[Unit]
Description=Expose MCP Browser via HTTP bridge
Documentation=https://github.com/Xilope0/mcp-browser
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
Environment="PYTHONUNBUFFERED=1"
Environment="MCP_PROXY_BIN=%h/.local/bin/mcp-proxy"
Environment="MCP_PROXY_ALLOW_ORIGIN=https://platform.openai.com"
Environment="MCP_PROXY_PORT=14001"
Environment="MCP_PROXY_CONFIG=%h/.config/mcp-browser/proxy.yaml"
Environment="MCP_PROXY_EXTRA_ARGS="
EnvironmentFile=-%h/.config/mcp-browser/proxy.env

ExecStart=/usr/bin/env sh -c '\
  set -eu; \
  exec "$MCP_PROXY_BIN" \
    --allow-origin "$MCP_PROXY_ALLOW_ORIGIN" \
    --port "$MCP_PROXY_PORT" \
    --named-server-config "$MCP_PROXY_CONFIG" \
    $MCP_PROXY_EXTRA_ARGS'

Restart=on-failure
RestartSec=5
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=read-only
PrivateTmp=yes
ProtectControlGroups=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
LockPersonality=yes
MemoryDenyWriteExecute=yes
RestrictSUIDSGID=yes
RestrictRealtime=yes
RestrictNamespaces=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6

[Install]
WantedBy=default.target