e78733d55e
The MCP's port 8000 isn't exposed outside the private mcp-servers_mcp
Docker network, so only the MetaMCP gateway can ever reach it. MetaMCP
itself enforces auth at the gateway → MCP-client edge (bearer token in
its UI), which is the right layer for it. In-container Basic/Bearer was
defense-in-depth that turned out to be friction-in-depth.
Removed:
- ag_bids_mcp/auth.py (HTTP Basic middleware)
- tests/test_auth.py (3 tests covering the middleware)
- AG_BIDS_MCP_USER / AG_BIDS_MCP_PASS env vars from .env.example, README,
docker-compose.snippet.yml, and deploy/README.md
Server.py simplified — direct `mcp.run(transport=...)` like zerto-docs-mcp,
no Starlette wrapping. 21 tests passing.
Live on 192.168.0.2: container recreated, real MCP initialize handshake
returns 200 + capability metadata over the mcp-servers_mcp network with
no auth header.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
17 lines
555 B
Bash
# --- MCP transport ---
# stdio for local Claude Desktop dev, streamable-http for the deployed container.
MCP_TRANSPORT=streamable-http
MCP_HOST=0.0.0.0
MCP_PORT=8000

# --- Upstream: ag-monitor (where the data actually lives) ---
# Reuse the same key ag-monitor already issues for /api/brief/* — both clients
# are internal-trusted, so a separate key is unnecessary friction.
AG_BIDS_API_URL=https://agbids.paul.farm
AG_BIDS_API_KEY=
AG_BIDS_API_TIMEOUT_SECS=20

# --- Per-tool-call usage logging ---
USAGE_LOG_DIR=/app/var/logs
USAGE_LOG_KEEP_DAYS=90
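
The commit message above rests the removal of in-container auth on port 8000 being reachable only over the mcp-servers_mcp network. One way to check that against `docker inspect` output, as an added example that is not part of this repository; the container name ag-bids-mcp and both sample documents are constructed for illustration.

```python
import json


def isolation_findings(inspect_json, port="8000/tcp", network="mcp-servers_mcp"):
    """Return findings for `docker inspect` JSON; an empty list means isolated."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        host_cfg = c.get("HostConfig") or {}
        net = c.get("NetworkSettings") or {}
        # Host networking bypasses Docker network isolation entirely.
        if host_cfg.get("NetworkMode") == "host":
            findings.append(f"{name}: uses host networking")
        # Ports maps "8000/tcp" to null when the port is only exposed,
        # or to a list of host bindings when it is published.
        for b in (net.get("Ports") or {}).get(port) or []:
            ip = b.get("HostIp") or "0.0.0.0"
            findings.append(f"{name}: {port} published on {ip}:{b.get('HostPort')}")
        attached = set(net.get("Networks") or {})
        if network not in attached:
            findings.append(f"{name}: not attached to {network}")
        # Any second network is another path to the unauthenticated port.
        for extra in sorted(attached - {network}):
            findings.append(f"{name}: also attached to {extra}")
    return findings


# Constructed sample: port exposed but not published, one private network.
ISOLATED = json.dumps([{
    "Name": "/ag-bids-mcp",  # hypothetical container name
    "HostConfig": {"NetworkMode": "mcp-servers_mcp"},
    "NetworkSettings": {"Ports": {"8000/tcp": None},
                        "Networks": {"mcp-servers_mcp": {}}},
}])

# Constructed sample: same container after a `ports:` mapping and a second
# network were added, which would void the assumption in the commit message.
PUBLISHED = json.dumps([{
    "Name": "/ag-bids-mcp",
    "HostConfig": {"NetworkMode": "mcp-servers_mcp"},
    "NetworkSettings": {
        "Ports": {"8000/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8000"}]},
        "Networks": {"mcp-servers_mcp": {}, "bridge": {}}},
}])

if __name__ == "__main__":
    for label, sample in (("isolated", ISOLATED), ("published", PUBLISHED)):
        print(label, isolation_findings(sample) or "no findings")
```

Against a live host, the input would be the output of `docker inspect <container>`; a non-empty result means the port is reachable by something other than the gateway network.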