metamcp: docs clarify user requirement when provisioning; add STDIO examples (awsdocs, figma); schema enforces users when provision.enabled; bump to 0.1.23

masterkain · masterkain · commit 700ccb6973a7 · 2025-11-06T04:45:26.000+01:00
diff --git a/charts/metamcp/Chart.yaml b/charts/metamcp/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: metamcp
 description: MetaMCP aggregator Helm chart for Kubernetes
 type: application
-version: 0.1.22
+version: 0.1.23
 appVersion: "latest"
 icon: https://icoretech.github.io/helm/charts/metamcp/logo.png
 keywords:
diff --git a/charts/metamcp/README.md b/charts/metamcp/README.md
@@ -98,9 +98,9 @@ provision:
       enableOauth: false
 ```
 
-## User seeding (optional)
+## User seeding (required when provisioning is enabled)
 
-The chart can create users at install/upgrade and optionally generate API keys (stored in Secrets named like `<release>-metamcp-apikey-<email-slug>`):
+Provisioning authenticates using the first entry in `users`. When `provision.enabled: true`, you must define at least one user (the schema enforces this). The chart can also generate an API key for that user and store it in a Secret named like `<release>-metamcp-apikey-<email-slug>`.
 
 ```yaml
 disablePublicSignup: true
@@ -151,8 +151,40 @@ provision:
 Provisioning authentication
 
 - The provisioning Job authenticates using the first entry in `users` (email/password).
-- If `users` is empty, it falls back to `admin@example.com` / `change-me` for quick‑start only.
-- In production, always set `users[0]` and consider `disablePublicSignup: true`.
+- In production you must set `users[0]`. The jobs mirror the signed session cookie to the in‑cluster host to perform admin tRPC calls.
+- API keys are for endpoint/client auth; they are not used for admin tRPC.
+
+### STDIO examples
+
+Inline env (awsdocs):
+
+```yaml
+provision:
+  enabled: true
+  servers:
+    - name: awsdocs
+      type: STDIO
+      command: "uvx"
+      args: ["awslabs.aws-documentation-mcp-server@latest"]
+      env:
+        FASTMCP_LOG_LEVEL: "ERROR"
+        AWS_DOCUMENTATION_PARTITION: "aws"
+```
+
+Secret-backed env (figma):
+
+```yaml
+provision:
+  enabled: true
+  servers:
+    - name: figma
+      type: STDIO
+      command: "npx"
+      args: ["-y", "figma-developer-mcp", "--stdio"]
+      envFrom:
+        - secretRef:
+            name: figma-mcp-env
+```
 
 ## Configuration reference
 
diff --git a/charts/metamcp/README.md.gotmpl b/charts/metamcp/README.md.gotmpl
@@ -98,9 +98,9 @@ provision:
       enableOauth: false
 ```
 
-## User seeding (optional)
+## User seeding (required when provisioning is enabled)
 
-The chart can create users at install/upgrade and optionally generate API keys (stored in Secrets named like `<release>-metamcp-apikey-<email-slug>`):
+Provisioning authenticates using the first entry in `users`. When `provision.enabled: true`, you must define at least one user (the schema enforces this). The chart can also generate an API key for that user and store it in a Secret named like `<release>-metamcp-apikey-<email-slug>`.
 
 ```yaml
 disablePublicSignup: true
@@ -151,8 +151,40 @@ provision:
 Provisioning authentication
 
 - The provisioning Job authenticates using the first entry in `users` (email/password).
-- If `users` is empty, it falls back to `admin@example.com` / `change-me` for quick‑start only.
-- In production, always set `users[0]` and consider `disablePublicSignup: true`.
+- In production you must set `users[0]`. The jobs mirror the signed session cookie to the in‑cluster host to perform admin tRPC calls.
+- API keys are for endpoint/client auth; they are not used for admin tRPC.
+
+### STDIO examples
+
+Inline env (awsdocs):
+
+```yaml
+provision:
+  enabled: true
+  servers:
+    - name: awsdocs
+      type: STDIO
+      command: "uvx"
+      args: ["awslabs.aws-documentation-mcp-server@latest"]
+      env:
+        FASTMCP_LOG_LEVEL: "ERROR"
+        AWS_DOCUMENTATION_PARTITION: "aws"
+```
+
+Secret-backed env (figma):
+
+```yaml
+provision:
+  enabled: true
+  servers:
+    - name: figma
+      type: STDIO
+      command: "npx"
+      args: ["-y", "figma-developer-mcp", "--stdio"]
+      envFrom:
+        - secretRef:
+            name: figma-mcp-env
+```
 
 ## Configuration reference
 
diff --git a/charts/metamcp/values.schema.json b/charts/metamcp/values.schema.json
@@ -1,6 +1,25 @@
 {
   "$schema": "http://json-schema.org/draft-07/schema#",
   "type": "object",
+  "allOf": [
+    {
+      "if": {
+        "properties": {
+          "provision": {
+            "type": "object",
+            "properties": { "enabled": { "const": true } },
+            "required": ["enabled"]
+          }
+        }
+      },
+      "then": {
+        "required": ["users"],
+        "properties": {
+          "users": { "type": "array", "minItems": 1 }
+        }
+      }
+    }
+  ],
   "properties": {
     "env": {
       "type": "object",
