From 367a9c58e579363c61b8393ed0e2ae2d14c87cb8 Mon Sep 17 00:00:00 2001
From: Ryan Malloy <ryan@supported.systems>
Date: Tue, 20 Jan 2026 19:00:26 -0700
Subject: [PATCH] Fix local file access default for stdio transport

Local files now allowed by default when MCP_TRANSPORT=stdio (or unset).
Only blocked by default for streamable-http transport.
---
 src/mcwaddams/utils/caching.py | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/src/mcwaddams/utils/caching.py b/src/mcwaddams/utils/caching.py
index daa339f..7ce869c 100644
--- a/src/mcwaddams/utils/caching.py
+++ b/src/mcwaddams/utils/caching.py
@@ -14,8 +14,20 @@ from .validation import OfficeFileError
 
 
 # Environment variable to control local file access
-# Default to False (secure) - set to "true" for local stdio transport
-MCP_ALLOW_LOCAL_FILES = os.environ.get("MCP_ALLOW_LOCAL_FILES", "false").lower() == "true"
+# Default depends on transport mode:
+#   - stdio (local): allow local files by default
+#   - streamable-http (remote): block local files by default
+def _get_allow_local_files() -> bool:
+    """Determine if local file access is allowed based on transport mode."""
+    explicit = os.environ.get("MCP_ALLOW_LOCAL_FILES")
+    if explicit is not None:
+        return explicit.lower() == "true"
+
+    # If not explicitly set, default based on transport mode
+    transport = os.environ.get("MCP_TRANSPORT", "stdio").lower()
+    return transport == "stdio"
+
+MCP_ALLOW_LOCAL_FILES = _get_allow_local_files()
 
 
 class OfficeFileCache: