Commit graph

15 commits

Author SHA1 Message Date
2a88b528d4 security: protect ingest endpoint with shared secret
Ingest API now requires X-Ingest-Key header matching INGEST_SECRET
from credentials. IP-based check was insufficient since NPM proxies
all external traffic from the same internal IP.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 11:47:22 +00:00
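Added example, not code from this repository: the two checks described in this commit and the earlier "restrict /api/ingest to internal IPs only" commit, written as plain functions so the difference can be exercised offline. Function names, the `INGEST_SECRET` value and the prefix widths (`10.5.0.x` read as /24, `100.79.x` as /16) are assumptions for illustration.

```python
import hmac
import ipaddress
from typing import Mapping

# Constructed placeholder; the deployment loads INGEST_SECRET from credentials.
INGEST_SECRET = "example-ingest-secret-not-real"

# Allow-list from the earlier IP-based check: localhost, LAN 10.5.0.x, NetBird 100.79.x
# (prefix widths are assumed for this example).
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.5.0.0/24", "100.79.0.0/16")
]


def _lower(headers: Mapping[str, str]) -> dict:
    """Case-insensitive header lookup helper."""
    return {k.lower(): v for k, v in headers.items()}


def client_ip(remote_addr: str, headers: Mapping[str, str]) -> str:
    """Client IP as the old check derived it: first X-Forwarded-For hop,
    then X-Real-IP, else the TCP peer address."""
    h = _lower(headers)
    xff = h.get("x-forwarded-for")
    if xff:
        return xff.split(",")[0].strip()
    return h.get("x-real-ip") or remote_addr


def ip_allowed(remote_addr: str, headers: Mapping[str, str]) -> bool:
    """Old check. When the proxy (NPM) itself sits on the LAN and forwards
    external traffic, the peer address is internal, so a request that arrives
    without a forwarding header is accepted as if it were local."""
    try:
        addr = ipaddress.ip_address(client_ip(remote_addr, headers))
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETWORKS)


def key_allowed(headers: Mapping[str, str], secret: str = INGEST_SECRET) -> bool:
    """Replacement check: X-Ingest-Key must equal the shared secret.
    A missing header fails closed; comparison is constant-time so the
    response timing does not leak how many leading bytes matched."""
    presented = _lower(headers).get("x-ingest-key")
    if presented is None:
        return False
    return hmac.compare_digest(presented.encode(), secret.encode())
```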
d60b0208db fix: use internal Forgejo URL for token exchange and verification
Public git.georgsen.dk unreachable from LAN due to hairpin NAT.
Authorization endpoint stays public (browser redirect), but
token exchange and token verification use internal 10.5.0.14:3000.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 11:44:39 +00:00
5d08e15b0f security: replace open OAuth with Forgejo-backed authentication
Uses FastMCP OAuthProxy to proxy OAuth to Forgejo (git.georgsen.dk).
Only users who can authenticate with Forgejo get MCP access.
DCR is still used for client registration, but authorization
requires Forgejo login.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 11:42:31 +00:00
50c3b116f7 security: restrict /api/ingest to internal IPs only
Checks X-Forwarded-For/X-Real-IP from NPM proxy to get real client IP.
Only allows localhost, LAN (10.5.0.x), and NetBird (100.79.x) prefixes.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 11:35:53 +00:00
1dff4630fe fix: use FastMCP's InMemoryOAuthProvider instead of custom implementation
Replaced hand-rolled OAuth with FastMCP's battle-tested
InMemoryOAuthProvider. Handles DCR, PKCE, token exchange,
refresh tokens, and revocation out of the box.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 11:32:01 +00:00
1296310adb fix: implement authorize() to auto-approve and redirect with code
Parent's authorize() is abstract and returned None, causing /None redirect.
Override creates auth code and redirects to callback immediately.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 11:29:13 +00:00
5086716387 feat: implement concrete OAuth provider with in-memory storage
OAuthProvider is abstract — subclassed as HomelabOAuth with full
implementation of register_client, get_client, create/exchange
authorization codes, token issuance, PKCE verification, and
refresh token rotation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 11:22:20 +00:00
a71595b9d8 feat: replace custom OAuth with FastMCP built-in OAuthProvider
FastMCP's OAuthProvider handles the full OAuth flow including DCR
(Dynamic Client Registration), authorization code + PKCE, token
issuance, and refresh tokens. No more custom auth code.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 11:18:16 +00:00
a21dd3ebbb fix: add protected resource metadata + GET /token for Claude Desktop
Claude Desktop needs:
- /.well-known/oauth-protected-resource (RFC 9728)
- GET method on /token endpoint (sends params via query string)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 10:46:18 +00:00
15e3582787 feat: switch OAuth to authorization code + PKCE flow
Claude Desktop uses authorization code flow, not client credentials.
Added /authorize endpoint that auto-approves (single-user setup) and
redirects with code. Token endpoint now supports both grant types.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 10:44:05 +00:00
205b978b89 feat: add OAuth client credentials auth to MCP server
- OAuth 2.0 discovery at /.well-known/oauth-authorization-server
- Token endpoint at /token (client_credentials grant)
- Bearer token middleware on /mcp (all MCP requests require auth)
- Health, ingest, and OAuth endpoints remain public
- Tokens expire after 1 hour, stored hashed in memory

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 09:45:04 +00:00
494bb510d3 feat: add ingest API + health endpoint, fix bot-to-bot logging
Telegram bots can't see messages from other bots in groups. Added:
- POST /api/ingest - local services log messages into bridge DB
- GET /api/health - status check endpoint
- Fixed post_init not running (manual init lifecycle)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 08:39:44 +00:00
1cb16e6e8f feat: MCP bridge - Telegram group logger + FastMCP HTTP server
Single-process Python app that:
- Runs a Telegram bot in a group chat, logging all messages/files to libsql
- Exposes send_message, pull_updates, queue_status MCP tools over HTTP
- Downloads and stores file attachments with Telegram file_id + local path
- Accessible via NetBird mesh at mgmt.mg:8321 (no auth needed)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 23:56:05 +00:00
c339980411 Initial spec
2026-03-29 23:32:03 +00:00
257bb36782 Initial commit
2026-03-29 23:29:51 +00:00