firefrost-operations-manual/docs/tasks-index/task-092-trinity-core-mcp-gateway.md
Claude 35c66099a5 docs(tasks): Create Task #92 - Trinity Core MCP Gateway
Full task definition with 6 phases:
1. Ubuntu Server Setup (detailed checklist created)
2. SSH Infrastructure (claude_executor users)
3. Cloudflare Tunnel
4. MCP Server Development
5. Arbiter Integration (approval workflow)
6. Testing & Monitoring

Phase 1 checklist has copy-paste friendly commands for:
- Ubuntu install, Cockpit, UFW, fail2ban
- Lid switch ignore (shelf mode)
- Docker and Node.js

Architecture based on Gemini consultations from April 8-9.

Chronicler #73
2026-04-09 14:49:10 +00:00


| task_number | title | status | priority | is_blocker | owner | tags | estimated_hours |
|---|---|---|---|---|---|---|---|
| 92 | Trinity Core — Desktop MCP Gateway | In Progress | P1-High | false | Michael | infrastructure, mcp, security, automation | 8 |

Task #92: Trinity Core — Desktop MCP Gateway

Overview

A dedicated Ubuntu Server on Michael's HP laptop that acts as an MCP gateway, allowing Claude.ai to execute commands on Firefrost servers with approval workflows.

Hardware: HP Laptop (dedicated, shelf-mode)
OS: Ubuntu Server 24.04 LTS
Codename: Trinity Core

The Vision

Claude.ai → MCP Request → Laptop (Trinity Core) → SSH → Firefrost Servers
                              ↓
                    Arbiter (Discord Approval)
                              ↓
                    Michael clicks "Approve"
                              ↓
                    Command executes

No more copy-paste from Claude to MobaXterm. Claude can execute commands directly with Michael's approval.

Architecture (Gemini-Approved)

| Component | Decision | Rationale |
|---|---|---|
| MCP Server | Docker container | Isolation — bugs stay contained |
| SSH Keys | One Ed25519 key | claude_executor user on all target servers |
| Firewall | UFW | Allow 22, 9090 only; deny all else |
| Security | fail2ban + Cloudflare Access | Defense in depth |
| Approval | Arbiter integration | Don't reinvent — use existing Discord bot |
| Tunnel | cloudflared | Zero incoming ports needed |
| Startup | docker-compose + systemd | Auto-recovery on reboot |
| Monitoring | Uptime Kuma | CPU temp, disk I/O, endpoint health |

Implementation Phases

Phase 1: Ubuntu Server Setup ⬅️ CURRENT

Status: Ready to begin (laptop is wiped)

  1. Download Ubuntu Server 24.04 LTS ISO
  2. Flash to USB with Rufus or balenaEtcher
  3. Install Ubuntu Server on HP laptop
  4. During install: enable OpenSSH server
  5. First boot: update system (apt update && apt upgrade)
  6. Install Cockpit for web management
  7. Configure UFW firewall
  8. Install fail2ban
  9. Configure lid switch behavior
  10. Install Docker and docker-compose

Detailed checklist: docs/tasks/task-092-trinity-core/phase-1-ubuntu-setup.md

Phase 2: SSH Infrastructure

  1. Generate Ed25519 key pair on laptop
  2. Create claude_executor user on Command Center
  3. Create claude_executor user on TX1
  4. Create claude_executor user on NC1
  5. Create claude_executor user on Panel (if needed)
  6. Add public key to all authorized_keys
  7. Test SSH connections
  8. Configure restricted sudo for claude_executor

Phase 3: Cloudflare Tunnel

  1. Install cloudflared
  2. Create tunnel in Cloudflare Zero Trust dashboard
  3. Configure tunnel to point to MCP server port
  4. Set up Cloudflare Access policy (Service Token)
  5. Create systemd service for cloudflared
  6. Test tunnel connectivity

Phase 4: MCP Server Development

  1. Scaffold MCP server (Node.js)
  2. Implement SSH command execution
  3. Add Arbiter webhook integration (approval requests)
  4. Handle approval responses
  5. Add command allowlist/denylist
  6. Containerize with Docker
  7. Create docker-compose.yml
  8. Mount SSH keys as read-only volume

Phase 5: Arbiter Integration

  1. Add MCP approval endpoint to Arbiter
  2. Create #mcp-approvals Discord channel
  3. Implement approval button UI
  4. Add timeout handling (auto-deny after X minutes)
  5. Implement callback to MCP server
  6. Add audit logging
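
The Phase 5 approval flow (timeout auto-deny, callback to the MCP server, audit logging), as an added example in Node.js that is not code from the Firefrost repository. `createApprovalStore`, its method names and the injected `now`/`newId` functions are assumptions; `ttlMs` stands for the "X minutes" the task leaves open.

```javascript
// Pending-approval store for the MCP gateway (added example; all names are hypothetical).
// Clock and id generator are injected so expiry and replay can be tested deterministically.
function createApprovalStore({ ttlMs, now = Date.now, newId = () => globalThis.crypto.randomUUID() }) {
  const pending = new Map(); // id -> { host, command, expiresAt }
  const audit = [];          // append-only record of every decision

  function record(id, req, decision, actor) {
    audit.push({ at: now(), id, host: req.host, command: req.command, decision, actor });
  }

  return {
    audit,
    // Called when a command is requested; the id is what the Discord button carries.
    request(host, command) {
      const id = newId();
      pending.set(id, { host, command, expiresAt: now() + ttlMs });
      return id;
    },
    // Called by the Arbiter callback. The callback supplies only id + decision:
    // the command returned for execution is the one stored at request time.
    resolve(id, decision, actor) {
      const req = pending.get(id);
      if (!req) return null;   // unknown id, or an id that was already used
      pending.delete(id);      // single use, whatever the outcome
      if (now() > req.expiresAt) {
        record(id, req, 'auto-deny (expired)', actor);
        return null;
      }
      if (decision !== 'approve') {
        record(id, req, 'deny', actor);
        return null;
      }
      record(id, req, 'approve', actor);
      return { host: req.host, command: req.command };
    },
    // Periodic sweep: deny every request whose approval window has passed.
    expire() {
      let denied = 0;
      for (const [id, req] of pending) {
        if (now() > req.expiresAt) {
          pending.delete(id);
          record(id, req, 'auto-deny (timeout)', 'system');
          denied++;
        }
      }
      return denied;
    },
  };
}
```

A late click and a replayed callback both return `null`, so the executor runs nothing unless `resolve` hands back a stored request.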

Phase 6: Testing & Monitoring

  1. Add to Uptime Kuma (endpoint health)
  2. Add CPU temp monitoring
  3. Add disk I/O monitoring
  4. Test full flow: Claude → MCP → Approval → Execute
  5. Test failure scenarios
  6. Document troubleshooting guide

Target Servers

| Server | IP | claude_executor needed |
|---|---|---|
| Command Center | 63.143.34.217 | Yes |
| TX1 Dallas | 38.68.14.26 | Yes |
| NC1 Charlotte | 216.239.104.130 | Yes |
| Panel VPS | 45.94.168.138 | Maybe |
| Dev Panel | 64.50.188.128 | Maybe |

Security Model

Zero-Trust Principles:

  • Cloudflare Access validates identity before traffic reaches laptop
  • MCP server validates request format/signature
  • Arbiter requires Discord button approval for execution
  • claude_executor has restricted sudo (no root)
  • SSH keys mounted read-only in container
  • All commands logged for audit

Command Classification:

  • Safe: Read-only commands (ls, cat, systemctl status) — maybe auto-approve
  • Moderate: Service restarts, git operations — require approval
  • Dangerous: File deletion, user management — require approval + confirmation

Related Tasks

  • Task #93: Trinity Codex (RAG knowledge base) — could query via MCP
  • Task #94: Global Restart Scheduler — could trigger via MCP
  • Task #87: Arbiter lifecycle handlers — approval system extends this
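
One way to implement the Command Classification tiers and the Phase 4 allowlist/denylist in the Node.js MCP server, as an added example that is not the project's own code. The command tables, the `classify` and `requiredSteps` names, and the fail-closed handling of shell metacharacters, `sudo` and unknown commands are assumptions.

```javascript
// Added example: tier names follow the page; the command tables are illustrative assumptions.
// Map value null = any subcommand allowed; an array = only those subcommands.
const SAFE = new Map([['ls', null], ['cat', null], ['systemctl', ['status']]]);
const MODERATE = new Map([['systemctl', ['restart', 'reload', 'start', 'stop']], ['git', null]]);
const DANGEROUS = new Map([['rm', null], ['useradd', null], ['userdel', null], ['usermod', null]]);

// Anything the remote shell would interpret: chaining, substitution, redirection, globs, quotes.
const SHELL_META = /[;&|`$<>(){}\\\n\r*?~!#'"]/;

function matches(table, cmd, sub) {
  if (!table.has(cmd)) return false;
  const subs = table.get(cmd);
  return subs === null || subs.includes(sub);
}

// Returns 'safe' | 'moderate' | 'dangerous' | 'reject'.
function classify(line) {
  if (typeof line !== 'string' || line.length > 512 || SHELL_META.test(line)) return 'reject';
  let argv = line.trim().split(/\s+/).filter(Boolean);
  const elevated = argv[0] === 'sudo';
  if (elevated) argv = argv.slice(1);
  if (argv.length === 0 || argv[0].startsWith('-')) return 'reject';
  const [cmd, ...rest] = argv;
  const sub = rest.find((a) => !a.startsWith('-')); // first non-option argument
  if (matches(DANGEROUS, cmd, sub)) return 'dangerous';
  if (matches(SAFE, cmd, sub)) return elevated ? 'moderate' : 'safe'; // sudo is never auto-approved
  if (matches(MODERATE, cmd, sub)) return 'moderate';
  return 'dangerous'; // fail closed: unknown commands get the strictest review
}

// Maps a command to the human steps the page requires; null means refuse outright.
function requiredSteps(line, { autoApproveSafe = false } = {}) {
  const tier = classify(line);
  if (tier === 'reject') return null;
  if (tier === 'safe') return autoApproveSafe ? [] : ['approval'];
  return tier === 'moderate' ? ['approval'] : ['approval', 'confirmation'];
}
```

Classifying on the first token alone would rate a line that starts with `cat` as Safe even when it chains a second command, which is why metacharacters are rejected before any tier lookup.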

Consultations

  • docs/consultations/gemini-claude-code-workflow-2026-04-08.md — Original architecture
  • docs/consultations/gemini-task-92-ubuntu-setup-2026-04-09.md — Implementation guidance

Success Criteria

  • Laptop runs Ubuntu Server, accessible via Cockpit
  • Claude.ai can send MCP requests through Cloudflare Tunnel
  • Approval buttons appear in Discord
  • Commands execute on target servers after approval
  • Full audit trail exists
  • System auto-recovers from reboots

Fire + Frost + Foundation = Where Love Builds Legacy 💙🔥❄️