Commit ed01167
committed
feat(all): implement GitHub-based MCP server deployment with Octokit
Add complete GitHub App integration for deploying MCP servers directly from
private/public repositories. Implements synchronous deployment with real-time
SSE streaming for logs and status updates.
Architecture:
- Backend: GitHub App authentication with ephemeral installation tokens
- Satellite: Octokit-based repository download/build/spawn (no Git/NPX)
- Frontend: 7-step deployment wizard with SSE status streaming
Key Features:
- Deploy from private GitHub repos using GitHub App (not OAuth)
- Satellite downloads tarballs via Octokit API, extracts to /tmp, builds, spawns
- Synchronous validation (2-5s) with streaming logs via SSE
- Auto-deploy on push via webhooks
- Per-user instance isolation
- Team-scoped deployments
Database:
- Add deploymentCredentials table (GitHub App installations)
- Add deploymentSettings table (auto-deploy config)
- Add git_commit_sha to mcpServers, source enum ('github')
- Add satellite_id to mcpServerInstallations
Backend:
- DeploymentCredentialService (GitHub App installation management)
- DeploymentGitHubService (API client with ephemeral tokens)
- Routes: /api/teams/{teamId}/deploy/* (authorize, repositories, deploy)
- Webhook: /api/webhooks/deploy/{teamId} (HMAC validation, auto-deploy)
- Satellite token endpoint: /api/satellites/{id}/github-token/{installationId}
Satellite:
- Parse github:user/repo#sha from config
- Download via Octokit (GET /repos/{owner}/{repo}/tarball/{ref})
- Extract → npm install → npm build → resolve entry → spawn
- Cleanup temp dir on termination
- ReadableStream handling with retry logic
Frontend:
- ConnectGitHub, SelectRepository, SelectSatellite, ConfigureEnvironment steps
- ValidatingDeployment (synchronous HTTP), StreamingLogs (SSE), Success steps
- Real-time status updates (provisioning → online)
- Deployment wizard with navigation breadcrumbs
Security:
- GitHub App credentials in encrypted global settings (not env vars)
- Installation tokens generated on-demand (1-hour expiry, cached)
- Satellite authorization (only assigned satellite gets tokens/config)
- Team isolation (team satellites can't access other teams)
- HMAC webhook validation
Fixes:
- ESLint errors (unused vars, any types, require() imports)
- TypeScript compilation errors (proper type checking)
- Migration timestamps adjusted to outside working hours1 parent 9a7ade6 commit ed01167
File tree
71 files changed
+25959
-75
lines changed- services
- backend
- drizzle/migrations
- meta
- src
- config
- db
- schema-tables
- global-settings
- lib/deployment
- permissions
- routes
- deploy
- mcp/installations
- satellites
- teams
- deploy
- services
- tests/unit/lib/deployment
- frontend
- src
- components
- deploy
- steps
- mcp-server/wizard
- i18n/locales/en
- router
- services
- views/deploy
- satellite
- src
- config
- process
- services
Some content is hidden
Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
71 files changed
+25959
-75
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
73 | 73 | | |
74 | 74 | | |
75 | 75 | | |
| 76 | + | |
| 77 | + | |
| 78 | + | |
| 79 | + | |
76 | 80 | | |
77 | 81 | | |
78 | 82 | | |
| |||
0 commit comments