feat(minecraft): disable debug servers by default (#1193)

Author: shinohara-rin

services/minecraft/.env

@@ -28,3 +28,18 @@ BOT_PORT=''
 # #
 # BOT_AUTH='microsoft'
 BOT_VERSION=''
+
+# ==============================================================================
+# Debug and Development Tools
+# ==============================================================================
+# SECURITY NOTICE:
+# The MCP Server, Debug Server, and Prismarine Viewer endpoints are completely
+# unauthenticated. Enabling these exposes your bot's internal state and
+# capabilities to anyone who can reach the ports. This can lead to Remote
+# Code Execution (RCE) and full compromise of the bot if exposed to the internet
+# or untrusted local networks. Only enable these if you know what you are doing
+# and ensure they are not externally accessible.
+# ==============================================================================
+ENABLE_MCP_SERVER=false
+ENABLE_DEBUG_SERVER=false
+ENABLE_MINECRAFT_VIEWER=false

services/minecraft/src/cognitive/index.ts

@@ -1,6 +1,7 @@
 import type { MineflayerPlugin } from '../libs/mineflayer'
 import type { CognitiveEngineOptions, MineflayerWithAgents } from './types'
 
+import { config } from '../composables/config'
 import { DebugService } from '../debug'
 import { McpReplServer } from '../debug/mcp-repl-server'
 import { ChatMessageHandler } from '../libs/mineflayer'
@@ -25,8 +26,11 @@ export function CognitiveEngine(options: CognitiveEngineOptions): MineflayerPlug
       const reflexManager = container.resolve('reflexManager')
       const taskExecutor = container.resolve('taskExecutor')
       const debugService = DebugService.getInstance()
-      mcpReplServer = new McpReplServer(brain)
-      mcpReplServer.start()
+
+      if (config.debug.mcp) {
+        mcpReplServer = new McpReplServer(brain)
+        mcpReplServer.start()
+      }
 
       debugService.onCommand('request_repl_state', () => {
         debugService.emit('debug:repl_state', brain.getReplState())
@@ -81,11 +85,8 @@ export function CognitiveEngine(options: CognitiveEngineOptions): MineflayerPlug
         // Initialize perception pipeline (raw events + detectors)
         perceptionPipeline.init(botWithAgents)
 
-        let tickCount = 0
         bot.onTick('tick', () => {
-          tickCount++
-          if (tickCount % 5 !== 0)
-            return
+          // Empty listener
         })
 
         // Resolve EventBus for message handling

services/minecraft/src/composables/config.ts

@@ -39,6 +39,11 @@ export const configSchema = z.object({
     model: requiredString('OPENAI_MODEL'),
     reasoningModel: requiredString('OPENAI_REASONING_MODEL'),
   }),
+  debug: z.object({
+    mcp: z.boolean().default(false),
+    server: z.boolean().default(false),
+    viewer: z.boolean().default(false),
+  }),
   bot: z.object({
     username: requiredString('BOT_USERNAME'),
     host: requiredString('BOT_HOSTNAME'),
@@ -86,6 +91,11 @@ const defaultConfig: Omit<Config, 'openai'> = {
     wsBaseUrl: 'ws://localhost:6121/ws',
     clientName: 'minecraft-bot',
   },
+  debug: {
+    mcp: false,
+    server: false,
+    viewer: false,
+  },
 }
 
 // Create a singleton config instance
@@ -103,6 +113,11 @@ export function initEnv(): void {
       model: env.OPENAI_MODEL,
       reasoningModel: env.OPENAI_REASONING_MODEL,
     },
+    debug: {
+      mcp: env.ENABLE_MCP_SERVER === 'true',
+      server: env.ENABLE_DEBUG_SERVER === 'true',
+      viewer: env.ENABLE_MINECRAFT_VIEWER === 'true',
+    },
     bot: {
       username: env.BOT_USERNAME || defaultConfig.bot.username,
       host: env.BOT_HOSTNAME || defaultConfig.bot.host,
@@ -127,6 +142,7 @@ export function initEnv(): void {
   config.openai = parsedConfig.data.openai
   config.bot = parsedConfig.data.bot
   config.airi = parsedConfig.data.airi
+  config.debug = parsedConfig.data.debug
 
   logger.withFields({ config }).log('Environment variables initialized')
 }

services/minecraft/src/main.ts

@@ -23,8 +23,26 @@ async function main() {
   initLogger() // todo: save logs to file
   initEnv()
 
+  if (config.debug.server || config.debug.viewer || config.debug.mcp) {
+    useLogger().warn(
+      [
+        '==============================================================================',
+        'SECURITY NOTICE:',
+        'The MCP Server, Debug Server, and/or Prismarine Viewer endpoints are currently',
+        'enabled. These endpoints are completely unauthenticated. Enabling these exposes',
+        'your bot\'s internal state and capabilities to anyone who can reach the ports.',
+        'This can lead to Remote Code Execution (RCE) and full compromise of the bot',
+        'if exposed to the internet or untrusted local networks. Ensure they are not',
+        'externally accessible.',
+        '==============================================================================',
+      ].join('\n'),
+    )
+  }
+
   // Start debug server
-  DebugService.getInstance().start()
+  if (config.debug.server) {
+    DebugService.getInstance().start()
+  }
 
   const { bot } = await initBot({
     botConfig: config.bot,
@@ -42,7 +60,9 @@ async function main() {
     },
   })
 
-  setupMineflayerViewer(bot, { port: 3007, firstPerson: true })
+  if (config.debug.viewer) {
+    setupMineflayerViewer(bot, { port: 3007, firstPerson: true })
+  }
 
   // Connect airi server
   const airiClient = new Client({