From f0cb75ef360b4bb01e15bcbf984d2a48f44b54ed Mon Sep 17 00:00:00 2001
From: shrkz1
Date: Wed, 22 Apr 2026 15:56:29 +0200
Subject: [PATCH 1/3] Add MCP server to simple install compose
---
 docker-compose.simple-install.enterprise.yml | 4 +--
 docker-compose.simple-install.yml | 37 ++++++++++++++++++--
 2 files changed, 36 insertions(+), 5 deletions(-)
diff --git a/docker-compose.simple-install.enterprise.yml b/docker-compose.simple-install.enterprise.yml
index cdb0db2..882e44c 100644
--- a/docker-compose.simple-install.enterprise.yml
+++ b/docker-compose.simple-install.enterprise.yml
@@ -1,5 +1,5 @@
 services:
 eramba:
- image: ghcr.io/eramba/eramba-enterprise:3.x
+ image: ghcr.io/eramba/eramba-enterprise:martin-plan-setup-upgrades
 cron:
- image: ghcr.io/eramba/eramba-enterprise:3.x
+ image: ghcr.io/eramba/eramba-enterprise:martin-plan-setup-upgrades
diff --git a/docker-compose.simple-install.yml b/docker-compose.simple-install.yml
index b54f002..50acfc6 100644
--- a/docker-compose.simple-install.yml
+++ b/docker-compose.simple-install.yml
@@ -24,7 +24,7 @@ services:
 - app_internal
 eramba:
 container_name: eramba
- image: ghcr.io/eramba/eramba:3.x
+ image: ghcr.io/eramba/eramba:martin-plan-setup-upgrades
 restart: always
 ports:
 - 8443:443
@@ -65,7 +65,7 @@ services:
 - triggers_net
 cron:
 container_name: cron
- image: ghcr.io/eramba/eramba:3.x
+ image: ghcr.io/eramba/eramba:martin-plan-setup-upgrades
 command: ["cron", "-f"]
 entrypoint: ["/docker-cron-entrypoint.sh"]
 restart: always
@@ -102,7 +102,7 @@ services:
 - app_internal
 - triggers_net
 triggers_caddy:
- image: ghcr.io/eramba/eramba-triggers:3.x
+ image: ghcr.io/eramba/eramba-triggers:martin-plan-setup-upgrades
 container_name: triggers_caddy
 entrypoint:
 - /app/iptables-entrypoint.sh
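Review bot: The four hunks in both compose files replace the `3.x` release tag on every `image:` line with `martin-plan-setup-upgrades`, which reads like a feature-branch build; such a tag can be re-pushed at any time, so a fresh install pulls whatever it points at that day. For a file offered as the simple-install path I would keep a release tag and pin it, e.g. `image: ghcr.io/eramba/eramba:3.x@sha256:<digest-placeholder>`, or keep the branch tag out of the merged version. The same applies to the `eramba-mcp-server` image added in the later hunk at `@@ -124,6 +124,37 @@`.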
@@ -124,6 +124,37 @@ services:
 timeout: 5s
 retries: 3
 start_period: 10s
+ mcp_server:
+ image: ghcr.io/eramba/eramba-mcp-server:martin-plan-setup-upgrades
+ container_name: mcp_server
+ restart: always
+ ports:
+ - 13000:3000
+ depends_on:
+ - eramba
+ environment:
+ MCP_TRANSPORT: http
+ PORT: 3000
+ PUBLIC_ADDRESS: ${PUBLIC_ADDRESS}
+ MCP_PUBLIC_URL: ${MCP_PUBLIC_URL:-http://localhost:13000}
+ MCP_RESOURCE: ${MCP_RESOURCE:-http://localhost:13000/mcp}
+ ERAMBA_BASE_URL: https://eramba
+ ERAMBA_OAUTH_ISSUER: ${OAUTH2_ISSUER:-${PUBLIC_ADDRESS}}
+ ERAMBA_OAUTH_INTROSPECTION_URL: ${ERAMBA_OAUTH_INTROSPECTION_URL:-https://eramba/oauth2/introspect}
+ ERAMBA_OAUTH_INTROSPECTION_CLIENT_ID: ${OAUTH2_INTROSPECTION_CLIENT_ID:-}
+ ERAMBA_OAUTH_INTROSPECTION_CLIENT_SECRET: ${OAUTH2_INTROSPECTION_CLIENT_SECRET:-}
+ MCP_REQUIRED_SCOPE: ${OAUTH2_SCOPE:-eramba.full_access}
+ ERAMBA_INSECURE_TLS: 1
+ ERAMBA_REQUEST_TIMEOUT_MS: 15000
+ networks:
+ - app_internal
+ - host_access
+ healthcheck:
+ test: ["CMD-SHELL", "node -e \"fetch('http://127.0.0.1:3000/openapi.json').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))\""]
+ interval: 30s
+ timeout: 5s
+ retries: 3
+ start_period: 10s
 volumes:
 app:
 data:
From f577cb5ae8140d3f3757ab8e5666b48bef1d0c44 Mon Sep 17 00:00:00 2001
From: shrkz1
Date: Wed, 22 Apr 2026 16:05:10 +0200
Subject: [PATCH 2/3] Add public proxy for MCP simple install
---
 Caddyfile | 16 ++++++++++++++++
 docker-compose.simple-install.yml | 16 ++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 Caddyfile
diff --git a/Caddyfile b/Caddyfile
new file mode 100644
index 0000000..3066d9f
--- /dev/null
+++ b/Caddyfile
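Review bot: `ERAMBA_INSECURE_TLS: 1` is hard-coded in the new `mcp_server` service, and judging by its name it turns off certificate verification on the link that carries bearer tokens and the introspection client secret to `https://eramba/oauth2/introspect`, so the MCP server would no longer be sure it is talking to the real eramba container. Make the insecure mode an explicit opt-in, `ERAMBA_INSECURE_TLS: ${ERAMBA_INSECURE_TLS:-0}`, with a comment that the verified path needs the eramba CA trusted inside the container. Separately, `- 13000:3000` publishes the plain-HTTP MCP port on every host interface; `- "127.0.0.1:13000:3000"` would match the `localhost` defaults used for `MCP_PUBLIC_URL` and `MCP_RESOURCE`.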
@@ -0,0 +1,16 @@
+:80 {
+ # Keep Inspector local-only. Proxying the UI and its local bridge through the
+ # same public origin as Eramba/MCP makes OAuth and app rendering brittle.
+ @mcp path /mcp /openapi /openapi.json /.well-known/oauth-protected-resource /.well-known/oauth-protected-resource/mcp /.well-known/oauth-authorization-server /.well-known/openid-configuration
+ handle @mcp {
+ reverse_proxy {$MCP_UPSTREAM:mcp_server:3000}
+ }
+
+ handle {
+ reverse_proxy {$ERAMBA_UPSTREAM:https://eramba:443} {
+ transport http {
+ tls_insecure_skip_verify
+ }
+ }
+ }
+}
diff --git a/docker-compose.simple-install.yml b/docker-compose.simple-install.yml
index 50acfc6..5f8f4fe 100644
--- a/docker-compose.simple-install.yml
+++ b/docker-compose.simple-install.yml
@@ -155,6 +155,22 @@ services:
 timeout: 5s
 retries: 3
 start_period: 10s
+ public_proxy:
+ container_name: public_proxy
+ image: caddy:2.8-alpine
+ ports:
+ - 8088:80
+ volumes:
+ - ./Caddyfile:/etc/caddy/Caddyfile:ro
+ environment:
+ MCP_UPSTREAM: mcp_server:3000
+ ERAMBA_UPSTREAM: https://eramba:443
+ depends_on:
+ - eramba
+ - mcp_server
+ networks:
+ - app_internal
+ - host_access
 volumes:
 app:
 data:
From 228a0b69301077a14b4ea8e8355d3337e0bd7b1e Mon Sep 17 00:00:00 2001
From: shrkz1
Date: Wed, 22 Apr 2026 16:10:58 +0200
Subject: [PATCH 3/3] Enable OAuth for MCP simple install
---
 docker-compose.simple-install.yml | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff --git a/docker-compose.simple-install.yml b/docker-compose.simple-install.yml
index 5f8f4fe..ffd7d52 100644
--- a/docker-compose.simple-install.yml
+++ b/docker-compose.simple-install.yml
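Review bot: `tls_insecure_skip_verify` in the fallback `handle` block makes the proxy accept any certificate from the eramba upstream, and the site block itself listens on `:80`, so OAuth metadata, authorization responses and `/mcp` bearer tokens are also unencrypted on the client side unless something in front terminates TLS. I would state that assumption in a comment at the top of the file and replace the skip with a pinned trust root inside `transport http`, e.g. `tls_trusted_ca_certs /etc/caddy/eramba-ca.pem` (placeholder path, mounted read-only like the Caddyfile). The opening comment speaks of keeping "Inspector" local-only, but nothing else in this file refers to an Inspector; a short note on what it is and where it runs would help the next reader.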
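Review bot: `- 8088:80` publishes the proxy on all host interfaces over plain HTTP, while `mcp_server` still publishes `13000:3000` directly, so requests sent to port 13000 never pass the `@mcp` path allowlist in the Caddyfile. If the proxy is meant to be the single entry point, drop or loopback-bind the `ports:` entry on `mcp_server`, and bind this one deliberately, e.g. `- "127.0.0.1:8088:80"` when a TLS terminator runs on the same host. The service also has no `restart:` policy, unlike `mcp_server` (`restart: always`), so it stays down after a crash or host reboot.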
@@ -55,6 +55,15 @@ services:
 TRIGGER_RUNNER_SHARED_SECRET: ${TRIGGER_RUNNER_SHARED_SECRET}
 DOCKER_DEPLOYMENT: ${DOCKER_DEPLOYMENT}
 LDAPTLS_REQCERT: ${LDAPTLS_REQCERT}
+ OAUTH2_ENABLED: ${OAUTH2_ENABLED:-1}
+ OAUTH2_ISSUER: ${OAUTH2_ISSUER:-${PUBLIC_ADDRESS}}
+ OAUTH2_RESOURCE: ${OAUTH2_RESOURCE:-${PUBLIC_ADDRESS}/mcp}
+ OAUTH2_SCOPE: ${OAUTH2_SCOPE:-eramba.full_access}
+ OAUTH2_AUTH_CODE_TTL: ${OAUTH2_AUTH_CODE_TTL:-120}
+ OAUTH2_ACCESS_TOKEN_TTL: ${OAUTH2_ACCESS_TOKEN_TTL:-900}
+ OAUTH2_REFRESH_TOKEN_TTL: ${OAUTH2_REFRESH_TOKEN_TTL:-2592000}
+ OAUTH2_INTROSPECTION_CLIENT_ID: ${OAUTH2_INTROSPECTION_CLIENT_ID:-eramba-mcp-introspect}
+ OAUTH2_INTROSPECTION_CLIENT_SECRET: ${OAUTH2_INTROSPECTION_CLIENT_SECRET:-Replace-this-with-a-secret}
 links:
 - mysql
 - redis
@@ -92,6 +101,15 @@ services:
 TRIGGER_RUNNER_SHARED_SECRET: ${TRIGGER_RUNNER_SHARED_SECRET}
 DOCKER_DEPLOYMENT: ${DOCKER_DEPLOYMENT}
 LDAPTLS_REQCERT: ${LDAPTLS_REQCERT}
+ OAUTH2_ENABLED: ${OAUTH2_ENABLED:-1}
+ OAUTH2_ISSUER: ${OAUTH2_ISSUER:-${PUBLIC_ADDRESS}}
+ OAUTH2_RESOURCE: ${OAUTH2_RESOURCE:-${PUBLIC_ADDRESS}/mcp}
+ OAUTH2_SCOPE: ${OAUTH2_SCOPE:-eramba.full_access}
+ OAUTH2_AUTH_CODE_TTL: ${OAUTH2_AUTH_CODE_TTL:-120}
+ OAUTH2_ACCESS_TOKEN_TTL: ${OAUTH2_ACCESS_TOKEN_TTL:-900}
+ OAUTH2_REFRESH_TOKEN_TTL: ${OAUTH2_REFRESH_TOKEN_TTL:-2592000}
+ OAUTH2_INTROSPECTION_CLIENT_ID: ${OAUTH2_INTROSPECTION_CLIENT_ID:-eramba-mcp-introspect}
+ OAUTH2_INTROSPECTION_CLIENT_SECRET: ${OAUTH2_INTROSPECTION_CLIENT_SECRET:-Replace-this-with-a-secret}
 links:
 - mysql
 - redis
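Review bot: The fallback `Replace-this-with-a-secret` for `OAUTH2_INTROSPECTION_CLIENT_SECRET` ships a publicly known credential, and because `OAUTH2_ENABLED` defaults to `1`, an install that never sets the variable runs OAuth introspection with it. Compose can refuse to start instead: `OAUTH2_INTROSPECTION_CLIENT_SECRET: ${OAUTH2_INTROSPECTION_CLIENT_SECRET:?set OAUTH2_INTROSPECTION_CLIENT_SECRET in .env}`. The same default appears in the `cron` hunk at `@@ -92,6 +101,15 @@` and in the `mcp_server` hunk at `@@ -141,8 +159,8 @@`. A comment is also warranted on the pairing of a 30-day refresh token (`2592000`) with the default `eramba.full_access` scope, since a leaked refresh token would be both long-lived and broad.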
@@ -141,8 +159,8 @@ services:
 ERAMBA_BASE_URL: https://eramba
 ERAMBA_OAUTH_ISSUER: ${OAUTH2_ISSUER:-${PUBLIC_ADDRESS}}
 ERAMBA_OAUTH_INTROSPECTION_URL: ${ERAMBA_OAUTH_INTROSPECTION_URL:-https://eramba/oauth2/introspect}
- ERAMBA_OAUTH_INTROSPECTION_CLIENT_ID: ${OAUTH2_INTROSPECTION_CLIENT_ID:-}
- ERAMBA_OAUTH_INTROSPECTION_CLIENT_SECRET: ${OAUTH2_INTROSPECTION_CLIENT_SECRET:-}
+ ERAMBA_OAUTH_INTROSPECTION_CLIENT_ID: ${OAUTH2_INTROSPECTION_CLIENT_ID:-eramba-mcp-introspect}
+ ERAMBA_OAUTH_INTROSPECTION_CLIENT_SECRET: ${OAUTH2_INTROSPECTION_CLIENT_SECRET:-Replace-this-with-a-secret}
 MCP_REQUIRED_SCOPE: ${OAUTH2_SCOPE:-eramba.full_access}
 ERAMBA_INSECURE_TLS: 1
 ERAMBA_REQUEST_TIMEOUT_MS: 15000