obsidian-mcp: 初次落地 Obsidian Vault MCP Server (.NET 10, read+write)
把 Obsidian vault 通过 MCP 暴露给 Claude.ai,OAuth 走 nas-auth。 设计文档见 vault Coding/obsidian-mcp/obsidian-mcp 设计.md。 代码层落地参考 vault Coding/obsidian-mcp/MCP 实现指南.md。 V1+V2 同时实现(用户要求跳过分阶段直接全部): 读 Tools(需 scope=read:obsidian): - list_vault_tree(一次性 vault 地图,限制深度) - list_files / read_file(含 offset/limit 大文件分页) - search(子串匹配 + glob 过滤,最多 50 hits) - get_metadata(size / modified_at / has_frontmatter) 写 Tools(需 scope=write:obsidian): - write_file / append_file - 多重门禁:scope 校验 + 路径黑名单 + 写入白名单 + 永禁文件 - 永禁写:任意目录的 AGENTS.md / PROFILE.md / README.md / CLAUDE.md / 01-Secret/** - 白名单:02-ShengquGames/logs/ + Coding/ + NAS/NAS 待办清单.md - 写入审计日志按天 rotate(JSON line) 安全: - VaultPathResolver chroot:path traversal + symlink 双拒绝 - JwtBearer (HS256, Current+Previous fallback, MapInboundClaims=false) - aud=obsidian, iss=https://auth.zhengchentao.win - 黑名单:01-Secret / .obsidian / .trash / .git 技术栈: - .NET 10 + ModelContextProtocol SDK 1.0 - Streamable HTTP transport (POST /mcp) - JwtBearer 10.0 + IdentityModel.Tokens 8.x 部署: - Dockerfile multi-stage,runtime 装 ripgrep(V3 备用),non-root user - .gitea/workflows/build-image.yml:build + deploy 双 job,buildkit v0.13.2 - 容器内 :8080,宿主端口 9090 - 子域名 obs.zhengchentao.win - vault 挂载 /volume1/docker/webdav/data/Zhengchen:/vault:rw(V2 写入需要 rw) 测试:35/35 单测过(VaultPathResolver path traversal/blacklist/symlink + VaultWriteGuard whitelist/forbidden) Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
+49
@@ -0,0 +1,49 @@
|
||||
# ─── Stage 1: build ───────────────────────────────────────────────────────────
|
||||
FROM mcr.microsoft.com/dotnet/sdk:10.0 AS builder
|
||||
|
||||
WORKDIR /src
|
||||
|
||||
# 先只复制 csproj,利用层缓存加速 restore
|
||||
COPY obsidian-mcp.csproj ./
|
||||
RUN dotnet restore obsidian-mcp.csproj
|
||||
|
||||
# 复制全部源码并 publish
|
||||
COPY . .
|
||||
RUN dotnet publish obsidian-mcp.csproj \
|
||||
--configuration Release \
|
||||
--no-restore \
|
||||
--output /app/publish
|
||||
|
||||
# ─── Stage 2: runtime ─────────────────────────────────────────────────────────
|
||||
FROM mcr.microsoft.com/dotnet/aspnet:10.0 AS runtime
|
||||
|
||||
WORKDIR /app
|
||||
|
||||
# 安装 ripgrep(V3 搜索优化预留,现在不调用但容器里装上备用)
|
||||
RUN apt-get update \
|
||||
&& apt-get install -y --no-install-recommends ripgrep \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# 从 builder 阶段复制 publish 产物
|
||||
COPY --from=builder /app/publish .
|
||||
|
||||
# 日志目录(审计日志挂载点)
|
||||
RUN mkdir -p /app/logs
|
||||
|
||||
# 非 root 运行,安全加固
|
||||
RUN adduser --disabled-password --no-create-home obsidian-mcp \
|
||||
&& chown -R obsidian-mcp:obsidian-mcp /app
|
||||
|
||||
USER obsidian-mcp
|
||||
|
||||
# 容器内监听 0.0.0.0:8080
|
||||
ENV ASPNETCORE_URLS=http://0.0.0.0:8080
|
||||
ENV ASPNETCORE_ENVIRONMENT=Production
|
||||
|
||||
EXPOSE 8080
|
||||
|
||||
# OCI 标签(source/revision 在 CI 构建时通过 --label 覆盖)
|
||||
LABEL org.opencontainers.image.source="https://git.zhengchentao.win/zhengchen.tao/obsidian-mcp"
|
||||
LABEL org.opencontainers.image.description="Obsidian vault MCP server — read/write vault via MCP, auth via nas-auth"
|
||||
|
||||
ENTRYPOINT ["dotnet", "obsidian-mcp.dll"]
|
||||
Reference in New Issue
Block a user