feat: add MCP_RATE_LIMIT env variable to control MCP request rate

Document MCP_RATE_LIMIT in README, docker-compose, .env.example, Helm values and configmap.

README.md

@@ -160,6 +160,7 @@ services:
       # - DEMO_MODE=false # Enable demo mode (resets data hourly)
       # - ADMIN_EMAIL=admin@trek.local # Initial admin e-mail — only used on first boot when no users exist
       # - ADMIN_PASSWORD=changeme      # Initial admin password — only used on first boot when no users exist
+      # - MCP_RATE_LIMIT=60 # Max MCP API requests per user per minute (default: 60)
     volumes:
       - ./data:/app/data
       - ./uploads:/app/uploads
@@ -301,6 +302,7 @@ trek.yourdomain.com {
 | `ADMIN_PASSWORD` | Password for the first admin account created on initial boot. Must be set together with `ADMIN_EMAIL`. | random |
 | **Other** | | |
 | `DEMO_MODE` | Enable demo mode (hourly data resets) | `false` |
+| `MCP_RATE_LIMIT` | Max MCP API requests per user per minute | `60` |
 
 ## Optional API Keys
 

chart/templates/configmap.yaml

@@ -22,3 +22,6 @@ data:
   {{- if .Values.env.OIDC_DISCOVERY_URL }}
   OIDC_DISCOVERY_URL: {{ .Values.env.OIDC_DISCOVERY_URL | quote }}
   {{- end }}
+  {{- if .Values.env.MCP_RATE_LIMIT }}
+  MCP_RATE_LIMIT: {{ .Values.env.MCP_RATE_LIMIT | quote }}
+  {{- end }}

chart/values.yaml

@@ -29,6 +29,8 @@ env:
   # Override the OIDC discovery endpoint for providers with non-standard paths (e.g. Authentik).
   # OIDC_SCOPE: "openid email profile groups"
   # Space-separated OIDC scopes to request. Must include scopes for any claim used by OIDC_ADMIN_CLAIM.
+  # MCP_RATE_LIMIT: "60"
+  # Max MCP API requests per user per minute. Defaults to 60.
 
 
 # Secret environment variables stored in a Kubernetes Secret.

docker-compose.yml

@@ -38,6 +38,7 @@ services:
 #      - OIDC_DISCOVERY_URL= # Override the OIDC discovery endpoint for providers with non-standard paths (e.g. Authentik)
 #      - ADMIN_EMAIL=admin@trek.local # Initial admin e-mail — only used on first boot when no users exist
 #      - ADMIN_PASSWORD=changeme      # Initial admin password — only used on first boot when no users exist
+#      - MCP_RATE_LIMIT=60 # Max MCP API requests per user per minute (default: 60)
     volumes:
       - ./data:/app/data
       - ./uploads:/app/uploads

server/.env.example

@@ -28,6 +28,8 @@ OIDC_SCOPE=openid email profile groups # Space-separated OIDC scopes to request
 
 DEMO_MODE=false # Demo mode - resets data hourly
 
+# MCP_RATE_LIMIT=60 # Max MCP API requests per user per minute (default: 60)
+
 # Initial admin account — only used on first boot when no users exist yet.
 # If both are set the admin account is created with these credentials.
 # If either is omitted a random password is generated and printed to the server log.

server/src/mcp/index.ts

@@ -21,7 +21,8 @@ const sessions = new Map<string, McpSession>();
 const SESSION_TTL_MS = 60 * 60 * 1000; // 1 hour
 const MAX_SESSIONS_PER_USER = 5;
 const RATE_LIMIT_WINDOW_MS = 60 * 1000; // 1 minute
-const RATE_LIMIT_MAX = 60; // requests per minute per user
+const parsed = Number.parseInt(process.env.MCP_RATE_LIMIT ?? "");
+const RATE_LIMIT_MAX = Number.isFinite(parsed) && parsed > 0 ? parsed : 60; // requests per minute per user
 
 interface RateLimitEntry {
   count: number;