@@ -18,6 +18,27 @@ organization:
1818
1919# Disable AI Notebooks feature by default
2020lightspeed :
21+ # MCP Servers available to the Lightspeed assistant via LCORE.
22+ # Names must match the 'name' field in lightspeed-stack.yaml mcp_servers.
23+ #
24+ # Authentication modes per server:
25+ # auth: dcr — Backstage mints a per-user token automatically (for
26+ # Backstage-internal MCP servers with DCR enabled).
27+ # The corresponding lightspeed-stack.yaml entry should use
28+ # authorization_headers: { Authorization: "client" }.
29+ # Any static 'token' field is ignored when auth: dcr is set.
30+ #
31+ # (no auth) — Static-token mode (legacy). Uses the 'token' field from
32+ # this config, or the user's personal token set in the UI.
33+ # The corresponding lightspeed-stack.yaml entry should use
34+ # authorization_headers: { Authorization: "client" }.
35+ #
36+ # Example:
37+ # mcpServers:
38+ # - name: mcp-integration-tools
39+ # auth: dcr
40+ # - name: test-mcp-server
41+ # token: ${MCP_TOKEN_1}
2142 notebooks :
2243 enabled : ${NOTEBOOKS_ENABLED:-false}
2344 queryDefaults :
@@ -31,6 +52,16 @@ backend:
3152 # auth:
3253 # keys:
3354 # - secret: ${BACKEND_SECRET}
55+ #
56+ # To expose MCP tools locally, uncomment the following. pluginSources lists
57+ # the pluginIds whose actions are exposed as MCP tools. Requires
58+ # @backstage/plugin-mcp-actions-backend and the mcp-extras plugins in index.ts.
59+ # In production RHDH the overlay renames these to 'software-catalog-mcp-tool' etc.
60+ # actions:
61+ # pluginSources:
62+ # - 'software-catalog-mcp-extras'
63+ # - 'techdocs-mcp-extras'
64+ # - 'scaffolder-mcp-extras'
3465 baseUrl : http://localhost:7007
3566 listen :
3667 port : 7007
@@ -63,6 +94,12 @@ backend:
6394 # password: ${POSTGRES_PASSWORD}
6495 # workingDirectory: /tmp # Use this to configure a working directory for the scaffolder, defaults to the OS temp-dir
6596
97+ # Disable dotted tool names (e.g. "software-catalog-mcp-extras.query-catalog-entities")
98+ # so they pass OpenAI's strict tool name pattern ^[a-zA-Z0-9_-]+$ (dots are rejected).
99+ # In production RHDH, add this under the backstage appConfig in values.yaml.
100+ # mcpActions:
101+ # namespacedToolNames: false
102+
66103integrations :
67104 github :
68105 - host : github.com
@@ -95,6 +132,14 @@ techdocs:
95132auth :
96133 # see https://backstage.io/docs/auth/ to learn about auth providers
97134 environment : development
135+ # Enable Dynamic Client Registration (DCR) for MCP.
136+ # This allows MCP clients (e.g. Cursor, VS Code) to register OAuth2 clients
137+ # dynamically and obtain per-user tokens via the Backstage auth system.
138+ # Requires @backstage/plugin-auth (frontend) and @backstage/plugin-mcp-actions-backend.
139+ # experimentalDynamicClientRegistration:
140+ # enabled: true
141+ # allowedRedirectUriPatterns:
142+ # - '*'
98143 providers :
99144 # See https://backstage.io/docs/auth/guest/provider
100145 guest : {}
@@ -110,6 +155,19 @@ auth:
110155 # # Since we do not have a User entity, for local development, uncomment the following line to allow sign-in without a user in the catalog
111156 # dangerouslyAllowSignInWithoutUserInCatalog: true
112157
158+ # RBAC permission configuration.
159+ # Enables fine-grained role-based access control for Lightspeed and catalog.
160+ # Requires @backstage/plugin-permission-backend and @backstage-community/plugin-rbac-backend
161+ # in packages/backend/src/index.ts, plus an rbac-policy.csv file.
162+ # permission:
163+ # enabled: true
164+ # rbac:
165+ # policies-csv-file: ../../rbac-policy.csv
166+ # policyFileReload: true
167+ # admin:
168+ # superUsers:
169+ # - name: user:default/breanna.davison
170+
113171scaffolder : {}
114172 # see https://backstage.io/docs/features/software-templates/configuration for software template options
115173
0 commit comments