MCP (Model Context Protocol)

MCP services allow the AI layer to call external tools and systems. In this repo, MCPs can be executed in different modes depending on isolation and operational needs.

Execution modes

Orchestrated: lifecycle managed dynamically (start/stop on demand).
Internal: always-on services running locally in the stack.
External: remote MCP servers accessed over HTTP.

Orchestrator configuration (concepts)

Typical knobs:

Max active servers
Max parallel starts
Max parallel requests
Queue size / queue policy
Idle TTL / eviction thresholds

Injection (secrets and user-specific data)

MCP environments usually combine:

Static environment variables (non-secret defaults)
Injected values resolved at runtime (tokens/credentials)

One common pattern is reading user-scoped secrets from Zitadel metadata and injecting them into the MCP environment.

Security note

Avoid mounting the host Docker socket in internet-exposed services. See docs/internal/operations/security-hardening.md.

Zitadel: docs/internal/services/security/zitadel.md
Portal: docs/internal/services/platform/portal.md

Execution modes​

Orchestrator configuration (concepts)​

Injection (secrets and user-specific data)​

Security note​

Related documentation​

Execution modes

Orchestrator configuration (concepts)

Injection (secrets and user-specific data)

Security note

Related documentation