# Tech Context
## Technologies
- **Terraform** (~> 5.0 AWS provider) — all infrastructure
- **Node.js 20 Alpine** — container base image
- **jose** — JWT verification library (ESM)
- **Supergateway** — installed globally via npm; bridges Streamable HTTP ↔ stdio
- **github-mcp-server** — official GitHub binary, copied from `ghcr.io/github/github-mcp-server:latest`
- **mcp-remote** — client-side proxy (developer machines), handles OAuth + transport
- **EasyRSA** — self-signed CA and certificates (in `repo/easy-rsa/`)
- **Docker** — multi-stage build, linux/amd64 for Fargate
## Project Structure
```
├── docker/ # Dockerfile, jwt-proxy.mjs, start.sh
├── terraform/ # IaC (modules: infrastructure, application)
├── scripts/ # build-and-push.sh, bootstrap-backend.sh
├── docs/ # architecture.md, mcp-client-config.md
├── repo/ # Vendored repos (easy-rsa, github-mcp-server, supergateway)
└── logs/ # Local log files
```
## Development Setup
1. AWS CLI configured with credentials
2. Terraform >= 1.0
3. Docker
4. AWS Client VPN connected
5. `cp terraform/terraform.tfvars.example terraform/terraform.tfvars` and fill values
6. GitHub PAT in `terraform/secrets.auto.tfvars` (gitignored)
## Build & Deploy
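```bash
# Run from the repository root; the Terraform configuration lives in terraform/
terraform -chdir=terraform init && terraform -chdir=terraform apply   # infrastructure
./scripts/build-and-push.sh latest   # build, push to ECR, rolling ECS deploy
```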
## Key Config Values
- Region: `us-east-1`
- Container: 512 CPU / 1024 MB memory
- Desired count: 2 tasks
- Session timeout: 10 minutes (600000 ms)
- Sticky sessions: 24h (lb_cookie)
- Health check: `/healthz` on port 8000
## Dependencies
- Okta custom authorization server (`/oauth2/default`)
- GitHub API (via PAT)
- AWS: VPC, ALB, ECS Fargate, ECR, Secrets Manager, NAT Gateway, ACM