"Build an MCP server for patient records with Prisma. Redact SSN and diagnosis from LLM output. Gate discharge tools until attending physician signs off."

The agent reads the Skill. It produces defineModel() declarations with m.hidden() for sensitive fields, definePresenter() with .redactPII(['*.ssn', '*.diagnosis']) for DLP compliance, FSM state gating via .bindState() for workflow enforcement, and file-based routing under src/tools/. You review the PR.

The Skill is not documentation. It is the security contract. Every server the AI produces inherits the governance stack because the Skill encodes Presenters, state machines, and lockfile generation as mandatory structural patterns.

📄 SKILL.md · llms.txt (complete API reference for LLM consumption)

Security Architecture

Egress Firewall — Presenter

The Presenter validates every response through a Zod schema compiled from defineModel(). Undeclared fields are stripped in RAM before serialization. PII is redacted via V8-optimized fast-redact compiled functions. Rules travel with data, not in the system prompt. The Late Guillotine pattern applies redaction after UI blocks render — charts and suggestions always see full data, the wire never does.

const PatientPresenter = createPresenter('Patient')
    .schema(PatientModel)
    .redactPII(['*.ssn', '*.diagnosis'])
    .rules((p) => [
        p.status === 'critical' ? 'PRIORITY: Patient is critical.' : null,
    ])
    .suggest((p) => p.status === 'admitted'
        ? [suggest('ward.discharge', 'Begin discharge protocol')]
        : []);

The Presenter also runs a PromptFirewall — an LLM-as-Judge that evaluates dynamically generated system rules for prompt injection before they reach the agent. Fail-closed by default.

State Gate — FSM

Tools bound to FSM states are physically removed from tools/list when the current state does not match. The LLM cannot call what does not exist in its namespace. Powered by XState v5 with manual fallback when XState is not installed.

const gate = f.fsm({
    id: 'discharge', initial: 'admitted',
    states: {
        admitted:    { on: { PHYSICIAN_SIGNOFF: 'approved' } },
        approved:    { on: { DISCHARGE: 'discharged' } },
        discharged:  { type: 'final' },
    },
});

export default f.mutation('ward.discharge')
    .bindState('approved', 'DISCHARGE')
    .handle(async (input, ctx) => ctx.db.patients.discharge(input.id));

| State | Visible tools | |---|---| | admitted | ward.view, ward.update_vitals | | approved | ward.discharge, ward.view | | discharged | ward.view |

Serverless-compatible: FsmStateStore persists state to Redis/KV across request boundaries. Each request gets an isolated gate.clone().

Governance Stack

Eight introspection modules that make behavioral changes visible and auditable:

| Module | What it does | |---|---| | ToolContract | Materializes the complete behavioral surface of each tool | | BehaviorDigest | SHA-256 hash of the behavioral surface | | CapabilityLockfile | mcpfusion.lock — git-diffable behavioral snapshot, CI gate via fusion lock --check | | CryptoAttestation | HMAC-SHA256 runtime verification — fail-fast if behavioral digest drifts | | ContractDiff | Per-field diff between lockfile versions | | EntitlementScanner | Static analysis of handler source for I/O capabilities (fs, network, subprocess, eval) with evasion heuristics | | SemanticProbe | LLM-as-Judge for detecting semantic drift in handler output | | TokenEconomics | Context window inflation risk profiling |

Sandbox

SandboxEngine executes LLM-provided JavaScript in a sealed V8 isolate. No process, require, fs, or network access. One isolate per engine, fresh empty context per execution. Memory-limited, timeout-enforced, output-capped, abort-signal-compatible.

Three Pathways

1. YAML — Zero Code

version: "1.0"
server:
  name: "github-tools"

connections:
  github:
    type: rest
    base_url: "https://api.github.com"
    auth:
      type: bearer
      token: "${SECRETS.GITHUB_TOKEN}"

tools:
  - name: search_repos
    description: "Search GitHub repositories"
    instruction: "Use for finding projects by topic or keyword."
    rules:
      - "Max 10 results per query"
    parameters:
      query: { type: string, required: true }
    execute:
      connection: github
      method: GET
      path: "/search/repositories"
      query: { q: "{{query}}", per_page: "10" }
    response:
      extract: ["items[].{full_name, description, stargazers_count, html_url}"]

mcpfusion yaml dev

2. Typed MVA — Full Control

export const InvoiceModel = defineModel('Invoice', m => {
    m.casts({
        id:           m.string(),
        amount_cents: m.number('CRITICAL: in CENTS. Divide by 100 for display.'),
        status:       m.enum('Status', ['paid', 'pending', 'overdue']),
    });
    m.hidden(['password_hash', 'internal_margin']);
});

export const InvoicePresenter = definePresenter({
    name: 'Invoice',
    schema: InvoiceModel,
    suggestActions: (inv) => inv.status === 'pending'
        ? [{ tool: 'billing.pay', reason: 'Process payment', args: { id: inv.id } }]
        : [],
});

export default f.query('billing.get_invoice')
    .describe('Get an invoice by ID')
    .withString('id', 'Invoice ID')
    .returns(InvoicePresenter)
    .handle(async (input, ctx) => ctx.db.invoices.findUnique({ where: { id: input.id } }));

3. FSM — Deterministic Workflow Enforcement

State-gated tool discovery. Tools appear and disappear based on the current state.

Get Started

npx @mcpfusion/core create my-server
cd my-server && npm run dev

File-based routing — drop a file, restart, and it's a live MCP tool:

src/tools/
├── billing/
│   ├── get_invoice.ts  → billing.get_invoice
│   └── pay.ts          → billing.pay
└── users/
    └── list.ts         → users.list

Deploy

mcpfusion deploy                  # Vinkius Edge (V8 Isolate)
vercel deploy                # Vercel Functions
wrangler deploy              # Cloudflare Workers

Scaffold

mcpfusion create my-server                           # Vanilla
mcpfusion create my-api --vector prisma              # Prisma + field-level security
mcpfusion create ops-bridge --vector n8n             # n8n workflow bridge
mcpfusion create petstore --vector openapi           # OpenAPI → MCP
mcpfusion create my-server --target vercel --yes     # Vercel Functions
mcpfusion create my-server --target cloudflare --yes # Cloudflare Workers

Ecosystem

Core

| Package | Purpose | |---|---| | @mcpfusion/core | Framework core — Presenters, Fluent API, middleware, routing, governance | | @mcpfusion/yaml | Declarative YAML engine | | @mcpfusion/swarm | Multi-agent orchestration — HMAC-SHA256 delegation, namespace isolation, W3C tracing | | @mcpfusion/a2a | A2A Protocol Bridge — Agent Cards, task delegation | | @mcpfusion/skills | Progressive SKILL.md disclosure for agents | | @mcpfusion/testing | In-memory MVA pipeline testing | | @mcpfusion/inspector | Real-time TUI dashboard |

Adapters

| Package | Target | |---|---| | @mcpfusion/vercel | Vercel Functions (Edge / Node.js) | | @mcpfusion/cloudflare | Cloudflare Workers |

Generators & Connectors

| Package | Purpose | |---|---| | @mcpfusion/openapi-gen | OpenAPI 3.x / Swagger 2.0 → MCP tools | | @mcpfusion/prisma-gen | Prisma schema → CRUD tools with field-level security | | [@mcpfusion/n8n](https://mcpfusion.vinkius.com/n