Configuration

Everything has a safe default; all configuration is via environment variables.

Registry behavior

| Variable | Default | Purpose |
| --- | --- | --- |
| REGISTRY_TIMEOUT_MS | 15000 | Per-request timeout (ms) for every registry HTTP call. |
| REGISTRY_CACHE_TTL_MS | 300000 | TTL (ms) for cached registry lookups. Set 0 to disable caching. |
| GITHUB_TOKEN | (unset) | Optional. Raises GitHub API rate limits for the github and ghcr registries. Never required. |

The server also keeps a per-registry circuit breaker (a registry that is actually down fails fast instead of timing out on every call) and retries with exponential backoff on transient failures. A 4xx / not-found is treated as a healthy response and does not trip the breaker.
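The breaker-plus-retry behaviour described above, as an added example that is not the project's own code. It keeps the documented 15000 ms default for REGISTRY_TIMEOUT_MS; the failure threshold, reset window, retry count and base delay are assumed values the page does not state, and the `fn(signal)` callback shape is an assumption standing in for whatever the server uses to call a registry. The point to notice is in `registryCall`: a 4xx response resets the failure count instead of adding to it, so a flood of lookups for packages that simply do not exist cannot trip the breaker.

```javascript
// Added example (not the project's own code): a per-registry circuit breaker
// with a per-call timeout and exponential-backoff retries. Only the 15000 ms
// timeout default comes from the page; the other numbers are assumptions.

const DEFAULT_TIMEOUT_MS = Number(process.env.REGISTRY_TIMEOUT_MS ?? 15000);

class RegistryBreaker {
  constructor({ failureThreshold = 3, resetMs = 30000, now = Date.now } = {}) {
    this.failureThreshold = failureThreshold; // assumed: 3 consecutive failures open it
    this.resetMs = resetMs;                   // assumed: 30 s before a probe is allowed
    this.now = now;                           // injectable clock, handy for tests
    this.failures = 0;
    this.openedAt = null;                     // timestamp when tripped, null while closed
  }

  // Open means "fail fast". After resetMs the breaker goes half-open and lets a
  // single probe through; one more failure re-opens it immediately.
  isOpen() {
    if (this.openedAt === null) return false;
    if (this.now() - this.openedAt < this.resetMs) return true;
    this.openedAt = null;
    this.failures = this.failureThreshold - 1;
    return false;
  }

  recordSuccess() { this.failures = 0; this.openedAt = null; }

  recordFailure() {
    this.failures += 1;
    if (this.failures >= this.failureThreshold) this.openedAt = this.now();
  }
}

// Only transport errors, timeouts and 5xx mean "the registry is unhealthy".
function isTransient(err) {
  return err.name === 'AbortError'
    || ['ECONNRESET', 'ECONNREFUSED', 'ETIMEDOUT', 'EAI_AGAIN'].includes(err.code)
    || (typeof err.status === 'number' && err.status >= 500);
}

// Runs fn(signal) and aborts it once timeoutMs has elapsed.
async function withTimeout(fn, timeoutMs) {
  const ctrl = new AbortController();
  const timer = setTimeout(() => ctrl.abort(), timeoutMs);
  try { return await fn(ctrl.signal); } finally { clearTimeout(timer); }
}

// fn(signal) resolves to an object with a numeric `status` (a fetch Response fits).
async function registryCall(breaker, fn, {
  timeoutMs = DEFAULT_TIMEOUT_MS, retries = 3, baseDelayMs = 200,
  sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms)),
} = {}) {
  if (breaker.isOpen()) {
    const e = new Error('registry circuit open; failing fast');
    e.code = 'ECIRCUITOPEN';
    throw e;
  }
  let lastErr;
  for (let attempt = 0; attempt <= retries; attempt++) {
    try {
      const res = await withTimeout(fn, timeoutMs);
      if (res.status >= 500) {
        const e = new Error(`registry returned HTTP ${res.status}`);
        e.status = res.status;
        throw e;
      }
      // Any non-5xx answer, including 404 for an unknown package, proves the
      // registry is up: it resets the failure count rather than adding to it.
      breaker.recordSuccess();
      return res;
    } catch (err) {
      if (!isTransient(err)) throw err;          // programming errors are not retried
      lastErr = err;
      breaker.recordFailure();
      if (breaker.isOpen() || attempt === retries) break;
      await sleep(baseDelayMs * 2 ** attempt);   // 200, 400, 800 ms, ...
    }
  }
  throw lastErr;
}
```

Once the breaker is open, callers get ECIRCUITOPEN immediately instead of waiting out the 15 s timeout and three retries per lookup, which is what keeps one dead registry from stalling every tool call that touches it.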

HTTP transport (node build/index.js http)

| Variable | Default | Purpose |
| --- | --- | --- |
| PORT | 3000 | Listen port. |
| HOST | 0.0.0.0 | Bind address. |
| ALLOWED_ORIGINS | (open) | Comma-separated CORS allow-list. When unset, all origins are reflected; set it to lock the server down. |
| MAX_SESSIONS | 1000 | Cap on concurrent sessions, to bound memory. |
| TRUST_PROXY | (unset) | Set (e.g. 1) behind a reverse proxy so rate limiting keys on the real client IP. |

The HTTP server adds helmet security headers and rate limiting (100 requests / 15 min / IP) on /mcp, plus /health and /ready endpoints.
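How the HTTP-transport settings above translate into the two decisions that matter for exposure, as an added example that is not the project's own code: the CORS answer (reflect everything when ALLOWED_ORIGINS is unset, otherwise only the listed origins) and the key the 100-requests-per-15-minutes limiter counts on (X-Forwarded-For is honoured only when TRUST_PROXY is set). The function names, the fixed-window limiter and the "exactly one trusted proxy" reading of TRUST_PROXY=1 are assumptions; the defaults and limits are the page's.

```javascript
// Added example, not the project's own code: resolve the HTTP-transport
// settings with their safe defaults and show the security-relevant decisions
// that hang off them. Function names and the limiter design are assumed.

function loadHttpConfig(env = process.env) {
  const origins = (env.ALLOWED_ORIGINS ?? '')
    .split(',').map((s) => s.trim()).filter(Boolean);
  const maxSessions = Number(env.MAX_SESSIONS ?? 1000);
  return {
    port: Number(env.PORT ?? 3000),
    host: env.HOST ?? '0.0.0.0',
    // null means "open": every Origin is reflected back.
    allowedOrigins: origins.length ? new Set(origins) : null,
    maxSessions: Number.isInteger(maxSessions) && maxSessions > 0 ? maxSessions : 1000,
    // TRUST_PROXY is a presence flag on the page; treat '' and '0' as unset.
    trustProxy: !['', '0', undefined].includes(env.TRUST_PROXY),
  };
}

// Value for Access-Control-Allow-Origin, or null to send no header. With no
// allow-list the request's own Origin is reflected, which is why the page says
// to set ALLOWED_ORIGINS on anything a browser can reach.
function corsOrigin(config, requestOrigin) {
  if (!requestOrigin) return null;
  if (config.allowedOrigins === null) return requestOrigin;
  return config.allowedOrigins.has(requestOrigin) ? requestOrigin : null;
}

// Key the rate limiter counts on. X-Forwarded-For is honoured only when
// TRUST_PROXY is set; otherwise any client could forge the header and mint
// itself a fresh bucket per request. With exactly one trusted proxy in front
// (assumed for TRUST_PROXY=1), the rightmost entry is the one that proxy appended.
function rateLimitKey(config, { remoteAddress, headers = {} }) {
  if (config.trustProxy) {
    const xff = headers['x-forwarded-for'];
    if (xff) {
      const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
      if (hops.length) return hops[hops.length - 1];
    }
  }
  return remoteAddress;
}

// Fixed-window counter: `limit` requests per `windowMs` per key
// (100 per 15 min on the page). A bucket is reset when its window expires.
class FixedWindowLimiter {
  constructor({ limit = 100, windowMs = 15 * 60 * 1000, now = Date.now } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;                 // injectable clock for tests
    this.buckets = new Map();       // key -> { windowStart, count }
  }

  // true if the request may proceed, false if the key is over its limit.
  allow(key) {
    const t = this.now();
    let bucket = this.buckets.get(key);
    if (!bucket || t - bucket.windowStart >= this.windowMs) {
      bucket = { windowStart: t, count: 0 };
      this.buckets.set(key, bucket);
    }
    if (bucket.count >= this.limit) return false;
    bucket.count += 1;
    return true;
  }
}
```

Two consequences fall out of this: with TRUST_PROXY unset behind a reverse proxy every client shares the proxy's address and one bucket, so the limit bites far too early; with TRUST_PROXY set on a server that is directly reachable, the header is attacker-controlled and the limit can be sidestepped. Set it only when a proxy you control is the thing connecting to the server.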

apply_upgrades safety

The only tool that writes to disk, apply_upgrades, defaults to dry_run: true and create_backup: true. When it does write, each modified file is backed up to .dependency-backups/ first, and all edits to a file roll back automatically if an error occurs. Writing is an explicit opt-in via dry_run: false.