-
Notifications
You must be signed in to change notification settings - Fork 21
Expand file tree
/
Copy path.env.example
More file actions
178 lines (146 loc) · 7.89 KB
/
Copy path.env.example
File metadata and controls
178 lines (146 loc) · 7.89 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
# Redmine MCP Configuration
# Copy this file to .env and update the values
# Authentication Options:
# Option 1: Username and Password (traditional)
REDMINE_URL=https://your-redmine-server.com
REDMINE_USERNAME=your_username
REDMINE_PASSWORD=your_password
# Optional: publicly-reachable Redmine URL used to rewrite attachment
# `content_url` values returned to MCP clients. When REDMINE_URL is the
# internal container hostname (e.g. http://redmine:3000), Redmine echoes
# that same hostname back in attachment URLs, which is unreachable from
# clients on the host or the open internet. Set this to the external
# hostname your users actually use to browse Redmine. If unset, the
# raw internal URL is returned and callers must use
# `get_redmine_attachment` for a sandbox-safe download URL via the MCP
# server's proxy.
# REDMINE_PUBLIC_URL=https://redmine.example.com
# Option 2: API Key (alternative to username/password)
# Uncomment and set this if you want to use API key authentication instead
# REDMINE_API_KEY=your_api_key
# Authentication mode: "oauth", "oauth-proxy", or "legacy" (default: legacy)
# - legacy: uses REDMINE_API_KEY or REDMINE_USERNAME/REDMINE_PASSWORD below
# - oauth: validates per-request Bearer tokens against Redmine; requires REDMINE_MCP_BASE_URL
# - oauth-proxy: FastMCP handles DCR/CIMD for MCP clients and uses Redmine as the upstream OAuth provider
REDMINE_AUTH_MODE=legacy
# OAuth2 configuration (required when REDMINE_AUTH_MODE=oauth or oauth-proxy)
# Public base URL of this MCP server (no trailing slash)
# e.g. https://redmine.mcp.example.com or http://localhost:3040
REDMINE_MCP_BASE_URL=http://localhost:3040
# Optional FastMCP streamable HTTP path inside REDMINE_MCP_BASE_URL (default /mcp).
# FASTMCP_STREAMABLE_HTTP_PATH=/mcp
# Doorkeeper introspection client credentials (required when REDMINE_AUTH_MODE=oauth or oauth-proxy).
# Register a confidential OAuth app in Redmine.
# See docs/oauth-setup.md Step 2 for the full walkthrough.
REDMINE_INTROSPECT_CLIENT_ID=
REDMINE_INTROSPECT_CLIENT_SECRET=
# REDMINE_INTROSPECT_CLIENT_SECRET_FILE=/run/secrets/redmine_introspect_client_secret
# OAuthProxy signing key (required when REDMINE_AUTH_MODE=oauth-proxy).
# Use a stable secret value; changing it invalidates FastMCP proxy tokens/storage.
REDMINE_MCP_JWT_SIGNING_KEY=
# REDMINE_MCP_JWT_SIGNING_KEY_FILE=/run/secrets/redmine_mcp_jwt_signing_key
# Optional FastMCP data directory. OAuthProxy stores encrypted client
# registrations, transactions, and upstream tokens below FASTMCP_HOME/oauth-proxy/.
# This store is node-local, so oauth-proxy mode is single-replica / sticky-session
# unless you wire OAuthProxy to a shared client_storage backend.
# FASTMCP_HOME=/app/data/fastmcp
# Optional allowlist of client redirect-URI glob patterns for oauth-proxy.
# Unset = loopback only (http://localhost:* and http://127.0.0.1:*), which suits
# local MCP clients. Set "*" to allow any redirect URI (DCR-permissive), or list
# comma/space separated patterns for hosted clients, e.g. https://app.example.com/*
# REDMINE_MCP_ALLOWED_CLIENT_REDIRECT_URIS=
# Optional separate upstream Redmine OAuth client for oauth-proxy.
# If unset, the introspection client credentials above are reused.
# REDMINE_OAUTH_CLIENT_ID=
# REDMINE_OAUTH_CLIENT_SECRET=
# REDMINE_OAUTH_CLIENT_SECRET_FILE=/run/secrets/redmine_oauth_client_secret
# Optional: cache TTL (seconds) for the /health introspection probe (default 30).
# HEALTH_INTROSPECTION_TTL_SECONDS=30
# Server configuration
SERVER_HOST=0.0.0.0
SERVER_PORT=8000
# Public URL configuration for file serving
# External hostname/IP for generated download URLs
PUBLIC_HOST=localhost
PUBLIC_PORT=8000
# File Management (Optional)
# Directory where downloaded attachments are stored
ATTACHMENTS_DIR=./attachments
# Maximum size for a single attachment download via get_redmine_attachment
# (in bytes; default 200 MB). Exceeding the cap aborts the download
# mid-stream and deletes the partial file. Affects only the attachment
# download path; uploads have their own 50 MiB cap in upload_file.
# ATTACHMENT_MAX_DOWNLOAD_BYTES=209715200
# Automatic cleanup configuration
AUTO_CLEANUP_ENABLED=true
CLEANUP_INTERVAL_MINUTES=10
# Default expiry time for downloaded attachments (in minutes)
ATTACHMENT_EXPIRES_MINUTES=60
# OS path separator (os.pathsep) separated extra directories allowed as `file_path` upload
# sources for create/update issue and upload_file. ATTACHMENTS_DIR is always
# allowed. Leave unset to restrict uploads to ATTACHMENTS_DIR only.
REDMINE_MCP_UPLOAD_FILE_ROOTS=
# Read-only mode (optional)
# When enabled, write operations (create/update/delete) are blocked
# REDMINE_MCP_READ_ONLY=false
# Expose operator/admin tools on the MCP surface (optional)
# Default: false. Currently gates cleanup_attachment_files -- the
# background cleanup task runs regardless of this flag, so an LLM
# agent rarely needs the tool exposed. Operators driving cleanup
# through the MCP surface set this to true to opt in.
# REDMINE_MCP_EXPOSE_ADMIN_TOOLS=false
# RedmineUP Agile plugin support (optional)
# Set to true to include story_points, agile_sprint_id, agile_position in
# get_redmine_issue responses and allow story_points in update_redmine_issue.
# Requires the RedmineUP Agile plugin installed and the 'agile' module enabled
# per project (Project Settings → Modules → Agile).
# REDMINE_AGILE_ENABLED=false
# RedmineUP Checklists plugin support (optional)
# Set to true to enable the get_checklist and update_checklist_item tools.
# Requires the RedmineUP Checklists Pro plugin installed on your Redmine
# instance.
# REDMINE_CHECKLISTS_ENABLED=false
# RedmineUP Products plugin support (optional)
# Set to true to enable the manage_product tool (action=list/get/create/update).
# Requires the RedmineUP Products plugin installed on your Redmine instance.
# REDMINE_PRODUCTS_ENABLED=false
# RedmineUP CRM (Contacts) plugin support (optional)
# Set to true to enable the manage_contact tool
# (action=list/get/create/update/delete/assign_to_project/remove_from_project).
# Requires the RedmineUP CRM plugin installed on your Redmine instance.
# REDMINE_CRM_ENABLED=false
# DMSF (Document Management) plugin support (optional)
# Set to true to enable the manage_document tool
# (action=list/get/create/update). Requires the `redmine_dmsf` plugin
# (GPL v2, https://github.com/danmunn/redmine_dmsf) installed on your
# Redmine server. DMSF replaces Redmine's built-in (web-UI-only)
# Documents module; existing native documents must be migrated with
# `rake redmine:dmsf_convert_documents` on the server.
# REDMINE_DMSF_ENABLED=false
# Required custom field autofill (optional)
# Retries once on relevant create/update validation errors (blank/invalid custom fields)
# REDMINE_AUTOFILL_REQUIRED_CUSTOM_FIELDS=false
# REDMINE_REQUIRED_CUSTOM_FIELD_DEFAULTS={}
# --- legacy-per-user auth (advanced; Redmine too old for OAuth) ---
# Each user's MCP client sends its own Redmine API key in an
# X-Redmine-API-Key header. The server cannot verify TLS itself, so you MUST
# attest that it sits behind a TLS-terminating proxy and that the proxy does
# not forward client X-Forwarded-Proto. Firewall the app port. Prefer
# dedicated limited-permission Redmine accounts. Revoke a user by
# regenerating their API key in Redmine.
# REDMINE_AUTH_MODE=legacy-per-user
# REDMINE_PER_USER_TRUST_PROXY=true
# REDMINE_PER_USER_AUDIT_IDENTITY=false
# SSL Certificate Configuration (Optional)
# Enable/disable SSL certificate verification (default: true)
# WARNING: Only set to false for development/testing environments!
REDMINE_SSL_VERIFY=true
# Path to custom CA certificate file for self-signed certificates
# Supports .pem, .crt, .cer formats
# Example: REDMINE_SSL_CERT=/path/to/ca-bundle.crt
# REDMINE_SSL_CERT=
# Client certificate for mutual TLS authentication
# Single file: REDMINE_SSL_CLIENT_CERT=/path/to/client.pem
# Separate cert and key: REDMINE_SSL_CLIENT_CERT=/path/to/cert.pem,/path/to/key.pem
# Note: Private keys must be unencrypted
# REDMINE_SSL_CLIENT_CERT=