What's new at DeploysApp

Fixed a gap in the deploysapp-mcp server (v0.6.1): list_projects only returned projects you own. An agent authenticated as a team member therefore couldn't discover the projects shared with it — and since every follow-up tool needs a projectId, the whole integration looked dead for collaborators.

list_projects now returns owned and shared projects in one list, each tagged with isShared and your myRole (owner / maintainer / developer / viewer) so the agent knows what it may do where.

We also tightened project-scoped API keys: a key limited to specific projects no longer reveals other projects merely shared with the key's owner.

Update your MCP config to pin [email protected] to pick this up.

Closed the loop on the AI agent integration with a focused security pass and a productization polish.

Security

• Project-scope API keys are now strictly enforced. A key scoped to one project can no longer touch other projects of the same account — even via crafted requests against project-level endpoints. We added scope-aware variants of all project/service lookup helpers and updated every mutating route to use them.
• Audit log for API-key mutations. Every POST / PATCH / DELETE made with an API key is now recorded with method, path, status code, IP, and user agent. Useful forensic trail if a key is ever compromised.
• Rate limiter has an in-process backstop. Previously a Redis outage would fail-open. Now we fall through to an in-process counter so limits keep applying even when Redis is unavailable.
• Image allowlist hardened. If the ALLOWED_IMAGES env var is ever unset, the platform now falls back to a conservative built-in allowlist (instead of allowing arbitrary registries).
• Project name validation. Names containing HTML angle brackets or ASCII control chars are now rejected at the schema layer — defense-in-depth against future raw-render scenarios.

MCP productization

• "Connect Claude" wizard on the dashboard — a 3-step flow (permission → scope → ready-to-paste config) for setting up Claude Code, Cursor, or any MCP client in under a minute.
• /ai landing page with the full pitch, example conversations, and a 38-tool overview.
• Dashboard config snippet pins to a specific MCP version ([email protected]), instead of latest — protects against supply-chain surprises if a future version is ever compromised.

DeploysApp is now the first hosting platform with native AI agent integration. We shipped deploysapp-mcp, an open-source MCP server that lets Claude Code, Cursor, Copilot CLI, or any MCP-compatible client manage your projects through natural language.

What you can do

• "List my deploysapp projects"
• "Create a postgres database in the kincsemabc project"
• "Restart the szamlazo-web service after I update STRIPE_SECRET_KEY"
• "Add example.com as a custom domain — tell me what DNS records I need"
• "Show me the last build log for nextraktar"

Under the hood

• 43 tools across 8 categories: project lifecycle, service control, env/secrets, custom domains, email, backups, team.
• Permission presets (read-only / service control / full) and project-scope limits.
• Structured error codes so the agent can decide whether to retry.
• Per-API-key rate limits with sensible defaults (120 reads/min, 60 writes/min).

See it in action on the new /ai page. Setup is two minutes from the dashboard's Connect Claude button.

New /status page showing real-time platform component health, 30-day uptime per component, and a 24-hour dot grid history. The page is publicly accessible — no login required — and refreshes every 60 seconds.

Components currently tracked:

• API
• Dashboard
• PostgreSQL
• Build queue depth
• Redis
• Cloudflare-fronted edge

Internally, a new platformChecker worker polls component health and writes results to a PlatformCheck table. The same data backs the dot grid and the uptime aggregation.

Three new public pages to set expectations clearly for users evaluating DeploysApp for production workloads.

• /sla — 99.9% monthly uptime commitment with a credit table for downtime.
• /security — overview of security practices, encryption at rest, RBAC, audit logging, and the responsible disclosure policy (mirrored as SECURITY.md in our public repos).
• /refund — 14-day money-back guarantee for monthly plans, prorated refund for annual plans.

All three are now in the sitemap. Organization and SoftwareApplication Schema.org markup added to improve SEO.

The Email Hosting section in the dashboard got a refresh: cleaner mailbox list, per-mailbox quota usage, and a clearer DNS-records walkthrough when adding a new email domain.

We also added a dedicated SnappyMail-based admin webmail at mymail.deploysapp.com — useful for owners managing multiple mailboxes across domains. The original Roundcube webmail at webmail.deploysapp.com stays for end-user / tenant access.

Smaller tweaks in the same batch:

• "Also create www" checkbox when adding a custom domain — auto-provisions the www → apex 301 redirect.
• Service page (/dashboard/services/[id]) refactored from a 4621-line single component into focused sub-components. No user-visible change, but much easier for us to ship without regressions.
• Volume management: removal split into separate Unmount and Delete actions to prevent accidental data loss.