Replaces Bearer-token-only auth on GUI routes with a proper browser
login flow. Visiting /admin or /dashboard now redirects to /gui-login
if no valid session exists. Submitting the OAUTH_PASSWORD sets a
secure httpOnly session cookie (8h TTL). /gui-logout clears it.
- /dashboard/status also accepts session cookie (for the dashboard JS
to call back without needing a separate token)
- API routes (/users/*, /keys/*) still require Bearer token as before
- /gui-login, /gui-logout added as new public routes
/admin, /dashboard, /dashboard/status, and all /users/* and /keys/*
endpoints were publicly accessible with no authentication, exposing
user management, API key generation, and backend topology to anyone.
- /dashboard and /dashboard/status now require Bearer token
- /admin (user management UI) now requires Bearer token
- All /users/* and /keys/revoke routes now require Bearer token
- /health scrubbed of sensitive fields (token counts, client counts)
- /linkedin/* left public (required for OAuth callback flow)
Auth checks use GATEWAY_STATIC_API_KEY or valid OAuth access tokens,
consistent with the existing /mcp and /status endpoints.
SSH access to TrueNAS covers all Docker management needs (docker compose,
logs, restarts) making a dedicated Docker MCP redundant.
- Add ssh-mcp (port 8600): execute shell commands, read files, list dirs,
tail logs, find files, check disk usage on the TrueNAS host via asyncssh
- Remove docker-mcp (port 9000): redundant given SSH access to the host
- Update docker-compose.yml: wire in ssh-mcp service, remove docker-mcp
service and its MCP_BACKEND_DOCKER gateway env var
All tool functions and API helpers were using synchronous httpx.Client,
which blocked FastMCP's async event loop on every tool call — causing
60s timeouts from Claude even though the container appeared healthy.
Converted get_client(), api_get(), api_post(), api_patch() and all 12
@mcp.tool() functions to async/await, matching the pattern used by the
other working backends (truenas-mcp, homeassistant-mcp).
Redeploy with: docker compose up -d --build forgejo-mcp
New MCP servers added to the gateway stack:
- memory-bank-mcp (port 8700): Persistent key-value memory storage with tags, categories, and search
- puppeteer-mcp (port 8800): Headless browser automation via Pyppeteer (navigate, screenshot, click, JS eval, PDF gen)
- sequential-thinking-mcp (port 8900): Structured step-by-step reasoning with branching hypotheses and synthesis
- docker-mcp (port 9000): Docker container/image/network/volume management via Docker socket
All servers follow the existing Python/FastMCP pattern with streamable-http transport.
docker-compose.yml updated with service definitions and gateway backend routes.
