From 0c86f07893f8d660b25f43ed575606d53cf0a84b Mon Sep 17 00:00:00 2001 From: "cmeans-claude-dev[bot]" <3223881+cmeans-claude-dev[bot]@users.noreply.github.com> Date: Tue, 31 Mar 2026 07:48:54 -0500 Subject: [PATCH 1/2] feat: add OAuth staging docker-compose and env template Adds an isolated Docker Compose stack for testing OAuth/WorkOS AuthKit on a separate port (8421) without affecting production. Includes env template and gitignore for secrets. Co-Authored-By: Claude Opus 4.6 (1M context) --- .env.oauth.example | 28 ++++++++ .gitignore | 1 + CHANGELOG.md | 4 ++ docker-compose.oauth.yaml | 140 ++++++++++++++++++++++++++++++++++++++ 4 files changed, 173 insertions(+) create mode 100644 .env.oauth.example create mode 100644 docker-compose.oauth.yaml diff --git a/.env.oauth.example b/.env.oauth.example new file mode 100644 index 0000000..297a7c8 --- /dev/null +++ b/.env.oauth.example @@ -0,0 +1,28 @@ +# OAuth staging environment — copy to .env.oauth and fill in values +# Launch: docker compose -f docker-compose.oauth.yaml --env-file .env.oauth up -d + +# --- WorkOS AuthKit --- +AWARENESS_OAUTH_ISSUER=https://thoughtful-saga-02-staging.authkit.app +AWARENESS_OAUTH_AUDIENCE= +# AWARENESS_OAUTH_JWKS_URI= # defaults to /.well-known/jwks.json + +# --- JWT (for self-signed tokens via mcp-awareness-token CLI) --- +AWARENESS_JWT_SECRET= +# Generate with: mcp-awareness-secret + +# --- Postgres --- +POSTGRES_PASSWORD= + +# --- Cloudflare tunnel --- +CLOUDFLARED_STAGING_CONFIG=~/.cloudflared/staging-config.yml +CLOUDFLARED_STAGING_CREDS=~/.cloudflared/.json + +# --- Secret path (optional, for WAF) --- +# AWARENESS_MOUNT_PATH=/your-secret-path + +# --- Default owner (for stdio/unauthenticated, usually not needed with auth) --- +# AWARENESS_DEFAULT_OWNER= + +# --- Embeddings (optional) --- +# AWARENESS_EMBEDDING_PROVIDER=ollama +# Launch with: docker compose -f docker-compose.oauth.yaml --env-file .env.oauth --profile embeddings up -d diff --git a/.gitignore b/.gitignore index d04c2fd..3401615 100644 --- a/.gitignore +++ b/.gitignore @@ -146,6 +146,7 @@ celerybeat.pid # Environments .env +.env.oauth .envrc .venv env/ diff --git a/CHANGELOG.md b/CHANGELOG.md index 785862a..dc77b39 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Added +- **OAuth staging compose**: `docker-compose.oauth.yaml` for isolated OAuth/WorkOS AuthKit testing with separate Postgres, Cloudflare tunnel, and optional Ollama — runs on port 8421 alongside production +- **OAuth env template**: `.env.oauth.example` with all required/optional variables for staging deployment + ### Fixed - **JSON content rejected by Pydantic validation**: `remember` and `update_entry` now accept `dict` and `list` content in addition to `str` — fixes `string_type` validation error when MCP transport auto-parses JSON strings before they reach the handler (#130) diff --git a/docker-compose.oauth.yaml b/docker-compose.oauth.yaml new file mode 100644 index 0000000..c886e47 --- /dev/null +++ b/docker-compose.oauth.yaml @@ -0,0 +1,140 @@ +# OAuth staging deployment — isolated stack for testing WorkOS AuthKit +# Uses separate containers, volumes, and ports from production. +# +# Setup: +# 1. Create a Cloudflare named tunnel for staging: +# cloudflared tunnel create awareness-staging +# 2. Add DNS route: +# cloudflared tunnel route dns awareness-staging staging.mcpawareness.com +# 3. Create config at ~/.cloudflared/staging-config.yml: +# tunnel: +# credentials-file: /etc/cloudflared/credentials.json +# ingress: +# - hostname: staging.mcpawareness.com +# service: http://awareness-oauth:8421 +# - service: http_status:404 +# 4. Copy .env.oauth.example to .env.oauth and fill in WorkOS values +# 5. Launch: docker compose -f docker-compose.oauth.yaml --env-file .env.oauth up -d +# +# Tear down: docker compose -f docker-compose.oauth.yaml down -v +name: mcp-awareness-oauth + +services: + awareness-oauth: + #image: ghcr.io/cmeans/mcp-awareness:latest + build: . + pull_policy: always + container_name: awareness-oauth + restart: unless-stopped + ports: + - "127.0.0.1:8421:8421" + environment: + - AWARENESS_HOST=0.0.0.0 + - AWARENESS_PORT=8421 + - AWARENESS_TRANSPORT=streamable-http + - AWARENESS_DATABASE_URL=postgresql://awareness:${POSTGRES_PASSWORD:-awareness-oauth}@postgres-oauth:5432/awareness + - AWARENESS_MOUNT_PATH=${AWARENESS_MOUNT_PATH:-} + - AWARENESS_AUTH_REQUIRED=true + - AWARENESS_JWT_SECRET=${AWARENESS_JWT_SECRET:-} + - AWARENESS_JWT_ALGORITHM=${AWARENESS_JWT_ALGORITHM:-HS256} + - AWARENESS_OAUTH_ISSUER=${AWARENESS_OAUTH_ISSUER:?Set AWARENESS_OAUTH_ISSUER to your WorkOS AuthKit domain} + - AWARENESS_OAUTH_AUDIENCE=${AWARENESS_OAUTH_AUDIENCE:-} + - AWARENESS_OAUTH_JWKS_URI=${AWARENESS_OAUTH_JWKS_URI:-} + - AWARENESS_OAUTH_USER_CLAIM=${AWARENESS_OAUTH_USER_CLAIM:-sub} + - AWARENESS_OAUTH_AUTO_PROVISION=true + - AWARENESS_PUBLIC_URL=https://staging.mcpawareness.com + - AWARENESS_DEFAULT_OWNER=${AWARENESS_DEFAULT_OWNER:-} + - AWARENESS_EMBEDDING_PROVIDER=${AWARENESS_EMBEDDING_PROVIDER:-} + - AWARENESS_EMBEDDING_MODEL=${AWARENESS_EMBEDDING_MODEL:-nomic-embed-text} + - AWARENESS_OLLAMA_URL=${AWARENESS_OLLAMA_URL:-http://ollama-oauth:11434} + depends_on: + postgres-oauth: + condition: service_healthy + deploy: + resources: + limits: + cpus: '0.1' + memory: 64M + healthcheck: + test: ["CMD", "python", "-c", "import socket; s = socket.create_connection(('localhost', 8421), timeout=2); s.close()"] + interval: 10s + timeout: 10s + retries: 3 + start_period: 15s + + tunnel-oauth: + image: cloudflare/cloudflared:latest + container_name: awareness-tunnel-oauth + restart: unless-stopped + command: tunnel --no-autoupdate run + volumes: + - ${CLOUDFLARED_STAGING_CONFIG:-~/.cloudflared/staging-config.yml}:/etc/cloudflared/config.yml:ro + - ${CLOUDFLARED_STAGING_CREDS:?Set CLOUDFLARED_STAGING_CREDS to your staging tunnel credentials file}:/etc/cloudflared/credentials.json:ro + depends_on: + awareness-oauth: + condition: service_healthy + deploy: + resources: + limits: + cpus: '0.05' + memory: 64M + + postgres-oauth: + image: pgvector/pgvector:pg17 + container_name: awareness-postgres-oauth + restart: unless-stopped + environment: + POSTGRES_DB: awareness + POSTGRES_USER: awareness + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-awareness-oauth} + volumes: + - ${AWARENESS_OAUTH_PG_DATA:-~/awareness-oauth-pg}:/var/lib/postgresql/data + command: + - postgres + - -c + - wal_level=logical + - -c + - max_replication_slots=4 + - -c + - shared_preload_libraries=pg_stat_statements + deploy: + resources: + limits: + cpus: '0.5' + memory: 256M + healthcheck: + test: ["CMD-SHELL", "pg_isready -U awareness"] + interval: 10s + timeout: 5s + retries: 5 + start_period: 10s + + # Ollama for staging — shares model cache with production to avoid re-download + ollama-oauth: + image: ollama/ollama:latest + container_name: awareness-ollama-oauth + restart: unless-stopped + entrypoint: ["/bin/sh", "-c"] + command: + - | + ollama serve & + until ollama list > /dev/null 2>&1; do sleep 1; done + ollama pull ${AWARENESS_EMBEDDING_MODEL:-nomic-embed-text} + wait + environment: + - AWARENESS_EMBEDDING_MODEL=${AWARENESS_EMBEDDING_MODEL:-nomic-embed-text} + volumes: + - ${AWARENESS_OLLAMA_DATA:-~/awareness-ollama}:/root/.ollama + deploy: + resources: + limits: + cpus: '1.0' + memory: 2G + healthcheck: + test: ["CMD-SHELL", "ollama list | grep -q ${AWARENESS_EMBEDDING_MODEL:-nomic-embed-text}"] + interval: 30s + timeout: 10s + retries: 10 + start_period: 60s + profiles: + - embeddings From 04abe4015f6767f347956e9f41b3248b4e1a3817 Mon Sep 17 00:00:00 2001 From: "cmeans-claude-dev[bot]" <3223881+cmeans-claude-dev[bot]@users.noreply.github.com> Date: Tue, 31 Mar 2026 08:32:49 -0500 Subject: [PATCH 2/2] fix: address QA review findings for OAuth staging compose MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1. Remove pull_policy: always — contradicts build: . (SUBSTANTIVE #1) 2. Default Ollama volume to ~/awareness-ollama-oauth to avoid concurrent access with production (SUBSTANTIVE #2) 3. Parameterize AWARENESS_PUBLIC_URL with env var (OBSERVATION #3) 4. Replace real WorkOS domain with placeholder in template (NIT #4) Co-Authored-By: Claude Opus 4.6 (1M context) --- .env.oauth.example | 2 +- docker-compose.oauth.yaml | 8 +++----- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.env.oauth.example b/.env.oauth.example index 297a7c8..b8909a6 100644 --- a/.env.oauth.example +++ b/.env.oauth.example @@ -2,7 +2,7 @@ # Launch: docker compose -f docker-compose.oauth.yaml --env-file .env.oauth up -d # --- WorkOS AuthKit --- -AWARENESS_OAUTH_ISSUER=https://thoughtful-saga-02-staging.authkit.app +AWARENESS_OAUTH_ISSUER=https://your-app.authkit.app AWARENESS_OAUTH_AUDIENCE= # AWARENESS_OAUTH_JWKS_URI= # defaults to /.well-known/jwks.json diff --git a/docker-compose.oauth.yaml b/docker-compose.oauth.yaml index c886e47..efde00c 100644 --- a/docker-compose.oauth.yaml +++ b/docker-compose.oauth.yaml @@ -21,9 +21,7 @@ name: mcp-awareness-oauth services: awareness-oauth: - #image: ghcr.io/cmeans/mcp-awareness:latest build: . - pull_policy: always container_name: awareness-oauth restart: unless-stopped ports: @@ -42,7 +40,7 @@ services: - AWARENESS_OAUTH_JWKS_URI=${AWARENESS_OAUTH_JWKS_URI:-} - AWARENESS_OAUTH_USER_CLAIM=${AWARENESS_OAUTH_USER_CLAIM:-sub} - AWARENESS_OAUTH_AUTO_PROVISION=true - - AWARENESS_PUBLIC_URL=https://staging.mcpawareness.com + - AWARENESS_PUBLIC_URL=${AWARENESS_PUBLIC_URL:-https://staging.mcpawareness.com} - AWARENESS_DEFAULT_OWNER=${AWARENESS_DEFAULT_OWNER:-} - AWARENESS_EMBEDDING_PROVIDER=${AWARENESS_EMBEDDING_PROVIDER:-} - AWARENESS_EMBEDDING_MODEL=${AWARENESS_EMBEDDING_MODEL:-nomic-embed-text} @@ -109,7 +107,7 @@ services: retries: 5 start_period: 10s - # Ollama for staging — shares model cache with production to avoid re-download + # Ollama for staging — separate volume from production to avoid concurrent access ollama-oauth: image: ollama/ollama:latest container_name: awareness-ollama-oauth @@ -124,7 +122,7 @@ services: environment: - AWARENESS_EMBEDDING_MODEL=${AWARENESS_EMBEDDING_MODEL:-nomic-embed-text} volumes: - - ${AWARENESS_OLLAMA_DATA:-~/awareness-ollama}:/root/.ollama + - ${AWARENESS_OLLAMA_DATA:-~/awareness-ollama-oauth}:/root/.ollama deploy: resources: limits: