sync-env.sh was exiting 1 whenever UNRAID_MCP_BEARER_TOKEN was not
configured via plugin userConfig, causing startup hook errors every
session for users not using the plugin config flow.
- docker-compose: align network default fallback (jakenet) so service
reference matches the network name: key value
- entrypoint: match server-side boolean parsing for DISABLE_HTTP_AUTH
(accept true/1/yes, consistent with settings.py)
- ensure-ignore-files: deduplicate pattern list by driving awk from
the REQUIRED shell array via a | -separated -v argument
- sync-env: use grep -qE for ERE .+ instead of BRE .\+ (non-POSIX)
- .codex-plugin/plugin.json: add interface.displayName field required by
lint-plugin.sh validation check
- .env.example: fix dotenv-linter key ordering across all variable groups
(MCP settings, safety flags, Docker vars all now alphabetically sorted)
- hooks/scripts/sync-env.sh: scope lock file to CLAUDE_PLUGIN_ROOT instead
of global /tmp/ to avoid cross-repo lock contention
- entrypoint.sh: only require UNRAID_MCP_BEARER_TOKEN when transport is
not stdio and HTTP auth is not disabled (fixes false startup failures)
- docker-compose.yaml: use fixed network key `unraid-mcp-external` with
`name: ${DOCKER_NETWORK:-unraid-mcp-external}` to avoid compose errors
when DOCKER_NETWORK differs from the declared network name
- docker-compose.yaml: make healthcheck transport-aware — skip HTTP probe
when UNRAID_MCP_TRANSPORT=stdio to prevent false unhealthy status
- docs/unraid.subdomain.conf: fix proxy_pass port from 3000 to 6970
- .codex-plugin/plugin.json: fix MCP URL port from 3000 to 6970
- .env.example: reorder UNRAID_API_KEY before UNRAID_API_URL (alpha);
correct UNRAID_MCP_BEARER_TOKEN comment — required conditionally not always
- hooks/scripts/ensure-ignore-files.sh: write .gitignore atomically via
temp file + mv to prevent truncation on interrupted rewrite
- hooks/scripts/sync-env.sh: chmod 600 .env immediately after touch,
before any early-exit paths that could leave secrets world-readable
- sync-env.sh: replace sed with awk for safe value replacement, add flock
on /tmp/unraid-sync-env.lock, remove auto-token-generation (fail with
clear error if UNRAID_MCP_BEARER_TOKEN not set)
- ensure-ignore-files.sh: rename from ensure-gitignore.sh, add --check mode
that exits non-zero without modifying file (for CI/pre-commit use)
- hooks.json: update both references to new ensure-ignore-files.sh name
- docker-compose.yaml: add user PUID/PGID, external network, deploy.resources
limits (1024M/1cpu), wget healthcheck, start_period=30s
- Dockerfile: install wget, use wget healthcheck, start_period=30s,
add entrypoint.sh, ENTRYPOINT points to /entrypoint.sh
- entrypoint.sh: env validation (UNRAID_API_URL, UNRAID_API_KEY,
UNRAID_MCP_BEARER_TOKEN) with exec for signal forwarding
- .env.example: add PUID, PGID, DOCKER_NETWORK, UNRAID_MCP_ALLOW_DESTRUCTIVE,
UNRAID_MCP_ALLOW_YOLO; fix UNRAID_MCP_BEARER_TOKEN key name
- P1 (78s): _HEADERS is now an immutable tuple; content-length derived from
len(_BODY) rather than a hardcoded magic number
- P1 (92j): Remove no-op SIGTERM/SIGINT handlers that swallowed signals without
stopping the server; delegate shutdown to Uvicorn's built-in handlers
- P2 (37t): HealthMiddleware now only responds 200 to GET /health; all other
methods fall through to the auth layer (returns 401)
- P2 (696): Extract _chmod_safe() helper; remove redundant second chmod block
in ensure_token_exists()
- P3 (6cr): Reorder middleware — HealthMiddleware is now outermost so it
intercepts /health before BearerAuth; removes the need for a bypass condition
in BearerAuthMiddleware.__call__
- P3 (4yz): Add Scope/Receive/Send type hints to HealthMiddleware.__call__
