feat: harden gateway with policy engine, secure tools, and governance docs

2026-02-14 16:05:56 +01:00
parent e17d34e6d7
commit 5969892af3
55 changed files with 4711 additions and 1587 deletions
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
  aegis-mcp:
    build:
@@ -7,53 +5,27 @@ services:
      dockerfile: docker/Dockerfile
    container_name: aegis-gitea-mcp
    restart: unless-stopped
-    
+    env_file:
+      - ../.env
    environment:
-      # Gitea configuration (REQUIRED)
-      GITEA_URL: ${GITEA_URL}
-      GITEA_TOKEN: ${GITEA_TOKEN}
-      
-      # MCP server configuration
-      MCP_HOST: ${MCP_HOST:-0.0.0.0}
-      MCP_PORT: ${MCP_PORT:-8080}
-      
-      # Logging configuration
-      LOG_LEVEL: ${LOG_LEVEL:-INFO}
-      AUDIT_LOG_PATH: ${AUDIT_LOG_PATH:-/var/log/aegis-mcp/audit.log}
-      
-      # Security configuration
-      MAX_FILE_SIZE_BYTES: ${MAX_FILE_SIZE_BYTES:-1048576}
-      REQUEST_TIMEOUT_SECONDS: ${REQUEST_TIMEOUT_SECONDS:-30}
-      RATE_LIMIT_PER_MINUTE: ${RATE_LIMIT_PER_MINUTE:-60}
-    
+      ENVIRONMENT: production
+      MCP_HOST: ${MCP_HOST:-127.0.0.1}
+      ALLOW_INSECURE_BIND: ${ALLOW_INSECURE_BIND:-false}
    ports:
-      - "${MCP_PORT:-8080}:8080"
-    
+      - "127.0.0.1:${MCP_PORT:-8080}:8080"
    volumes:
-      # Persist audit logs
      - aegis-mcp-logs:/var/log/aegis-mcp
-      # Optional: mount config file
-      # - ./.env:/app/.env:ro
-    
-    networks:
-      - aegis-network
-    
-    # Security options
+      - ../policy.yaml:/app/policy.yaml:ro
+    read_only: true
+    tmpfs:
+      - /tmp
    security_opt:
      - no-new-privileges:true
-    
-    # Resource limits
-    deploy:
-      resources:
-        limits:
-          cpus: '1.0'
-          memory: 512M
-        reservations:
-          cpus: '0.25'
-          memory: 128M
-    
+    cap_drop:
+      - ALL
+    user: "1000:1000"
    healthcheck:
-      test: ["CMD", "python", "-c", "import httpx; httpx.get('http://localhost:8080/health')"]
+      test: ["CMD", "python", "-c", "import httpx; httpx.get('http://127.0.0.1:8080/health', timeout=5)"]
      interval: 30s
      timeout: 10s
      retries: 3
@@ -62,7 +34,3 @@ services:
 volumes:
  aegis-mcp-logs:
    driver: local
-
-networks:
-  aegis-network:
-    driver: bridge