chore(mcp): raise default session and rate-limit caps

Higher defaults reduce config friction for self-hosters while
staying within reasonable server limits.

- MCP_MAX_SESSION_PER_USER: 5 → 20
- MCP_RATE_LIMIT: 60 → 300 req/min

README.md

@@ -166,8 +166,8 @@ services:
       # - DEMO_MODE=false # Enable demo mode (resets data hourly)
       # - ADMIN_EMAIL=admin@trek.local # Initial admin e-mail — only used on first boot when no users exist
       # - ADMIN_PASSWORD=changeme      # Initial admin password — only used on first boot when no users exist
-      # - MCP_RATE_LIMIT=60 # Max MCP API requests per user per minute (default: 60)
+      # - MCP_RATE_LIMIT=300 # Max MCP API requests per user per minute (default: 300)
-      # - MCP_MAX_SESSION_PER_USER=5 # Max concurrent MCP sessions per user (default: 5)
+      # - MCP_MAX_SESSION_PER_USER=20 # Max concurrent MCP sessions per user (default: 20)
     volumes:
       - ./data:/app/data
       - ./uploads:/app/uploads
@@ -311,8 +311,8 @@ trek.yourdomain.com {
 | `ADMIN_PASSWORD` | Password for the first admin account created on initial boot. Must be set together with `ADMIN_EMAIL`. | random |
 | **Other** | | |
 | `DEMO_MODE` | Enable demo mode (hourly data resets) | `false` |
-| `MCP_RATE_LIMIT` | Max MCP API requests per user per minute | `60` |
+| `MCP_RATE_LIMIT` | Max MCP API requests per user per minute | `300` |
-| `MCP_MAX_SESSION_PER_USER` | Max concurrent MCP sessions per user | `5` |
+| `MCP_MAX_SESSION_PER_USER` | Max concurrent MCP sessions per user | `20` |
 
 ## Optional API Keys
 

chart/values.yaml

@@ -51,10 +51,10 @@ env:
   # Override the OIDC discovery endpoint for providers with non-standard paths (e.g. Authentik).
   # DEMO_MODE: "false"
   # Enable demo mode (hourly data resets).
-  # MCP_RATE_LIMIT: "60"
+  # MCP_RATE_LIMIT: "300"
-  # Max MCP API requests per user per minute. Defaults to 60.
+  # Max MCP API requests per user per minute. Defaults to 300.
-  # MCP_MAX_SESSION_PER_USER: "5"
+  # MCP_MAX_SESSION_PER_USER: "20"
-  # Max concurrent MCP sessions per user. Defaults to 5.
+  # Max concurrent MCP sessions per user. Defaults to 20.
 
 
 # Secret environment variables stored in a Kubernetes Secret.

docker-compose.yml

@@ -38,8 +38,8 @@ services:
 #      - OIDC_DISCOVERY_URL= # Override the OIDC discovery endpoint for providers with non-standard paths (e.g. Authentik)
 #      - ADMIN_EMAIL=admin@trek.local # Initial admin e-mail — only used on first boot when no users exist
 #      - ADMIN_PASSWORD=changeme      # Initial admin password — only used on first boot when no users exist
-#      - MCP_RATE_LIMIT=60 # Max MCP API requests per user per minute (default: 60)
+#      - MCP_RATE_LIMIT=300 # Max MCP API requests per user per minute (default: 300)
-#      - MCP_MAX_SESSION_PER_USER=5 # Max concurrent MCP sessions per user (default: 5)
+#      - MCP_MAX_SESSION_PER_USER=20 # Max concurrent MCP sessions per user (default: 20)
     volumes:
       - ./data:/app/data
       - ./uploads:/app/uploads

server/.env.example

@@ -28,8 +28,8 @@ OIDC_SCOPE=openid email profile # Fully overrides the default. Add extra scopes
 
 DEMO_MODE=false # Demo mode - resets data hourly
 
-# MCP_RATE_LIMIT=60 # Max MCP API requests per user per minute (default: 60)
+# MCP_RATE_LIMIT=300 # Max MCP API requests per user per minute (default: 300)
-# MCP_MAX_SESSION_PER_USER=5 # Max concurrent MCP sessions per user (default: 5)
+# MCP_MAX_SESSION_PER_USER=20 # Max concurrent MCP sessions per user (default: 20)
 
 # Initial admin account — only used on first boot when no users exist yet.
 # If both are set the admin account is created with these credentials.

server/src/mcp/index.ts

@@ -94,10 +94,10 @@ const STATIC_TOKEN_DEPRECATION_NOTICE =
 
 const SESSION_TTL_MS = 60 * 60 * 1000; // 1 hour
 const sessionParsed = Number.parseInt(process.env.MCP_MAX_SESSION_PER_USER ?? "");
-const MAX_SESSIONS_PER_USER = Number.isFinite(sessionParsed) && sessionParsed > 0 ? sessionParsed : 5;
+const MAX_SESSIONS_PER_USER = Number.isFinite(sessionParsed) && sessionParsed > 0 ? sessionParsed : 20;
 const RATE_LIMIT_WINDOW_MS = 60 * 1000; // 1 minute
 const parsed = Number.parseInt(process.env.MCP_RATE_LIMIT ?? "");
-const RATE_LIMIT_MAX = Number.isFinite(parsed) && parsed > 0 ? parsed : 60; // requests per minute per user
+const RATE_LIMIT_MAX = Number.isFinite(parsed) && parsed > 0 ? parsed : 300; // requests per minute per user
 
 interface RateLimitEntry {
   count: number;

unraid-template.xml

@@ -57,6 +57,6 @@
 
   <!-- Other -->
   <Config Name="DEMO_MODE" Target="DEMO_MODE" Default="false" Mode="" Description="Enable demo mode (resets all data hourly). Not intended for regular use." Type="Variable" Display="advanced" Required="false" Mask="false">false</Config>
-  <Config Name="MCP_RATE_LIMIT" Target="MCP_RATE_LIMIT" Default="60" Mode="" Description="Max MCP API requests per user per minute." Type="Variable" Display="advanced" Required="false" Mask="false">60</Config>
+  <Config Name="MCP_RATE_LIMIT" Target="MCP_RATE_LIMIT" Default="300" Mode="" Description="Max MCP API requests per user per minute." Type="Variable" Display="advanced" Required="false" Mask="false">300</Config>
-  <Config Name="MCP_MAX_SESSION_PER_USER" Target="MCP_MAX_SESSION_PER_USER" Default="5" Mode="" Description="Max concurrent MCP sessions per user." Type="Variable" Display="advanced" Required="false" Mask="false">5</Config>
+  <Config Name="MCP_MAX_SESSION_PER_USER" Target="MCP_MAX_SESSION_PER_USER" Default="20" Mode="" Description="Max concurrent MCP sessions per user." Type="Variable" Display="advanced" Required="false" Mask="false">20</Config>
 </Container>