e78733d55e
The MCP's port 8000 isn't exposed outside the private mcp-servers_mcp
Docker network, so only the MetaMCP gateway can ever reach it. MetaMCP
itself enforces auth at the gateway → MCP-client edge (bearer token in
its UI), which is the right layer for it. In-container Basic/Bearer was
defense-in-depth that turned out to be friction-in-depth.
Removed:
- ag_bids_mcp/auth.py (HTTP Basic middleware)
- tests/test_auth.py (3 tests covering the middleware)
- AG_BIDS_MCP_USER / AG_BIDS_MCP_PASS env vars from .env.example, README,
docker-compose.snippet.yml, and deploy/README.md
Server.py simplified — direct `mcp.run(transport=...)` like zerto-docs-mcp,
no Starlette wrapping. 21 tests passing.
Live on 192.168.0.2: container recreated, real MCP initialize handshake
returns 200 + capability metadata over the mcp-servers_mcp network with
no auth header.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
46 lines
1.8 KiB
YAML
46 lines
1.8 KiB
YAML
# Standalone docker-compose for ag-bids-mcp.
|
|
#
|
|
# This file is the ENTIRE compose project — it does NOT belong inside the
|
|
# MetaMCP compose. Put it in /home/justin/ag-bids-mcp/ on the MetaMCP host
|
|
# (192.168.0.2) alongside a .env file with ONE secret:
|
|
# AG_BIDS_API_KEY — copy from ag-monitor's .env (BRIEF_API_KEY) on .0.126
|
|
#
|
|
# No in-container auth is needed because port 8000 is never exposed outside
|
|
# the private `mcp-servers_mcp` Docker network — the only client that can
|
|
# reach it is the MetaMCP gateway, which handles auth at the user-facing
|
|
# edge. Joins the EXISTING `mcp-servers_mcp` network (created by the
|
|
# MetaMCP compose project at /home/justin/mcp-servers/) as external so
|
|
# MetaMCP can reach this container by DNS name `ag-bids-mcp`.
|
|
|
|
services:
|
|
ag-bids-mcp:
|
|
container_name: ag-bids-mcp
|
|
image: git.jpaul.io/justin/ag-bids-mcp:latest
|
|
pull_policy: always
|
|
restart: unless-stopped
|
|
env_file: .env
|
|
environment:
|
|
MCP_TRANSPORT: streamable-http
|
|
MCP_HOST: 0.0.0.0
|
|
MCP_PORT: "8000"
|
|
# Behind a Docker DNS name, FastMCP's localhost-only rebinding-protection
|
|
# would 421 every call from MetaMCP. Disable it; the mcp network is private.
|
|
MCP_DISABLE_DNS_REBINDING_PROTECTION: "1"
|
|
USAGE_LOG_DIR: /app/var/logs
|
|
USAGE_LOG_KEEP_DAYS: "90"
|
|
volumes:
|
|
# Survive container recreates (Watchtower rolls this every ~5 min).
|
|
- ./ag-bids-mcp-logs:/app/var/logs
|
|
networks: [mcp]
|
|
labels:
|
|
# Watchtower (on the same daemon) auto-pulls new images for any container
|
|
# with this label set to "true".
|
|
com.centurylinklabs.watchtower.enable: "true"
|
|
|
|
networks:
|
|
mcp:
|
|
external: true
|
|
# Confirmed on 192.168.0.2 — joined by metamcp, metamcp-pg, zerto-docs-mcp,
|
|
# jina-rerank. Created by the compose project rooted at ~/mcp-servers/.
|
|
name: mcp-servers_mcp
|