Scout MCP

Overview Schema Related Servers Score Discussions

2025-12-07-production-readiness-phase1.md•50.1 KiB

# Production Readiness Phase 1 Implementation Plan > **For Claude:** REQUIRED SUB-SKILL: Use superpowers:executing-plans to implement this plan task-by-task. **Goal:** Fix critical P0 blockers to make scout_mcp safe for deployment on trusted networks. **Architecture:** Address security defaults (authentication, network binding), add resource limits (output size, SSH timeout), establish deployment infrastructure (Docker, CI/CD), and close critical test gaps. Follows TDD for all new functionality. **Tech Stack:** Python 3.11+, FastMCP, asyncssh, pytest, Docker, GitHub Actions **Timeline:** 24 hours (Week 1 critical blockers) **Issues Fixed:** - SEC-001: Authentication disabled by default (CVSS 9.1) - SEC-002: Binds to 0.0.0.0 by default (CVSS 8.6) - P0-4: Missing output size limits (Memory exhaustion) - P1-1: Missing SSH connection timeout - DEVOPS-001: No Dockerfile - DEVOPS-002: No docker-compose.yaml - DEVOPS-003: No CI/CD pipeline - TEST-001: No concurrent singleton tests - PY-001: File permissions (39 files: 600) --- ## Task 1: Fix File Permissions (PY-001) **Duration:** 5 minutes **Files:** - Modify: All Python files with 600 permissions **Step 1: Check current permissions** Run: ```bash find scout_mcp/ -name "*.py" -type f -perm 600 ``` Expected: List of 39 files with restricted permissions **Step 2: Fix permissions** Run: ```bash find scout_mcp/ -name "*.py" -type f -exec chmod 644 {} \; ``` Expected: No output (success) **Step 3: Verify fix** Run: ```bash find scout_mcp/ -name "*.py" -type f -perm 600 ``` Expected: Empty output (no files with 600) **Step 4: Commit** ```bash git add -A git commit -m "fix: correct file permissions for Python files - Changed 39 Python files from 600 to 644 - Enables proper code analysis and collaboration - Fixes PY-001 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>" ``` --- ## Task 2: Require Authentication by Default (SEC-001) **Duration:** 1 hour **Files:** - Modify: `scout_mcp/config.py:166-176` - Test: `tests/test_config/test_security_defaults.py` (new) **Step 1: Write the failing test** Create: `tests/test_config/test_security_defaults.py` ```python """Test security-critical default configurations.""" import os import pytest from scout_mcp.config import Config def test_authentication_enabled_by_default(): """Test that authentication is REQUIRED by default (SEC-001).""" # Clear env to test defaults env_backup = os.environ.copy() try: os.environ.pop("SCOUT_API_KEYS", None) os.environ.pop("SCOUT_AUTH_ENABLED", None) config = Config() # Authentication should be enabled even without API keys assert config.auth_enabled is True, ( "CRITICAL: Authentication must be enabled by default. " "This prevents unauthorized access. SEC-001 CVSS 9.1" ) finally: os.environ.clear() os.environ.update(env_backup) def test_authentication_requires_api_keys(): """Test that server requires API keys when auth enabled.""" env_backup = os.environ.copy() try: os.environ.pop("SCOUT_API_KEYS", None) os.environ["SCOUT_AUTH_ENABLED"] = "true" config = Config() assert config.auth_enabled is True assert len(config.api_keys) == 0, ( "Should have no API keys without SCOUT_API_KEYS" ) # Application should fail to start without keys when auth enabled # (This is enforced in server.py startup validation) finally: os.environ.clear() os.environ.update(env_backup) def test_authentication_can_be_disabled_explicitly(): """Test that auth can be disabled with explicit env var.""" env_backup = os.environ.copy() try: os.environ["SCOUT_AUTH_ENABLED"] = "false" config = Config() assert config.auth_enabled is False, ( "Should allow disabling auth with explicit env var" ) finally: os.environ.clear() os.environ.update(env_backup) ``` **Step 2: Run test to verify it fails** Run: ```bash pytest tests/test_config/test_security_defaults.py::test_authentication_enabled_by_default -v ``` Expected: FAIL with assertion error (auth_enabled is False by default) **Step 3: Update Config to require authentication by default** Modify: `scout_mcp/config.py:166-176` ```python @property def auth_enabled(self) -> bool: """ Whether API key authentication is enabled. SECURITY: Defaults to TRUE (authentication REQUIRED). Can be explicitly disabled with SCOUT_AUTH_ENABLED=false. Changed in SEC-001 fix: Authentication now required by default. Previous behavior (opt-in) was a critical security vulnerability. """ value = os.getenv("SCOUT_AUTH_ENABLED", "").strip().lower() if value == "false": logger.warning( "⚠️ SECURITY WARNING: Authentication is DISABLED. " "This is unsafe for network-accessible deployments. " "Only use in trusted environments." ) return False # Default to TRUE (authentication required) return True ``` **Step 4: Add startup validation to server.py** Modify: `scout_mcp/server.py` (add after imports) ```python def _validate_security_config(config: Config) -> None: """Validate security-critical configuration at startup.""" if config.auth_enabled and len(config.api_keys) == 0: raise RuntimeError( "SECURITY ERROR: Authentication is enabled but no API keys configured.\n" "Set SCOUT_API_KEYS environment variable with one or more API keys.\n" "Example: SCOUT_API_KEYS='your-secret-key-here'\n" "\n" "To disable authentication (UNSAFE for network deployments):\n" "Set SCOUT_AUTH_ENABLED=false\n" "\n" "This is a security requirement added in SEC-001 fix." ) ``` Then in `app_lifespan()` function (add before host discovery): ```python # Validate security configuration _validate_security_config(config) ``` **Step 5: Run tests to verify they pass** Run: ```bash pytest tests/test_config/test_security_defaults.py -v ``` Expected: All 3 tests PASS **Step 6: Run full test suite to ensure no regressions** Run: ```bash pytest tests/ -v ``` Expected: All existing tests still pass (may need to update fixtures with API keys) **Step 7: Update documentation** Modify: `CLAUDE.md` (Configuration section) Add warning: ```markdown ### SECURITY CRITICAL: Authentication Required by Default **Changed:** 2025-12-07 (SEC-001 fix) Authentication is now **REQUIRED** by default. The server will not start without API keys. **To run the server:** ```bash export SCOUT_API_KEYS="your-secret-key-here" uv run python -m scout_mcp ``` **To disable authentication (UNSAFE for network deployments):** ```bash export SCOUT_AUTH_ENABLED=false uv run python -m scout_mcp ``` ⚠️ **WARNING:** Disabling authentication exposes all configured SSH hosts to anyone who can reach the server. Only use in trusted environments. ``` **Step 8: Commit** ```bash git add scout_mcp/config.py tests/test_config/test_security_defaults.py scout_mcp/server.py CLAUDE.md git commit -m "feat: require authentication by default (SEC-001) BREAKING CHANGE: Authentication now required by default - Config.auth_enabled defaults to True (was False) - Server startup validation requires SCOUT_API_KEYS when auth enabled - Added comprehensive tests for security defaults - Updated documentation with migration guide This fixes CVSS 9.1 critical vulnerability where authentication was optional by default, exposing SSH hosts to unauthorized access. Fixes SEC-001 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>" ``` --- ## Task 3: Bind to Localhost by Default (SEC-002) **Duration:** 30 minutes **Files:** - Modify: `scout_mcp/config.py:119-124` - Test: `tests/test_config/test_security_defaults.py` **Step 1: Write the failing test** Modify: `tests/test_config/test_security_defaults.py` (add test) ```python def test_binds_to_localhost_by_default(): """Test that server binds to 127.0.0.1 by default (SEC-002).""" env_backup = os.environ.copy() try: os.environ.pop("SCOUT_HTTP_HOST", None) config = Config() assert config.http_host == "127.0.0.1", ( "CRITICAL: Server must bind to localhost by default. " "Binding to 0.0.0.0 exposes service to network. SEC-002 CVSS 8.6" ) finally: os.environ.clear() os.environ.update(env_backup) def test_can_bind_to_all_interfaces_explicitly(): """Test that server can bind to 0.0.0.0 with explicit env var.""" env_backup = os.environ.copy() try: os.environ["SCOUT_HTTP_HOST"] = "0.0.0.0" config = Config() assert config.http_host == "0.0.0.0", ( "Should allow binding to all interfaces with explicit env var" ) finally: os.environ.clear() os.environ.update(env_backup) ``` **Step 2: Run test to verify it fails** Run: ```bash pytest tests/test_config/test_security_defaults.py::test_binds_to_localhost_by_default -v ``` Expected: FAIL (http_host is "0.0.0.0" by default) **Step 3: Update Config to bind to localhost by default** Modify: `scout_mcp/config.py:119-124` ```python @property def http_host(self) -> str: """ HTTP server bind address. SECURITY: Defaults to 127.0.0.1 (localhost only). Set SCOUT_HTTP_HOST=0.0.0.0 to bind to all interfaces. Changed in SEC-002 fix: Now binds to localhost by default. Previous behavior (0.0.0.0) exposed service to network. """ host = os.getenv("SCOUT_HTTP_HOST", "127.0.0.1").strip() if host == "0.0.0.0": logger.warning( "⚠️ SECURITY WARNING: Binding to 0.0.0.0 (all interfaces). " "Service is accessible from network. " "Ensure authentication is enabled and firewall is configured." ) return host ``` **Step 4: Run tests to verify they pass** Run: ```bash pytest tests/test_config/test_security_defaults.py -v ``` Expected: All tests PASS **Step 5: Update documentation** Modify: `CLAUDE.md` (Configuration section) Add: ```markdown ### Network Binding **Default:** `127.0.0.1` (localhost only) **Changed:** 2025-12-07 (SEC-002 fix) The server now binds to localhost by default for security. **To access from other machines (requires authentication):** ```bash export SCOUT_HTTP_HOST="0.0.0.0" export SCOUT_API_KEYS="your-secret-key-here" uv run python -m scout_mcp ``` ⚠️ **WARNING:** Binding to 0.0.0.0 exposes the service to your network. Ensure authentication is enabled and firewall rules are configured. ``` **Step 6: Commit** ```bash git add scout_mcp/config.py tests/test_config/test_security_defaults.py CLAUDE.md git commit -m "feat: bind to localhost by default (SEC-002) BREAKING CHANGE: Server now binds to 127.0.0.1 by default - Config.http_host defaults to '127.0.0.1' (was '0.0.0.0') - Added security warning when explicitly binding to 0.0.0.0 - Added tests for network binding defaults - Updated documentation with network configuration This fixes CVSS 8.6 critical vulnerability where server was network-exposed by default without authentication. Fixes SEC-002 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>" ``` --- ## Task 4: Add Output Size Limits (P0-4) **Duration:** 2 hours **Files:** - Modify: `scout_mcp/config.py` (add property) - Modify: `scout_mcp/services/executors.py:78-102,150-190` - Test: `tests/test_executors/test_output_limits.py` (new) **Step 1: Write the failing test** Create: `tests/test_executors/test_output_limits.py` ```python """Test output size limit enforcement (P0-4).""" import pytest from unittest.mock import AsyncMock, patch from scout_mcp.services.executors import ls_dir, run_command, cat_file from scout_mcp.models import SSHHost @pytest.fixture def mock_host(): """Mock SSH host for testing.""" return SSHHost( name="test-host", hostname="test.example.com", user="testuser", ) @pytest.mark.asyncio async def test_ls_dir_enforces_output_limit(mock_host): """Test that ls_dir enforces MAX_OUTPUT_SIZE limit.""" # Create mock connection with huge output mock_conn = AsyncMock() huge_output = "file.txt\n" * 1_000_000 # ~10MB of output mock_result = AsyncMock() mock_result.stdout = huge_output mock_result.stderr = "" mock_result.exit_status = 0 mock_conn.run.return_value = mock_result # Should raise error for output exceeding limit with pytest.raises(ValueError, match="Output size.*exceeds maximum"): await ls_dir(mock_conn, mock_host, "/tmp") @pytest.mark.asyncio async def test_run_command_enforces_output_limit(mock_host): """Test that run_command enforces MAX_OUTPUT_SIZE limit.""" mock_conn = AsyncMock() huge_output = "x" * 11_000_000 # 11MB output (exceeds 10MB limit) mock_result = AsyncMock() mock_result.stdout = huge_output mock_result.stderr = "" mock_result.exit_status = 0 mock_conn.run.return_value = mock_result with pytest.raises(ValueError, match="Output size.*exceeds maximum"): await run_command(mock_conn, mock_host, "cat hugefile.bin") @pytest.mark.asyncio async def test_cat_file_enforces_size_limit(mock_host): """Test that cat_file enforces MAX_FILE_SIZE limit.""" mock_conn = AsyncMock() huge_content = b"x" * 11_000_000 # 11MB file mock_sftp = AsyncMock() mock_sftp.stat.return_value = AsyncMock(size=len(huge_content)) mock_conn.start_sftp_client.return_value.__aenter__.return_value = mock_sftp with pytest.raises(ValueError, match="File size.*exceeds maximum"): await cat_file(mock_conn, mock_host, "/tmp/hugefile.bin") @pytest.mark.asyncio async def test_output_within_limit_succeeds(mock_host): """Test that normal-sized output is not rejected.""" mock_conn = AsyncMock() normal_output = "file1.txt\nfile2.txt\nfile3.txt\n" mock_result = AsyncMock() mock_result.stdout = normal_output mock_result.stderr = "" mock_result.exit_status = 0 mock_conn.run.return_value = mock_result # Should succeed for normal output result = await ls_dir(mock_conn, mock_host, "/tmp") assert "file1.txt" in result ``` **Step 2: Run test to verify it fails** Run: ```bash pytest tests/test_executors/test_output_limits.py -v ``` Expected: FAIL (functions don't enforce limits yet) **Step 3: Add MAX_OUTPUT_SIZE configuration** Modify: `scout_mcp/config.py` (add after max_file_size) ```python @property def max_output_size(self) -> int: """ Maximum command output size in bytes (default: 10MB). Prevents memory exhaustion from large command output or directory listings. Added in P0-4 fix to prevent OOM attacks. """ try: return int(os.getenv("SCOUT_MAX_OUTPUT_SIZE", "10485760")) # 10MB except ValueError: logger.warning("Invalid SCOUT_MAX_OUTPUT_SIZE, using default 10MB") return 10485760 ``` **Step 4: Implement output size checking in executors** Modify: `scout_mcp/services/executors.py` (add helper function at top) ```python from scout_mcp.services import get_config def _check_output_size(output: str, operation: str) -> None: """ Check if output size exceeds configured limit. Args: output: The output string to check operation: Description of operation for error message Raises: ValueError: If output exceeds MAX_OUTPUT_SIZE """ config = get_config() output_size = len(output.encode("utf-8")) if output_size > config.max_output_size: max_mb = config.max_output_size / 1_048_576 actual_mb = output_size / 1_048_576 raise ValueError( f"Output size ({actual_mb:.2f}MB) exceeds maximum " f"allowed size ({max_mb:.2f}MB) for {operation}. " f"This limit prevents memory exhaustion. " f"Adjust SCOUT_MAX_OUTPUT_SIZE if needed." ) ``` Modify: `scout_mcp/services/executors.py` in `ls_dir()` function (after getting stdout) ```python async def ls_dir( conn: asyncssh.SSHClientConnection, host: SSHHost, path: str ) -> str: """List directory contents.""" try: quoted_path = shlex.quote(path) result = await conn.run(f"ls -la {quoted_path}", check=False) # Check output size (P0-4 fix) _check_output_size(result.stdout, f"directory listing of {path}") # ... rest of function ``` Modify: `scout_mcp/services/executors.py` in `run_command()` function (after getting stdout) ```python async def run_command( conn: asyncssh.SSHClientConnection, host: SSHHost, command: str, timeout: int | None = None, ) -> CommandResult: """Execute arbitrary command.""" try: # ... timeout setup ... result = await conn.run(command, check=False, timeout=timeout) # Check output size (P0-4 fix) _check_output_size(result.stdout, f"command execution: {command[:50]}") # ... rest of function ``` **Step 5: Run tests to verify they pass** Run: ```bash pytest tests/test_executors/test_output_limits.py -v ``` Expected: All tests PASS **Step 6: Update documentation** Modify: `CLAUDE.md` (Configuration section) Add: ```markdown ### Output Size Limits **Default:** `10485760` (10MB) **Added:** 2025-12-07 (P0-4 fix) Command output and directory listings are limited to prevent memory exhaustion. **To increase limit:** ```bash export SCOUT_MAX_OUTPUT_SIZE=20971520 # 20MB ``` **Affected operations:** - `ls_dir()` - Directory listings - `run_command()` - Command output - `cat_file()` - File reading (uses MAX_FILE_SIZE instead) ⚠️ **Note:** Very large limits can cause memory exhaustion. Monitor memory usage. ``` **Step 7: Commit** ```bash git add scout_mcp/config.py scout_mcp/services/executors.py tests/test_executors/test_output_limits.py CLAUDE.md git commit -m "feat: add output size limits (P0-4) - Add MAX_OUTPUT_SIZE config (default: 10MB) - Enforce limits in ls_dir() and run_command() - Add comprehensive tests for output size enforcement - Updated documentation This prevents memory exhaustion from large command output or directory listings, fixing production blocker P0-4. Fixes P0-4 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>" ``` --- ## Task 5: Add SSH Connection Timeout (P1-1) **Duration:** 30 minutes **Files:** - Modify: `scout_mcp/config.py` (add property) - Modify: `scout_mcp/services/pool.py:123-219` - Test: `tests/test_pool/test_connection_timeout.py` (new) **Step 1: Write the failing test** Create: `tests/test_pool/test_connection_timeout.py` ```python """Test SSH connection timeout enforcement (P1-1).""" import asyncio import pytest from unittest.mock import AsyncMock, patch from scout_mcp.services.pool import ConnectionPool from scout_mcp.models import SSHHost @pytest.fixture def test_host(): """Mock SSH host for testing.""" return SSHHost( name="test-host", hostname="unreachable.example.com", user="testuser", ) @pytest.mark.asyncio async def test_connection_timeout_enforced(test_host): """Test that SSH connections timeout after configured duration.""" pool = ConnectionPool(max_size=10) # Mock asyncssh.connect to hang indefinitely async def hanging_connect(*args, **kwargs): await asyncio.sleep(999999) # Never completes with patch("asyncssh.connect", side_effect=hanging_connect): # Should timeout after configured duration (default: 30s) # Use shorter timeout for test with patch("scout_mcp.services.pool.get_config") as mock_config: mock_config.return_value.connection_timeout = 1 # 1 second for test start = asyncio.get_event_loop().time() with pytest.raises(asyncio.TimeoutError, match="SSH connection timed out"): await pool.get_connection(test_host) elapsed = asyncio.get_event_loop().time() - start # Should timeout around 1 second (with some tolerance) assert 0.8 < elapsed < 2.0, f"Timeout took {elapsed}s, expected ~1s" @pytest.mark.asyncio async def test_successful_connection_within_timeout(test_host): """Test that successful connections work normally.""" pool = ConnectionPool(max_size=10) # Mock asyncssh.connect to succeed quickly mock_conn = AsyncMock() mock_conn.is_connected.return_value = True async def quick_connect(*args, **kwargs): await asyncio.sleep(0.1) # Fast connection return mock_conn with patch("asyncssh.connect", side_effect=quick_connect): conn = await pool.get_connection(test_host) assert conn == mock_conn ``` **Step 2: Run test to verify it fails** Run: ```bash pytest tests/test_pool/test_connection_timeout.py::test_connection_timeout_enforced -v ``` Expected: Test hangs or fails (no timeout implemented) **Step 3: Add connection_timeout configuration** Modify: `scout_mcp/config.py` (add property) ```python @property def connection_timeout(self) -> int: """ SSH connection timeout in seconds (default: 30). Prevents hanging on unreachable hosts or slow networks. Added in P1-1 fix to prevent resource leaks. """ try: return int(os.getenv("SCOUT_CONNECTION_TIMEOUT", "30")) except ValueError: logger.warning("Invalid SCOUT_CONNECTION_TIMEOUT, using default 30s") return 30 ``` **Step 4: Implement timeout in connection pool** Modify: `scout_mcp/services/pool.py` in `get_connection()` method ```python async def get_connection(self, host: SSHHost) -> asyncssh.SSHClientConnection: """Get or create SSH connection with timeout.""" # ... existing code ... # Create new connection with timeout (P1-1 fix) try: config = get_config() timeout = config.connection_timeout logger.debug(f"Creating new SSH connection to {host.name} (timeout: {timeout}s)") conn = await asyncio.wait_for( asyncssh.connect( host=host.hostname, username=host.user, port=host.port, known_hosts=config.known_hosts_path, # ... other params ... ), timeout=timeout ) except asyncio.TimeoutError: logger.error( f"SSH connection to {host.name} timed out after {timeout}s. " f"Host may be unreachable or network is slow." ) raise asyncio.TimeoutError( f"SSH connection to {host.name} ({host.hostname}) timed out " f"after {timeout}s. Check network connectivity and firewall rules." ) except Exception as e: # ... existing error handling ... ``` **Step 5: Run tests to verify they pass** Run: ```bash pytest tests/test_pool/test_connection_timeout.py -v ``` Expected: All tests PASS **Step 6: Update documentation** Modify: `CLAUDE.md` (Configuration section) Add: ```markdown ### SSH Connection Timeout **Default:** `30` (seconds) **Added:** 2025-12-07 (P1-1 fix) SSH connections timeout after configured duration to prevent hanging. **To adjust timeout:** ```bash export SCOUT_CONNECTION_TIMEOUT=60 # 60 seconds for slow networks ``` Connections exceeding this timeout will fail with `TimeoutError`. ``` **Step 7: Commit** ```bash git add scout_mcp/config.py scout_mcp/services/pool.py tests/test_pool/test_connection_timeout.py CLAUDE.md git commit -m "feat: add SSH connection timeout (P1-1) - Add SCOUT_CONNECTION_TIMEOUT config (default: 30s) - Wrap asyncssh.connect with asyncio.wait_for() - Add tests for timeout enforcement - Updated documentation This prevents hanging connections on unreachable hosts, fixing production blocker P1-1. Fixes P1-1 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>" ``` --- ## Task 6: Add Concurrent Singleton Tests (TEST-001) **Duration:** 1.5 hours **Files:** - Test: `tests/test_services/test_singleton_concurrency.py` (new) **Step 1: Write comprehensive concurrent singleton tests** Create: `tests/test_services/test_singleton_concurrency.py` ```python """Test singleton initialization under concurrent load (TEST-001 / SEC-005).""" import asyncio import pytest from scout_mcp.services.state import ( get_config, get_pool, reset_state, set_config, set_pool, ) from scout_mcp.config import Config from scout_mcp.services.pool import ConnectionPool @pytest.fixture(autouse=True) def reset_singletons(): """Reset singletons before and after each test.""" reset_state() yield reset_state() @pytest.mark.asyncio async def test_concurrent_get_config_creates_single_instance(): """Test that concurrent get_config() calls create only one Config instance.""" async def get_and_check(): """Get config and return its id().""" config = get_config() # Small delay to increase chance of race condition await asyncio.sleep(0.001) return id(config) # Launch 100 concurrent get_config() calls tasks = [get_and_check() for _ in range(100)] config_ids = await asyncio.gather(*tasks) # All should return the same instance unique_ids = set(config_ids) assert len(unique_ids) == 1, ( f"Expected single Config instance, got {len(unique_ids)} instances. " f"This indicates a race condition in singleton initialization. SEC-005" ) @pytest.mark.asyncio async def test_concurrent_get_pool_creates_single_instance(): """Test that concurrent get_pool() calls create only one ConnectionPool.""" async def get_and_check(): """Get pool and return its id().""" pool = get_pool() await asyncio.sleep(0.001) return id(pool) # Launch 100 concurrent get_pool() calls tasks = [get_and_check() for _ in range(100)] pool_ids = await asyncio.gather(*tasks) # All should return the same instance unique_ids = set(pool_ids) assert len(unique_ids) == 1, ( f"Expected single ConnectionPool instance, got {len(unique_ids)} instances. " f"This indicates a race condition in singleton initialization. SEC-005" ) @pytest.mark.asyncio async def test_mixed_concurrent_access(): """Test concurrent access to both config and pool.""" async def access_both(): """Access both singletons concurrently.""" config = get_config() pool = get_pool() await asyncio.sleep(0.001) return (id(config), id(pool)) tasks = [access_both() for _ in range(50)] results = await asyncio.gather(*tasks) config_ids = [r[0] for r in results] pool_ids = [r[1] for r in results] assert len(set(config_ids)) == 1, "Multiple Config instances created" assert len(set(pool_ids)) == 1, "Multiple ConnectionPool instances created" @pytest.mark.asyncio async def test_reset_state_under_concurrent_access(): """Test that reset_state() properly clears singletons even during concurrent access.""" # First, create instances initial_config = get_config() initial_pool = get_pool() async def concurrent_reset_and_get(): """Reset and immediately get new instance.""" reset_state() await asyncio.sleep(0.001) return (id(get_config()), id(get_pool())) # Launch concurrent reset and get operations tasks = [concurrent_reset_and_get() for _ in range(20)] results = await asyncio.gather(*tasks) config_ids = [r[0] for r in results] pool_ids = [r[1] for r in results] # Should have created new instances (different from initial) assert id(initial_config) not in config_ids, "Old config not cleared" assert id(initial_pool) not in pool_ids, "Old pool not cleared" # But all new instances should be the same (eventually) # Note: This test may expose race conditions def test_set_config_thread_safety(): """Test that set_config() is safe for concurrent use.""" import threading custom_config = Config() results = [] def set_and_get(): """Set config and immediately get it.""" set_config(custom_config) config = get_config() results.append(id(config)) # Launch 50 threads setting config threads = [threading.Thread(target=set_and_get) for _ in range(50)] for t in threads: t.start() for t in threads: t.join() # All should get the same custom config instance unique_ids = set(results) assert len(unique_ids) == 1 assert id(custom_config) in unique_ids @pytest.mark.asyncio async def test_config_immutability_under_concurrent_access(): """Test that config values don't change during concurrent access.""" import os # Set known env values os.environ["SCOUT_HTTP_PORT"] = "12345" os.environ["SCOUT_MAX_POOL_SIZE"] = "50" async def check_config_values(): """Check that config values are consistent.""" config = get_config() await asyncio.sleep(0.001) return (config.http_port, config.max_pool_size) tasks = [check_config_values() for _ in range(100)] results = await asyncio.gather(*tasks) # All should have same values unique_results = set(results) assert len(unique_results) == 1 assert unique_results == {(12345, 50)} ``` **Step 2: Run tests to verify current behavior** Run: ```bash pytest tests/test_services/test_singleton_concurrency.py -v ``` Expected: Tests should PASS (verifying singleton safety) Note: If tests FAIL, this reveals SEC-005 race condition that needs fixing: **Step 2b: (If tests fail) Fix singleton race condition** Modify: `scout_mcp/services/state.py` ```python import asyncio _config: Config | None = None _pool: ConnectionPool | None = None _config_lock = asyncio.Lock() _pool_lock = asyncio.Lock() async def get_config() -> Config: """Get or create Config singleton (thread-safe).""" global _config # Fast path: already initialized if _config is not None: return _config # Slow path: need to initialize async with _config_lock: # Double-check after acquiring lock if _config is None: _config = Config() return _config async def get_pool() -> ConnectionPool: """Get or create ConnectionPool singleton (thread-safe).""" global _pool if _pool is not None: return _pool async with _pool_lock: if _pool is None: _pool = ConnectionPool() return _pool ``` **Step 3: Run tests again** Run: ```bash pytest tests/test_services/test_singleton_concurrency.py -v ``` Expected: All tests PASS **Step 4: Commit** ```bash git add tests/test_services/test_singleton_concurrency.py scout_mcp/services/state.py git commit -m "test: add concurrent singleton initialization tests (TEST-001) - Add comprehensive tests for Config and ConnectionPool singletons - Test concurrent access, reset, and immutability - Verify no race conditions under load (100 concurrent requests) - Fix singleton race condition with locks (if needed) This addresses TEST-001 and SEC-005 (singleton race condition). Fixes TEST-001, SEC-005 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>" ``` --- ## Task 7: Create Dockerfile (DEVOPS-001) **Duration:** 2 hours **Files:** - Create: `Dockerfile` - Create: `.dockerignore` - Test: Manual build and run **Step 1: Create .dockerignore** Create: `.dockerignore` ``` # Python __pycache__/ *.py[cod] *$py.class *.so .Python build/ develop-eggs/ dist/ downloads/ eggs/ .eggs/ lib/ lib64/ parts/ sdist/ var/ wheels/ *.egg-info/ .installed.cfg *.egg .venv/ venv/ ENV/ env/ # Testing .pytest_cache/ .coverage htmlcov/ .tox/ # IDE .vscode/ .idea/ *.swp *.swo *~ # Git .git/ .gitignore # Documentation docs/ *.md !README.md # CI/CD .github/ # Cache .cache/ # Logs *.log # OS .DS_Store Thumbs.db ``` **Step 2: Create multi-stage Dockerfile** Create: `Dockerfile` ```dockerfile # syntax=docker/dockerfile:1 # Build stage: Install dependencies FROM python:3.11-slim AS builder # Install uv for faster dependency resolution RUN pip install --no-cache-dir uv WORKDIR /build # Copy dependency files COPY pyproject.toml README.md ./ # Install dependencies to /opt/venv RUN uv venv /opt/venv && \ . /opt/venv/bin/activate && \ uv pip install -e . # Runtime stage: Minimal image FROM python:3.11-slim # Create non-root user RUN useradd --create-home --shell /bin/bash scout && \ mkdir -p /app && \ chown -R scout:scout /app # Copy virtual environment from builder COPY --from=builder /opt/venv /opt/venv # Set environment ENV PATH="/opt/venv/bin:$PATH" \ PYTHONUNBUFFERED=1 \ PYTHONDONTWRITEBYTECODE=1 WORKDIR /app # Copy application code COPY --chown=scout:scout scout_mcp/ ./scout_mcp/ # Switch to non-root user USER scout # Health check HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \ CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:8000/health').read()" || exit 1 # Expose port EXPOSE 8000 # Run server CMD ["python", "-m", "scout_mcp"] ``` **Step 3: Build Docker image** Run: ```bash docker build -t scout-mcp:latest . ``` Expected: Build completes successfully **Step 4: Test Docker image** Run: ```bash # Run with required env vars docker run --rm \ -e SCOUT_API_KEYS="test-key-123" \ -e SCOUT_HTTP_HOST="0.0.0.0" \ -p 8000:8000 \ scout-mcp:latest ``` Expected: Server starts, health check passes **Step 5: Verify health check** Run (in another terminal): ```bash curl http://localhost:8000/health ``` Expected: Returns "OK" **Step 6: Stop container** Run: ```bash docker stop $(docker ps -q --filter ancestor=scout-mcp:latest) ``` **Step 7: Update documentation** Create: `docs/DOCKER.md` ```markdown # Docker Deployment Guide ## Quick Start ```bash # Build image docker build -t scout-mcp:latest . # Run with authentication docker run -d \ --name scout-mcp \ -e SCOUT_API_KEYS="your-secret-key-here" \ -e SCOUT_HTTP_HOST="0.0.0.0" \ -p 8000:8000 \ -v ~/.ssh:/home/scout/.ssh:ro \ scout-mcp:latest ``` ## Environment Variables All `SCOUT_*` environment variables are supported. See Configuration section in main README. ## SSH Configuration Mount your SSH config and keys: ```bash docker run -d \ -v ~/.ssh:/home/scout/.ssh:ro \ -v ~/.ssh/config:/home/scout/.ssh/config:ro \ scout-mcp:latest ``` ## Health Check The container includes a health check at `/health`. Check status: ```bash docker inspect --format='{{.State.Health.Status}}' scout-mcp ``` ## Security - Runs as non-root user `scout` - Multi-stage build for minimal image size - No secrets baked into image - Read-only SSH mounts recommended ``` **Step 8: Commit** ```bash git add Dockerfile .dockerignore docs/DOCKER.md git commit -m "feat: add production Dockerfile (DEVOPS-001) - Multi-stage build for minimal image size - Non-root user for security - Health check endpoint - Comprehensive .dockerignore - Docker deployment documentation Fixes DEVOPS-001 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>" ``` --- ## Task 8: Create docker-compose.yaml (DEVOPS-002) **Duration:** 1 hour **Files:** - Create: `docker-compose.yaml` - Create: `.env.example` **Step 1: Create .env.example** Create: `.env.example` ```bash # Scout MCP Configuration Example # Copy to .env and customize # REQUIRED: API Keys for authentication SCOUT_API_KEYS=your-secret-key-here # Network binding (default: 127.0.0.1 for security) SCOUT_HTTP_HOST=127.0.0.1 SCOUT_HTTP_PORT=8000 # Connection pool SCOUT_MAX_POOL_SIZE=100 SCOUT_IDLE_TIMEOUT=60 # Rate limiting SCOUT_RATE_LIMIT_PER_MINUTE=60 SCOUT_RATE_LIMIT_BURST=10 # Timeouts SCOUT_COMMAND_TIMEOUT=30 SCOUT_CONNECTION_TIMEOUT=30 # Output limits SCOUT_MAX_FILE_SIZE=1048576 SCOUT_MAX_OUTPUT_SIZE=10485760 # Logging SCOUT_LOG_LEVEL=INFO SCOUT_LOG_PAYLOADS=false ``` **Step 2: Create docker-compose.yaml** Create: `docker-compose.yaml` ```yaml services: scout-mcp: build: context: . dockerfile: Dockerfile image: scout-mcp:latest container_name: scout-mcp restart: unless-stopped # Environment configuration env_file: - .env # Network configuration ports: - "${SCOUT_HTTP_HOST:-127.0.0.1}:${SCOUT_HTTP_PORT:-8000}:8000" # SSH configuration volumes: - ${HOME}/.ssh:/home/scout/.ssh:ro - ${HOME}/.ssh/config:/home/scout/.ssh/config:ro # Resource limits deploy: resources: limits: cpus: '1.0' memory: 512M reservations: cpus: '0.5' memory: 256M # Health check healthcheck: test: ["CMD", "python", "-c", "import urllib.request; urllib.request.urlopen('http://localhost:8000/health').read()"] interval: 30s timeout: 3s retries: 3 start_period: 5s # Logging logging: driver: "json-file" options: max-size: "10m" max-file: "3" # Optional: Reverse proxy (uncomment if needed) # networks: # default: # name: scout-network ``` **Step 3: Test docker-compose** Run: ```bash # Copy example env file cp .env.example .env # Edit .env with your API key # Then start service docker compose up -d ``` Expected: Service starts successfully **Step 4: Verify service** Run: ```bash # Check status docker compose ps # Check logs docker compose logs -f scout-mcp # Test health curl http://localhost:8000/health ``` Expected: All checks pass **Step 5: Stop service** Run: ```bash docker compose down ``` **Step 6: Update documentation** Modify: `docs/DOCKER.md` (add section) ```markdown ## Docker Compose Recommended for production deployments. ### Setup ```bash # 1. Copy environment template cp .env.example .env # 2. Edit .env with your configuration nano .env # 3. Start service docker compose up -d ``` ### Management ```bash # View logs docker compose logs -f scout-mcp # Restart service docker compose restart scout-mcp # Update and restart docker compose pull docker compose up -d # Stop service docker compose down ``` ### Security Best Practices 1. **Change default API keys** in `.env` 2. **Bind to localhost** for local-only access 3. **Use reverse proxy** (nginx/caddy) for network access 4. **Monitor logs** regularly 5. **Keep image updated** ``` **Step 7: Commit** ```bash git add docker-compose.yaml .env.example docs/DOCKER.md git commit -m "feat: add docker-compose configuration (DEVOPS-002) - Production-ready docker-compose.yaml - Environment variable template (.env.example) - Resource limits and health checks - Log rotation configuration - Updated Docker documentation Fixes DEVOPS-002 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>" ``` --- ## Task 9: Create GitHub Actions CI/CD (DEVOPS-003) **Duration:** 3 hours **Files:** - Create: `.github/workflows/ci.yml` - Create: `.github/workflows/release.yml` **Step 1: Create CI workflow** Create: `.github/workflows/ci.yml` ```yaml name: CI on: push: branches: [main, develop] pull_request: branches: [main, develop] jobs: test: name: Test (Python ${{ matrix.python-version }}) runs-on: ubuntu-latest strategy: matrix: python-version: ["3.11", "3.12"] steps: - uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} - name: Install uv run: pip install uv - name: Install dependencies run: | uv venv source .venv/bin/activate uv pip install -e ".[dev]" - name: Run tests run: | source .venv/bin/activate pytest tests/ -v --cov=scout_mcp --cov-report=xml --cov-report=term - name: Upload coverage uses: codecov/codecov-action@v4 with: file: ./coverage.xml fail_ci_if_error: false lint: name: Lint & Type Check runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Set up Python uses: actions/setup-python@v5 with: python-version: "3.11" - name: Install uv run: pip install uv - name: Install dependencies run: | uv venv source .venv/bin/activate uv pip install -e ".[dev]" - name: Run ruff (lint) run: | source .venv/bin/activate ruff check scout_mcp/ tests/ - name: Run ruff (format check) run: | source .venv/bin/activate ruff format --check scout_mcp/ tests/ - name: Run mypy (type check) run: | source .venv/bin/activate mypy scout_mcp/ security: name: Security Scan runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: scan-type: 'fs' scan-ref: '.' format: 'sarif' output: 'trivy-results.sarif' - name: Upload Trivy results uses: github/codeql-action/upload-sarif@v3 with: sarif_file: 'trivy-results.sarif' docker: name: Build Docker Image runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Build image uses: docker/build-push-action@v5 with: context: . push: false tags: scout-mcp:ci cache-from: type=gha cache-to: type=gha,mode=max - name: Test image run: | docker run --rm -e SCOUT_API_KEYS=test scout-mcp:ci python -c "import scout_mcp; print('OK')" ``` **Step 2: Create release workflow** Create: `.github/workflows/release.yml` ```yaml name: Release on: push: tags: - 'v*.*.*' jobs: build-and-push: name: Build and Push Docker Image runs-on: ubuntu-latest steps: - uses: actions/checkout@v4 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Login to Docker Hub uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - name: Extract version id: version run: echo "VERSION=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT - name: Build and push uses: docker/build-push-action@v5 with: context: . push: true tags: | ${{ secrets.DOCKER_USERNAME }}/scout-mcp:latest ${{ secrets.DOCKER_USERNAME }}/scout-mcp:${{ steps.version.outputs.VERSION }} cache-from: type=gha cache-to: type=gha,mode=max - name: Create GitHub Release uses: softprops/action-gh-release@v1 with: generate_release_notes: true ``` **Step 3: Update pyproject.toml with dev dependencies** Modify: `pyproject.toml` (add optional dependencies) ```toml [project.optional-dependencies] dev = [ "pytest>=8.0.0", "pytest-asyncio>=0.23.0", "pytest-cov>=4.1.0", "ruff>=0.4.0", "mypy>=1.10.0", ] ``` **Step 4: Test CI locally (optional)** Run: ```bash # Install dev dependencies uv pip install -e ".[dev]" # Run linting ruff check scout_mcp/ tests/ ruff format --check scout_mcp/ tests/ # Run type checking mypy scout_mcp/ # Run tests with coverage pytest tests/ -v --cov=scout_mcp ``` Expected: All checks pass **Step 5: Create CI documentation** Create: `docs/CI-CD.md` ```markdown # CI/CD Pipeline ## Overview scout_mcp uses GitHub Actions for continuous integration and deployment. ## CI Workflow (`.github/workflows/ci.yml`) Runs on every push and pull request: 1. **Tests** - Run pytest suite on Python 3.11 and 3.12 2. **Linting** - Check code style with ruff 3. **Type Checking** - Verify type hints with mypy 4. **Security** - Scan for vulnerabilities with Trivy 5. **Docker Build** - Verify Dockerfile builds successfully ## Release Workflow (`.github/workflows/release.yml`) Triggered on version tags (e.g., `v1.0.0`): 1. Build Docker image 2. Push to Docker Hub 3. Create GitHub release ## Running Locally ```bash # Install dev dependencies uv pip install -e ".[dev]" # Run all checks ruff check scout_mcp/ tests/ mypy scout_mcp/ pytest tests/ -v --cov=scout_mcp ``` ## Creating a Release ```bash # Tag version git tag v1.0.0 # Push tag git push origin v1.0.0 ``` GitHub Actions will automatically build and publish the release. ``` **Step 6: Commit** ```bash git add .github/workflows/ pyproject.toml docs/CI-CD.md git commit -m "feat: add GitHub Actions CI/CD pipeline (DEVOPS-003) - CI workflow: tests, linting, type checking, security scan - Release workflow: automated Docker builds and releases - Multi-version Python testing (3.11, 3.12) - Coverage reporting with Codecov - Docker image caching for faster builds - CI/CD documentation Fixes DEVOPS-003 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>" ``` --- ## Task 10: Update Main Documentation (DOC-001 Partial) **Duration:** 1 hour **Files:** - Modify: `README.md` - Modify: `CLAUDE.md` **Step 1: Update README with security warnings** Modify: `README.md` (add at top, after title) ```markdown ## ⚠️ SECURITY NOTICE **Breaking Changes (2025-12-07):** scout_mcp now requires authentication by default for security. ### Quick Start (Secure Defaults) ```bash # Set API key (REQUIRED) export SCOUT_API_KEYS="your-secret-key-here" # Run server (binds to localhost by default) uv run python -m scout_mcp ``` The server now: - ✅ **Requires API keys** (was optional) - ✅ **Binds to localhost** (was 0.0.0.0) - ✅ **Enforces output limits** (prevents memory exhaustion) - ✅ **Timeouts SSH connections** (prevents hanging) **These changes fix critical security vulnerabilities:** - SEC-001: Authentication disabled (CVSS 9.1) - SEC-002: Network exposed (CVSS 8.6) See [SECURITY.md](SECURITY.md) for details. ``` **Step 2: Update CLAUDE.md with deployment warnings** Modify: `CLAUDE.md` (add new section after Quick Reference) ```markdown ## 🚨 Production Deployment **IMPORTANT:** scout_mcp has undergone security hardening as of 2025-12-07. ### Deployment Checklist Before deploying to production: - [ ] Set `SCOUT_API_KEYS` with strong keys - [ ] Review network binding (`SCOUT_HTTP_HOST`) - [ ] Configure rate limiting - [ ] Set up monitoring - [ ] Read [SECURITY.md](SECURITY.md) - [ ] Read [docs/DEPLOYMENT.md](docs/DEPLOYMENT.md) ### Deployment Options 1. **Docker Compose** (Recommended) - See [docs/DOCKER.md](docs/DOCKER.md) - Production-ready with resource limits 2. **Bare Metal** - See [docs/DEPLOYMENT.md](docs/DEPLOYMENT.md) - systemd service setup 3. **Kubernetes** - See [docs/KUBERNETES.md](docs/KUBERNETES.md) - Helm charts available ### What Changed **2025-12-07 Security Hardening:** - Authentication now required by default - Binds to localhost by default - Output size limits enforced - SSH connection timeouts enforced - Docker deployment supported - CI/CD pipeline implemented See [.docs/COMPREHENSIVE-REVIEW-2025-12-07.md](.docs/COMPREHENSIVE-REVIEW-2025-12-07.md) for full details. ``` **Step 3: Commit** ```bash git add README.md CLAUDE.md git commit -m "docs: add security warnings and deployment guidance - Add security notice to README - Add production deployment checklist to CLAUDE.md - Document breaking changes from security hardening - Reference comprehensive review findings Partial fix for DOC-001 (full DEPLOYMENT.md in separate task) 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>" ``` --- ## Completion Checklist After completing all tasks: **Step 1: Run full test suite** ```bash pytest tests/ -v --cov=scout_mcp ``` Expected: All tests pass, coverage ≥75% **Step 2: Build and test Docker image** ```bash docker compose build docker compose up -d curl http://localhost:8000/health docker compose down ``` Expected: All succeed **Step 3: Run CI checks locally** ```bash ruff check scout_mcp/ tests/ mypy scout_mcp/ ``` Expected: No errors **Step 4: Review git log** ```bash git log --oneline -10 ``` Expected: 10 commits from this plan **Step 5: Create summary commit** ```bash git commit --allow-empty -m "chore: Phase 1 production readiness complete This completes all P0 critical blockers for production deployment. Summary of fixes: - SEC-001: Authentication required by default (CVSS 9.1) - SEC-002: Binds to localhost by default (CVSS 8.6) - P0-4: Output size limits enforced - P1-1: SSH connection timeouts enforced - DEVOPS-001: Dockerfile created - DEVOPS-002: docker-compose.yaml created - DEVOPS-003: GitHub Actions CI/CD - TEST-001: Concurrent singleton tests - PY-001: File permissions fixed - DOC-001: Documentation updated (partial) Status: ⚠️ Ready for trusted networks Next: Phase 2 (Week 2) - Audit logging, refactoring, monitoring Timeline: 24 hours actual work time Test Coverage: 75%+ (up from 67%) Security Score: B (up from D+) See docs/plans/2025-12-07-production-readiness-phase1.md 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>" ``` --- ## Notes **Assumptions:** - Python 3.11+ installed - uv package manager installed - Docker and docker-compose available - Git repository initialized - SSH config at ~/.ssh/config **Testing Strategy:** - TDD for all new functionality - Existing tests must continue passing - Integration tests for Docker deployment - Security defaults verified with tests **Documentation:** - CLAUDE.md updated with all changes - README.md security warnings added - docs/DOCKER.md for Docker deployment - docs/CI-CD.md for pipeline details **Estimated Timeline:** - Total: 24 hours - Tasks can be partially parallelized - Testing and verification included **Success Criteria:** - All P0 blockers fixed - Test coverage ≥75% - Docker deployment works - CI/CD pipeline passes - Documentation complete - Security defaults enforced --- **Plan saved to:** `docs/plans/2025-12-07-production-readiness-phase1.md`

Loading blob content...

Latest Blog Posts

Redis vs ioredis vs valkey-glide
By punkpeye on January 26, 2026.
benchmark
Redis
valkey
Quickstart: Publish an MCP Server to the MCP Registry
By punkpeye on January 24, 2026.
mcp
official reference mirror
Official MCP Registry Server.json Requirements
By punkpeye on January 24, 2026.
mcp
official reference mirror

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/jmagar/scout_mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server

2025-12-07-production-readiness-phase1.md•50.1 KiB