This repository is a small, end-to-end reference: provision a VM, route three MCP backends through one sidecar, expose authenticated URLs, and ship ready-made client configs. The sidecar enforces YAML policy, writes redacted audit lines, and is covered by the same quality gates you would expect in a production service.
| Layer | What you get |
|---|---|
| Edge | Morph-exposed HTTP services with API-key authentication |
| Proxy | Go sidecar: policy checks, reverse proxy, /health, /ready, /metrics |
| Backends | Filesystem, Git, and HTTP MCP servers on localhost inside the VM |
| Clients | Generated Cursor and Claude Desktop configs using supergateway |
| Quality | Ruff, mypy, pytest, and Go tests in CI and via make ci |
Building remote MCP access is more than exposing a port: you need predictable auth boundaries, a single place to enforce rules, and logs you can trust. This demo keeps the provisioning story in Python (fast iteration) and the dataplane in Go (simple, explicit HTTP handling). Policy and config are validated at startup so the process does not run half-configured.
Documentation in this repo: this file is the main guide. Contributor expectations are in CONTRIBUTING.md.
flowchart LR
mcpClient[MCPClient] --> supergateway[Supergateway]
supergateway --> morphEdge[MorphEdgeAuth]
morphEdge --> sidecar[GoSidecar]
sidecar --> policy[PolicyYAML]
sidecar --> audit[AuditJSONL]
sidecar --> metrics[MetricsEndpoint]
sidecar --> fsServer[MCPFilesystem]
sidecar --> gitServer[MCPGit]
sidecar --> httpServer[MCPHTTP]
setupPipeline[SetupPipeline] --> sidecar
Clients speak MCP over stdio; supergateway bridges to SSE URLs. Morph terminates API-key auth at the edge. The sidecar applies policy, proxies to the right local MCP port, and records decisions.
| Path | Role |
|---|---|
| setup/setup_mcp.py | Snapshot, build, deploy sidecar, start services, expose URLs |
| sidecar/main.go | Sidecar: routing, policy, audit, proxy |
| sidecar/config.yaml | Runtime config (timeouts, auth, reload interval) |
| sidecar/policy.yaml | Policy shipped with the sidecar build |
| tests/ | Python unit tests (offline) |
| sidecar/main_test.go | Go unit tests |
| smoke_test.py | Post-deploy smoke checks (requires Morph) |
| test_epoch_rotation.py | Epoch rotation integration test (requires Morph) |
| Makefile | Commands: setup, test, logs, ci, and more |
| .github/workflows/ci.yml | Pull request and push checks |
After make setup, you will have instance_info.json (ignored by git) and refreshed files under clients/.
make install-deps
export MORPH_API_KEY="your-api-key"
make setup
make testEnd-to-end shortcut (install deps, setup, then smoke test):
make demoOutputs:
instance_info.json— instance id and Morph base URLsclients/cursor.jsonandclients/claude-desktop.json—supergatewaywiring for each route
Inside the VM the sidecar listens on port 8080. Morph publishes each service at its own base URL; paths are appended to that base (see smoke_test.py).
| Method | Path | Purpose |
|---|---|---|
GET |
/health |
Liveness |
GET |
/ready |
Readiness |
GET |
/metrics |
Expvar metrics |
GET |
/mcp1/sse |
Filesystem MCP (via proxy) |
GET |
/mcp2/sse |
Git MCP |
GET |
/mcp3/sse |
HTTP MCP |
After make setup, you can probe the first exposed base URL (see instance_info.json):
BASE="$(python -c "import json; print(json.load(open('instance_info.json'))['urls']['mcp1'])")"
curl -fsS -H "Authorization: Bearer $MORPH_API_KEY" "$BASE/health"
curl -fsS -H "Authorization: Bearer $MORPH_API_KEY" "$BASE/ready"SSE endpoints may keep the connection open; interrupt with Ctrl+C when you are done.
- Edge: Morph
auth_mode="api_key"on exposed HTTP services. - Sidecar (optional): bearer checks via
auth.*in sidecar/config.yaml. - Authorization:
defaultrole, epochs, tools, andcallpermission in sidecar/policy.yaml. - Audit: JSONL on the VM at
/opt/sidecar/permits.jsonl; bearer material is never written verbatim.
Config path: set SIDECAR_CONFIG (for example /opt/sidecar/config.yaml on the VM), otherwise ./config.yaml from the process working directory.
The sidecar exits on invalid config or policy instead of running in an undefined state. Examples include missing policy.file, bad durations, bad upstream URLs, invalid RFC3339 epoch expiry, a missing default role, or epoch names that do not exist.
If policy.reload_interval is set, policy is reloaded on that schedule without restarting the process.
make ciRuns Ruff, mypy on selected modules, pytest, and go test under sidecar/. Optional race detection (toolchain-dependent):
make racemake status
make logs
make epoch-rotate
make cleanmake logs uses your saved instance id and Morph credentials to print recent sidecar and permit log tails.
| Component | Version |
|---|---|
| Python | 3.9+ (CI uses 3.11) |
| Go | 1.21+ (sidecar/) |
| Node.js | 18+ (npx, client configs) |
| Morph | Account with MORPH_API_KEY for provision and integration tests |
On Windows, use Git Bash, WSL, or another environment that provides make and a POSIX shell, or invoke the same Python entrypoints as in the Makefile.
| Symptom | What to try |
|---|---|
| Setup or tests say API key missing | export MORPH_API_KEY=... and retry |
| Go build or test failures | cd sidecar && go test ./... |
| Odd runtime behavior | make logs, then re-read sidecar/config.yaml and sidecar/policy.yaml |
make not available |
Install a Make implementation or run the commands from the Makefile manually |
See CONTRIBUTING.md.
Released under the MIT License. See LICENSE.