# Deployment

## Secure Defaults

- Default bind: `MCP_HOST=127.0.0.1`.
- Binding `0.0.0.0` requires explicit `ALLOW_INSECURE_BIND=true`.
- Write mode disabled by default.
- Policy file path configurable via `POLICY_FILE_PATH`.

## Local Development

```bash
make install-dev
cp .env.example .env
make generate-key
make run
```

## Docker

- Use `docker/Dockerfile` (non-root runtime).
- Use compose profiles:
  - `prod`: hardened runtime profile.
  - `dev`: local development profile (localhost-only port bind).

Run examples:

```bash
docker compose --profile prod up -d
docker compose --profile dev up -d
```

## Environment Validation

Startup validates:

- Required Gitea settings.
- API keys (when auth enabled).
- Insecure bind opt-in.
- Write whitelist when write mode enabled (unless `WRITE_ALLOW_ALL_TOKEN_REPOS=true`).

## Production Recommendations

- Run behind TLS-terminating reverse proxy.
- Restrict network exposure.
- Persist and rotate audit logs.
- Enable external monitoring for `/metrics`.
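
The four checks listed under Environment Validation can be run as a preflight over a `.env` mapping before starting the service. This is an added sketch, not the project's own code. `MCP_HOST`, `ALLOW_INSECURE_BIND` and `WRITE_ALLOW_ALL_TOKEN_REPOS` come from this page; `GITEA_URL`, `GITEA_TOKEN`, `AUTH_ENABLED` (assumed to default to on), `MCP_API_KEYS`, `WRITE_MODE` and `WRITE_REPOSITORY_WHITELIST` are hypothetical names, and the bind check is generalized from `0.0.0.0` to any non-loopback address.

```python
import ipaddress

TRUTHY = {"1", "true", "yes", "on"}

def flag(env, name, default="false"):
    """Parse a boolean-style environment value."""
    return env.get(name, default).strip().lower() in TRUTHY

def is_loopback(host):
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unresolved hostnames are treated as exposed

def validate_env(env):
    """Return a list of startup errors; an empty list means the config passes."""
    errors = []
    # Required Gitea settings (variable names are assumptions).
    for name in ("GITEA_URL", "GITEA_TOKEN"):
        if not env.get(name, "").strip():
            errors.append(f"{name} is required")
    # API keys are required only when auth is enabled (names are assumptions).
    if flag(env, "AUTH_ENABLED", "true") and not env.get("MCP_API_KEYS", "").strip():
        errors.append("MCP_API_KEYS is required when auth is enabled")
    # A non-loopback bind needs the explicit opt-in named on the page.
    host = env.get("MCP_HOST", "127.0.0.1").strip()
    if not is_loopback(host) and not flag(env, "ALLOW_INSECURE_BIND"):
        errors.append(f"MCP_HOST={host} requires ALLOW_INSECURE_BIND=true")
    # Write mode is off by default; when on, require a whitelist or the override.
    if flag(env, "WRITE_MODE"):
        repos = [r for r in env.get("WRITE_REPOSITORY_WHITELIST", "").split(",") if r.strip()]
        if not repos and not flag(env, "WRITE_ALLOW_ALL_TOKEN_REPOS"):
            errors.append("write mode needs WRITE_REPOSITORY_WHITELIST or WRITE_ALLOW_ALL_TOKEN_REPOS=true")
    return errors

# Constructed sample: exposed bind and write mode enabled, neither with its opt-in.
SAMPLE = {
    "GITEA_URL": "https://gitea.example.internal",
    "GITEA_TOKEN": "constructed-token",
    "MCP_API_KEYS": "constructed-key",
    "MCP_HOST": "0.0.0.0",
    "WRITE_MODE": "true",
}

if __name__ == "__main__":
    for problem in validate_env(SAMPLE):
        print("config error:", problem)
```

Failing closed on every error, rather than logging and continuing, keeps a mistyped `.env` from silently starting an exposed or write-enabled instance.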