Merge branch 'main' into migration/resize-url-slug-columns

Author: nmveeresh

.env.example

@@ -52,13 +52,13 @@ DATABASE_URL=sqlite:///./mcp.db
 # Database Connection Pool Configuration
 # Maximum number of persistent connections (default: 200, optimized for SQLite)
 DB_POOL_SIZE=200
-# Additional connections beyond pool_size (default: 10, reduced for SQLite)
+# Additional connections beyond pool_size (default: 10, reduced to 5 for SQLite)
 DB_MAX_OVERFLOW=5
-# Seconds to wait for connection before timeout (increased for reliability)
+# Seconds to wait for connection before timeout (default: 30, increased to 60 for reliability)
 DB_POOL_TIMEOUT=60
 # Seconds before recreating connection (default: 3600)
 DB_POOL_RECYCLE=3600
-# Maximum database retry attempts (default: 3, increased for stability)
+# Maximum database retry attempts (default: 3, increased to 5 for stability)
 DB_MAX_RETRIES=5
 # Retry interval in milliseconds (default: 2000)
 DB_RETRY_INTERVAL_MS=2000
@@ -215,47 +215,47 @@ OAUTH_DEFAULT_TIMEOUT=3600
 # Enable Dynamic Client Registration (RFC 7591)
 # When enabled, MCP Gateway can automatically register as an OAuth client with Authorization Servers
 # that support DCR, eliminating the need for manual client credential configuration.
-MCPGATEWAY_DCR_ENABLED=true
+DCR_ENABLED=true
 
 # Auto-register when gateway has issuer but no client_id
 # When true, gateway automatically registers with the Authorization Server when configured
 # with an issuer URL but no client credentials.
-MCPGATEWAY_DCR_AUTO_REGISTER_ON_MISSING_CREDENTIALS=true
+DCR_AUTO_REGISTER_ON_MISSING_CREDENTIALS=true
 
 # Default scopes to request during DCR
-# Comma-separated list of OAuth scopes to request when auto-registering
-MCPGATEWAY_DCR_DEFAULT_SCOPES=mcp:read
+# JSON array of OAuth scopes to request when auto-registering
+DCR_DEFAULT_SCOPES=["mcp:read"]
 
 # Optional allowlist of issuer URLs for DCR (empty = allow any)
-# Comma-separated list of trusted Authorization Server issuer URLs
-# Example: https://auth.example.com,https://auth2.example.com
-# Leave empty to allow DCR with any issuer (not recommended for production)
-MCPGATEWAY_DCR_ALLOWED_ISSUERS=
+# JSON array of trusted Authorization Server issuer URLs
+# Example: ["https://auth.example.com", "https://auth2.example.com"]
+# Empty array [] allows DCR with any issuer (not recommended for production)
+DCR_ALLOWED_ISSUERS=[]
 
 # Token endpoint authentication method for DCR
 # Options: client_secret_basic (default), client_secret_post, none
 # - client_secret_basic: Send credentials via HTTP Basic Auth header
 # - client_secret_post: Send credentials in POST body
 # - none: Public client (no client secret, PKCE-only)
-MCPGATEWAY_DCR_TOKEN_ENDPOINT_AUTH_METHOD=client_secret_basic
+DCR_TOKEN_ENDPOINT_AUTH_METHOD=client_secret_basic
 
 # AS metadata cache TTL in seconds (RFC 8414 discovery)
 # How long to cache Authorization Server metadata after discovery
-MCPGATEWAY_DCR_METADATA_CACHE_TTL=3600
+DCR_METADATA_CACHE_TTL=3600
 
 # Template for client_name in DCR requests
 # {gateway_name} will be replaced with the actual gateway name
-MCPGATEWAY_DCR_CLIENT_NAME_TEMPLATE=MCP Gateway ({gateway_name})
+DCR_CLIENT_NAME_TEMPLATE=MCP Gateway ({gateway_name})
 
 # Enable OAuth AS metadata discovery (RFC 8414)
 # When enabled, gateway automatically discovers Authorization Server endpoints
 # from the issuer URL using well-known metadata endpoints
-MCPGATEWAY_OAUTH_DISCOVERY_ENABLED=true
+OAUTH_DISCOVERY_ENABLED=true
 
 # Preferred PKCE code challenge method
 # Options: S256 (SHA-256, recommended), plain (not recommended)
 # PKCE (Proof Key for Code Exchange) is always enabled for Authorization Code flows
-MCPGATEWAY_OAUTH_PREFERRED_CODE_CHALLENGE_METHOD=S256
+OAUTH_PREFERRED_CODE_CHALLENGE_METHOD=S256
 
 # ==============================================================================
 # SSO (Single Sign-On) Configuration
@@ -290,13 +290,49 @@ SSO_OKTA_ENABLED=false
 # SSO_OKTA_CLIENT_SECRET=your-okta-client-secret
 # SSO_OKTA_ISSUER=https://your-okta-domain.okta.com
 
+# Keycloak OIDC Configuration (with auto-discovery)
+SSO_KEYCLOAK_ENABLED=false
+# SSO_KEYCLOAK_BASE_URL=https://keycloak.example.com
+# SSO_KEYCLOAK_REALM=master
+# SSO_KEYCLOAK_CLIENT_ID=mcp-gateway
+# SSO_KEYCLOAK_CLIENT_SECRET=your-keycloak-client-secret
+# SSO_KEYCLOAK_MAP_REALM_ROLES=true
+# SSO_KEYCLOAK_MAP_CLIENT_ROLES=false
+# SSO_KEYCLOAK_USERNAME_CLAIM=preferred_username
+# SSO_KEYCLOAK_EMAIL_CLAIM=email
+# SSO_KEYCLOAK_GROUPS_CLAIM=groups
+
+# Microsoft Entra ID (Azure AD) OIDC Configuration
+SSO_ENTRA_ENABLED=false
+# SSO_ENTRA_CLIENT_ID=your-entra-application-client-id
+# SSO_ENTRA_CLIENT_SECRET=your-entra-client-secret-value
+# SSO_ENTRA_TENANT_ID=your-entra-tenant-id
+
+# Generic OIDC Provider Configuration (Keycloak, Auth0, Authentik, etc.)
+SSO_GENERIC_ENABLED=false
+# SSO_GENERIC_PROVIDER_ID=keycloak
+# SSO_GENERIC_DISPLAY_NAME=Keycloak
+# SSO_GENERIC_CLIENT_ID=your-oidc-client-id
+# SSO_GENERIC_CLIENT_SECRET=your-oidc-client-secret
+# SSO_GENERIC_AUTHORIZATION_URL=https://keycloak.company.com/auth/realms/master/protocol/openid-connect/auth
+# SSO_GENERIC_TOKEN_URL=https://keycloak.company.com/auth/realms/master/protocol/openid-connect/token
+# SSO_GENERIC_USERINFO_URL=https://keycloak.company.com/auth/realms/master/protocol/openid-connect/userinfo
+# SSO_GENERIC_ISSUER=https://keycloak.company.com/auth/realms/master
+# SSO_GENERIC_SCOPE=openid profile email
+
 # SSO General Settings
 SSO_AUTO_CREATE_USERS=true
 # JSON array of trusted email domains, e.g., ["example.com", "company.org"]
 SSO_TRUSTED_DOMAINS=[]
 # Keep local admin authentication when SSO is enabled
 SSO_PRESERVE_ADMIN_AUTH=true
 
+# SSO Issuers Configuration
+# Optional JSON array of issuer URLs for SSO providers
+# Example: ["https://idp1.example.com", "https://idp2.example.com"]
+# Default: null (not set)
+# SSO_ISSUERS=["https://idp.example.com"]
+
 # SSO Admin Assignment Settings
 # Email domains that automatically get admin privileges, e.g., ["yourcompany.com"]
 SSO_AUTO_ADMIN_DOMAINS=[]
@@ -494,6 +530,46 @@ REMOVE_SERVER_HEADERS=true
 # Uses the same credentials as BASIC_AUTH_USER and BASIC_AUTH_PASSWORD
 # DOCS_ALLOW_BASIC_AUTH is already defined in Basic Server Configuration section
 
+#####################################
+# Response Compression Configuration
+#####################################
+
+# Enable response compression (Brotli, Zstd, GZip)
+# Options: true (default), false
+# Reduces bandwidth by 30-70% for text-based responses (JSON, HTML, CSS, JS)
+# Automatically negotiates compression algorithm based on client Accept-Encoding header
+# Priority: Brotli (best compression) > Zstd (fast) > GZip (universal fallback)
+COMPRESSION_ENABLED=true
+
+# Minimum response size in bytes to compress
+# Responses smaller than this won't be compressed (compression overhead not worth it)
+# Default: 500 bytes
+# Set to 0 to compress all responses
+COMPRESSION_MINIMUM_SIZE=500
+
+# GZip compression level (1-9)
+# 1 = fastest compression, larger files
+# 6 = balanced (recommended default)
+# 9 = best compression, slower
+# Default: 6
+COMPRESSION_GZIP_LEVEL=6
+
+# Brotli compression quality (0-11)
+# 0-3 = fast compression (lower quality)
+# 4-9 = balanced compression (recommended)
+# 10-11 = maximum compression (slower)
+# Default: 4 (balanced)
+# Note: Brotli offers 15-20% better compression than GZip at similar speeds
+COMPRESSION_BROTLI_QUALITY=4
+
+# Zstd compression level (1-22)
+# 1-3 = fast compression
+# 4-9 = balanced compression
+# 10+ = slower, maximum compression
+# Default: 3 (fast)
+# Note: Zstd is the fastest algorithm with good compression ratio
+COMPRESSION_ZSTD_LEVEL=3
+
 #####################################
 # Retry Config for HTTP Requests
 #####################################
@@ -537,6 +613,12 @@ LOG_FORMAT=json
 # Options: true, false (default)
 LOG_TO_FILE=false
 
+# Enable request payload logging for debugging
+# Options: true, false (default)
+# When enabled, logs HTTP request method, headers, query params, and body
+# Sensitive data (passwords, tokens, etc.) is automatically masked
+LOG_REQUESTS=false
+
 # File write mode when LOG_TO_FILE=true
 # Options: a+ (append, default), w (overwrite on startup)
 LOG_FILEMODE=a+
@@ -694,6 +776,15 @@ PLUGINS_ENABLED=true
 # Default: plugins/config.yaml
 PLUGIN_CONFIG_FILE=plugins/config.yaml
 
+# Optional defaults for mTLS when connecting to external MCP plugins (STREAMABLEHTTP transport)
+# Provide file paths inside the container. Plugin-specific TLS blocks override these defaults.
+# PLUGINS_MTLS_CA_BUNDLE=/app/certs/plugins/ca.crt
+# PLUGINS_MTLS_CLIENT_CERT=/app/certs/plugins/gateway-client.pem
+# PLUGINS_MTLS_CLIENT_KEY=/app/certs/plugins/gateway-client.key
+# PLUGINS_MTLS_CLIENT_KEY_PASSWORD=
+# PLUGINS_MTLS_VERIFY=true
+# PLUGINS_MTLS_CHECK_HOSTNAME=true
+
 #####################################
 # Well-Known URI Configuration
 #####################################
@@ -840,3 +931,143 @@ REQUIRE_STRONG_SECRETS=false
 # Set to false to allow startup with security warnings
 # NOT RECOMMENDED for production!
 # REQUIRE_STRONG_SECRETS=false
+
+#####################################
+# LLM Chat MCP Client Configuration
+#####################################
+
+# Enable the LLM Chat functionality (true/false)
+# When disabled, LLM chat features will be completely hidden from UI and APIs
+# Default: false (must be explicitly enabled)
+LLMCHAT_ENABLED=false
+
+# LLM Provider Selection
+# Options: azure_openai, openai, anthropic, aws_bedrock, ollama
+# Default: azure_openai
+# LLM_PROVIDER=azure_openai
+
+#####################################
+# Azure OpenAI Configuration
+#####################################
+# Use for Microsoft Azure OpenAI Service deployments
+# AZURE_OPENAI_API_KEY=<your_api_key>
+# AZURE_OPENAI_ENDPOINT=https://your-resource.openai.azure.com
+# AZURE_OPENAI_API_VERSION=2024-02-15-preview
+# AZURE_OPENAI_DEPLOYMENT=gpt-4o
+# AZURE_OPENAI_MODEL=gpt-4o
+# AZURE_OPENAI_TEMPERATURE=0.7
+
+#####################################
+# OpenAI Configuration
+#####################################
+# Use for direct OpenAI API access (non-Azure) or OpenAI-compatible endpoints
+# OPENAI_API_KEY=sk-...
+# OPENAI_MODEL=gpt-4o-mini
+# OPENAI_BASE_URL=https://api.openai.com/v1  # Optional: for OpenAI-compatible endpoints
+# OPENAI_TEMPERATURE=0.7
+# OPENAI_MAX_RETRIES=2
+
+#####################################
+# Anthropic Claude Configuration
+#####################################
+# Use for Anthropic Claude API
+# Requires: pip install langchain-anthropic
+# ANTHROPIC_API_KEY=sk-ant-...
+# ANTHROPIC_MODEL=claude-3-5-sonnet-20241022
+# ANTHROPIC_TEMPERATURE=0.7
+# ANTHROPIC_MAX_TOKENS=4096
+# ANTHROPIC_MAX_RETRIES=2
+
+#####################################
+# AWS Bedrock Configuration
+#####################################
+# Use for AWS Bedrock LLM services
+# Requires: pip install langchain-aws boto3
+# Note: Uses AWS credential chain if credentials not explicitly provided
+# AWS_BEDROCK_MODEL_ID=anthropic.claude-v2
+# AWS_BEDROCK_REGION=us-east-1
+# AWS_BEDROCK_TEMPERATURE=0.7
+# AWS_BEDROCK_MAX_TOKENS=4096
+# Optional AWS credentials (uses default credential chain if not provided):
+# AWS_ACCESS_KEY_ID=<your_access_key>
+# AWS_SECRET_ACCESS_KEY=<your_secret_key>
+# AWS_SESSION_TOKEN=<your_session_token>
+
+#####################################
+# Ollama Configuration
+#####################################
+# Use for local or self-hosted Ollama instances
+# OLLAMA_MODEL=llama3
+# OLLAMA_BASE_URL=http://localhost:11434
+# OLLAMA_TEMPERATURE=0.7
+
+#####################################
+# Pagination Configuration
+#####################################
+
+# Default number of items per page for paginated endpoints
+# Applies to: tools, resources, prompts, servers, gateways, users, teams, tokens, etc.
+# Default: 50, Min: 1, Max: 1000
+PAGINATION_DEFAULT_PAGE_SIZE=50
+
+# Maximum allowed items per page (prevents abuse)
+# Default: 500, Min: 1, Max: 10000
+PAGINATION_MAX_PAGE_SIZE=500
+
+# Minimum items per page
+# Default: 1
+PAGINATION_MIN_PAGE_SIZE=1
+
+# Threshold for switching from offset to cursor-based pagination
+# When result set exceeds this count, use cursor-based pagination for performance
+# Default: 10000
+PAGINATION_CURSOR_THRESHOLD=10000
+
+# Enable cursor-based pagination globally
+# Options: true (default), false
+# When false, only offset-based pagination is used
+PAGINATION_CURSOR_ENABLED=true
+
+# Default sort field for paginated queries
+# Default: created_at
+PAGINATION_DEFAULT_SORT_FIELD=created_at
+
+# Default sort order for paginated queries
+# Options: asc, desc (default)
+PAGINATION_DEFAULT_SORT_ORDER=desc
+
+# Maximum offset allowed for offset-based pagination (prevents abuse)
+# Default: 100000 (100K records)
+PAGINATION_MAX_OFFSET=100000
+
+# Cache pagination counts for performance (seconds)
+# Set to 0 to disable caching
+# Default: 300 (5 minutes)
+PAGINATION_COUNT_CACHE_TTL=300
+
+# Enable pagination links in API responses
+# Options: true (default), false
+PAGINATION_INCLUDE_LINKS=true
+
+# Base URL for pagination links (defaults to request URL)
+# PAGINATION_BASE_URL=https://api.example.com
+
+#####################################
+# gRPC Support Settings (EXPERIMENTAL)
+#####################################
+
+# Enable gRPC to MCP translation support (disabled by default)
+# Requires: pip install mcp-contextforge-gateway[grpc]
+# MCPGATEWAY_GRPC_ENABLED=false
+
+# Enable gRPC server reflection by default for service discovery
+# MCPGATEWAY_GRPC_REFLECTION_ENABLED=true
+
+# Maximum gRPC message size in bytes (4MB default)
+# MCPGATEWAY_GRPC_MAX_MESSAGE_SIZE=4194304
+
+# Default gRPC call timeout in seconds
+# MCPGATEWAY_GRPC_TIMEOUT=30
+
+# Enable TLS for gRPC connections by default
+# MCPGATEWAY_GRPC_TLS_ENABLED=false

.github/tools/check_security.py

@@ -4,12 +4,14 @@
 
 import sys
 import os
+
 # Add the project root to the path (two levels up from .github/tools/)
 project_root = os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__))))
 sys.path.insert(0, project_root)
 
 from mcpgateway.config import get_settings
 
+
 def main():
     """Check security configuration and exit with appropriate code."""
     try:
@@ -19,16 +21,16 @@ def main():
         print(f"Security Score: {status['security_score']}/100")
         print(f"Warnings: {len(status['warnings'])}")
 
-        if status['warnings']:
+        if status["warnings"]:
             print("\nSecurity Warnings:")
-            for warning in status['warnings']:
+            for warning in status["warnings"]:
                 print(f"  - {warning}")
 
         # Exit with error if score is too low
-        if status['security_score'] < 60:
+        if status["security_score"] < 60:
             print("\n❌ Security score too low for deployment")
             sys.exit(1)
-        elif status['security_score'] < 80:
+        elif status["security_score"] < 80:
             print("\n⚠️  Security could be improved")
             sys.exit(0)
         else:
@@ -39,5 +41,6 @@ def main():
         print(f"❌ Security validation failed: {e}")
         sys.exit(2)
 
+
 if __name__ == "__main__":
     main()