by vinkius-labs
MCP Fusion - The TypeScript framework for secure MCP servers.
# Add to your Claude Code skills
```bash
git clone https://github.com/vinkius-labs/mcpfusion
```
Guides for using mcp servers skills like mcpfusion.
Last scanned: 5/30/2026
```json
{
  "issues": [
    {
      "type": "npm-audit",
      "message": "@aws-sdk/xml-builder: Vulnerability found",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "@hono/node-server: @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "esbuild: esbuild enables any website to send any requests to the development server and read the response",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "express-rate-limit: express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "fast-uri: fast-uri vulnerable to path traversal via percent-encoded dot segments",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "fast-xml-parser: fast-xml-parser has stack overflow in XMLBuilder with preserveOrder",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "flatted: flatted vulnerable to unbounded recursion DoS in parse() revive phase",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "hono: Hono Vulnerable to Cookie Attribute Injection via Unsanitized domain and path in setCookie()",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "ip-address: ip-address has XSS in Address6 HTML-emitting methods",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "path-to-regexp: path-to-regexp vulnerable to Denial of Service via sequential optional groups",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
      "severity": "high"
    },
    {
      "type": "npm-audit",
      "message": "postcss: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "qs: qs has a remotely triggerable DoS: qs.stringify crashes with TypeError on null/undefined entries in comma-format arrays when encodeValuesOnly is set",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "vite: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "vitepress: Vulnerability found",
      "severity": "medium"
    },
    {
      "type": "npm-audit",
      "message": "yaml: yaml is vulnerable to Stack Overflow via deeply nested YAML collections",
      "severity": "medium"
    }
  ],
  "status": "WARNING",
  "scannedAt": "2026-05-30T15:20:15.714Z",
  "npmAuditRan": true,
  "pipAuditRan": true
}
```
mcpfusion is an open-source mcp servers skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by vinkius-labs. MCP Fusion - The TypeScript framework for secure MCP servers. It has 255 GitHub stars.
mcpfusion returned warnings in SkillsLLM's automated security scan. It has no critical vulnerabilities, but review the flagged issues in the Security Report section before adding it to your workflow.
Clone the repository with "git clone https://github.com/vinkius-labs/mcpfusion" and add it to your Claude Code skills directory (see the Installation section above).
mcpfusion is primarily written in TypeScript. It is open-source under vinkius-labs on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other MCP Servers skills you can browse and compare side by side. Open the MCP Servers category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh mcpfusion against similar tools.
The TypeScript framework for secure MCP servers.
MCP Fusion is a TypeScript framework that enforces security at the architectural level of every MCP server. Raw data never reaches the LLM without passing through a typed egress firewall. Tools are physically removed from the agent's namespace when the workflow state forbids them. Every behavioral surface is hashed, locked, and auditable in version control.
The framework ships with a SKILL.md — a machine-readable architectural contract. AI coding agents read the Skill and produce correct, governed servers on the first pass.
MCP Fusion includes a SKILL.md that encodes the entire MVA architecture, security patterns, and governance rules into a format AI coding agents consume directly.
Open your project in Cursor, Claude Code, GitHub Copilot, or Windsurf and describe what you need:
"Build an MCP server for patient records with Prisma. Redact SSN and diagnosis from LLM output. Gate discharge tools until attending physician signs off."
The agent reads the Skill. It produces defineModel() declarations with m.hidden() for sensitive fields, definePresenter() with .redactPII(['*.ssn', '*.diagnosis']) for DLP compliance, FSM state gating via .bindState() for workflow enforcement, and file-based routing under src/tools/. You review the PR.
The Skill is not documentation. It is the security contract. Every server the AI produces inherits the governance stack because the Skill encodes Presenters, state machines, and lockfile generation as mandatory structural patterns.
📄 SKILL.md · llms.txt (complete API reference for LLM consumption)
The Presenter validates every response through a Zod schema compiled from defineModel(). Undeclared fields are stripped in RAM before serialization. PII is redacted via V8-optimized fast-redact compiled functions. Rules travel with data, not in the system prompt. The Late Guillotine pattern applies redaction after UI blocks render — charts and suggestions always see full data, the wire never does.
```typescript
const PatientPresenter = createPresenter('Patient')
    .schema(PatientModel)
    // Redact these paths from what goes out on the wire
    .redactPII(['*.ssn', '*.diagnosis'])
    // Rules travel with the data, not in the system prompt
    .rules((p) => [
        p.status === 'critical' ? 'PRIORITY: Patient is critical.' : null,
    ])
    .suggest((p) => p.status === 'admitted'
        ? [suggest('ward.discharge', 'Begin discharge protocol')]
        : []);
```
The Presenter also runs a PromptFirewall — an LLM-as-Judge that evaluates dynamically generated system rules for prompt injection before they reach the agent. Fail-closed by default.
Tools bound to FSM states are physically removed from tools/list when the current state does not match. The LLM cannot call what does not exist in its namespace. Powered by XState v5 with manual fallback when XState is not installed.
```typescript
// Discharge workflow: admitted -> approved -> discharged
const gate = f.fsm({
    id: 'discharge', initial: 'admitted',
    states: {
        admitted:   { on: { PHYSICIAN_SIGNOFF: 'approved' } },
        approved:   { on: { DISCHARGE: 'discharged' } },
        discharged: { type: 'final' },
    },
});

// Listed in tools/list only while the FSM is in 'approved'
export default f.mutation('ward.discharge')
    .bindState('approved', 'DISCHARGE')
    .handle(async (input, ctx) => ctx.db.patients.discharge(input.id));
```
| State | Visible tools |
|---|---|
| admitted | ward.view, ward.update_vitals |
| approved | ward.discharge, ward.view |
| discharged | ward.view |
Serverless-compatible: FsmStateStore persists state to Redis/KV across request boundaries. Each request gets an isolated gate.clone().
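A framework-independent model of the state gating described above, added here as an example and not MCP Fusion's own code. The transition table and visibility sets come from this page; `WardState`, `WardEvent`, `GatedTool` and `Gate` are hypothetical names. It also re-checks the state when a tool is called, because a client can replay a tool name it saw in an earlier listing.

```typescript
// Added illustration, not MCP Fusion's code. Type and class names are hypothetical.
type WardState = 'admitted' | 'approved' | 'discharged';
type WardEvent = 'PHYSICIAN_SIGNOFF' | 'DISCHARGE';

// Transition table copied from the discharge FSM on this page.
const transitions: Record<WardState, Partial<Record<WardEvent, WardState>>> = {
  admitted: { PHYSICIAN_SIGNOFF: 'approved' },
  approved: { DISCHARGE: 'discharged' },
  discharged: {},
};

interface GatedTool {
  name: string;
  states: WardState[];  // states in which the tool is listed
  fires?: WardEvent;    // event sent to the FSM after a successful call
  run: (id: string) => string;
}

// Visibility sets follow the "State | Visible tools" table.
const tools: GatedTool[] = [
  { name: 'ward.view', states: ['admitted', 'approved', 'discharged'], run: (id) => 'record ' + id },
  { name: 'ward.update_vitals', states: ['admitted'], run: (id) => 'vitals updated ' + id },
  { name: 'ward.discharge', states: ['approved'], fires: 'DISCHARGE', run: (id) => 'discharged ' + id },
];

class Gate {
  state: WardState = 'admitted';
  send(event: WardEvent): boolean {
    const next = transitions[this.state][event];
    if (next === undefined) return false;  // illegal transition: state unchanged
    this.state = next;
    return true;
  }
  visible(): GatedTool[] {
    return tools.filter((t) => t.states.indexOf(this.state) !== -1);
  }
  // What a tools/list response would contain in the current state.
  listTools(): string[] {
    return this.visible().map((t) => t.name);
  }
  // Re-check the gate at call time: a client can replay a name from an older list.
  callTool(name: string, id: string): string {
    const tool = this.visible().filter((t) => t.name === name)[0];
    if (!tool) throw new Error('unknown tool: ' + name);
    const result = tool.run(id);
    if (tool.fires) this.send(tool.fires);
    return result;
  }
}
```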
Eight introspection modules that make behavioral changes visible and auditable:
| Module | What it does |
|---|---|
| ToolContract | Materializes the complete behavioral surface of each tool |
| BehaviorDigest | SHA-256 hash of the behavioral surface |
| CapabilityLockfile | mcpfusion.lock — git-diffable behavioral snapshot, CI gate via fusion lock --check |
| CryptoAttestation | HMAC-SHA256 runtime verification — fail-fast if behavioral digest drifts |
| ContractDiff | Per-field diff between lockfile versions |
| EntitlementScanner | Static analysis of handler source for I/O capabilities (fs, network, subprocess, eval) with evasion heuristics |
| SemanticProbe | LLM-as-Judge for detecting semantic drift in handler output |
| TokenEconomics | Context window inflation risk profiling |
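How a SHA-256 behavioral digest and an HMAC-SHA256 startup check can fit together, as an added example that is not MCP Fusion's implementation or its lockfile format. The function names, the shape of the sample surface and the key are assumptions constructed for illustration.

```typescript
import { createHash, createHmac, timingSafeEqual } from 'node:crypto';

// Added illustration, not MCP Fusion's code. All names here are hypothetical.
type Json = string | number | boolean | null | Json[] | { [k: string]: Json };

// Serialize with sorted keys so the digest does not depend on property order.
function canonical(v: Json): string {
  if (v === null || typeof v !== 'object') return JSON.stringify(v);
  if (Array.isArray(v)) return '[' + v.map((x) => canonical(x)).join(',') + ']';
  const keys = Object.keys(v).sort();
  return '{' + keys.map((k) => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
}

// SHA-256 over the canonical form of a tool's declared surface.
function behaviorDigest(surface: Json): string {
  return createHash('sha256').update(canonical(surface)).digest('hex');
}

// HMAC-SHA256 tag over the digest, keyed with a secret held outside the repository.
function attest(digest: string, key: string): string {
  return createHmac('sha256', key).update(digest).digest('hex');
}

// Startup check: recompute from the live surface and compare in constant time.
function verifyAtStartup(live: Json, expectedTag: string, key: string): boolean {
  const tag = Buffer.from(attest(behaviorDigest(live), key), 'hex');
  const expected = Buffer.from(expectedTag, 'hex');
  return tag.length === expected.length && timingSafeEqual(tag, expected);
}

// Constructed sample surface for the ward.discharge tool shown on this page.
const locked: Json = {
  name: 'ward.discharge',
  boundState: 'approved',
  redact: ['*.ssn', '*.diagnosis'],
};
const KEY = 'example-key-not-a-real-secret';
const lockedTag = attest(behaviorDigest(locked), KEY);

// Same surface with a different key order: must still verify.
const reordered: Json = { redact: ['*.ssn', '*.diagnosis'], boundState: 'approved', name: 'ward.discharge' };
// Drift: a redaction path was dropped without updating the lock.
const drifted: Json = { name: 'ward.discharge', boundState: 'approved', redact: ['*.ssn'] };
```

A plain hash in the repository only detects accidental drift; the keyed tag is what stops someone who can edit both the code and the lockfile from producing a matching value.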
SandboxEngine executes LLM-provided JavaScript in a sealed V8 isolate. No process, require, fs, or network access. One isolate per engine, fresh empty context per execution. Memory-limited, timeout-enforced, output-capped, abort-signal-compatible.
```yaml
version: "1.0"
server:
  name: "github-tools"
connections:
  github:
    type: rest
    base_url: "https://api.github.com"
    auth:
      type: bearer
      token: "${SECRETS.GITHUB_TOKEN}"
tools:
  - name: search_repos
    description: "Search GitHub repositories"
    instruction: "Use for finding projects by topic or keyword."
    rules:
      - "Max 10 results per query"
    parameters:
      query: { type: string, required: true }
    execute:
      connection: github
      method: GET
      path: "/search/repositories"
      query: { q: "{{query}}", per_page: "10" }
    response:
      extract: ["items[].{full_name, description, stargazers_count, html_url}"]
```
```bash
mcpfusion yaml dev
```
```typescript
// Model: declared fields and the fields that stay hidden
export const InvoiceModel = defineModel('Invoice', m => {
    m.casts({
        id:           m.string(),
        amount_cents: m.number('CRITICAL: in CENTS. Divide by 100 for display.'),
        status:       m.enum('Status', ['paid', 'pending', 'overdue']),
    });
    m.hidden(['password_hash', 'internal_margin']);
});

// Presenter: schema plus suggested next actions
export const InvoicePresenter = definePresenter({
    name: 'Invoice',
    schema: InvoiceModel,
    suggestActions: (inv) => inv.status === 'pending'
        ? [{ tool: 'billing.pay', reason: 'Process payment', args: { id: inv.id } }]
        : [],
});

// Tool: the handler result is returned through the Presenter
export default f.query('billing.get_invoice')
    .describe('Get an invoice by ID')
    .withString('id', 'Invoice ID')
    .returns(InvoicePresenter)
    .handle(async (input, ctx) => ctx.db.invoices.findUnique({ where: { id: input.id } }));
```
State-gated tool discovery. Tools appear and disappear based on the current state.
```bash
npx @mcpfusion/core create my-server
cd my-server && npm run dev
```
File-based routing — drop a file, restart, and it's a live MCP tool:
```text
src/tools/
├── billing/
│   ├── get_invoice.ts  → billing.get_invoice
│   └── pay.ts          → billing.pay
└── users/
    └── list.ts         → users.list
```
```bash
mcpfusion deploy     # Vinkius Edge (V8 Isolate)
vercel deploy        # Vercel Functions
wrangler deploy      # Cloudflare Workers
```
```bash
mcpfusion create my-server                             # Vanilla
mcpfusion create my-api --vector prisma                # Prisma + field-level security
mcpfusion create ops-bridge --vector n8n               # n8n workflow bridge
mcpfusion create petstore --vector openapi             # OpenAPI → MCP
mcpfusion create my-server --target vercel --yes       # Vercel Functions
mcpfusion create my-server --target cloudflare --yes   # Cloudflare Workers
```
| Package | Purpose |
|---|---|
| @mcpfusion/core | Framework core — Presenters, Fluent API, middleware, routing, governance |
| @mcpfusion/yaml | Declarative YAML engine |
| @mcpfusion/swarm | Multi-agent orchestration — HMAC-SHA256 delegation, namespace isolation, W3C tracing |
| @mcpfusion/a2a | A2A Protocol Bridge — Agent Cards, task delegation |
| @mcpfusion/skills | Progressive SKILL.md disclosure for agents |
| @mcpfusion/testing | In-memory MVA pipeline testing |
| @mcpfusion/inspector | Real-time TUI dashboard |
| Package | Target |
|---|---|
| @mcpfusion/vercel | Vercel Functions (Edge / Node.js) |
| @mcpfusion/cloudflare | Cloudflare Workers |
| Package | Purpose |
|---|---|
| @mcpfusion/openapi-gen | OpenAPI 3.x / Swagger 2.0 → MCP tools |
| @mcpfusion/prisma-gen | Pri |