Hiddenden/AegisGitea-MCP
3
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c79cc1ab9e5373650231d3b352a4638dcbad6f32
AegisGitea-MCP/docs/deployment.md
latte c79cc1ab9e
Some checks failed
docker / lint (push) Has been cancelled
Details
docker / test (push) Has been cancelled
Details
docker / docker-build (push) Has been cancelled
Details
lint / lint (push) Has been cancelled
Details
test / test (push) Has been cancelled
Details
Add PUBLIC_BASE_URL and refine OAuth scopes
2026-02-25 20:49:08 +01:00

1.3 KiB
Raw Blame History

Deployment

Secure Defaults

  • Default bind is 127.0.0.1.
  • Binding 0.0.0.0 requires ALLOW_INSECURE_BIND=true.
  • Write mode disabled by default.
  • Policy checks run before tool execution.
  • OAuth-protected MCP challenge responses are enabled by default for tool calls.

Local Development

make install-dev
cp .env.example .env
make run

Docker

Use docker/Dockerfile:

  • Multi-stage image build.
  • Non-root runtime user.
  • Production env flags (NODE_ENV=production, ENVIRONMENT=production).
  • Only required app files copied.
  • Healthcheck on /health.

Run examples:

docker compose --profile prod up -d
docker compose --profile dev up -d

CI/CD (Gitea Workflows)

Workflows live in .gitea/workflows/:

  • lint.yml: ruff + format checks + mypy.
  • test.yml: lint + tests + coverage fail-under 80.
  • docker.yml: gated Docker build (depends on lint+test), SHA tag, latest on main.

Production Recommendations

  • Place MCP behind TLS reverse proxy.
  • Set PUBLIC_BASE_URL=https://<your-mcp-domain> so OAuth metadata advertises HTTPS endpoints.
  • Restrict inbound traffic to expected clients.
  • Persist and monitor audit logs.
  • Monitor /metrics and auth-failure events.
  • Rotate OAuth client credentials when required.
Reference in New Issue View Git Blame Copy Permalink