Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 15 additions & 1 deletion config/mcpproxy.seed.json
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,20 @@
"skip_quarantine": true,
"enabled": true
},
{
"name": "websets",
"protocol": "stdio",
"command": "sh",
"args": [
"-lc",
"exec npx -y mcp-remote \"https://websetsmcp.exa.ai/mcp?exaApiKey=${EXA_API_KEY}\""
],
"env": {
"EXA_API_KEY": "${env:EXA_API_KEY}"
},
"skip_quarantine": true,
"enabled": true
},
{
"name": "fastmail",
"url": "https://api.fastmail.com/mcp",
Expand All @@ -39,4 +53,4 @@
"enabled": true
}
]
}
}
21 changes: 12 additions & 9 deletions docs/2026-06-02-mcpproxy-gateway/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,9 @@ MCPProxy is the shared gateway for standards-compliant stdio, HTTP, SSE, and Str
servers. MCP-capable hosts connect to one downstream endpoint while MCPProxy manages upstream OAuth
credentials separately. Models do not connect to MCP directly; their host application does.

Fastmail and Exa are the initial upstreams imported from existing client configs. Client wiring is
deliberately deferred until the gateway passes its local and private-HTTPS smoke tests.
Fastmail, Exa search, and Exa Websets are the initial upstreams imported from existing client
configs and Exa's hosted Websets MCP setup. Client wiring is deliberately deferred until the gateway
passes its local and private-HTTPS smoke tests.

## Network and authentication

Expand All @@ -22,8 +23,8 @@ Authentication has two separate boundaries:

- `MCPPROXY_API_KEY` is the administrative secret rendered from
`op://clankers/mcpproxy-admin/password`.
- `EXA_API_KEY` is rendered from `op://clankers/exa/password` and used only by the Exa stdio
upstream process.
- `EXA_API_KEY` is rendered from `op://clankers/exa/password` and used only by the Exa search and
Websets upstream processes.
- MCP clients use a scoped agent token generated by MCPProxy and stored at
`op://clankers/mcpproxy-agents/password`.
- Fastmail receives only MCPProxy's OAuth access token. Downstream bearer tokens are never passed
Expand Down Expand Up @@ -75,11 +76,13 @@ downstream token state together.

1. Confirm an unauthenticated MCP request returns `401`.
2. Complete Fastmail OAuth and verify `just mcpproxy-auth-status`.
3. Confirm Exa tools are discovered after `npx` installs `exa-mcp-server@3.2.1`.
4. Generate and store the scoped agent token.
5. Run authenticated `initialize` and `tools/list` requests through local and private HTTPS routes.
6. Call a harmless Fastmail read tool, restart `mcpproxy`, and repeat the read call.
7. Confirm `/ui/` and `/api/v1/status` return `404` through Caddy and port `3130` is absent from the
3. Confirm Exa search tools are discovered after `npx` installs `exa-mcp-server@3.2.1`.
4. Confirm Exa Websets tools are discovered after `npx` installs `mcp-remote` and connects to
Exa's hosted Websets endpoint with the key supplied from `EXA_API_KEY` at runtime.
5. Generate and store the scoped agent token.
6. Run authenticated `initialize` and `tools/list` requests through local and private HTTPS routes.
7. Call a harmless Fastmail read tool, restart `mcpproxy`, and repeat the read call.
8. Confirm `/ui/` and `/api/v1/status` return `404` through Caddy and port `3130` is absent from the
LAN interface.

The previous LiteLLM Fastmail experiment stays isolated on its existing POC branch. Remove the
Expand Down
2 changes: 2 additions & 0 deletions docs/CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -31,6 +31,8 @@ Recipes: `just oc-build` / `oc-up` / `oc-logs` / `ab-logs`. Caddy routes:
`openclaw.dev.ankitson.com` → gateway, `agentbrowser.dev.ankitson.com` → noVNC. See [`NOTES.md`](NOTES.md).

## MCPProxy gateway (2026-06-02)
- Added the Exa Websets MCP upstream as `websets`, using Exa's hosted Websets endpoint via
`mcp-remote` and the existing `EXA_API_KEY` secret injection.
- Added the Exa stdio MCP server from live Claude/Pi client configs to the
MCPProxy upstream seed, using `EXA_API_KEY` from 1Password.
- Added a host-networked `mcpproxy` service backed by the shared `ankit/mcpproxy:0.35.0` image.
Expand Down
10 changes: 10 additions & 0 deletions docs/NOTES.md
Original file line number Diff line number Diff line change
Expand Up @@ -73,3 +73,13 @@ contract, and pending work. Full detail:
- **Rollout**: complete Fastmail authorization in a browser running on the devserver host, generate
the shared downstream agent token, store it in 1Password, then smoke-test before wiring clients.
See [`docs/2026-06-02-mcpproxy-gateway/README.md`](2026-06-02-mcpproxy-gateway/README.md).

## 2026-06-04 - Exa Websets MCP upstream
- **Goal**: add Exa Websets to the shared MCPProxy gateway alongside the existing Exa search
upstream.
- **Decision**: use Exa's hosted Websets MCP endpoint through `npx -y mcp-remote` and expand
`EXA_API_KEY` from the process environment at runtime, so the seed config never stores a literal
key.
- **Live config**: because `config/mcpproxy.seed.json` is seed-only after first boot, add or update
the live `websets` upstream in `/data/mcp_config.json` with the MCPProxy CLI when deploying this
change to an already-initialized volume.