Skip to content

spec(052): mcpproxy behind an MCP tunnel — Anthropic + open-source recipes#485

Open
Dumbris wants to merge 2 commits into
mainfrom
spec/052-mcp-tunnel-recipe
Open

spec(052): mcpproxy behind an MCP tunnel — Anthropic + open-source recipes#485
Dumbris wants to merge 2 commits into
mainfrom
spec/052-mcp-tunnel-recipe

Conversation

@Dumbris
Copy link
Copy Markdown
Member

@Dumbris Dumbris commented May 21, 2026

Summary

Adds the spec for Spec 052 — documenting (and minimally supporting) how to expose mcpproxy through a tunnel so MCP clients on another machine can reach a private mcpproxy without inbound firewall holes.

Four recipes, both editions:

  • Anthropic MCP Tunnel (server edition) — Managed Agents reach mcpproxy-server inside a VPC via the two-container mcp-proxy + cloudflared stack.
  • Cloudflare Tunnel (personal edition) — OpenCode/Cursor/Continue reach a laptop mcpproxy via a stable HTTPS URL.
  • Tailscale and ngrok as additional open-source tunnel options.

One tunnel hostname fronts the full multiplexed /mcp surface; mcpproxy enforces auth via agent tokens; the tunnel only provides transport.

What's in this PR

  • specs/052-mcp-tunnel-recipe/spec.md — feature specification (Draft) with P1 user stories for both Anthropic Managed Agents and open-source tunnel users.

Spec only — no code changes yet. Ready for plan.

🤖 Generated with Claude Code

Dumbris added 2 commits May 20, 2026 09:39
@Dumbris
spec(052): mcpproxy-server behind Anthropic MCP Tunnel — deploy recipe
c099217 
Server-edition only. Adds a tunnel-safe mode (--tunnel-mode / tunnel.enabled
config) for mcpproxy-server that hardens the /mcp listener for use as the
upstream behind an Anthropic MCP Tunnel: agent-token-only auth, no Web UI
on the tunneled port, /healthz enabled, banner log on startup. Ships the
two-container compose recipe under examples/mcp-tunnel/ + a single
deployment doc covering the auth-layer table (outer mTLS / inner TLS /
agent token / upstream OAuth), day-2 ops (cert renewal, token rotation),
and the limitations (not on claude.ai today, 10-tunnels-per-org cap,
Research Preview).

Four P1/P2 user stories with independent tests, 18 FRs, 7 measurable
success criteria. Out of scope: personal-edition integration, replacing
Anthropic's mcp-proxy image, per-end-user identity propagation,
Helm chart, automated tunnel provisioning.

Refs: spec/052
@Dumbris
spec(052): broaden to four MCP-tunnel recipes — Anthropic + open-source
b18bd4f 
Extends scope from server-edition + Anthropic MCP Tunnels only to both
editions + four recipes:

- examples/mcp-tunnel-anthropic/       (server edition, Managed Agents)
- examples/mcp-tunnel-cloudflared/     (both editions, OpenCode and friends)
- examples/mcp-tunnel-tailscale/       (both editions, Funnel + Serve)
- examples/mcp-tunnel-ngrok/           (both editions, ephemeral demos)

Same --tunnel-mode / tunnel.enabled hardening applies to every recipe:
agent-token-only auth on /mcp, no Web UI on tunneled port, /healthz
enabled. The three open-source recipes specifically answer 'how can
OpenCode users (and other non-Anthropic-platform clients) reach a
private mcpproxy without inbound ports', since Anthropic MCP Tunnels
are gated to Managed Agents + Messages API only.

Seven user stories (P1: Anthropic + cloudflared + auth-bridges + tunnel-
safe-mode; P2: Tailscale + day-2 ops; P3: ngrok). Twenty-three FRs.
Eight measurable success criteria. References include Cloudflare,
Tailscale, ngrok docs and OpenCode MCP servers docs.

Spec 053 (mcpproxy expose CLI wrapping the tunnel daemons) is called
out as deferred follow-up, gated on customer demand.

Refs: spec/052
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 21, 2026

📦 Build Artifacts

Workflow Run: View Run
Branch: spec/052-mcp-tunnel-recipe

Available Artifacts

  • archive-darwin-amd64 (26 MB)
  • archive-darwin-arm64 (23 MB)
  • archive-linux-amd64 (15 MB)
  • archive-linux-arm64 (13 MB)
  • archive-windows-amd64 (26 MB)
  • archive-windows-arm64 (23 MB)
  • frontend-dist-pr (0 MB)
  • installer-dmg-darwin-amd64 (20 MB)
  • installer-dmg-darwin-arm64 (18 MB)

How to Download

Option 1: GitHub Web UI (easiest)

  1. Go to the workflow run page linked above
  2. Scroll to the bottom "Artifacts" section
  3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 26203205167 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.

@Dumbris
Copy link
Copy Markdown
Member Author

Dumbris commented Jun 1, 2026

Critic (Codex) review — Dumbris's PR #485
Verdict: accept
Strengths: The PR is scoped to the Spec 052 tunnel recipe/spec document, calls out the server-edition-only boundary, explicit auth-layer requirements, day-2 operations, and personal-edition non-goals, and all checks are green at head b18bd4ff0717f252229b7808e926a0b191ce910c.
Findings: none.
Provenance check: ok

@Dumbris
Copy link
Copy Markdown
Member Author

Dumbris commented Jun 1, 2026

Critic (Codex) review — Dumbris's PR #485
Verdict: request_changes
Head: b18bd4ff0717f252229b7808e926a0b191ce910c

Strengths: Spec-only change with concrete tunnel recipes, explicit auth-boundary requirements, smoke-test obligations, and clear out-of-scope boundaries. CI is green for all non-skipped checks.

Findings:

  1. The PR description includes 🤖 Generated with [Claude Code](https://claude.com/claude-code) at spec(052): mcpproxy behind an MCP tunnel — Anthropic + open-source recipes #485, but the spec added by this PR explicitly says no Claude attribution in commits or PR bodies (specs/052-mcp-tunnel-recipe/spec.md:278, specs/052-mcp-tunnel-recipe/spec.md:280). This also conflicts with the repository PR guidance to avoid AI attribution. Remove the attribution from the PR body before this is merge-ready.

Checks: gh pr checks 485 --watch=false is green for all non-skipped checks.

Provenance check: ok

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Dumbris