chore(mcp): raise default session and rate-limit caps

Higher defaults reduce config friction for self-hosters while
staying within reasonable server limits.

- MCP_MAX_SESSION_PER_USER: 5 → 20
- MCP_RATE_LIMIT: 60 → 300 req/min

server/.env.example

@@ -28,8 +28,8 @@ OIDC_SCOPE=openid email profile # Fully overrides the default. Add extra scopes
 
 DEMO_MODE=false # Demo mode - resets data hourly
 
-# MCP_RATE_LIMIT=60 # Max MCP API requests per user per minute (default: 60)
-# MCP_MAX_SESSION_PER_USER=5 # Max concurrent MCP sessions per user (default: 5)
+# MCP_RATE_LIMIT=300 # Max MCP API requests per user per minute (default: 300)
+# MCP_MAX_SESSION_PER_USER=20 # Max concurrent MCP sessions per user (default: 20)
 
 # Initial admin account — only used on first boot when no users exist yet.
 # If both are set the admin account is created with these credentials.

server/src/mcp/index.ts

@@ -94,10 +94,10 @@ const STATIC_TOKEN_DEPRECATION_NOTICE =
 
 const SESSION_TTL_MS = 60 * 60 * 1000; // 1 hour
 const sessionParsed = Number.parseInt(process.env.MCP_MAX_SESSION_PER_USER ?? "");
-const MAX_SESSIONS_PER_USER = Number.isFinite(sessionParsed) && sessionParsed > 0 ? sessionParsed : 5;
+const MAX_SESSIONS_PER_USER = Number.isFinite(sessionParsed) && sessionParsed > 0 ? sessionParsed : 20;
 const RATE_LIMIT_WINDOW_MS = 60 * 1000; // 1 minute
 const parsed = Number.parseInt(process.env.MCP_RATE_LIMIT ?? "");
-const RATE_LIMIT_MAX = Number.isFinite(parsed) && parsed > 0 ? parsed : 60; // requests per minute per user
+const RATE_LIMIT_MAX = Number.isFinite(parsed) && parsed > 0 ? parsed : 300; // requests per minute per user
 
 interface RateLimitEntry {
   count: number;