RHEcosystemAppEng · luis5tb · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026
@@ -45,9 +45,15 @@ GMA_CLIENT_SECRET=your_gma_client_secret
 # Red Hat Lightspeed MCP Server Configuration
 # -----------------------------------------------------------------------------
 # The MCP server provides tools to access Red Hat Insights APIs.
-# It runs as a sidecar container. The agent forwards the caller's JWT token
-# to the MCP server, which uses it to authenticate with console.redhat.com
-# on behalf of the calling user.
+# It runs as a separate service (ingress: internal) in Cloud Run by default,
+# or as a sidecar container inside the agent pod (MCP_DEPLOY_MODE=sidecar).
+# The agent forwards the caller's JWT token to the MCP server, which uses
+# it to authenticate with console.redhat.com on behalf of the calling user.
+#
+# MCP deployment mode for Cloud Run (deploy-time only, not used by Python):
+#   service  - MCP runs as a separate Cloud Run service (default)
+#   sidecar  - MCP runs as a second container in the agent pod
+# MCP_DEPLOY_MODE=service
 #
 # The MCP server can access:
 #   - Advisor (recommendations)
@@ -65,7 +71,7 @@ GMA_CLIENT_SECRET=your_gma_client_secret
 MCP_TRANSPORT_MODE=http
 
 # MCP server URL (for http/sse modes)
-# In Podman deployments, the MCP server runs as a sidecar on localhost:8081
+# In Podman deployments, the MCP server runs on localhost:8081
 # (port 8081 avoids conflict with A2A Inspector which uses 8080)
 MCP_SERVER_URL=http://localhost:8081
 

@@ -4,7 +4,7 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 
 ## Project Overview
 
-Red Hat Lightspeed Agent for Google Cloud — an A2A-ready (Agent-to-Agent protocol) AI agent providing access to Red Hat Insights, built on Google Agent Development Kit (ADK), Gemini 2.5 Flash, and a Red Hat Lightspeed MCP server sidecar. Integrates with Google Cloud Marketplace for provisioning, billing, and metering.
+Red Hat Lightspeed Agent for Google Cloud — an A2A-ready (Agent-to-Agent protocol) AI agent providing access to Red Hat Insights, built on Google Agent Development Kit (ADK), Gemini 2.5 Flash, and a Red Hat Lightspeed MCP server. Integrates with Google Cloud Marketplace for provisioning, billing, and metering.
 
 ## Common Commands
 
@@ -78,14 +78,16 @@ CI blocks merge on lint/test failures — catching issues locally saves round-tr
 
 ## Architecture
 
-### Two-Service Design
+### Three-Service Design
 
-The system runs as two separate FastAPI services with separate concerns:
+The system runs as three separate services:
 
-1. **Lightspeed Agent** (port 8000, `src/lightspeed_agent/main.py`) — The AI agent service. Scales to zero on Cloud Run. Handles A2A protocol requests (JSON-RPC 2.0 at `/`), serves the AgentCard at `/.well-known/agent.json`. Uses ADK `LlmAgent` with MCP tools loaded from the sidecar.
+1. **Lightspeed Agent** (port 8000, `src/lightspeed_agent/main.py`) — The AI agent service. Scales to zero on Cloud Run. Handles A2A protocol requests (JSON-RPC 2.0 at `/`), serves the AgentCard at `/.well-known/agent.json`. Uses ADK `LlmAgent` with MCP tools loaded from the MCP server.
 
 2. **Marketplace Handler** (port 8001, `src/lightspeed_agent/marketplace/app.py`) — Always-on service for Google Cloud Marketplace Pub/Sub provisioning events and Dynamic Client Registration (DCR). Has a single hybrid `/dcr` endpoint that routes Pub/Sub messages vs DCR requests based on request content.
 
+3. **MCP Server** — Red Hat Lightspeed MCP server providing Insights API tools. Runs as a separate Cloud Run service with `ingress: internal` (only reachable by the agent's service account).
+
 ### Database Isolation
 
 Two separate PostgreSQL databases (security boundary):
@@ -105,7 +107,7 @@ Setting `SKIP_JWT_VALIDATION=true` bypasses auth (dev only, blocked when running
 
 ### MCP Integration
 
-The agent loads tools from a Red Hat Lightspeed MCP server running as a sidecar:
+The agent loads tools from a Red Hat Lightspeed MCP server (separate Cloud Run service):
 - Transport modes: `stdio` (dev), `http` (prod), `sse` (streaming) — configured via `MCP_TRANSPORT_MODE`
 - Read-only mode (`MCP_READ_ONLY=true`) filters to a safe subset of tools
 - Tool categories: Advisor, Inventory, Vulnerability, Remediations, Planning, Image Builder, Subscription Management, Content Sources

@@ -46,24 +46,34 @@ The system consists of **two separate services**:
                                  │
                                  │ Shared PostgreSQL
                                  ▼
-┌────────────────────────────────────────────────────────────────────────┐
-│                    Lightspeed Agent (Port 8000)                        │
-│                     ──────────────────────────                         │
-│  ┌─────────────────────┐      ┌─────────────────────────────┐          │
-│  │  Lightspeed Agent   │ HTTP │   Red Hat Lightspeed MCP    │          │
-│  │   (Gemini + ADK)    │◄────►│   Server (Sidecar)          │          │
-│  │                     │      │                             │          │
-│  │   - A2A protocol    │      │   - Advisor, Inventory      │          │
-│  │   - OAuth 2.0       │      │   - Vulnerability, Patch    │          │
-│  │   - Session mgmt    │      │   - Remediations            │          │
-│  └─────────────────────┘      └──────────────┬──────────────┘          │
-└──────────────────────────────────────────────┼─────────────────────────┘
-                                               │
-                                               ▼
-                                       ┌───────────────────┐
-                                       │ console.redhat.com│
-                                       │ (Insights APIs)   │
-                                       └───────────────────┘
+┌─────────────────────────────────────┐
+│    Lightspeed Agent (Port 8000)    │
+│     ──────────────────────────     │
+│  ┌─────────────────────┐           │
+│  │  Lightspeed Agent   │           │
+│  │   (Gemini + ADK)    │           │
+│  │                     │           │
+│  │   - A2A protocol    │           │
+│  │   - OAuth 2.0       │           │
+│  │   - Session mgmt    │           │
+│  └──────────┬──────────┘           │
+└─────────────┼──────────────────────┘
+              │ HTTPS
+              ▼
+┌─────────────────────────────────────┐
+│  Red Hat Lightspeed MCP Server     │
+│  (Cloud Run - ingress: internal)   │
+│                                     │
+│   - Advisor, Inventory              │
+│   - Vulnerability, Patch            │
+│   - Remediations                    │
+└──────────────┬──────────────────────┘
+               │
+               ▼
+       ┌───────────────────┐
+       │ console.redhat.com│
+       │ (Insights APIs)   │
+       └───────────────────┘
 ```
 
 ### Service Responsibilities
@@ -696,10 +706,10 @@ This separation ensures:
 
 ### How the MCP Server Works
 
-The MCP server runs as a sidecar container and provides tools for the agent to interact with Red Hat Insights APIs:
+The MCP server runs as a separate Cloud Run service and provides tools for the agent to interact with Red Hat Insights APIs:
 
 1. **Agent receives a request** (e.g., "Show me my system vulnerabilities")
-2. **Agent calls MCP tools** via HTTP to the MCP server (localhost:8081), forwarding the caller's JWT token in the Authorization header
+2. **Agent calls MCP tools** via HTTPS to the MCP server, forwarding the caller's JWT token in the Authorization header
 3. **MCP server authenticates** with console.redhat.com using the forwarded JWT token
 4. **MCP server calls Insights APIs** and returns results to the agent
 5. **Agent formats the response** and returns it to the user