自托管团队服务器
通过单个自托管 HTTP 服务器与团队共享所有 58 个 lean-ctx MCP 工具。基于令牌的认证、工作区隔离、速率限制和完整的审计日志--集中运行 lean-ctx 所需的一切。
Prerequisites
- LeanCTX installed on each developer's machine (Installation Guide)
- Docker (for containerized deployment) or a Linux/macOS server
- Network connectivity between developer machines and the server
快速入门(4 步)
5 分钟内启动团队服务器。您需要:lean-ctx 二进制文件(使用 --all-features 构建)和一个 JSON 配置文件。
1. 创建配置文件(team.json)
{
"host": "0.0.0.0",
"port": 9877,
"defaultWorkspaceId": "main",
"auditLogPath": "/var/log/lean-ctx/audit.log",
"workspaces": [
{
"id": "main",
"label": "Main Project",
"root": "/home/team/project"
}
],
"tokens": []
}2. 生成 API 令牌
# Generate a token with specific scopes
TOKEN="$(lean-ctx team token create \
--config team.json \
--id dev-alice \
--scopes search,graph,artifacts,index,events,sessionMutations,knowledge
)"
# TOKEN is the Bearer token (printed once; config stores only sha256Hex).3. 启动服务器
lean-ctx team serve --config team.json
# Team Server - 0.0.0.0:9877
# Workspaces: 1 (main)
# Tokens: 1 active
# Tools: 58 available4. 从任意客户端连接
# Health check
curl http://your-server:9877/health
# List available tools (requires token)
curl -H "Authorization: Bearer $TOKEN" \
http://your-server:9877/v1/manifest
# Call a tool (workspace defaults to defaultWorkspaceId)
curl -X POST -H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"name":"ctx_tree","arguments":{"path":".","depth":2}}' \
http://your-server:9877/v1/tools/call
# Call a tool in a specific workspace (header overrides default)
curl -X POST -H "Authorization: Bearer $TOKEN" \
-H "x-leanctx-workspace: main" \
-H "Content-Type: application/json" \
-d '{"name":"ctx_read","arguments":{"path":"README.md","mode":"signatures"}}' \
http://your-server:9877/v1/tools/callDocker Deployment
Run the Team Server as a Docker container for quick deployment without compiling from source.
docker run -d --name leanctx-team \
-p 7700:7700 \
-v leanctx-data:/data \
ghcr.io/yvgude/lean-ctx:latest \
serve --team --data-dir /dataOr run directly from the binary:
lean-ctx serve --team --bind 0.0.0.0:7700 --data-dir ./team-dataVerify the server is running:
curl http://your-server:7700/healthz
# {"status":"ok","version":"3.5.1","uptime":"2m"}配置参考
团队服务器通过单个 JSON 文件配置。所有设置无需重启即可调整--只需修改文件并重启服务器。
| 字段 | 类型 | 描述 | 默认值 |
|---|---|---|---|
host | string | 绑定地址(使用 0.0.0.0 启用远程访问) | 127.0.0.1 |
port | u16 | HTTP 端口 | 9877 |
defaultWorkspaceId | string | 请求未指定时使用的默认工作区 | - |
auditLogPath | path | JSON Lines 审计日志文件路径 | - |
disableHostCheck | bool | 禁用来源/主机头验证(仅限开发环境) | false |
allowedHosts | string[] | CORS 允许的来源主机名 | [] |
maxBodyBytes | usize | 最大请求体大小(字节)(默认:10 MB) | 2097152 |
maxConcurrency | usize | 最大并发请求数 | 32 |
maxRps | u32 | 每秒最大请求数 | 50 |
rateBurst | u32 | 超出 maxRps 的突发容量(吸收短暂峰值) | 100 |
requestTimeoutMs | u64 | 请求超时时间(毫秒) | 30000 |
令牌与权限范围
每个团队成员获得一个具有细粒度权限范围的唯一 API 令牌。令牌以 SHA-256 哈希形式存储在配置文件中--明文令牌仅在创建时显示一次。
可用权限范围
| 权限范围 | 描述 |
|---|---|
search | 读取工具:ctx_read、ctx_search、ctx_tree、ctx_overview、ctx_pack、ctx_proof、ctx_verify 及所有面向读取的工具 |
graph | 图谱工具:ctx_graph、ctx_graph_diagram、ctx_impact、ctx_callgraph、ctx_callers、ctx_callees、ctx_routes |
artifacts | ctx_artifacts、ctx_semantic_search(artifacts=true) |
index | 图谱索引构建(ctx_graph action=index-build*)、语义重索引 |
events | 订阅 SSE 事件流(GET /v1/events) |
sessionMutations | 会话写入:ctx_session(save、task、checkpoint、decision、reset)、ctx_handoff、ctx_workflow、ctx_share |
knowledge | 知识写入:ctx_knowledge(remember、feedback、remove、consolidate)、ctx_knowledge_relations |
audit | GET /v1/metrics、完整有效负载事件访问、审计日志读取 |
# Create token with all scopes
lean-ctx team token create \
--config team.json \
--id ci-bot \
--scopes search,graph,artifacts,index,events,sessionMutations,knowledge,audit
# Create read-only token (search + graph only)
lean-ctx team token create \
--config team.json \
--id reviewer \
--scopes search,graph
# Create agent token (read + write + events)
lean-ctx team token create \
--config team.json \
--id agent-alice \
--scopes search,graph,events,sessionMutations,knowledge令牌在存储前使用 SHA-256 进行哈希处理。明文在创建时仅输出一次到 stdout。如果丢失令牌,请生成新令牌--无法恢复原始令牌。
Connecting Agents
Each developer configures their local LeanCTX to connect to the Team Server via a config file or environment variables.
Add to .lean-ctx/config.toml:
[team]
server = "http://your-server:7700"
token = "lctx_t_alice_a3f8..."
workspace = "my-team"Or set via environment variables:
export LEANCTX_TEAM_SERVER="http://your-server:7700"
export LEANCTX_TEAM_TOKEN="lctx_t_alice_a3f8..."
export LEANCTX_WORKSPACE="my-team"多工作区配置
通过单个服务器实例提供多个项目服务。每个工作区指向不同的项目根目录,并维护自己的图索引和会话状态。
{
"workspaces": [
{ "id": "frontend", "label": "React Frontend", "root": "/srv/frontend" },
{ "id": "backend", "label": "Rust API", "root": "/srv/backend" },
{ "id": "infra", "label": "Infrastructure", "root": "/srv/infra" }
],
"defaultWorkspaceId": "frontend"
}客户端通过在请求中添加 <code>X-Workspace</code> 头来选择工作区。如果省略,则使用 <code>defaultWorkspaceId</code>。
Shared Sessions
Once connected, sessions are automatically shared. Agents on the same workspace and channel see each other's context in real time.
lean-ctx session list --workspace my-team
# workspace: my-team
# channel: feat/auth-refactor rev:14 agents: cursor, claude-code
# channel: fix/api-timeout rev:7 agents: windsurf
# channel: main rev:42 agents: copilot, kiroGovernance & Budgets
Configure per-agent budgets, roles, and policies in your team profile to control spending and access.
[budget]
max_context_tokens = 200000
max_cost_usd = 5.0
alert_threshold = 0.8
[roles]
default = "developer"
[roles.ci]
scope = "read"
max_cost_usd = 1.0Monitoring
The Team Server exposes Prometheus metrics and a status endpoint. Use the observatory dashboard for a visual overview.
lean-ctx observatory --open认证
每个请求(/health 除外)都需要在 Authorization 头中包含有效的 Bearer 令牌。服务器根据配置文件中的 SHA-256 哈希验证令牌,并检查令牌的权限范围是否覆盖请求的工具。
Authorization: Bearer $TOKEN
# Without token → HTTP 401 + JSON {error_code:"unauthorized", ...}
# Invalid token → HTTP 401 + JSON {error_code:"unauthorized", ...}
# Valid token, wrong scope → HTTP 403 + JSON {error_code:"scope_denied", ...}速率限制与防护
团队服务器内置速率限制、并发控制、请求大小限制和超时机制。这些可防止失控的 Agent 和意外的拒绝服务。
{
"maxRps": 50,
"rateBurst": 100,
"maxConcurrency": 32,
"requestTimeoutMs": 30000,
"maxBodyBytes": 2097152
}审计日志
每次经过认证的工具调用都会记录到 JSON Lines 文件中。每条记录包含时间戳、令牌 ID、工具名称、工作区、耗时和状态。用于调试、合规和成本归因。
Audit log is JSONL (one JSON object per line). It never stores raw tool arguments — only
argumentsMd5 of a canonicalized JSON representation.
# Inspect the latest audit entry
tail -n 1 /var/log/lean-ctx/audit.log | jq .
# Keys per entry:
# ts, tokenId, workspaceId, tool, method, allowed, deniedReason, argumentsMd5工作区同步
通过运行同步命令保持工作区索引最新。这会对每个工作区执行 git fetch 并重建过时的图索引。通过 cron 或 CI 作业运行可实现完全自动化的团队工作流。
# Sync all workspaces (git fetch + rebuild indexes)
lean-ctx team sync --config team.json
# Sync a specific workspace
lean-ctx team sync --config team.json --workspace backendNext Steps
- API Reference — REST endpoints and SDK
- Profiles — Preconfigured governance presets
- Shared Sessions — Deep dive into session sharing
- Context Bus — Event-driven multi-agent coordination
- Remote Setup — Advanced remote deployment options
- Observatory — Dashboard & monitoring