latte
fa30153c0d
Expand workflow triggers to push/pull_request on main and dev and to PR reviews. Run lint/test only for non-review events or when a review is approved. Add a docker-test job that smoke-tests the built image. Add a docker-publish job that resolves SHA and stable tags (latest/dev), builds the releasable image, and optionally pushes when PUSH_IMAGE=true. Update docs/deployment.md
52 lines
1.4 KiB
Markdown
52 lines
1.4 KiB
Markdown
# Deployment
|
|
|
|
## Secure Defaults
|
|
|
|
- Default bind is `127.0.0.1`.
|
|
- Binding `0.0.0.0` requires `ALLOW_INSECURE_BIND=true`.
|
|
- Write mode disabled by default.
|
|
- Policy checks run before tool execution.
|
|
- OAuth-protected MCP challenge responses are enabled by default for tool calls.
|
|
|
|
## Local Development
|
|
|
|
```bash
|
|
make install-dev
|
|
cp .env.example .env
|
|
make run
|
|
```
|
|
|
|
## Docker
|
|
|
|
Use `docker/Dockerfile`:
|
|
|
|
- Multi-stage image build.
|
|
- Non-root runtime user.
|
|
- Production env flags (`NODE_ENV=production`, `ENVIRONMENT=production`).
|
|
- Only required app files copied.
|
|
- Healthcheck on `/health`.
|
|
|
|
Run examples:
|
|
|
|
```bash
|
|
docker compose --profile prod up -d
|
|
docker compose --profile dev up -d
|
|
```
|
|
|
|
## CI/CD (Gitea Workflows)
|
|
|
|
Workflows live in `.gitea/workflows/`:
|
|
|
|
- `lint.yml`: ruff + format checks + mypy.
|
|
- `test.yml`: lint + tests + coverage fail-under `80`.
|
|
- `docker.yml`: lint + test + docker smoke-test gating; image publish on push to `main`/`dev` and on approved PR review targeting `main`/`dev`; tags include commit SHA plus `latest` (`main`) or `dev` (`dev`).
|
|
|
|
## Production Recommendations
|
|
|
|
- Place MCP behind TLS reverse proxy.
|
|
- Set `PUBLIC_BASE_URL=https://<your-mcp-domain>` so OAuth metadata advertises HTTPS endpoints.
|
|
- Restrict inbound traffic to expected clients.
|
|
- Persist and monitor audit logs.
|
|
- Monitor `/metrics` and auth-failure events.
|
|
- Rotate OAuth client credentials when required.
|