Deployment Compatibility Matrix¶

This document provides a comprehensive view of Code Scalpel's compatibility with all known MCP server deployment methods.

📋 Full Compliance Audit: See the MCP Compliance Audit for point-by-point validation against official MCP requirements.

Transport Layer Support¶

Transport	Status	Security	Use Case	Documentation
stdio	✅ Fully Supported	Process isolation	Local AI clients (Claude Desktop, Cursor, VS Code)	MCP Transports
SSE	✅ Fully Supported	HTTPS/TLS	Network deployments, Docker, remote teams	MCP Transports
streamable-http	✅ Fully Supported	HTTPS/TLS	Production systems, load balancers, proxies	MCP Transports

Local Deployment Methods¶

Desktop/Development Environments¶

Method	Status	Notes	Example
Direct Python Execution	✅ Supported	Requires Python 3.10+	`uvx codescalpel mcp`
pip Installation	✅ Supported	Global or venv	`pip install codescalpel && codescalpel mcp`
uv Tool	✅ Supported	Recommended for isolation	`uvx codescalpel mcp`
Docker Local	✅ Supported	Full isolation with dependencies	`docker run -i code-scalpel mcp`
Windows cmd.exe	✅ Supported	Works with standard Windows shells	See Windows guide
WSL (Windows)	✅ Supported	Linux environment on Windows	Standard Linux commands

Client-Specific Configurations¶

Client	Status	Transport	Configuration
Claude Desktop	✅ Supported	stdio	Setup Guide
VS Code + Copilot	✅ Supported	stdio	Setup Guide
Cursor	✅ Supported	stdio	Setup Guide
Continue.dev	✅ Supported	stdio or HTTP	Standard MCP config
Cline	✅ Supported	stdio or HTTP	Standard MCP config
Gemini CLI	⚠️ Partial	HTTP with auth	See Authentication

Network & Cloud Deployment¶

Container Platforms¶

Platform	Status	Transport	Notes
Docker	✅ Supported	stdio, SSE, HTTP	Docker Guide
Docker Compose	✅ Supported	SSE, HTTP	Multi-service deployments
Kubernetes	✅ Supported	SSE, HTTP	Requires LoadBalancer/Ingress
Podman	✅ Supported	Same as Docker	Drop-in Docker replacement
Fly.io	✅ Supported	SSE, HTTP	Fly.io deployment

Cloud Platforms¶

Platform	Status	Hosting Type	Notes
AWS EC2	✅ Supported	VM	Standard Linux deployment
AWS ECS/Fargate	✅ Supported	Container	Use SSE or HTTP transport
AWS Lambda	⚠️ Limited	Serverless	See Serverless Considerations
Google Cloud Run	✅ Supported	Container	HTTP transport required
Azure Container Instances	✅ Supported	Container	Standard container deployment
Azure Functions	⚠️ Limited	Serverless	See Serverless Considerations
DigitalOcean Droplets	✅ Supported	VM	Standard Linux deployment
Heroku	✅ Supported	Container	Use HTTP transport
Railway	✅ Supported	Container	Use HTTP transport
Render	✅ Supported	Container/Web Service	Use HTTP transport

Platform as a Service¶

Platform	Status	Notes
Apify	🔄 Experimental	MCP Actor deployment pattern possible
Replit	✅ Supported	Can run as background process
CodeSandbox	⚠️ Limited	Container environments only
Gitpod	✅ Supported	Workspace integration

Authentication Support¶

⚠️ Critical Limitation for Remote Deployments

Code Scalpel currently implements authorization (tier-based feature gating) but not authentication (identity verification) for HTTP endpoints.

Current Support¶

Auth Method	Status	Use Case
License JWT	✅ Supported	Tier-based feature gating (Pro/Enterprise)
Environment Variables	✅ Supported	`CODE_SCALPEL_LICENSE_PATH`
Host Validation	✅ Supported	`--allow-lan` flag for network access control
HTTPS/TLS	✅ Supported	`--ssl-cert/--ssl-key` for encrypted transport

Not Yet Implemented¶

Auth Method	Status	Priority	Workaround
Bearer Tokens	❌ Not Implemented	High	✅ Use reverse proxy with auth (nginx, Caddy)
OAuth 2.0/2.1	❌ Not Implemented	Medium	✅ Use Cloudflare Tunnel or reverse proxy
API Keys	❌ Not Implemented	Medium	✅ Use VPN or SSH tunnels
SAML	❌ Not Implemented	Low	✅ Use enterprise reverse proxy

What This Means¶

For local development (stdio): ✅ No authentication needed - process isolation provides security

For network deployments (SSE/HTTP): ⚠️ Must use workaround

✅ LAN/Team: Use VPN, SSH tunnel, or private network
✅ Production: REQUIRED - Use reverse proxy (nginx/Caddy) or Cloudflare Tunnel
❌ Public Internet: NEVER expose directly without authentication

Complete Authentication Guide¶

See the Authentication & Security Guide for: - Detailed security analysis for each deployment scenario - Step-by-step reverse proxy configuration (nginx, Caddy, Cloudflare Tunnel) - Production deployment checklist - Authentication implementations (workarounds until native support)

Serverless Limitations¶

Code Scalpel is designed as a stateful, long-running server and has limitations on serverless platforms:

Why Serverless is Limited¶

Issue	Impact	Mitigation
Cold Start Latency	2-5 second delay on first request	Pre-warm functions or use provisioned concurrency
Stateless Execution	No persistent AST cache between calls	Use external cache (Redis, DynamoDB)
Memory Constraints	Large codebases may exceed limits	Process files in batches
Execution Timeout	Lambda/Functions have max execution time	Break large operations into smaller chunks
stdio Not Supported	FaaS uses HTTP/event triggers only	Must use HTTP transport

Recommended Serverless Architecture¶

For serverless deployments:

Use Container-based Serverless (Cloud Run, ECS Fargate) instead of FaaS
Implement External State Store for AST cache persistence
Use Session Management to maintain context across invocations
Deploy as "Always-On" Container with min instances = 1

Example: AWS Lambda Deployment (Experimental)¶

# lambda_handler.py
import json
from code_scalpel.mcp.server import handle_mcp_request

def lambda_handler(event, context):
    """
    Lambda wrapper for Code Scalpel MCP server.
    WARNING: Limited functionality due to stateless constraints.
    """
    try:
        # Parse MCP request from API Gateway
        body = json.loads(event.get('body', '{}'))

        # Handle MCP tool call
        result = handle_mcp_request(body)

        return {
            'statusCode': 200,
            'headers': {'Content-Type': 'application/json'},
            'body': json.dumps(result)
        }
    except Exception as e:
        return {
            'statusCode': 500,
            'body': json.dumps({'error': str(e)})
        }

Note: This requires implementing handle_mcp_request as a stateless interface, which is not currently in the codebase.

Windows Deployment¶

PowerShell Configuration¶

# Claude Desktop config (Windows)
$configPath = "$env:APPDATA\Claude\claude_desktop_config.json"

# With uvx (recommended)
@"
{
  "mcpServers": {
    "code-scalpel": {
      "command": "uvx",
      "args": ["codescalpel", "mcp"]
    }
  }
}
"@ | Out-File -FilePath $configPath -Encoding utf8

cmd.exe Support¶

Code Scalpel works with Windows Command Prompt, but paths must be proper Windows paths:

{
  "mcpServers": {
    "code-scalpel": {
      "command": "cmd",
      "args": ["/c", "python", "-m", "code_scalpel.cli", "mcp"]
    }
  }
}

Fly.io Deployment¶

Fly.io is ideal for stateful MCP servers with single-tenant isolation.

fly.toml Configuration¶

app = "code-scalpel"
primary_region = "sjc"

[build]
  image = "ghcr.io/your-org/code-scalpel:latest"

[env]
  CODE_SCALPEL_TIER = "enterprise"

[http_service]
  internal_port = 8080
  force_https = true
  auto_stop_machines = false
  auto_start_machines = true
  min_machines_running = 1

[[services]]
  protocol = "tcp"
  internal_port = 8080

  [[services.ports]]
    port = 443
    handlers = ["tls", "http"]

  [[services.tcp_checks]]
    interval = "15s"
    timeout = "2s"

Deploy:

fly deploy
flyctl secrets set CODE_SCALPEL_LICENSE_PATH=/etc/code-scalpel/license.jwt

Deployment Decision Tree¶

Need to deploy Code Scalpel?
│
├─ Local AI client? (Claude Desktop, VS Code, Cursor)
│  └─ ✅ Use stdio transport (simplest)
│
├─ Docker/Kubernetes deployment?
│  ├─ Behind load balancer? → ✅ Use streamable-http
│  └─ Direct access? → ✅ Use SSE
│
├─ Cloud VM? (EC2, Droplets, Fly.io)
│  └─ ✅ Use SSE or streamable-http with systemd service
│
├─ Serverless? (Lambda, Azure Functions)
│  ├─ Can use containers? (Cloud Run, Fargate)
│  │  └─ ✅ Use streamable-http transport
│  └─ Pure FaaS? (Lambda, Functions)
│     └─ ⚠️ Limited support - consider VM/container instead
│
└─ On-premises/Enterprise?
   ├─ Need authentication? → Use reverse proxy (nginx/Caddy) + SSE
   ├─ Behind firewall? → ✅ Use HTTP transport + VPN
   └─ Air-gapped? → ✅ Use stdio on local machines

Status Legend¶

Symbol	Meaning
✅	Fully supported and documented
⚠️	Partial support or limitations
🔄	Experimental or community-contributed
❌	Not implemented (may be added in future)

Getting Help¶

If your deployment scenario isn't covered:

Check the MCP Transports Guide for transport-specific details
Review the Installation Guides for platform-specific setup
Open an issue on GitHub describing your deployment environment

Contributing¶

Know of a deployment method not covered here? We welcome contributions:

Documentation improvements
Platform-specific deployment guides
Authentication implementations
Serverless adapters

See Contributing for contribution guidelines.