From 639f65602d80ae706ee20f49e80d798311d6b33d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E5=85=AC=E6=98=8E?=
 <83812544+Ed1s0nZ@users.noreply.github.com>
Date: Mon, 9 Mar 2026 22:36:22 +0800
Subject: [PATCH] Add files via upload

---
 README.md    | 44 +++++++++++++++++++++++++++++---------------
 README_CN.md | 44 +++++++++++++++++++++++++++++---------------
 2 files changed, 58 insertions(+), 30 deletions(-)

diff --git a/README.md b/README.md
index 692f7148..e7908439 100644
--- a/README.md
+++ b/README.md
@@ -262,21 +262,33 @@ go build -o cyberstrike-ai cmd/server/main.go
    ```
    Replace the paths with your local locations; Cursor will launch the stdio server automatically.
 
-#### MCP HTTP quick start
-1. Ensure `config.yaml` has `mcp.enabled: true` and adjust `mcp.host` / `mcp.port` if you need a non-default binding (localhost:8081 works well for local Cursor usage).
-2. Start the main service (`./run.sh` or `go run cmd/server/main.go`); the MCP endpoint lives at `http://<host>:<port>/mcp`.
-3. In Cursor, choose **Add Custom MCP → HTTP** and set `Base URL` to `http://127.0.0.1:8081/mcp`.
-4. Prefer committing the setup via `.cursor/mcp.json` so teammates can reuse it:
-   ```json
-   {
-     "mcpServers": {
-       "cyberstrike-ai-http": {
-         "transport": "http",
-         "url": "http://127.0.0.1:8081/mcp"
-       }
-     }
-   }
-   ```
+#### MCP HTTP quick start (Cursor / Claude Code)
+The HTTP MCP server runs on a separate port (default `8081`) and supports **header-based authentication** so only clients that send the correct header can call tools.
+
+1. **Enable MCP in config** – In `config.yaml` set `mcp.enabled: true` and optionally `mcp.host` / `mcp.port`. For auth (recommended if the port is reachable from the network), set:
+   - `mcp.auth_header` – header name (e.g. `X-MCP-Token`);
+   - `mcp.auth_header_value` – secret value. **Leave it empty** if you want the server to **auto-generate** a random token on first start and write it back to the config.
+2. **Start the service** – Run `./run.sh` or `go run cmd/server/main.go`. The MCP endpoint is `http://<host>:<port>/mcp` (e.g. `http://localhost:8081/mcp`).
+3. **Copy the JSON from the terminal** – When MCP is enabled, the server prints a **ready-to-paste** JSON block. If `auth_header_value` was empty, it will have been generated and saved; the printed JSON includes the URL and headers.
+4. **Use in Cursor or Claude Code**:
+   - **Cursor**: Paste the block into `~/.cursor/mcp.json` (or your project’s `.cursor/mcp.json`) under `mcpServers`, or merge it into your existing `mcpServers`.
+   - **Claude Code**: Paste into `.mcp.json` or `~/.claude.json` under `mcpServers`.
+
+Example of what the terminal prints (with auth enabled):
+```json
+{
+  "mcpServers": {
+    "cyberstrike-ai": {
+      "url": "http://localhost:8081/mcp",
+      "headers": {
+        "X-MCP-Token": "<auto-generated-or-your-value>"
+      },
+      "type": "http"
+    }
+  }
+}
+```
+If you do not set `auth_header` / `auth_header_value`, the endpoint accepts requests without authentication (suitable only for localhost or trusted networks).
 
 #### External MCP federation (HTTP/stdio/SSE)
 CyberStrikeAI supports connecting to external MCP servers via three transport modes:
@@ -396,6 +408,8 @@ mcp:
   enabled: true
   host: "0.0.0.0"
   port: 8081
+  auth_header: "X-MCP-Token"       # optional; leave empty for no auth
+  auth_header_value: ""            # optional; leave empty to auto-generate on first start
 openai:
   api_key: "sk-xxx"
   base_url: "https://api.deepseek.com/v1"
diff --git a/README_CN.md b/README_CN.md
index 5d3d46bf..223baae5 100644
--- a/README_CN.md
+++ b/README_CN.md
@@ -260,21 +260,33 @@ go build -o cyberstrike-ai cmd/server/main.go
    ```
    将路径替换成你本地的实际地址，Cursor 会自动启动 stdio 版本的 MCP。
 
-#### MCP HTTP 快速集成
-1. 确认 `config.yaml` 中 `mcp.enabled: true`，按照需要调整 `mcp.host` / `mcp.port`（本地建议 `127.0.0.1:8081`）。
-2. 启动主服务（`./run.sh` 或 `go run cmd/server/main.go`），MCP 端点默认暴露在 `http://<host>:<port>/mcp`。
-3. 在 Cursor 内 `Add Custom MCP → HTTP`，将 `Base URL` 设置为 `http://127.0.0.1:8081/mcp`。
-4. 也可以在项目根目录创建 `.cursor/mcp.json` 以便团队共享：
-   ```json
-   {
-     "mcpServers": {
-       "cyberstrike-ai-http": {
-         "transport": "http",
-         "url": "http://127.0.0.1:8081/mcp"
-       }
-     }
-   }
-   ```
+#### MCP HTTP 快速集成（Cursor / Claude Code）
+HTTP MCP 服务在独立端口（默认 `8081`）运行，支持 **Header 鉴权**：仅携带正确 header 的客户端可调用工具。
+
+1. **在配置中启用 MCP** – 在 `config.yaml` 中设置 `mcp.enabled: true`，并按需设置 `mcp.host` / `mcp.port`。若需鉴权（端口对外暴露时建议开启），可设置：
+   - `mcp.auth_header`：鉴权用的 header 名（如 `X-MCP-Token`）；
+   - `mcp.auth_header_value`：鉴权密钥。**留空**时，首次启动会自动生成随机密钥并写回配置文件。
+2. **启动服务** – 执行 `./run.sh` 或 `go run cmd/server/main.go`。MCP 端点为 `http://<host>:<port>/mcp`（例如 `http://localhost:8081/mcp`）。
+3. **从终端复制 JSON** – 启用 MCP 后，启动时会在终端打印一段 **可直接复制的 JSON**。若 `auth_header_value` 留空，会自动生成并写入配置，打印内容中会包含 URL 与 headers。
+4. **在 Cursor 或 Claude Code 中使用**：
+   - **Cursor**：将整段 JSON 粘贴到 `~/.cursor/mcp.json` 或项目下的 `.cursor/mcp.json` 的 `mcpServers` 中（或合并进现有 `mcpServers`）。
+   - **Claude Code**：粘贴到 `.mcp.json` 或 `~/.claude.json` 的 `mcpServers` 中。
+
+终端打印示例（开启鉴权时）：
+```json
+{
+  "mcpServers": {
+    "cyberstrike-ai": {
+      "url": "http://localhost:8081/mcp",
+      "headers": {
+        "X-MCP-Token": "<自动生成或你配置的值>"
+      },
+      "type": "http"
+    }
+  }
+}
+```
+若不配置 `auth_header` / `auth_header_value`，则端点不鉴权（仅适合本机或可信网络）。
 
 #### 外部 MCP 联邦（HTTP/stdio/SSE）
 CyberStrikeAI 支持通过三种传输模式连接外部 MCP 服务器：
@@ -395,6 +407,8 @@ mcp:
   enabled: true
   host: "0.0.0.0"
   port: 8081
+  auth_header: "X-MCP-Token"       # 可选；留空则不鉴权
+  auth_header_value: ""            # 可选；留空则首次启动自动生成并写回
 openai:
   api_key: "sk-xxx"
   base_url: "https://api.deepseek.com/v1"