Skip to content

Commit d3a404b

Browse files
committed
docs(mcp): add public API documentation and deployment configuration
- Add MCP public API section to CLAUDE.md with configuration examples - Document MCP_ENABLED, MCP_REQUIRE_AUTH, MCP_RATE_LIMIT settings - Add public deployment example with environment variables - Add rate limiting protection notes for public access deployments - Add MCP endpoints list (/mcp/health, /mcp/tools, /mcp/server-info, /mcp) - Update config/config.exs with enhanced MCP configuration comments - Document public deployment example with recommended rate limit (100 req/hr) - Add rate limiting rationale for abuse protection without authentication - Add complete tasks.md with all 41 tasks marked complete across 7 phases
1 parent b4b1666 commit d3a404b

File tree

10 files changed

+1465
-0
lines changed

10 files changed

+1465
-0
lines changed

CLAUDE.md

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -402,6 +402,25 @@ The MCP (Model Context Protocol) server provides AI clients with comprehensive p
402402
- `lib/hex_hub/mcp/transport.ex` - HTTP/WebSocket transport layer
403403
- `lib/hex_hub/mcp/tools/` - MCP tool implementations
404404

405+
**Public MCP API**:
406+
The MCP API can be configured for public (unauthenticated) access to allow AI clients to query package information:
407+
408+
```bash
409+
# Enable public access (no authentication required for read-only operations)
410+
export MCP_REQUIRE_AUTH=false
411+
export MCP_RATE_LIMIT=100 # requests per hour per IP
412+
```
413+
414+
Public endpoints:
415+
- `GET /mcp/health` - Health check
416+
- `GET /mcp/tools` - List available tools
417+
- `GET /mcp/server-info` - Server capabilities
418+
- `POST /mcp` - JSON-RPC requests for package queries
419+
420+
Rate limiting: IP-based rate limiting protects against abuse. Returns HTTP 429 with `retry-after` header when exceeded.
421+
422+
See `specs/008-mcp-public-api/quickstart.md` for detailed usage examples.
423+
405424
### Development Patterns
406425

407426
**Always Use Storage Abstraction**: Never access storage directly, use `HexHub.Storage`
@@ -464,6 +483,8 @@ Logger.info("Package #{name} published")
464483
- Mnesia (`:system_settings` or `:publish_configs` table for setting, existing `:users` table for anonymous user) (006-anonymous-publish-config)
465484
- Elixir 1.15+ / OTP 26+ + Phoenix 1.8+, Mnesia (built-in), :erl_tar (Erlang stdlib) (007-admin-backup)
466485
- Mnesia for metadata, HexHub.Storage for package tarballs, local filesystem for backup archives (007-admin-backup)
486+
- Elixir 1.15+ / OTP 26+ + Phoenix 1.8+, Mnesia, `:telemetry` (008-mcp-public-api)
487+
- Mnesia (existing `:packages`, `:package_releases` tables) (008-mcp-public-api)
467488

468489
## Recent Changes
469490
- 001-telemetry-logging: Added Elixir 1.15+ / OTP 26+ + `:telemetry` (already in project), `Logger` (Elixir stdlib)

config/config.exs

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -33,6 +33,27 @@ config :hex_hub, HexHubAdminWeb.Endpoint,
3333
config :hex_hub, HexHub.Mailer, adapter: Swoosh.Adapters.Local
3434

3535
# MCP (Model Context Protocol) configuration
36+
#
37+
# MCP provides a JSON-RPC 2.0 interface for AI clients to interact with HexHub.
38+
#
39+
# Environment variables:
40+
# MCP_ENABLED - Enable/disable MCP server (default: "false")
41+
# MCP_REQUIRE_AUTH - Require API key authentication (default: "true")
42+
# Set to "false" for public read-only access to package info
43+
# MCP_RATE_LIMIT - Requests per hour per IP (default: "1000")
44+
# Rate limiting protects against abuse when auth is disabled
45+
# MCP_DEBUG - Enable debug logging (default: "false")
46+
#
47+
# Public deployment example:
48+
# MCP_ENABLED=true MCP_REQUIRE_AUTH=false MCP_RATE_LIMIT=100 ./bin/hex_hub start
49+
#
50+
# Endpoints (when enabled):
51+
# GET /mcp/health - Health check
52+
# GET /mcp/tools - List available tools
53+
# GET /mcp/server-info - Server capabilities
54+
# POST /mcp - JSON-RPC requests
55+
# WS /mcp/ws - WebSocket transport
56+
#
3657
config :hex_hub, :mcp,
3758
enabled: System.get_env("MCP_ENABLED", "false") == "true",
3859
websocket_path: System.get_env("MCP_WEBSOCKET_PATH", "/mcp/ws"),
Lines changed: 37 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
# Specification Quality Checklist: Public MCP API for Package Information
2+
3+
**Purpose**: Validate specification completeness and quality before proceeding to planning
4+
**Created**: 2026-01-19
5+
**Feature**: [spec.md](../spec.md)
6+
7+
## Content Quality
8+
9+
- [x] No implementation details (languages, frameworks, APIs)
10+
- [x] Focused on user value and business needs
11+
- [x] Written for non-technical stakeholders
12+
- [x] All mandatory sections completed
13+
14+
## Requirement Completeness
15+
16+
- [x] No [NEEDS CLARIFICATION] markers remain
17+
- [x] Requirements are testable and unambiguous
18+
- [x] Success criteria are measurable
19+
- [x] Success criteria are technology-agnostic (no implementation details)
20+
- [x] All acceptance scenarios are defined
21+
- [x] Edge cases are identified
22+
- [x] Scope is clearly bounded
23+
- [x] Dependencies and assumptions identified
24+
25+
## Feature Readiness
26+
27+
- [x] All functional requirements have clear acceptance criteria
28+
- [x] User scenarios cover primary flows
29+
- [x] Feature meets measurable outcomes defined in Success Criteria
30+
- [x] No implementation details leak into specification
31+
32+
## Notes
33+
34+
- Specification is ready for `/speckit.clarify` or `/speckit.plan`
35+
- The existing MCP infrastructure in the codebase already supports most of the required functionality
36+
- Key focus is on ensuring public accessibility without authentication for read-only operations
37+
- Rate limiting and telemetry logging align with existing project patterns

0 commit comments

Comments
 (0)