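# Environment configuration for the MCP server.
# Format: KEY=value, one assignment per line, full-line `#` comments only.
# Values are left unquoted: some env-file loaders (e.g. `docker run --env-file`)
# keep quote characters as part of the value.
# Keep populated secrets (MCP_AUTH_SECRET_KEY, SUPABASE_* keys) out of version control.

# -----------------------------------------------------------------
# Environment
# -----------------------------------------------------------------
# Environment: "development", "production", or "testing"
NODE_ENV=development

# -----------------------------------------------------------------
# MCP Server Configuration
# -----------------------------------------------------------------
# Transport type: "stdio" or "http"
MCP_TRANSPORT_TYPE=http
# Session mode: "stateless", "stateful", or "auto" (only used if MCP_TRANSPORT_TYPE=http)
MCP_SESSION_MODE=auto
# Log level: "debug", "info", "notice", "warning", "error", "crit", "alert", "emerg"
# "debug" is the most verbose level and may record request details; prefer
# "info" or higher outside development.
MCP_LOG_LEVEL=debug
# Directory for log files
LOGS_DIR=logs/

# -----------------------------------------------------------------
# HTTP Transport Configuration (only used if MCP_TRANSPORT_TYPE=http)
# -----------------------------------------------------------------
# Bind address. 127.0.0.1 accepts loopback connections only. Binding to a
# routable address (or 0.0.0.0) exposes the endpoint to the network; do that
# only together with MCP_AUTH_MODE=jwt or oauth.
MCP_HTTP_HOST=127.0.0.1
MCP_HTTP_PORT=3010
# HTTP endpoint path where the MCP server is mounted
# MCP_HTTP_ENDPOINT_PATH=/mcp

# Public origin override for deployments behind a TLS-terminating reverse proxy
# (Cloudflare Tunnel, Caddy, nginx, ALB). When set, landing page connect snippets,
# SEP-1649 Server Card, and RFC 9728 protected-resource metadata use this origin
# instead of the inbound request URL. Leave unset for direct deployments.
# Setting it pins the advertised origin to a fixed value rather than deriving
# it from each request.
# MCP_PUBLIC_URL=https://mcp.example.com

# Comma-separated list of allowed origins for CORS.
# List only the exact origins of clients you trust (scheme, host and port).
MCP_ALLOWED_ORIGINS=http://localhost:8080

# Opt-in forced-GC pressure loop (Bun only). When set to a positive integer,
# the framework calls Bun.gc(true) every N ms to drain the per-request
# McpServer/McpSessionTransport reference cycle that V8's major GC fires too
# rarely to clear under sustained low-traffic SSE. Default 0 (disabled).
# Recommended starting point if heap growth is observed: 60000.
# MCP_GC_PRESSURE_INTERVAL_MS=0

# -----------------------------------------------------------------
# Authentication Configuration
# -----------------------------------------------------------------
# Authentication mode: "none", "jwt", or "oauth"
# "none" leaves the HTTP endpoint unauthenticated. That is only appropriate
# while MCP_HTTP_HOST is a loopback address; switch to "jwt" or "oauth" before
# exposing the server through a proxy, tunnel, or non-loopback bind.
MCP_AUTH_MODE=none

# --- JWT Auth (required when MCP_AUTH_MODE=jwt) ---
# Replace the placeholder with a randomly generated value of at least 32
# characters, unique per deployment; never reuse the placeholder text.
# MCP_AUTH_SECRET_KEY=your-super-secret-key-that-is-at-least-32-characters-long
# NOTE(review): the name suggests this skips JWT verification for local
# development; confirm in the framework docs. Keep it false or unset on any
# instance reachable by others.
# DEV_MCP_AUTH_BYPASS=false

# --- OAuth Auth (required when MCP_AUTH_MODE=oauth) ---
# OAUTH_ISSUER_URL=https://your-idp.example.com
# OAUTH_AUDIENCE=your-api-audience

# --- Scope-check bypass (operator escape hatch) ---
# When MCP_AUTH_MODE=jwt|oauth, granted scopes are read from the union of `scp`,
# `scope`, and the `mcp_tool_scopes` custom claim (the latter is the supported
# path for OIDC providers that can't override `scope` in authorization_code flow:
# Authentik, Keycloak <26.5, Zitadel). For deployments where no claim-injection
# path exists at all, set the flag below to bypass per-tool and runtime scope
# enforcement after the auth-context presence check. Token signature, audience,
# issuer, and expiry validation remain intact. Combine with server-side ACLs —
# without one, every authenticated user effectively has every scope.
# Prefer the `mcp_tool_scopes` claim where the identity provider allows it, and
# treat this flag as a last resort.
# MCP_AUTH_DISABLE_SCOPE_CHECKS=false

# -----------------------------------------------------------------
# Workflow Library Configuration
# -----------------------------------------------------------------
# Absolute or relative path to the workflows root directory.
# Permanent workflows live under /categories/, temporary under /temp/.
WORKFLOWS_DIR=./workflows-yaml

# Path to the global instructions markdown file. Injected into every workflow_get response.
# Defaults to /global_instructions.md when not set.
# Because its content reaches every client through workflow_get, restrict write
# access to this file (and to the workflows directory) to trusted operators.
# GLOBAL_INSTRUCTIONS_PATH=

# Milliseconds to debounce filesystem change events before rebuilding the index.
# Lower values make the index respond faster to writes; higher values reduce
# rebuild churn when many files change at once.
# WATCHER_DEBOUNCE_MS=500

# -----------------------------------------------------------------
# Storage Configuration
# -----------------------------------------------------------------
# Storage backend: "in-memory", "filesystem", "supabase", "cloudflare-r2", "cloudflare-kv", "cloudflare-d1"
STORAGE_PROVIDER_TYPE=filesystem
STORAGE_FILESYSTEM_PATH=./.storage

# -----------------------------------------------------------------
# Database Configuration (required if STORAGE_PROVIDER_TYPE=supabase)
# -----------------------------------------------------------------
# The service-role key bypasses Supabase Row Level Security. Keep it
# server-side only, out of version control and out of logs. The anon key
# remains subject to RLS policies.
# SUPABASE_URL=
# SUPABASE_ANON_KEY=
# SUPABASE_SERVICE_ROLE_KEY=

# -----------------------------------------------------------------
# OpenTelemetry Configuration (optional)
# -----------------------------------------------------------------
# Plain HTTP is acceptable for a collector on localhost. Use an https://
# endpoint for a remote collector, since exported telemetry can carry request
# details.
# OTEL_ENABLED=false
# OTEL_EXPORTER_OTLP_TRACES_ENDPOINT=http://localhost:4318/v1/traces
# OTEL_EXPORTER_OTLP_METRICS_ENDPOINT=http://localhost:4318/v1/metrics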