Production Go runtime for OAuth 2.0 + PKCE and MCP proxying. The Go service is authoritative in production.
go build -o bin/mcp-runtime ./cmd/mcp-runtime
go test ./...
systemctl status mcp-runtime --no-pager
- OAuth 2.0 Authorization Code + PKCE
- Dynamic Client Registration
- Authenticated MCP reverse proxy
- SQLite WAL token storage
- Structured audit logging
- /healthz, /readyz, and loopback metrics
See docs/ARCHITECTURE.md for the package map, OAuth flow, storage model, security model, and historical context.
Highlights:
- mandatory PKCE
- redirect URI validation
- hashed token storage
- trusted-proxy enforcement
- fail-closed persistence and audit paths
- backend TLS validation
The canonical configuration prefix is HUGO_*.
Common settings:
- LISTEN_HOST=127.0.0.1
- LISTEN_PORT=8086
- HUGO_MCP_URL
- HUGO_HOST
- HUGO_TOKEN
- PROXY_BASE_URL
- CLIENT_ID
- CLIENT_SECRET
- USE_SQLITE=true
- TOKENS_DB=/var/lib/mcp-runtime-go/tokens.db
- AUDIT_LOG_FILE=/var/log/mcp-runtime-go/audit.jsonl
Legacy GRAV_* variables remain compatibility fallbacks only.
See docs/OPERATIONS.md for installation, systemd, OpenResty / CrowdSec notes, health checks, metrics, logs, logrotate, backup, rollback, and SQLite migration.
Release validation is enforced by the CI workflow and documented in:
The gate includes:
- go test ./...
- go test -race ./...
- go vet ./...
- govulncheck ./...
- gitleaks detect
- gitleaks git
- trufflehog git file://.
- Linux amd64 and arm64 builds with CGO_ENABLED=0
See docs/ROADMAP.md for current status, remaining debt, and next steps.
- Production stable since v1.3.0
- SQLite WAL active in production
- Claude.ai validated end-to-end
- Shadow mode retired
Historical reports, audits, and migration notes live under docs/archive/.
MIT