Team Limits & Admin Tools

This November 9th update adds team-level limits for stdio MCP servers (giving admins resource control while keeping HTTP servers unlimited), automatic secret masking in satellite logs (protecting API keys from exposure while maintaining debugging context), and a new admin UI for managing teams without database access. The changes focus on resource management, security hardening, and making platform administration more accessible.

DeployStack Team Management

Three platform improvements focused on resource management, security, and admin tools.

Team-Level Non-HTTP MCP Server Limits

We added team-level control for non-HTTP (stdio) MCP server installations. This gives platform administrators fine-grained control over resource consumption while keeping HTTP and SSE servers unlimited.

What Changed

New Global Setting:

  • Setting: `global.default_non_http_mcp_limit`
  • Default Value: 1
  • Purpose: Sets the default limit for new teams when they're created
  • Location: Backend global settings panel

Database Changes:

  • Added `non_http_mcp_limit` column to the `teams` table
  • Each team now stores its own limit value
  • Default teams and manually created teams both get this limit applied automatically

Installation Enforcement:

  • The platform now checks the limit before allowing stdio MCP server installations
  • HTTP and SSE MCP servers remain unlimited (they don't consume server resources)
  • Clear error messages when teams hit their limit

Why This Matters

Resource Management:

Non-HTTP (stdio) MCP servers run as actual processes on your infrastructure. They consume CPU, memory, and I/O resources:

  • Each stdio server requires runtime installation (Node.js, Python, etc.)
  • Without limits, teams could overwhelm your satellite infrastructure

HTTP and SSE servers are just URL proxies:

  • No local processes needed
  • No resource consumption
  • Can scale infinitely

Cost Control:

For platform operators running DeployStack:

  • Prevent unexpected infrastructure costs from runaway process spawning
  • Allocate resources fairly across teams
  • Plan capacity based on actual stdio server usage

Fair Usage:

- Ensures all teams get reliable performance

- Prevents one team from monopolizing server resources

How It Works

For New Teams:

When a team is created (either default team during registration or manually):

  1. System reads `global.default_non_http_mcp_limit` setting
  2. Stores this value in the team's `non_http_mcp_limit` field
  3. Team is now subject to this limit

During MCP Installation:

When a team member tries to install an MCP server:

1. System checks if it's a stdio server (transport_type === 'stdio')

2. If yes:

- Fetches the team's non_http_mcp_limit value

- Counts existing stdio installations for that team

- Blocks installation if limit would be exceeded

3. If no (HTTP/SSE):

- Installation proceeds without limit check

Error Message:

When a team hits their limit:

Team has reached the maximum limit of 1 non-HTTP (stdio) MCP server.
HTTP and SSE servers are not affected by this limit.
Contact your administrator to increase the limit.

Admin Controls

Set Platform Default:

Change the default for all new teams:

  1. Go to Backend Global Settings
  2. Find `global.default_non_http_mcp_limit`
  3. Set your desired default (e.g., 1 for free tier, 10 for paid)

Adjust Individual Teams:

Currently via database (admin UI coming soon):

UPDATE teams
SET non_http_mcp_limit = 5
WHERE id = 'team_id_here';

Use Cases:

  • Freemium Model: Free teams = 1, Pro teams = 5, Enterprise = unlimited (999)
  • Resource Tiers: Small teams = 3, Large teams = 10
  • Trial Limits: New teams = 1, increase after verification

Technical Details

Transport Types:

  • stdio (limited): Node.js, Python, Go MCP servers running as local processes
  • http (unlimited): Remote HTTP endpoints like `https://mcp.brightdata.com/mcp`
  • sse (unlimited): Server-Sent Events endpoints

Backward Compatibility:

Existing teams automatically get the default limit of 1 via the database migration. Teams with more than 1 stdio server already installed are grandfathered in - the limit only applies to new installations.

Satellite Log Secret Masking

We've added automatic secret masking to DeployStack satellites to protect your API keys, tokens, and credentials from exposure in log files and monitoring systems. When satellites connect to MCP servers using authentication credentials, those sensitive values are now automatically masked in all log output while keeping enough context for debugging.

How It Works

When connecting to an MCP server with a URL like https://api.example.com?token=sk_abc123xyz789&region=us-east-1, our satellites now log it as https://api.example.com?token=sk_*****&region=us-east-1 - showing the first 3 characters of secret values followed by asterisks.

The same protection applies to:

  • HTTP headers like Authorization tokens (e.g., `Authorization=Bea*****`)
  • Environment variables marked as secrets
  • Query parameters containing sensitive data

Why This Matters

You can now safely share satellite logs with your team or support staff for troubleshooting without worrying about credential leaks, while still being able to identify which credentials were used.

The system automatically detects which fields contain secrets based on your MCP server configuration schemas, so there's nothing you need to configure - it just works.

Teams Management for Global Admins

We added a Teams Management interface for global admins. If you're a platform administrator, you can now view and manage all teams directly from the admin dashboard.

What You Can Do

View All Teams:

Go to Admin Area → Teams to see a complete list of all teams on your DeployStack instance. The table shows:

  • Team name
  • Slug (unique identifier)
  • Team type (Default or Custom)
  • Creation date
  • Quick actions

You can search across team names, slugs, and descriptions to quickly find what you're looking for.

View Team Details:

Click "View" on any team to see complete information:

  • Basic team information (name, slug, description)
  • Team type (default vs custom)
  • Non-HTTP MCP server limit
  • Team creation and update timestamps
  • Complete member list with roles (Owner, Admin, Member)

Edit Team Settings:

Click "Edit Team" to update:

  • Team Name - Change the display name
  • Description - Add or update team description
  • Non-HTTP MCP Server Limit - Control how many stdio MCP servers the team can install Changes save instantly and you'll see a confirmation message when successful.

Why This Matters

Before this update, managing teams required direct database access. Now you can handle common team management tasks through the dashboard - no technical knowledge needed.

This makes it easier to:

  • Audit team configurations across your organization
  • Adjust MCP server limits as teams grow
  • Update team information without developer intervention
  • See team membership at a glance

You'll need global admin permissions to access this feature.

Share: