Hiddenden/AegisGitea-MCP

Files

latte c0357ceb69

lint / lint (push) Failing after 2m15s

Details

test / test (push) Failing after 11s

Details

Add configurable registry push to Docker workflow

2026-02-27 15:50:12 +01:00

1.7 KiB

Raw Blame History

Deployment

Secure Defaults

Default bind is 127.0.0.1.
Binding 0.0.0.0 requires ALLOW_INSECURE_BIND=true.
Write mode disabled by default.
Policy checks run before tool execution.
OAuth-protected MCP challenge responses are enabled by default for tool calls.

Local Development

make install-dev
cp .env.example .env
make run

Docker

Use docker/Dockerfile:

Multi-stage image build.
Non-root runtime user.
Production env flags (NODE_ENV=production, ENVIRONMENT=production).
Only required app files copied.
Healthcheck on /health.

Run examples:

docker compose --profile prod up -d
docker compose --profile dev up -d

CI/CD (Gitea Workflows)

Workflows live in .gitea/workflows/:

lint.yml: ruff + format checks + mypy.
test.yml: lint + tests + coverage fail-under 80.
docker.yml: lint + test + docker smoke-test gating; image publish on push to main/dev and on approved PR review targeting main/dev; tags include commit SHA plus latest (main) or dev (dev).

Docker publish settings:

vars.PUSH_IMAGE=true enables registry push.
vars.REGISTRY_IMAGE sets the target image name (for example registry.example.com/org/aegis-gitea-mcp).
vars.REGISTRY_HOST is optional and overrides the login host detection.
secrets.REGISTRY_USER and secrets.REGISTRY_TOKEN are required when push is enabled.

Production Recommendations

Place MCP behind TLS reverse proxy.
Set PUBLIC_BASE_URL=https://<your-mcp-domain> so OAuth metadata advertises HTTPS endpoints.
Restrict inbound traffic to expected clients.
Persist and monitor audit logs.
Monitor /metrics and auth-failure events.
Rotate OAuth client credentials when required.