latte
fa30153c0d
Expand workflow triggers to push/pull_request on main and dev and to PR reviews. Run lint/test only for non-review events or when a review is approved. Add a docker-test job that smoke-tests the built image. Add a docker-publish job that resolves SHA and stable tags (latest/dev), builds the releasable image, and optionally pushes when PUSH_IMAGE=true. Update docs/deployment.md
1.4 KiB
1.4 KiB
Deployment
Secure Defaults
- Default bind is
127.0.0.1. - Binding
0.0.0.0requiresALLOW_INSECURE_BIND=true. - Write mode disabled by default.
- Policy checks run before tool execution.
- OAuth-protected MCP challenge responses are enabled by default for tool calls.
Local Development
make install-dev
cp .env.example .env
make run
Docker
Use docker/Dockerfile:
- Multi-stage image build.
- Non-root runtime user.
- Production env flags (
NODE_ENV=production,ENVIRONMENT=production). - Only required app files copied.
- Healthcheck on
/health.
Run examples:
docker compose --profile prod up -d
docker compose --profile dev up -d
CI/CD (Gitea Workflows)
Workflows live in .gitea/workflows/:
lint.yml: ruff + format checks + mypy.test.yml: lint + tests + coverage fail-under80.docker.yml: lint + test + docker smoke-test gating; image publish on push tomain/devand on approved PR review targetingmain/dev; tags include commit SHA pluslatest(main) ordev(dev).
Production Recommendations
- Place MCP behind TLS reverse proxy.
- Set
PUBLIC_BASE_URL=https://<your-mcp-domain>so OAuth metadata advertises HTTPS endpoints. - Restrict inbound traffic to expected clients.
- Persist and monitor audit logs.
- Monitor
/metricsand auth-failure events. - Rotate OAuth client credentials when required.