latte
59e1ea53a8
Introduce a GiteaOAuthValidator for JWT and userinfo validation and fallbacks, add /oauth/token proxy, and thread per-user tokens through the request context and automation paths. Update config and .env.example for OAuth-first mode, add OpenAPI, extensive unit/integration tests, GitHub/Gitea CI workflows, docs, and lint/test enforcement (>=80% cov).
1.2 KiB
1.2 KiB
Deployment
Secure Defaults
- Default bind is
127.0.0.1. - Binding
0.0.0.0requiresALLOW_INSECURE_BIND=true. - Write mode disabled by default.
- Policy checks run before tool execution.
- OAuth-protected MCP challenge responses are enabled by default for tool calls.
Local Development
make install-dev
cp .env.example .env
make run
Docker
Use docker/Dockerfile:
- Multi-stage image build.
- Non-root runtime user.
- Production env flags (
NODE_ENV=production,ENVIRONMENT=production). - Only required app files copied.
- Healthcheck on
/health.
Run examples:
docker compose --profile prod up -d
docker compose --profile dev up -d
CI/CD (Gitea Workflows)
Workflows live in .gitea/workflows/:
lint.yml: ruff + format checks + mypy.test.yml: lint + tests + coverage fail-under80.docker.yml: gated Docker build (depends on lint+test), SHA tag,latestonmain.
Production Recommendations
- Place MCP behind TLS reverse proxy.
- Restrict inbound traffic to expected clients.
- Persist and monitor audit logs.
- Monitor
/metricsand auth-failure events. - Rotate OAuth client credentials when required.