@mintmcp/private-network-reverse-proxy 0.1.1

package/README.md

@@ -0,0 +1,94 @@
+# MintMCP Private Network Reverse Proxy Server
+
+This package contains the customer-side reverse proxy server for MintMCP private
+network tunnels. It runs inside a customer's network and opens an outbound
+WebSocket connection to the MintMCP tunnel proxy URL. MintMCP then forwards HTTP
+requests for private MCP server origins through that outbound connection.
+
+The reverse proxy server does not require inbound firewall access and does not
+expose a Kubernetes Service.
+
+## NPM
+
+Run the reverse proxy server with Node 22 or newer:
+
+```bash
+MINTMCP_TUNNEL_PROXY_URL='https://<tunnel proxy host>' \
+MINTMCP_TUNNEL_REVERSE_PROXY_SHARED_SECRET='<reverse proxy shared secret>' \
+npx @mintmcp/private-network-reverse-proxy
+```
+
+## Helm Install
+
+Create a namespace and store the shared secret from MintMCP in Kubernetes:
+
+```bash
+kubectl create namespace mintmcp
+kubectl -n mintmcp create secret generic mintmcp-private-network-reverse-proxy \
+  --from-literal=reverse-proxy-shared-secret='<reverse proxy shared secret>'
+```
+
+Install the chart:
+
+```bash
+helm install mintmcp-private-network-reverse-proxy \
+  oci://ghcr.io/mintmcp/charts/mintmcp-private-network-reverse-proxy \
+  --namespace mintmcp \
+  --set tunnel.proxyUrl='https://<tunnel proxy host>' \
+  --set tunnel.existingSecret.name='mintmcp-private-network-reverse-proxy'
+```
+
+For local testing, the chart can also create the Secret from values:
+
+```bash
+helm install mintmcp-private-network-reverse-proxy ./helm \
+  --namespace mintmcp \
+  --create-namespace \
+  --set tunnel.proxyUrl='https://<tunnel proxy host>' \
+  --set tunnel.reverseProxySharedSecret='<reverse proxy shared secret>'
+```
+
+Avoid the inline-secret form for production installs because Helm stores values
+in release history.
+
+## Values
+
+Required values:
+
+- `tunnel.proxyUrl`: MintMCP tunnel proxy URL shown in the Enterprise settings UI.
+- One of:
+  - `tunnel.existingSecret.name`
+  - `tunnel.reverseProxySharedSecret`
+
+Common optional values:
+
+- `image.repository`: reverse proxy image repository.
+- `image.tag`: reverse proxy image tag. Defaults to the chart app version.
+- `imagePullSecrets`: pull secrets for custom private registries.
+- `resources`: pod resource requests and limits.
+- `extraEnv`: additional container environment variables.
+- `envFrom`: additional `envFrom` sources.
+- `nodeSelector`, `tolerations`, `affinity`: scheduling controls.
+
+## Operations
+
+Check rollout:
+
+```bash
+kubectl -n mintmcp rollout status deployment/mintmcp-private-network-reverse-proxy
+```
+
+Check logs:
+
+```bash
+kubectl -n mintmcp logs deployment/mintmcp-private-network-reverse-proxy
+```
+
+Expected startup log:
+
+```text
+reverse proxy server connected to MintMCP tunnel proxy
+```
+
+If the shared secret is wrong, the proxy reconnects and MintMCP will show the
+tunnel as disconnected.

package/bin/mintmcp-private-network-reverse-proxy.js

@@ -0,0 +1,2 @@
+#!/usr/bin/env node
+import "../dist/index.js";

package/package.json

@@ -0,0 +1,36 @@
+{
+  "name": "@mintmcp/private-network-reverse-proxy",
+  "version": "0.1.1",
+  "type": "module",
+  "bin": {
+    "mintmcp-private-network-reverse-proxy": "bin/mintmcp-private-network-reverse-proxy.js"
+  },
+  "files": [
+    "bin/",
+    "dist/",
+    "README.md"
+  ],
+  "engines": {
+    "node": ">=22"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.build.json",
+    "prepack": "npm run build",
+    "start": "tsx src/index.ts",
+    "typecheck": "tsc --noEmit"
+  },
+  "dependencies": {
+    "pino": "10.3.1",
+    "ws": "8.20.0",
+    "zod": "4.4.1"
+  },
+  "devDependencies": {
+    "@types/node": "20.19.39",
+    "@types/ws": "8.18.1",
+    "tsx": "4.21.0",
+    "typescript": "5.9.3"
+  }
+}