Hiddenden/AegisGitea-MCP
3
0
Fork 0
Code Issues 2 Pull Requests Actions Packages Projects Releases 1 Wiki Activity
Page: Deployment
Pages
API Reference Architecture Audit Automation Configuration Deployment Getting Started Governance Hardening Home Observability Policy Raw API Roadmap Security Troubleshooting Write Mode
Clone
1
Deployment
Latte edited this page 2026-06-26 12:58:15 +02:00
Table of Contents

Deployment

Secure Defaults

  • Default bind is 127.0.0.1.
  • Binding 0.0.0.0 requires ALLOW_INSECURE_BIND=true.
  • Write mode disabled by default.
  • Policy checks run before tool execution.
  • OAuth-protected MCP challenge responses are enabled by default for tool calls.

Local Development

make install-dev
cp .env.example .env
make run

Docker

Use docker/Dockerfile:

  • Multi-stage image build.
  • Non-root runtime user.
  • Production env flags (NODE_ENV=production, ENVIRONMENT=production).
  • Only required app files copied.
  • Healthcheck on /health.

Run examples:

docker compose --profile prod up -d
docker compose --profile dev up -d

CI/CD (Gitea Workflows)

Workflows live in .gitea/workflows/:

  • lint.yml: ruff + format checks + mypy.
  • test.yml: lint + tests + coverage fail-under 80.
  • docker.yml: lint + test + docker smoke-test gating; image publish on push to main/dev and on approved PR review targeting main/dev; tags include commit SHA plus latest (main) or dev (dev).

Docker publish settings:

  • vars.PUSH_IMAGE=true enables registry push.
  • vars.REGISTRY_IMAGE sets the target image name (for example registry.example.com/org/aegis-gitea-mcp).
  • vars.REGISTRY_HOST is optional and overrides the login host detection.
  • secrets.REGISTRY_USER and secrets.REGISTRY_TOKEN are required when push is enabled.

Production Recommendations

  • Place MCP behind TLS reverse proxy.
  • Set PUBLIC_BASE_URL=https://<your-mcp-domain> so OAuth metadata advertises HTTPS endpoints.
  • Restrict inbound traffic to expected clients.
  • Persist and monitor audit logs.
  • Monitor /metrics and auth-failure events.
  • Rotate OAuth client credentials when required.

AegisGitea-MCP

Start

Operating

Internals

Security

Reference

Generated from the docs/ directory. Edit the docs, not the wiki, then re-run the wiki sync.