|
| 1 | +# Deploying the ATS backend |
| 2 | + |
| 3 | +The [`render.yaml`](../render.yaml) blueprint at the repo root deploys the whole |
| 4 | +ATS backend with one click (see the [Deploy it yourself](../README.md#deploy-it-yourself) |
| 5 | +section of the main README). This guide explains what gets created, how the |
| 6 | +security works, how to connect your agent, and how to run the same pieces on |
| 7 | +your own machine instead. |
| 8 | + |
| 9 | +## What the blueprint creates |
| 10 | + |
| 11 | +| Service | Type | Public? | What it is | |
| 12 | +| --- | --- | --- | --- | |
| 13 | +| `ats-qdrant` | private | no | **Search memory** — a [Qdrant](https://qdrant.tech) vector database holding task embeddings. | |
| 14 | +| `ats-ollama` | private | no | **Embedding engine** — [Ollama](https://ollama.com) serving `nomic-embed-text` (768-dim). Turns text into vectors for the search memory. | |
| 15 | +| `ats-mcp` | web | **yes, token-gated** | **MCP server** — the door your AI agent connects to. Speaks MCP over HTTP + SSE. | |
| 16 | +| `ats-operator-backend` | web | yes | **Operator deck backend** — the swipe-to-approve card UI's backend. Demo mode by default. | |
| 17 | + |
| 18 | +The search memory and embedding engine are **private services**: they have no |
| 19 | +public address and can only be reached by your other services over Render's |
| 20 | +internal network. The only thing exposed to the internet is the MCP server, and |
| 21 | +that is locked behind a bearer token. |
| 22 | + |
| 23 | +``` |
| 24 | + your AI agent |
| 25 | + │ Authorization: Bearer <ATS_MCP_TOKEN> |
| 26 | + ▼ |
| 27 | + ats-mcp (public) ──► auth gateway ──► mcp-proxy ──► ATS stdio server |
| 28 | + │ │ |
| 29 | + │ private network │ |
| 30 | + ├────────────────────────────► ats-qdrant (private, vectors) |
| 31 | + └────────────────────────────► ats-ollama (private, embeddings) |
| 32 | +``` |
| 33 | + |
| 34 | +## How "safely" works |
| 35 | + |
| 36 | +A Render web service exposes exactly one public port. For `ats-mcp` that port is |
| 37 | +a small **bearer-token gateway** ([`deploy/mcp/auth-gateway.mjs`](mcp/auth-gateway.mjs)): |
| 38 | + |
| 39 | +- Every request must carry `Authorization: Bearer <ATS_MCP_TOKEN>`. Without it |
| 40 | + the gateway returns `401` and never touches the MCP server. |
| 41 | +- `ATS_MCP_TOKEN` is **auto-generated** by Render (`generateValue: true`), so each |
| 42 | + deploy gets a strong, unique secret. You read it from the dashboard; it is |
| 43 | + never committed to the repo. |
| 44 | +- The only unauthenticated route is `GET /healthz`, which returns a static `ok` |
| 45 | + and proxies nothing. |
| 46 | +- Inside the container, `mcp-proxy` bridges the stdio MCP server to HTTP (`/mcp`, |
| 47 | + streamable) and SSE (`/sse`) on localhost only — it is never publicly bound. |
| 48 | + |
| 49 | +## Connect your agent |
| 50 | + |
| 51 | +Point your MCP client at `https://<your-mcp-url>/mcp` and send the bearer token. |
| 52 | + |
| 53 | +**Claude Code / Desktop** (`~/.claude.json` or the desktop config), as a remote |
| 54 | +MCP server: |
| 55 | + |
| 56 | +```jsonc |
| 57 | +{ |
| 58 | + "mcpServers": { |
| 59 | + "ats": { |
| 60 | + "type": "http", |
| 61 | + "url": "https://ats-mcp.onrender.com/mcp", |
| 62 | + "headers": { "Authorization": "Bearer YOUR_ATS_MCP_TOKEN" } |
| 63 | + } |
| 64 | + } |
| 65 | +} |
| 66 | +``` |
| 67 | + |
| 68 | +Quick liveness check (no token needed): |
| 69 | + |
| 70 | +```bash |
| 71 | +curl https://ats-mcp.onrender.com/healthz # -> {"ok":true,"service":"ats-mcp"} |
| 72 | +``` |
| 73 | + |
| 74 | +## Environment variables (`ats-mcp`) |
| 75 | + |
| 76 | +| Variable | Set by | Purpose | |
| 77 | +| --- | --- | --- | |
| 78 | +| `ATS_MCP_TOKEN` | Render (generated) | The bearer token your agent must send. | |
| 79 | +| `ATS_ADAPTER` | blueprint | Which task system to expose (default `@reneza/ats-adapter-ticktick`). | |
| 80 | +| `QDRANT_HOST` / `OLLAMA_HOST` | `fromService` | Private hostnames of the two backend services; the entrypoint composes `QDRANT_URL` / `OLLAMA_URL` from them. | |
| 81 | +| `TICKTICK_ACCESS_TOKEN` | you (optional) | Your task-system token. Paste it to make the server read your real tasks. | |
| 82 | +| `TICKTICK_CLIENT_ID` / `TICKTICK_CLIENT_SECRET` | you (optional) | Only needed if you want the token to auto-refresh. A long-lived Open API token does not. | |
| 83 | + |
| 84 | +Without a token the server still boots and `tools/list` works; tools that need |
| 85 | +credentials simply error until you add one. |
| 86 | + |
| 87 | +## Run it on your own machine instead |
| 88 | + |
| 89 | +The services are plain containers — the same images, no Render required: |
| 90 | + |
| 91 | +```bash |
| 92 | +# 1) Search memory + embedding engine |
| 93 | +docker run -d --name qdrant -p 6333:6333 -v qdrant_storage:/qdrant/storage qdrant/qdrant |
| 94 | +docker run -d --name ollama -p 11434:11434 -v ollama_models:/root/.ollama ollama/ollama |
| 95 | +docker exec ollama ollama pull nomic-embed-text |
| 96 | + |
| 97 | +# 2) MCP server (built from this repo's deploy/mcp/Dockerfile) |
| 98 | +docker build -f deploy/mcp/Dockerfile -t ats-mcp . |
| 99 | +docker run -d --name ats-mcp -p 8443:10000 \ |
| 100 | + -e PORT=10000 \ |
| 101 | + -e ATS_MCP_TOKEN="pick-a-long-secret" \ |
| 102 | + -e QDRANT_HOST=host.docker.internal \ |
| 103 | + -e OLLAMA_HOST=host.docker.internal \ |
| 104 | + -e TICKTICK_ACCESS_TOKEN="your-token" \ |
| 105 | + ats-mcp |
| 106 | +``` |
| 107 | + |
| 108 | +Your agent then connects to `http://localhost:8443/mcp` with the same bearer |
| 109 | +token. For a no-container dev loop, the MCP server also runs straight over stdio |
| 110 | +(`npx @reneza/ats-mcp`) — see [`packages/mcp`](../packages/mcp/). |
0 commit comments