# Deployment

## Secure Defaults

- Default bind is `127.0.0.1` (loopback only).
- Binding `0.0.0.0` exposes the server on every interface and requires the explicit opt-in `ALLOW_INSECURE_BIND=true`; only do this behind the TLS reverse proxy described under Production Recommendations.
- Write mode is disabled by default.
- Policy checks run before tool execution.
- OAuth-protected MCP challenge responses are enabled by default for tool calls.

## Local Development

```bash
make install-dev
cp .env.example .env
make run
```

## Docker

Use `docker/Dockerfile`:

- Multi-stage image build.
- Non-root runtime user.
- Production env flags (`NODE_ENV=production`, `ENVIRONMENT=production`).
- Only required app files copied.
- Healthcheck on `/health`.

Run examples:

```bash
docker compose --profile prod up -d
docker compose --profile dev up -d
```

## CI/CD (Gitea Workflows)

Workflows live in `.gitea/workflows/`:

- `lint.yml`: ruff + format checks + mypy.
- `test.yml`: lint + tests + coverage fail-under `80`.
- `docker.yml`: gated Docker build (depends on lint+test), SHA tag, `latest` on `main`.

## Production Recommendations

- Place MCP behind a TLS reverse proxy.
- Restrict inbound traffic to expected clients.
- Persist and monitor audit logs.
- Monitor `/metrics` and auth-failure events.
- Rotate OAuth client credentials when required.
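The Secure Defaults section above states the guarantees (loopback bind, explicit opt-in for `0.0.0.0`, write mode off, policy check before every tool call) but not how a deployment can verify them before the process starts listening. The following is an added example written for this page, not code from the project: a Python start-up preflight that reads the settings from the environment, refuses the bind unless the opt-in is present, and gates tool execution on a policy table. Only `ALLOW_INSECURE_BIND` is named on the page; the variables `MCP_BIND_HOST` and `MCP_WRITE_MODE`, the tool names and the policy rules are assumptions made for illustration. It also generalizes the page's rule slightly: any non-loopback address, not just `0.0.0.0`, requires the opt-in, and the opt-in must be the literal string `true`.

```python
"""Added example (not the project's own code): start-up preflight enforcing the
Secure Defaults. MCP_BIND_HOST, MCP_WRITE_MODE, the tool names and the policy
table are assumptions for illustration; only ALLOW_INSECURE_BIND is from the page."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Mapping


class InsecureBindError(RuntimeError):
    """Raised when a non-loopback bind is requested without the explicit opt-in."""


def _truthy(value: str | None) -> bool:
    # Accept only the literal "true"; "1", "yes" etc. are rejected so a stray
    # value cannot silently enable the insecure path.
    return (value or "").strip().lower() == "true"


@dataclass(frozen=True)
class ServerSettings:
    bind_host: str = "127.0.0.1"      # secure default: loopback only
    write_mode: bool = False          # secure default: read-only tools
    allow_insecure_bind: bool = False

    @classmethod
    def from_env(cls, env: Mapping[str, str]) -> "ServerSettings":
        """Build settings from an environment mapping (os.environ in practice)."""
        return cls(
            bind_host=env.get("MCP_BIND_HOST", "127.0.0.1").strip(),
            write_mode=_truthy(env.get("MCP_WRITE_MODE")),
            allow_insecure_bind=_truthy(env.get("ALLOW_INSECURE_BIND")),
        )

    def validate(self) -> None:
        """Refuse any non-loopback bind unless ALLOW_INSECURE_BIND=true."""
        try:
            addr = ipaddress.ip_address(self.bind_host)
        except ValueError as exc:
            raise InsecureBindError(f"bind host is not an IP literal: {self.bind_host!r}") from exc
        # 0.0.0.0 / :: and any other non-loopback address expose the server
        # beyond the host, so both need the opt-in (and a TLS proxy in front).
        if not addr.is_loopback and not self.allow_insecure_bind:
            raise InsecureBindError(
                f"refusing to bind {self.bind_host}: set ALLOW_INSECURE_BIND=true"
            )


# Policy table (illustrative): a tool runs only if its rule returns True for the
# current settings. Unknown tools are denied by default; write tools need write mode.
PolicyRule = Callable[[ServerSettings], bool]
DEFAULT_POLICY: dict[str, PolicyRule] = {
    "read_file": lambda s: True,
    "write_file": lambda s: s.write_mode,
}


@dataclass
class ToolRunner:
    settings: ServerSettings
    policy: Mapping[str, PolicyRule] = field(default_factory=lambda: DEFAULT_POLICY)
    audit: list[str] = field(default_factory=list)

    def call(self, tool: str, handler: Callable[[], str]) -> str:
        """Run `handler` only after the policy check passes; record every decision."""
        rule = self.policy.get(tool)
        allowed = rule is not None and rule(self.settings)
        self.audit.append(f"tool={tool} decision={'allow' if allowed else 'deny'}")
        if not allowed:
            raise PermissionError(f"policy denied tool {tool!r}")
        return handler()


def check_deployment(env: Mapping[str, str]) -> dict[str, object]:
    """Summarize what a given environment would permit (bind + per-tool decisions)."""
    settings = ServerSettings.from_env(env)
    try:
        settings.validate()
        bind_ok = True
    except InsecureBindError:
        bind_ok = False
    runner = ToolRunner(settings)
    decisions: dict[str, str] = {}
    for tool in ("read_file", "write_file", "delete_repo"):  # delete_repo: not in policy
        try:
            runner.call(tool, lambda: "ok")
            decisions[tool] = "allow"
        except PermissionError:
            decisions[tool] = "deny"
    return {"bind_host": settings.bind_host, "bind_ok": bind_ok,
            "tools": decisions, "audit": runner.audit}


if __name__ == "__main__":
    # Constructed environments: the defaults, a refused wildcard bind, and an
    # opted-in wildcard bind with write mode on.
    for env in ({}, {"MCP_BIND_HOST": "0.0.0.0"},
                {"MCP_BIND_HOST": "0.0.0.0", "ALLOW_INSECURE_BIND": "true",
                 "MCP_WRITE_MODE": "true"}):
        print(check_deployment(env))
```

Wire `ServerSettings.from_env(os.environ).validate()` in before the socket is bound so a misconfigured container fails fast instead of listening on all interfaces; the audit list stands in for the persistent audit log the Production Recommendations ask you to monitor.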