Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Guidelines Server

БесплатноНе проверен

A remote MCP server that serves versioned Enterprise & Architecture guidelines (security, architecture, compliance) to LLM clients via Streamable HTTP with Bear

GitHubEmbed

Описание

A remote MCP server that serves versioned Enterprise & Architecture guidelines (security, architecture, compliance) to LLM clients via Streamable HTTP with Bearer-token authentication.

README

A remote MCP server that serves versioned Enterprise & Architecture guidelines (security / architecture / compliance policies) to LLM clients (Claude Desktop, IDE integrations, …) over Streamable HTTP behind static Bearer-token auth. Guidelines are plain Markdown files with YAML frontmatter, indexed in-memory with SQLite FTS5 for ranked full-text search and hot-reloaded on change. Built on the official mcp SDK (FastMCP) and packaged for Docker (e.g. a Synology NAS behind a reverse proxy / Tailscale).

Features

  • Five core MCP tools + find_applicable and two prompts (see Tools).
  • Ranked full-text + tag search (SQLite FTS5, bm25) with highlighted snippets.
  • Hot-reload: edits in the guidelines directory are picked up without a restart (watchdog), with a POST /reload fallback for filesystems where inotify/FSEvents doesn't fire (NAS shares).
  • Schema validation: malformed frontmatter is logged and skipped — never crashes.
  • Static Bearer-token auth; unauthenticated MCP calls get 401. Scopes are modelled (data-model ready) but not enforced in Phase 1.
  • Structured JSON audit logging per tool call; optional Prometheus /metrics.
  • Per-token rate limiting and a /health endpoint for Docker/reverse-proxy.
  • Read-only by design: the server never writes guidelines.

Project layout

src/mcp_guidelines/
  server.py          # composition root: FastMCP, watcher lifecycle, ops routes, entrypoint
  loader.py          # read dir, parse frontmatter, validate, skip-on-error
  models.py          # Pydantic models (frontmatter contract + I/O shapes)
  index.py           # GuidelineIndex: in-memory cache + SQLite FTS5 search
  auth.py            # static bearer tokens, scope model, rate limiter
  tools.py           # MCP tool + prompt registrations
  config.py          # 12-factor env config
  metrics.py         # dependency-free Prometheus counters
  logging_setup.py   # JSON logging to stdout
guidelines/          # seed guidelines (security / architecture / compliance)
tests/               # loader, index/search, auth, tools (MCP protocol), HTTP (401)
Dockerfile  docker-compose.yml  .env.example  pyproject.toml

Installation

Requires Python ≥ 3.11.

# editable install with dev/test extras
pip install -e ".[dev]"
# or, with uv
uv sync

Running locally

AUTH_TOKENS=dev=secret GUIDELINES_PATH=guidelines mcp-guidelines
# equivalently: python -m mcp_guidelines

The MCP endpoint is served at http://<host>:<port>/mcp (Streamable HTTP). Clients MUST send Authorization: Bearer <token>.

curl -s localhost:8000/health           # {"status":"ok","documents":4,"revision":"…"}
# unauthenticated MCP call is rejected:
curl -s -o /dev/null -w '%{http_code}\n' -X POST localhost:8000/mcp \
  -H 'content-type: application/json' -d '{}'        # -> 401

Docker

# create your token(s) first (see "Token generation")
echo 'AUTH_TOKENS=team=PUT-A-REAL-TOKEN-HERE' > .env
docker compose up --build
curl localhost:8000/health               # -> 200, container reports "healthy"

docker-compose.yml mounts ./guidelines read-only into the container, passes config via env vars, defines a healthcheck against /health, and restarts unless stopped. Put the container behind your reverse proxy (Synology / Traefik / nginx) or expose it over Tailscale; terminate TLS there.

Configuration (environment variables)

All configuration is via env vars (12-factor); a .env file is read when present. See .env.example.

Variable Default Description
GUIDELINES_PATH guidelines Directory of guideline .md files (read-only).
AUTH_TOKENS (empty) Comma-separated name=token pairs. Empty ⇒ every MCP call is 401.
AUTH_TOKENS_FILE (unset) Path to a JSON secrets file (below); entries override AUTH_TOKENS.
LOG_LEVEL INFO DEBUG | INFO | WARNING | ERROR.
HOST 0.0.0.0 Bind address. 0.0.0.0 disables the SDK's DNS-rebind guard (intended behind a proxy).
PORT 8000 Listen port.
RATE_LIMIT 60 Requests per minute per token (0 disables).
ISSUER_URL http://localhost:8000 OAuth issuer URL, used only for WWW-Authenticate/OAuth metadata.
RESOURCE_SERVER_URL (unset) Optional protected-resource metadata URL.
METRICS_ENABLED true Expose Prometheus metrics at /metrics.

Token generation

Generate a strong random token and add it to AUTH_TOKENS:

python -c "import secrets; print(secrets.token_urlsafe(32))"
# AUTH_TOKENS=alice=<token1>,bob=<token2>

Secrets file (AUTH_TOKENS_FILE)

For per-token scopes or to keep tokens out of the environment, point AUTH_TOKENS_FILE at a JSON file. File entries override AUTH_TOKENS.

{
  "tokens": [
    { "name": "alice", "token": "…", "scopes": ["read:all"] },
    { "name": "secaudit", "token": "…", "scopes": ["read:security"] }
  ]
}

Scopes are recorded on the token and surfaced to the audit log. Phase 1 does not enforce them — any valid token may read everything. Enforcement is a later phase (set required_scopes in build_auth_settings and/or check tok.scopes in tools._begin). Swapping in real OAuth is a drop-in replacement of StaticTokenVerifier with an introspection verifier (same TokenVerifier protocol).

Guideline frontmatter schema

Each guideline is a Markdown file with a YAML frontmatter block. Place files under category subdirectories of GUIDELINES_PATH (the directory layout is for humans; category comes from the frontmatter, not the path).

---
id: arch-api-design            # required, unique, stable slug ([a-z0-9-])
title: API Design Guidelines   # required
category: architecture         # required, slug (e.g. security|architecture|compliance)
tags: [rest, versioning, http] # optional
version: 2.1.0                 # required, SemVer
status: active                 # required: draft | active | deprecated
owner: platform-team           # required
updated: 2026-06-01            # required, ISO date
applies_to: [backend, api]     # optional: scope/domains (drives find_applicable)
supersedes: arch-api-v1        # optional
---

# API Design Guidelines

… actual content …
  • id and category must be slugs; version must be SemVer; status is one of the three literals. Files that fail validation (bad YAML or schema) are logged and skipped — the server keeps running.
  • Unknown extra frontmatter keys are allowed and ignored.
  • status: deprecated guidelines still appear in search, flagged with a warning (and supersedes when set).

Tools and prompts

Tool Input Output
list_guidelines category?, tag?, status? summaries (id, title, category, tags, version, status)
get_guideline id { metadata, content, path }
search_guidelines query, category?, limit? ranked hits with score, snippet, deprecation warning
list_categories categories with counts
get_guideline_metadata id frontmatter only (token-sparing)
find_applicable applies_to: [...], category? active guidelines overlapping the context, ranked by overlap

Prompts: apply_guideline(id, code) (check code against one guideline) and review_against_category(category, code) (review against all active guidelines in a category).

Connecting a client

Use any MCP client that speaks Streamable HTTP. Point it at http://<host>:<port>/mcp with header Authorization: Bearer <token>, e.g.:

npx -y @modelcontextprotocol/inspector
# URL: http://localhost:8000/mcp   Header: Authorization: Bearer <token>

Operational endpoints

Endpoint Method Auth Purpose
/health GET public Liveness/readiness: {status, documents, revision} (Docker healthcheck).
/metrics GET public Prometheus text exposition (when METRICS_ENABLED).
/reload POST Bearer Force a full re-read of the guidelines directory (hot-reload fallback).
/mcp POST Bearer The MCP Streamable HTTP endpoint.

Maintaining guidelines

Guidelines live in a versioned Git repo (keep version/updated current). To add or change one:

  1. Drop or edit a .md file under a category directory in GUIDELINES_PATH.

  2. The file watcher applies the change within moments — no restart needed.

  3. If your filesystem doesn't deliver watch events (some NAS shares), trigger a reload explicitly:

    curl -X POST -H 'Authorization: Bearer <token>' localhost:8000/reload
    

The server never writes guidelines; all maintenance is via Git/the filesystem.

Development & tests

pip install -e ".[dev]"
pytest -q

Tests cover the loader (skip-on-error), the FTS5 index (ranked search, snippets, category filter, deprecation flagging, hot-reload add/edit/delete), auth (token verification, env+file principal merge, rate limiter), every tool over the real in-memory MCP protocol, and the HTTP surface (/health, the 401 auth gate, and /reload).

from github.com/eagleffz/demo-ea-mcp

Установка Guidelines Server

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/eagleffz/demo-ea-mcp

FAQ

Guidelines Server MCP бесплатный?

Да, Guidelines Server MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Guidelines Server?

Нет, Guidelines Server работает без API-ключей и переменных окружения.

Guidelines Server — hosted или self-hosted?

Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.

Как установить Guidelines Server в Claude Desktop, Claude Code или Cursor?

Открой Guidelines Server на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Guidelines Server with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории ai