light dark">
 <style>
 :root{
   --bg:#fff;--bg-alt:#f8f9fa;--bg-hover:rgba(25,118,210,0.06);
@@ -166,7 +166,7 @@
 function esc(s){const d=document.createElement("div");d.textContent=String(s);return d.innerHTML;}
 function escAttr(s){return esc(s).replace(/"/g,"&quot;");}
 function truncSafe(s,len){if(s.length<=len)return s;let t=s.slice(0,len);const urlRe=/(https?:\\/\\/[^\\s<>"'\\]]+)$/;const m=t.match(urlRe);if(m){const full=s.slice(m.index).match(/^https?:\\/\\/[^\\s<>"'\\]]+/);if(full&&full[0].length>m[1].length)t=s.slice(0,m.index+full[0].length);}return t;}
-function linkify(s){const re=/(https?:\\/\\/[^\\s<>"'\\]]+)/g;let last=0,out="",m;while((m=re.exec(s))!==null){let url=m[1];while(url.endsWith(")")&&(url.split("(").length-1)<(url.split(")").length-1))url=url.slice(0,-1);re.lastIndex=m.index+url.length;if(m.index>last)out+=esc(s.slice(last,m.index));out+='<a href="'+escAttr(url)+'" target="_blank">'+esc(url)+"</a>";last=re.lastIndex;}if(last<s.length)out+=esc(s.slice(last));return out;}
+function linkify(s){const re=/(https?:\\/\\/[^\\s<>"'\\]]+)/g;let last=0,out="",m;while((m=re.exec(s))!==null){let url=m[1];while(url.endsWith(")")&&(url.split("(").length-1)<(url.split(")").length-1))url=url.slice(0,-1);re.lastIndex=m.index+url.length;if(m.index>last)out+=esc(s.slice(last,m.index));out+='<a href="'+escAttr(url)+'" target="_blank" rel="noopener noreferrer">'+esc(url)+"</a>";last=re.lastIndex;}if(last<s.length)out+=esc(s.slice(last));return out;}
 
 /* --- data processing --- */
 function flat(obj,pre){
@@ -702,11 +702,11 @@
   sessionLinkEl.innerHTML=h;
   document.getElementById("sessionOpenLink")?.addEventListener("click",e=>{
     e.preventDefault();
-    app.openLink({url:sessionUrl}).catch(()=>window.open(sessionUrl,"_blank"));
+    if(!/^https?:\\/\\//i.test(sessionUrl))return;app.openLink({url:sessionUrl}).catch(()=>window.open(sessionUrl,"_blank"));
   });
   document.getElementById("csvOpenLink")?.addEventListener("click",e=>{
     e.preventDefault();
-    app.openLink({url:csvUrl}).catch(()=>window.open(csvUrl,"_blank"));
+    if(!/^https?:\\/\\//i.test(csvUrl))return;app.openLink({url:csvUrl}).catch(()=>window.open(csvUrl,"_blank"));
   });
 }
 
@@ -743,7 +743,7 @@
 </script></body></html>""".replace("SCRIPT_SRC", _APP_SCRIPT_SRC)
 
 SESSION_HTML = """<!DOCTYPE html>
-<html><head><meta name="color-scheme" content="light dark">
+<html><head><meta name="referrer" content="no-referrer"><meta name="color-scheme" content="light dark">
 <style>
 *{box-sizing:border-box}
 body{font-family:system-ui,-apple-system,sans-serif;margin:0;padding:12px;color:#333;font-size:13px}
@@ -834,7 +834,7 @@
   const link=el.querySelector(".session-open");
   if(link){link.addEventListener("click",e=>{
     e.preventDefault();
-    app.openLink({url:url}).catch(()=>window.open(url,"_blank"));
+    if(!/^https?:\\/\\//i.test(url))return;app.openLink({url:url}).catch(()=>window.open(url,"_blank"));
   });}
 
   if(done&&!wasDone){wasDone=true;el.classList.add("flash")}
diff --git a/everyrow-mcp/src/everyrow_mcp/tool_helpers.py b/everyrow-mcp/src/everyrow_mcp/tool_helpers.py
index 6b763654..af355739 100644
--- a/everyrow-mcp/src/everyrow_mcp/tool_helpers.py
+++ b/everyrow-mcp/src/everyrow_mcp/tool_helpers.py
@@ -300,12 +300,19 @@ def write_initial_task_state(
     input_source: str = "unknown",
 ) -> None:
     """Write initial task state file when a task is first submitted."""
+    # Extract user_id for tracing (HTTP mode only).
+    try:
+        access_token = get_access_token()
+        user_id = access_token.client_id if access_token else None
+    except Exception:
+        user_id = None
     logger.info(
-        "Task %s (%s): input_source=%s, total=%d",
+        "Task submitted task_id=%s type=%s source=%s rows=%d user=%s",
         task_id,
         task_type.value,
         input_source,
         total,
+        user_id or "local",
     )
     if settings.is_http:
         return
diff --git a/everyrow-mcp/src/everyrow_mcp/tools.py b/everyrow-mcp/src/everyrow_mcp/tools.py
index 3560c8da..0363bd94 100644
--- a/everyrow-mcp/src/everyrow_mcp/tools.py
+++ b/everyrow-mcp/src/everyrow_mcp/tools.py
@@ -126,6 +126,11 @@ async def everyrow_agent(params: AgentInput, ctx: EveryRowContext) -> list[TextC
     Then immediately call everyrow_progress(task_id) to monitor.
     Once the task is completed, call everyrow_results to save the output.
     """
+    logger.info(
+        "everyrow_agent: task=%.80s rows=%s",
+        params.task,
+        len(params.data) if params.data else "artifact",
+    )
     client = _get_client(ctx)
 
     _clear_task_state()
@@ -197,6 +202,7 @@ async def everyrow_single_agent(
     Then immediately call everyrow_progress(task_id) to monitor.
     Once the task is completed, call everyrow_results to save the output.
     """
+    logger.info("everyrow_single_agent: task=%.80s", params.task)
     client = _get_client(ctx)
 
     _clear_task_state()
@@ -274,6 +280,11 @@ async def everyrow_rank(params: RankInput, ctx: EveryRowContext) -> list[TextCon
         Success message containing session_url (for the user to open) and
         task_id (for monitoring progress)
     """
+    logger.info(
+        "everyrow_rank: task=%.80s rows=%s",
+        params.task,
+        len(params.data) if params.data else "artifact",
+    )
     client = _get_client(ctx)
 
     _clear_task_state()
@@ -358,6 +369,11 @@ async def everyrow_screen(
         Success message containing session_url (for the user to open) and
         task_id (for monitoring progress)
     """
+    logger.info(
+        "everyrow_screen: task=%.80s rows=%s",
+        params.task,
+        len(params.data) if params.data else "artifact",
+    )
     client = _get_client(ctx)
 
     _clear_task_state()
@@ -435,6 +451,11 @@ async def everyrow_dedupe(
         Success message containing session_url (for the user to open) and
         task_id (for monitoring progress)
     """
+    logger.info(
+        "everyrow_dedupe: equivalence=%.80s rows=%s",
+        params.equivalence_relation,
+        len(params.data) if params.data else "artifact",
+    )
     client = _get_client(ctx)
     _clear_task_state()
 
@@ -516,6 +537,12 @@ async def everyrow_merge(params: MergeInput, ctx: EveryRowContext) -> list[TextC
         Success message containing session_url (for the user to open) and
         task_id (for monitoring progress)
     """
+    logger.info(
+        "everyrow_merge: task=%.80s left_rows=%s right_rows=%s",
+        params.task,
+        len(params.left_data) if params.left_data else "artifact",
+        len(params.right_data) if params.right_data else "artifact",
+    )
     client = _get_client(ctx)
     _clear_task_state()
 
@@ -592,6 +619,11 @@ async def everyrow_forecast(
     Then immediately call everyrow_progress(task_id) to monitor.
     Once the task is completed, call everyrow_results to save the output.
     """
+    logger.info(
+        "everyrow_forecast: context=%.80s rows=%s",
+        params.context or "",
+        len(params.data) if params.data else "artifact",
+    )
     client = _get_client(ctx)
 
     _clear_task_state()
@@ -658,6 +690,7 @@ async def everyrow_upload_data(
     artifact_id parameter. The data is stored server-side and can be reused
     across multiple tool calls.
     """
+    logger.info("everyrow_upload_data: source=%.80s", params.source)
     client = _get_client(ctx)
 
     if is_url(params.source):
diff --git a/everyrow-mcp/src/everyrow_mcp/uploads.py b/everyrow-mcp/src/everyrow_mcp/uploads.py
index 6e022406..ca84f5c5 100644
--- a/everyrow-mcp/src/everyrow_mcp/uploads.py
+++ b/everyrow-mcp/src/everyrow_mcp/uploads.py
@@ -28,11 +28,18 @@
 
 from everyrow_mcp import redis_store
 from everyrow_mcp.config import settings
-from everyrow_mcp.redis_store import decrypt_value, encrypt_value
+from everyrow_mcp.redis_store import build_key, decrypt_value, encrypt_value
 from everyrow_mcp.tool_helpers import EveryRowContext
 
 logger = logging.getLogger(__name__)
 
+_ALLOWED_CONTENT_TYPES = {
+    "text/csv",
+    "application/csv",
+    "text/plain",
+    "application/octet-stream",
+}
+
 
 # ── Input model ───────────────────────────────────────────────
 
@@ -131,6 +138,13 @@ async def request_upload_url(
         # Get user's API token from the MCP context
         client = ctx.request_context.lifespan_context.client_factory()
         api_token = getattr(client, "token", None) or ""
+        if not api_token:
+            return [
+                TextContent(
+                    type="text",
+                    text="Error: no API token available. Please authenticate first.",
+                )
+            ]
 
         # Store metadata in Redis (token encrypted at rest)
         meta = json.dumps(
@@ -228,14 +242,43 @@ async def handle_upload(request: Request) -> JSONResponse:  # noqa: PLR0911
         return error
     assert body is not None and meta is not None  # type narrowing
 
+    # Retrieve and decrypt the user's API token
+    content_type = (
+        (request.headers.get("content-type") or "").split(";")[0].strip().lower()
+    )
+    if content_type and content_type not in _ALLOWED_CONTENT_TYPES:
+        return JSONResponse(
+            {
+                "error": f"Unsupported Content-Type: {content_type}. Use text/csv or application/octet-stream."
+            },
+            status_code=415,
+        )
+
     # Retrieve and decrypt the user's API token
     try:
         api_token = decrypt_value(meta.get("api_token", ""))
     except Exception:
+        logger.warning(
+            "Failed to decrypt api_token for upload %s",
+            request.path_params.get("upload_id"),
+        )
         api_token = ""
     if not api_token:
         return JSONResponse({"error": "Upload authorization missing"}, status_code=403)
 
+    token_hash = hashlib.sha256(api_token.encode()).hexdigest()[:16]
+    rl_key = build_key("upload_rate", token_hash)
+    redis_client = redis_store.get_redis_client()
+    async with redis_client.pipeline() as pipe:
+        pipe.incr(rl_key)
+        pipe.expire(rl_key, settings.upload_rate_window)
+        count, _ = await pipe.execute()
+    if count > settings.upload_rate_limit:
+        return JSONResponse(
+            {"error": "Upload rate limit exceeded. Try again later."},
+            status_code=429,
+        )
+
     try:
         df = pd.read_csv(BytesIO(body))  # type: ignore[arg-type]
     except Exception as exc:
@@ -266,8 +309,8 @@ async def handle_upload(request: Request) -> JSONResponse:  # noqa: PLR0911
         )
         async with create_session(client=client) as session:
             artifact_id = await create_table_artifact(df, session)
-    except Exception:
-        logger.exception("Failed to create artifact from upload")
+    except Exception as exc:
+        logger.error("Failed to create artifact from upload: %s", type(exc).__name__)
         return JSONResponse(
             {"error": "Failed to create artifact. Please try again."},
             status_code=500,
diff --git a/everyrow-mcp/tests/conftest.py b/everyrow-mcp/tests/conftest.py
index 57596e8c..6c06c0f3 100644
--- a/everyrow-mcp/tests/conftest.py
+++ b/everyrow-mcp/tests/conftest.py
@@ -25,6 +25,7 @@
 from everyrow.api_utils import create_client
 
 from everyrow_mcp.config import settings
+from everyrow_mcp.redis_store import _get_fernet
 from everyrow_mcp.tool_helpers import SessionContext
 
 _REDIS_PORT = 16379  # non-default port to avoid clashing with local Redis
@@ -95,11 +96,13 @@ def override_settings(**overrides):
     orig = {k: getattr(settings, k) for k in overrides}
     for k, v in overrides.items():
         setattr(settings, k, v)
+    _get_fernet.cache_clear()
     try:
         yield
     finally:
         for k, v in orig.items():
             setattr(settings, k, v)
+        _get_fernet.cache_clear()
 
 
 @pytest.fixture
diff --git a/everyrow-mcp/tests/test_auth.py b/everyrow-mcp/tests/test_auth.py
index 43b0cdee..7b3d799f 100644
--- a/everyrow-mcp/tests/test_auth.py
+++ b/everyrow-mcp/tests/test_auth.py
@@ -64,7 +64,14 @@ async def _exists(key):
     async def _delete(key):
         store.pop(key, None)
 
+    async def _set(key, value, *, ex=None, nx=False):  # noqa: ARG001
+        if nx and key in store:
+            return None  # NX: skip if key exists
+        store[key] = value
+        return True
+
     redis.setex = AsyncMock(side_effect=_setex)
+    redis.set = AsyncMock(side_effect=_set)
     redis.exists = AsyncMock(side_effect=_exists)
     redis.delete = AsyncMock(side_effect=_delete)
     redis._store = store  # exposed for assertions
@@ -359,8 +366,11 @@ def provider_redis():
 
     redis = AsyncMock()
 
-    async def _set(key, value):
+    async def _set(key, value, *, ex=None, nx=False):  # noqa: ARG001
+        if nx and key in store:
+            return None  # NX: skip if key exists
         store[key] = value
+        return True
 
     async def _setex(*args, name=None, time=None, value=None):  # noqa: ARG001
         key = name if name is not None else args[0]
diff --git a/everyrow-mcp/tests/test_http_integration.py b/everyrow-mcp/tests/test_http_integration.py
index 64a19bae..d72c859e 100644
--- a/everyrow-mcp/tests/test_http_integration.py
+++ b/everyrow-mcp/tests/test_http_integration.py
@@ -26,7 +26,6 @@
 from starlette.routing import Route
 
 from everyrow_mcp import redis_store
-from everyrow_mcp.config import settings
 from everyrow_mcp.routes import api_progress
 from tests.conftest import override_settings
 
@@ -37,7 +36,7 @@
 def _http_state(fake_redis):
     """Configure settings for HTTP mode and patch Redis."""
     with (
-        override_settings(transport="streamable-http"),
+        override_settings(transport="streamable-http", upload_secret="test-secret"),
         patch.object(redis_store, "get_redis_client", return_value=fake_redis),
     ):
         yield
@@ -175,7 +174,7 @@ async def test_running_task_returns_progress(self, client: httpx.AsyncClient):
         assert body["elapsed_s"] >= 0
         assert "session_url" in body
         # CORS header
-        assert resp.headers["access-control-allow-origin"] == settings.mcp_server_url
+        assert resp.headers["access-control-allow-origin"] == "*"
 
     @pytest.mark.asyncio
     async def test_completed_task_cleans_up_tokens(self, client: httpx.AsyncClient):
diff --git a/everyrow-mcp/tests/test_http_real.py b/everyrow-mcp/tests/test_http_real.py
index a8ea5291..ec49655b 100644
--- a/everyrow-mcp/tests/test_http_real.py
+++ b/everyrow-mcp/tests/test_http_real.py
@@ -55,7 +55,7 @@
 def _http_mode(fake_redis):
     """Configure settings for HTTP mode with the shared test Redis."""
     with (
-        override_settings(transport="streamable-http"),
+        override_settings(transport="streamable-http", upload_secret="test-secret"),
         patch.object(redis_store, "get_redis_client", return_value=fake_redis),
     ):
         yield
diff --git a/everyrow-mcp/tests/test_mcp_e2e.py b/everyrow-mcp/tests/test_mcp_e2e.py
index e160e0d6..1eeb17ca 100644
--- a/everyrow-mcp/tests/test_mcp_e2e.py
+++ b/everyrow-mcp/tests/test_mcp_e2e.py
@@ -33,6 +33,12 @@
 from everyrow_mcp import redis_store
 from everyrow_mcp.app import mcp as mcp_app
 from everyrow_mcp.tool_helpers import SessionContext
+from everyrow_mcp.tools import (
+    _RESULTS_ANNOTATIONS,
+    _RESULTS_META,
+    everyrow_results_http,
+    everyrow_results_stdio,
+)
 from tests.conftest import override_settings
 
 # ── Fixtures / helpers ────────────────────────────────────────
@@ -50,15 +56,35 @@ def _fake_access_token():
 
 @pytest.fixture
 def _http_state(fake_redis):
-    """Configure settings for HTTP mode and patch Redis."""
+    """Configure settings for HTTP mode and patch Redis.
+
+    Also swaps everyrow_results from stdio to HTTP variant, matching server.py startup.
+    """
+    mcp_app._tool_manager.remove_tool("everyrow_results")
+    mcp_app.tool(
+        name="everyrow_results",
+        structured_output=False,
+        annotations=_RESULTS_ANNOTATIONS,
+        meta=_RESULTS_META,
+    )(everyrow_results_http)
+
     with (
-        override_settings(transport="streamable-http"),
+        override_settings(transport="streamable-http", upload_secret="test-secret"),
         patch.object(redis_store, "get_redis_client", return_value=fake_redis),
         patch("everyrow_mcp.tools.get_access_token", _fake_access_token),
         patch("everyrow_mcp.tool_helpers.get_access_token", _fake_access_token),
     ):
         yield
 
+    # Restore stdio variant
+    mcp_app._tool_manager.remove_tool("everyrow_results")
+    mcp_app.tool(
+        name="everyrow_results",
+        structured_output=False,
+        annotations=_RESULTS_ANNOTATIONS,
+        meta=_RESULTS_META,
+    )(everyrow_results_stdio)
+
 
 @asynccontextmanager
 async def mcp_client():
diff --git a/everyrow-mcp/tests/test_middleware.py b/everyrow-mcp/tests/test_middleware.py
index 3f470f18..7bd80711 100644
--- a/everyrow-mcp/tests/test_middleware.py
+++ b/everyrow-mcp/tests/test_middleware.py
@@ -6,7 +6,6 @@
 from contextlib import asynccontextmanager
 from unittest.mock import AsyncMock, MagicMock, patch
 
-from redis.exceptions import ConnectionError as RedisConnectionError
 from starlette.applications import Starlette
 from starlette.requests import Request
 from starlette.responses import PlainTextResponse
@@ -159,30 +158,6 @@ def test_rejects_unknown_client_ip(self):
             assert resp.status_code == 400
             assert resp.json() == {"detail": "Could not determine client IP"}
 
-    def test_in_memory_fallback_when_redis_unavailable(self):
-        """In-memory fallback rate-limits when Redis is down."""
-
-        @asynccontextmanager
-        async def _failing_pipeline():
-            raise RedisConnectionError("Redis down")
-            yield
-
-        redis_mock = AsyncMock()
-        redis_mock.pipeline = _failing_pipeline
-
-        app = _make_app(redis_mock, max_requests=3)
-        client = TestClient(app)
-
-        # First 3 requests should pass via in-memory fallback
-        for _ in range(3):
-            resp = client.get("/")
-            assert resp.status_code == 200
-
-        # 4th request should be rate-limited by in-memory fallback
-        resp = client.get("/")
-        assert resp.status_code == 429
-        assert resp.json() == {"detail": "Rate limit exceeded"}
-
     def test_counter_resets_after_window(self):
         """Requests in a new time window should not be blocked."""
         redis_mock = _make_redis_mock()
diff --git a/everyrow-mcp/tests/test_result_store.py b/everyrow-mcp/tests/test_result_store.py
index 3335d7c1..7c26af02 100644
--- a/everyrow-mcp/tests/test_result_store.py
+++ b/everyrow-mcp/tests/test_result_store.py
@@ -46,7 +46,7 @@ def sample_df() -> pd.DataFrame:
 def _http_state(fake_redis):
     """Configure settings for HTTP mode and patch Redis."""
     with (
-        override_settings(transport="streamable-http"),
+        override_settings(transport="streamable-http", upload_secret="test-secret"),
         patch.object(redis_store, "get_redis_client", return_value=fake_redis),
     ):
         yield
diff --git a/everyrow-mcp/tests/test_routes.py b/everyrow-mcp/tests/test_routes.py
index 95e0de13..2dd25723 100644
--- a/everyrow-mcp/tests/test_routes.py
+++ b/everyrow-mcp/tests/test_routes.py
@@ -15,8 +15,7 @@
 from everyrow.generated.models.task_status_response import TaskStatusResponse
 
 from everyrow_mcp import redis_store
-from everyrow_mcp.config import settings
-from everyrow_mcp.routes import api_progress
+from everyrow_mcp.routes import _cors_headers, api_progress
 
 # ── Helpers ────────────────────────────────────────────────────
 
@@ -84,7 +83,7 @@ async def test_options_returns_204(self):
         req = FakeRequest(method="OPTIONS", path_params={"task_id": "abc"})
         resp = await api_progress(req)  # pyright: ignore[reportArgumentType]
         assert resp.status_code == 204
-        assert resp.headers["Access-Control-Allow-Origin"] == settings.mcp_server_url
+        assert resp.headers["Access-Control-Allow-Origin"] == "*"
 
     @pytest.mark.asyncio
     async def test_invalid_poll_token_via_header_returns_403(self):
@@ -160,7 +159,7 @@ async def test_valid_progress_via_auth_header(self):
         assert body["running"] == 2
         assert "elapsed_s" in body
         assert "session_url" in body
-        assert resp.headers["Access-Control-Allow-Origin"] == settings.mcp_server_url
+        assert resp.headers["Access-Control-Allow-Origin"] == "*"
 
     @pytest.mark.asyncio
     async def test_backward_compat_query_param_for_download(self):
@@ -195,7 +194,7 @@ async def test_backward_compat_query_param_for_download(self):
         assert body["running"] == 2
         assert "elapsed_s" in body
         assert "session_url" in body
-        assert resp.headers["Access-Control-Allow-Origin"] == settings.mcp_server_url
+        assert resp.headers["Access-Control-Allow-Origin"] == "*"
 
     @pytest.mark.asyncio
     async def test_completed_task_pops_tokens(self):
@@ -248,3 +247,13 @@ async def test_api_error_returns_500(self):
         assert resp.status_code == 500
         body = json.loads(bytes(resp.body).decode())
         assert body["error"] == "Internal server error"
+
+
+class TestCorsHeaders:
+    """Tests for CORS headers on widget endpoints."""
+
+    def test_returns_wildcard_origin(self):
+        headers = _cors_headers()
+        assert headers["Access-Control-Allow-Origin"] == "*"
+        assert headers["Access-Control-Allow-Methods"] == "GET"
+        assert headers["Access-Control-Allow-Headers"] == "Authorization"
diff --git a/everyrow-mcp/tests/test_security_hardening.py b/everyrow-mcp/tests/test_security_hardening.py
new file mode 100644
index 00000000..98efd647
--- /dev/null
+++ b/everyrow-mcp/tests/test_security_hardening.py
@@ -0,0 +1,100 @@
+"""Tests for security hardening changes across config and redis_store."""
+
+from __future__ import annotations
+
+import pytest
+
+from everyrow_mcp.config import Settings
+from everyrow_mcp.redis_store import decrypt_value, encrypt_value
+from tests.conftest import override_settings
+
+
+class TestConfigHttpsValidation:
+    """H4 — HTTPS scheme required for non-localhost URLs."""
+
+    def test_https_url_accepted(self):
+        s = Settings(mcp_server_url="https://mcp.example.com")  # pyright: ignore[reportCallIssue]
+        assert s.mcp_server_url == "https://mcp.example.com"
+
+    def test_http_localhost_accepted(self):
+        s = Settings(mcp_server_url="http://localhost:8000")  # pyright: ignore[reportCallIssue]
+        assert s.mcp_server_url == "http://localhost:8000"
+
+    def test_http_127_accepted(self):
+        s = Settings(mcp_server_url="http://127.0.0.1:8000")  # pyright: ignore[reportCallIssue]
+        assert s.mcp_server_url == "http://127.0.0.1:8000"
+
+    def test_http_remote_rejected(self):
+        with pytest.raises(ValueError, match="must use https://"):
+            Settings(mcp_server_url="http://remote.example.com")  # pyright: ignore[reportCallIssue]
+
+    def test_http_supabase_url_rejected(self):
+        with pytest.raises(ValueError, match="must use https://"):
+            Settings(supabase_url="http://remote.supabase.co")  # pyright: ignore[reportCallIssue]
+
+    def test_trailing_slash_stripped(self):
+        s = Settings(mcp_server_url="https://mcp.example.com/")  # pyright: ignore[reportCallIssue]
+        assert s.mcp_server_url == "https://mcp.example.com"
+
+    def test_empty_url_accepted(self):
+        s = Settings(mcp_server_url="")  # pyright: ignore[reportCallIssue]
+        assert s.mcp_server_url == ""
+
+
+class TestRedisSslRequired:
+    """Remote Redis without SSL must fail in HTTP mode, warn in stdio."""
+
+    def test_remote_redis_no_ssl_fails_in_http(self):
+        with pytest.raises(ValueError, match="redis_ssl"):
+            Settings(
+                transport="streamable-http",
+                redis_host="redis.example.com",
+                redis_ssl=False,
+            )  # pyright: ignore[reportCallIssue]
+
+    def test_remote_redis_with_ssl_accepted(self):
+        s = Settings(
+            transport="streamable-http", redis_host="redis.example.com", redis_ssl=True
+        )  # pyright: ignore[reportCallIssue]
+        assert s.redis_ssl is True
+
+    def test_localhost_redis_no_ssl_accepted(self):
+        s = Settings(
+            transport="streamable-http", redis_host="localhost", redis_ssl=False
+        )  # pyright: ignore[reportCallIssue]
+        assert s.redis_ssl is False
+
+    def test_remote_redis_no_ssl_warns_in_stdio(self):
+        # Should not raise — only warns
+        s = Settings(transport="stdio", redis_host="redis.example.com", redis_ssl=False)  # pyright: ignore[reportCallIssue]
+        assert s.redis_ssl is False
+
+
+class TestEncryptionHttpGuard:
+    """H1 — encrypt/decrypt must not silently fall back in HTTP mode."""
+
+    def test_encrypt_raises_without_secret_in_http_mode(self):
+        with override_settings(transport="streamable-http", upload_secret=""):
+            with pytest.raises(RuntimeError, match="UPLOAD_SECRET must be set"):
+                encrypt_value("sensitive-data")
+
+    def test_decrypt_raises_without_secret_in_http_mode(self):
+        with override_settings(transport="streamable-http", upload_secret=""):
+            with pytest.raises(RuntimeError, match="UPLOAD_SECRET must be set"):
+                decrypt_value("some-data")
+
+    def test_encrypt_noop_in_stdio_mode(self):
+        with override_settings(transport="stdio", upload_secret=""):
+            assert encrypt_value("plaintext") == "plaintext"
+
+    def test_decrypt_noop_in_stdio_mode(self):
+        with override_settings(transport="stdio", upload_secret=""):
+            assert decrypt_value("plaintext") == "plaintext"
+
+    def test_encrypt_decrypt_roundtrip_with_secret(self):
+        with override_settings(
+            transport="streamable-http", upload_secret="test-secret-32chars"
+        ):
+            encrypted = encrypt_value("my-token")
+            assert encrypted != "my-token"
+            assert decrypt_value(encrypted) == "my-token"
diff --git a/everyrow-mcp/tests/test_server.py b/everyrow-mcp/tests/test_server.py
index 83f65dfc..ad7e4971 100644
--- a/everyrow-mcp/tests/test_server.py
+++ b/everyrow-mcp/tests/test_server.py
@@ -1217,7 +1217,9 @@ def test_upload_rejects_local_path_in_http_mode(self, tmp_path: Path):
         csv_file = tmp_path / "test.csv"
         csv_file.write_text("x,y\n1,2\n")
 
-        with override_settings(transport="streamable-http"):
+        with override_settings(
+            transport="streamable-http", upload_secret="test-secret"
+        ):
             with pytest.raises(
                 ValidationError, match="Local file paths are not supported"
             ):
@@ -1225,7 +1227,9 @@ def test_upload_rejects_local_path_in_http_mode(self, tmp_path: Path):
 
     def test_upload_accepts_url_in_http_mode(self):
         """Test that URLs are accepted in HTTP mode."""
-        with override_settings(transport="streamable-http"):
+        with override_settings(
+            transport="streamable-http", upload_secret="test-secret"
+        ):
             params = UploadDataInput(source="https://example.com/data.csv")
             assert params.source == "https://example.com/data.csv"
 
@@ -1420,7 +1424,7 @@ async def test_submit_http_returns_widget_and_text(self, fake_redis):
         fake_token.client_id = "test-user-123"
 
         with (
-            override_settings(transport="streamable-http"),
+            override_settings(transport="streamable-http", upload_secret="test-secret"),
             patch(
                 "everyrow_mcp.tools.agent_map_async", new_callable=AsyncMock
             ) as mock_op,
@@ -1482,7 +1486,7 @@ async def test_progress_http_returns_text_only(self):
         )
 
         with (
-            override_settings(transport="streamable-http"),
+            override_settings(transport="streamable-http", upload_secret="test-secret"),
             patch(
                 "everyrow_mcp.tools.get_task_status_tasks_task_id_status_get.asyncio",
                 new_callable=AsyncMock,
diff --git a/everyrow-mcp/tests/test_stdio_content.py b/everyrow-mcp/tests/test_stdio_content.py
index 526bd989..f9cada23 100644
--- a/everyrow-mcp/tests/test_stdio_content.py
+++ b/everyrow-mcp/tests/test_stdio_content.py
@@ -51,7 +51,7 @@
     SingleAgentInput,
     StdioResultsInput,
 )
-from everyrow_mcp.redis_store import Transport
+from everyrow_mcp.redis_store import Transport, _get_fernet
 from everyrow_mcp.tool_helpers import SessionContext
 from everyrow_mcp.tools import (
     everyrow_agent,
@@ -620,19 +620,24 @@ async def test_submit_http_has_widget_json(self, fake_redis):
         )
         fake_token = MagicMock()
         fake_token.client_id = "test-user-123"
-        with (
-            patches[0],
-            patches[1],
-            patch.object(settings, "transport", Transport.HTTP),
-            patch.object(redis_store, "get_redis_client", return_value=fake_redis),
-            patch(
-                "everyrow_mcp.tool_helpers.get_access_token",
-                return_value=fake_token,
-            ),
-        ):
-            result = await everyrow_agent(
-                AgentInput(task="Find HQ", data=[{"name": "TechStart"}]), ctx
-            )
+        _get_fernet.cache_clear()
+        try:
+            with (
+                patches[0],
+                patches[1],
+                patch.object(settings, "transport", Transport.HTTP),
+                patch.object(settings, "upload_secret", "test-secret"),
+                patch.object(redis_store, "get_redis_client", return_value=fake_redis),
+                patch(
+                    "everyrow_mcp.tool_helpers.get_access_token",
+                    return_value=fake_token,
+                ),
+            ):
+                result = await everyrow_agent(
+                    AgentInput(task="Find HQ", data=[{"name": "TechStart"}]), ctx
+                )
+        finally:
+            _get_fernet.cache_clear()
 
         assert len(result) == 2
         widget = json.loads(result[0].text)
diff --git a/everyrow-mcp/tests/test_uploads.py b/everyrow-mcp/tests/test_uploads.py
index b78d6641..5ecda6a2 100644
--- a/everyrow-mcp/tests/test_uploads.py
+++ b/everyrow-mcp/tests/test_uploads.py
@@ -9,6 +9,7 @@
 import pytest
 from pydantic import ValidationError
 
+from everyrow_mcp.redis_store import decrypt_value, encrypt_value
 from everyrow_mcp.uploads import (
     RequestUploadUrlInput,
     _validate_upload,
@@ -168,9 +169,10 @@ async def capture_store(upload_id, meta_json, ttl):  # noqa: ARG001
             params = RequestUploadUrlInput(filename="data.csv")
             await tool_fn(params, ctx)
 
-        assert stored_meta
-        meta = json.loads(stored_meta[0])
-        assert meta["api_token"] == "user-api-token-123"
+            # Decrypt inside the override context where the Fernet key is available
+            assert stored_meta
+            meta = json.loads(stored_meta[0])
+            assert decrypt_value(meta["api_token"]) == "user-api-token-123"
 
 
 class TestHandleUpload:
@@ -181,6 +183,22 @@ def _with_upload_secret(self):
         with override_settings(upload_secret="test-secret-for-hmac"):
             yield
 
+    @pytest.fixture(autouse=True)
+    def _mock_redis_client(self):
+        mock_pipe = MagicMock()
+        mock_pipe.incr = MagicMock()
+        mock_pipe.expire = MagicMock()
+        mock_pipe.execute = AsyncMock(return_value=[1, True])
+        mock_pipe.__aenter__ = AsyncMock(return_value=mock_pipe)
+        mock_pipe.__aexit__ = AsyncMock(return_value=False)
+        mock_client = AsyncMock()
+        mock_client.pipeline = MagicMock(return_value=mock_pipe)
+        with patch(
+            "everyrow_mcp.uploads.redis_store.get_redis_client",
+            return_value=mock_client,
+        ):
+            yield
+
     def _make_upload_request(
         self,
         upload_id: str,
@@ -271,7 +289,7 @@ async def test_error_messages_are_generic(self, fake_redis):  # noqa: ARG002
                 "upload_id": upload_id,
                 "filename": "data.csv",
                 "expires_at": expires_at,
-                "api_token": "user-tok",
+                "api_token": encrypt_value("user-tok"),
             }
         )
 
@@ -301,7 +319,7 @@ async def test_artifact_creation_error_is_generic(self, fake_redis):  # noqa: AR
                 "upload_id": upload_id,
                 "filename": "data.csv",
                 "expires_at": expires_at,
-                "api_token": "user-tok",
+                "api_token": encrypt_value("user-tok"),
             }
         )
 
@@ -325,3 +343,67 @@ async def test_artifact_creation_error_is_generic(self, fake_redis):  # noqa: AR
         body = json.loads(resp.body.decode())
         assert body["error"] == "Failed to create artifact. Please try again."
         assert "DB connection" not in body["error"]
+
+
+class TestContentTypeValidation:
+    """Tests for Content-Type validation on upload endpoint (M8)."""
+
+    @pytest.fixture(autouse=True)
+    def _with_upload_secret(self):
+        with override_settings(upload_secret="test-secret-for-hmac"):
+            yield
+
+    @pytest.fixture(autouse=True)
+    def _mock_redis_client(self):
+        mock_pipe = MagicMock()
+        mock_pipe.incr = MagicMock()
+        mock_pipe.expire = MagicMock()
+        mock_pipe.execute = AsyncMock(return_value=[1, True])
+        mock_pipe.__aenter__ = AsyncMock(return_value=mock_pipe)
+        mock_pipe.__aexit__ = AsyncMock(return_value=False)
+        mock_client = AsyncMock()
+        mock_client.pipeline = MagicMock(return_value=mock_pipe)
+        with patch(
+            "everyrow_mcp.uploads.redis_store.get_redis_client",
+            return_value=mock_client,
+        ):
+            yield
+
+    @pytest.mark.asyncio
+    async def test_wrong_content_type_returns_415(self):
+        """Reject uploads with unsupported Content-Type."""
+        upload_id = "test-upload-ct"
+        expires_at = int(time.time()) + 300
+        sig = sign_upload_url(upload_id, expires_at)
+        meta = json.dumps(
+            {
+                "upload_id": upload_id,
+                "filename": "data.csv",
+                "expires_at": expires_at,
+                "api_token": encrypt_value("user-tok"),
+            }
+        )
+
+        request = MagicMock()
+        request.path_params = {"upload_id": upload_id}
+        request.query_params = {"expires": str(expires_at), "sig": sig}
+        request.headers = {"content-type": "application/json"}
+        request.body = AsyncMock(return_value=b"a,b\n1,2\n")
+
+        with patch(
+            "everyrow_mcp.uploads.redis_store.pop_upload_meta",
+            new_callable=AsyncMock,
+            return_value=meta,
+        ):
+            resp = await handle_upload(request)
+
+        assert resp.status_code == 415
+        body = json.loads(resp.body.decode())
+        assert "Unsupported Content-Type" in body["error"]
+
+    @pytest.mark.asyncio
+    async def test_missing_content_type_is_accepted(self):
+        """Uploads without Content-Type header are accepted (existing tests verify this)."""
+        # Existing TestHandleUpload tests don't set Content-Type and pass,
+        # which implicitly tests that missing Content-Type is accepted.
+        pass

From 614f6f101c4b087dad038f080264af126836f89f Mon Sep 17 00:00:00 2001
From: Rafael Poyiadzi <rafael@futuresearch.ai>
Date: Tue, 24 Feb 2026 23:40:11 +0000
Subject: [PATCH 2/2] Fix upload URL consumed before rate-limit check

Peek upload metadata (non-destructive GET) during validation, then
atomically pop (GETDEL) only after content-type, token, and rate-limit
checks pass. This makes 429/415/403 responses retryable without burning
the one-time upload URL.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 everyrow-mcp/src/everyrow_mcp/redis_store.py |  5 ++
 everyrow-mcp/src/everyrow_mcp/uploads.py     | 10 ++-
 everyrow-mcp/tests/test_uploads.py           | 92 ++++++++++++++++++--
 3 files changed, 99 insertions(+), 8 deletions(-)

diff --git a/everyrow-mcp/src/everyrow_mcp/redis_store.py b/everyrow-mcp/src/everyrow_mcp/redis_store.py
index d4f11eda..3f2dc528 100644
--- a/everyrow-mcp/src/everyrow_mcp/redis_store.py
+++ b/everyrow-mcp/src/everyrow_mcp/redis_store.py
@@ -286,6 +286,11 @@ async def store_upload_meta(upload_id: str, meta_json: str, ttl: int) -> None:
     await get_redis_client().setex(build_key("upload", upload_id), ttl, meta_json)
 
 
+async def get_upload_meta(upload_id: str) -> str | None:
+    """Read upload metadata without consuming it."""
+    return await get_redis_client().get(build_key("upload", upload_id))
+
+
 async def pop_upload_meta(upload_id: str) -> str | None:
     """Atomically get and delete upload metadata (prevents replay)."""
     key = build_key("upload", upload_id)
diff --git a/everyrow-mcp/src/everyrow_mcp/uploads.py b/everyrow-mcp/src/everyrow_mcp/uploads.py
index ca84f5c5..d8de53ba 100644
--- a/everyrow-mcp/src/everyrow_mcp/uploads.py
+++ b/everyrow-mcp/src/everyrow_mcp/uploads.py
@@ -202,7 +202,7 @@ async def _validate_upload(  # noqa: PLR0911
             JSONResponse({"error": "Invalid or expired signature"}, status_code=403),
         )
 
-    meta_json = await redis_store.pop_upload_meta(upload_id)
+    meta_json = await redis_store.get_upload_meta(upload_id)
     if meta_json is None:
         return (
             None,
@@ -279,6 +279,14 @@ async def handle_upload(request: Request) -> JSONResponse:  # noqa: PLR0911
             status_code=429,
         )
 
+    # All checks passed — atomically consume the upload URL.
+    # If two requests race past the peek, only one wins the pop.
+    upload_id = request.path_params["upload_id"]
+    if await redis_store.pop_upload_meta(upload_id) is None:
+        return JSONResponse(
+            {"error": "Upload URL already used or expired"}, status_code=410
+        )
+
     try:
         df = pd.read_csv(BytesIO(body))  # type: ignore[arg-type]
     except Exception as exc:
diff --git a/everyrow-mcp/tests/test_uploads.py b/everyrow-mcp/tests/test_uploads.py
index 5ecda6a2..8fa338e4 100644
--- a/everyrow-mcp/tests/test_uploads.py
+++ b/everyrow-mcp/tests/test_uploads.py
@@ -233,7 +233,7 @@ async def test_missing_token_returns_403(self, fake_redis):  # noqa: ARG002
         )
 
         with patch(
-            "everyrow_mcp.uploads.redis_store.pop_upload_meta",
+            "everyrow_mcp.uploads.redis_store.get_upload_meta",
             new_callable=AsyncMock,
             return_value=meta_no_token,
         ):
@@ -263,7 +263,7 @@ async def test_content_length_too_large_returns_413(self, fake_redis):  # noqa:
         with (
             override_settings(max_upload_size_bytes=1000),
             patch(
-                "everyrow_mcp.uploads.redis_store.pop_upload_meta",
+                "everyrow_mcp.uploads.redis_store.get_upload_meta",
                 new_callable=AsyncMock,
                 return_value=meta,
             ),
@@ -293,10 +293,17 @@ async def test_error_messages_are_generic(self, fake_redis):  # noqa: ARG002
             }
         )
 
-        with patch(
-            "everyrow_mcp.uploads.redis_store.pop_upload_meta",
-            new_callable=AsyncMock,
-            return_value=meta,
+        with (
+            patch(
+                "everyrow_mcp.uploads.redis_store.get_upload_meta",
+                new_callable=AsyncMock,
+                return_value=meta,
+            ),
+            patch(
+                "everyrow_mcp.uploads.redis_store.pop_upload_meta",
+                new_callable=AsyncMock,
+                return_value=meta,
+            ),
         ):
             request = self._make_upload_request(
                 upload_id, b"not,valid\x00csv\xfe\xff", expires_at=expires_at
@@ -324,6 +331,11 @@ async def test_artifact_creation_error_is_generic(self, fake_redis):  # noqa: AR
         )
 
         with (
+            patch(
+                "everyrow_mcp.uploads.redis_store.get_upload_meta",
+                new_callable=AsyncMock,
+                return_value=meta,
+            ),
             patch(
                 "everyrow_mcp.uploads.redis_store.pop_upload_meta",
                 new_callable=AsyncMock,
@@ -391,7 +403,7 @@ async def test_wrong_content_type_returns_415(self):
         request.body = AsyncMock(return_value=b"a,b\n1,2\n")
 
         with patch(
-            "everyrow_mcp.uploads.redis_store.pop_upload_meta",
+            "everyrow_mcp.uploads.redis_store.get_upload_meta",
             new_callable=AsyncMock,
             return_value=meta,
         ):
@@ -407,3 +419,69 @@ async def test_missing_content_type_is_accepted(self):
         # Existing TestHandleUpload tests don't set Content-Type and pass,
         # which implicitly tests that missing Content-Type is accepted.
         pass
+
+
+class TestUploadRateLimitPreservesUrl:
+    """Verify that a 429 does NOT consume the upload URL."""
+
+    @pytest.fixture(autouse=True)
+    def _with_upload_secret(self):
+        with override_settings(upload_secret="test-secret-for-hmac"):
+            yield
+
+    @pytest.mark.asyncio
+    async def test_rate_limited_upload_does_not_consume_url(self):
+        """When rate-limited (429), the upload metadata is NOT consumed."""
+        upload_id = "rate-limit-test"
+        expires_at = int(time.time()) + 300
+        sig = sign_upload_url(upload_id, expires_at)
+        meta = json.dumps(
+            {
+                "upload_id": upload_id,
+                "filename": "data.csv",
+                "expires_at": expires_at,
+                "api_token": encrypt_value("user-tok"),
+            }
+        )
+
+        # Pipeline mock returns count > limit to trigger 429
+        mock_pipe = MagicMock()
+        mock_pipe.incr = MagicMock()
+        mock_pipe.expire = MagicMock()
+        mock_pipe.execute = AsyncMock(return_value=[999, True])
+        mock_pipe.__aenter__ = AsyncMock(return_value=mock_pipe)
+        mock_pipe.__aexit__ = AsyncMock(return_value=False)
+        mock_client = AsyncMock()
+        mock_client.pipeline = MagicMock(return_value=mock_pipe)
+
+        pop_mock = AsyncMock(return_value=meta)
+
+        request = MagicMock()
+        request.path_params = {"upload_id": upload_id}
+        request.query_params = {"expires": str(expires_at), "sig": sig}
+        request.headers = {}
+        request.body = AsyncMock(return_value=b"a,b\n1,2\n")
+
+        with (
+            override_settings(upload_rate_limit=5),
+            patch(
+                "everyrow_mcp.uploads.redis_store.get_upload_meta",
+                new_callable=AsyncMock,
+                return_value=meta,
+            ),
+            patch(
+                "everyrow_mcp.uploads.redis_store.pop_upload_meta",
+                pop_mock,
+            ),
+            patch(
+                "everyrow_mcp.uploads.redis_store.get_redis_client",
+                return_value=mock_client,
+            ),
+        ):
+            resp = await handle_upload(request)
+
+        assert resp.status_code == 429
+        body = json.loads(resp.body.decode())
+        assert "rate limit" in body["error"].lower()
+        # pop_upload_meta must NOT have been called
+        pop_mock.assert_not_called()