Public Portfolio
БесплатноНе проверенA read-only JSON-RPC service exposing a bounded engineering portfolio to recruiters and external agents, with strict tool allowlist and security measures.
Описание
A read-only JSON-RPC service exposing a bounded engineering portfolio to recruiters and external agents, with strict tool allowlist and security measures.
README
A small, production-minded read-only JSON-RPC service for exposing a deliberately bounded engineering portfolio to recruiters and external agents.
The interesting part is not the profile data. It is the boundary: callers can invoke three purpose-built tools, but they cannot choose a database table, filesystem path, URL, command, or private application module.
What this demonstrates
- Strict TypeScript and zero production dependencies
- MCP-style
initialize,tools/list, andtools/callover JSON-RPC 2.0 - Fixed read-only tool allowlist with exact argument keys
- Payload limits, rate limiting, CORS allowlisting, and security headers
- Bounded public text and prompt-injection-shaped input rejection
- Stable errors without stack traces or request payload logging
- Tests, Docker, GitHub Actions, architecture notes, ADR, and threat model
Architecture
Untrusted client
|
v
HTTP safeguards
|
v
JSON-RPC method allowlist
|
v
Strict tool arguments
|
v
Immutable public records
See architecture, threat model, and ADR 0001.
Run locally
cp .env.example .env
npm ci
npm test
npm run dev
Health check:
curl http://localhost:3000/health
List tools:
curl http://localhost:3000/mcp \
-H 'content-type: application/json' \
-d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'
Search projects:
curl http://localhost:3000/mcp \
-H 'content-type: application/json' \
-d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"search_projects","arguments":{"query":"security","limit":3}}}'
Security decisions
The server does not expose a generic query tool. Search runs in memory over known public fields. Tool schemas reject additional properties, and the server does not include a database or outbound HTTP adapter.
Pattern rejection is defense in depth. The main control is the absence of dangerous capabilities.
Trade-offs
The in-memory rate limiter is appropriate for this standalone example, not for a multi-instance global quota. A production deployment should use an external atomic store and trust forwarded client identity only from a controlled edge proxy.
License
MIT
Установка Public Portfolio
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/Ovidio-Git/public-portfolio-mcpFAQ
Public Portfolio MCP бесплатный?
Да, Public Portfolio MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Public Portfolio?
Нет, Public Portfolio работает без API-ключей и переменных окружения.
Public Portfolio — hosted или self-hosted?
Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.
Как установить Public Portfolio в Claude Desktop, Claude Code или Cursor?
Открой Public Portfolio на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare Public Portfolio with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
