# Deployment

## Secure Defaults

- Default bind: `MCP_HOST=127.0.0.1`.
- Binding `0.0.0.0` requires explicit `ALLOW_INSECURE_BIND=true`.
- Write mode disabled by default.
- Policy file path configurable via `POLICY_FILE_PATH`.

## Local Development

```bash
make install-dev
cp .env.example .env
make generate-key
make run
```

## Docker

- Use `docker/Dockerfile` (non-root runtime).
- Use compose profiles:
  - `prod`: hardened runtime profile.
  - `dev`: local development profile (localhost-only port bind).

Run examples:

```bash
docker compose --profile prod up -d
docker compose --profile dev up -d
```

## Environment Validation

Startup validates:
- Required Gitea settings.
- API keys (when auth enabled).
- Insecure bind opt-in.
- Write whitelist when write mode enabled (unless `WRITE_ALLOW_ALL_TOKEN_REPOS=true`).

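The bind and write rules above can also be checked against an env file before it is deployed. The following is an added example, not the project's own startup validation. It generalizes the `0.0.0.0` rule to any non-loopback address and reports `WRITE_ALLOW_ALL_TOKEN_REPOS=true` for operator review. Assumptions: `WRITE_MODE` and `WRITE_REPOSITORY_WHITELIST` are hypothetical variable names, and the accepted boolean spellings are a guess.

```python
import ipaddress

TRUTHY = {"1", "true", "yes", "on"}  # assumed boolean spellings

def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments, strip optional quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env

def flag(env, key):
    return env.get(key, "").lower() in TRUTHY

def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unresolved hostname: treat as exposed

def check(env):
    """Return findings; an empty list means these checks pass."""
    findings = []
    host = env.get("MCP_HOST", "127.0.0.1")  # default documented on this page
    if not is_loopback(host) and not flag(env, "ALLOW_INSECURE_BIND"):
        findings.append(f"MCP_HOST={host} is not loopback and ALLOW_INSECURE_BIND is not true")
    # WRITE_MODE and WRITE_REPOSITORY_WHITELIST are assumed names, not taken from the page.
    if flag(env, "WRITE_MODE"):
        if flag(env, "WRITE_ALLOW_ALL_TOKEN_REPOS"):
            findings.append("write mode covers every repository the token can reach")
        elif not env.get("WRITE_REPOSITORY_WHITELIST", "").strip():
            findings.append("write mode is enabled with an empty whitelist")
    return findings

# Constructed sample input, not a real deployment file.
SAMPLE = """\
MCP_HOST=0.0.0.0
WRITE_MODE=true
WRITE_ALLOW_ALL_TOKEN_REPOS=false
"""

if __name__ == "__main__":
    for finding in check(parse_env(SAMPLE)):
        print("FINDING:", finding)
```
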
## Production Recommendations

- Run behind a TLS-terminating reverse proxy.
- Restrict network exposure.
- Persist and rotate audit logs.
- Enable external monitoring for `/metrics`.