aa79a71357
All checks were successful
Deploy to Production / deploy (push) Successful in 54s
Six confirmed findings closed (3 MEDIUM, 3 LOW). Tier-1 surfaces from
Pass-1 re-verified non-regressed; this pass deepened the audit on the
auth library, OAuth issuer, and template marketplace.
Za-002 MEDIUM (scrypt cost) — bump SCRYPT_N from 2^14 → 2^17 (131072)
matching current OWASP guidance for password hashing in 2026. Hash
format embeds N (`scrypt$N$salt$hash`), so the existing admin
password at the old cost still verifies — backward-compatible. Also
added explicit maxmem ceilings since Node's default (~32MiB) is
insufficient for the new N.
Za-003 MEDIUM (single-use race) — consumeMagicLink was SELECT-then-
UPDATE; two parallel redemptions could both win and mint two
sessions from the same token. Now uses the same atomic
`UPDATE … WHERE id = ? AND consumedAt IS NULL RETURNING id` pattern
/oauth/token already had — loser of the race gets
invalid_or_expired_token.
Za-004 LOW (membership ordering) — `.orderBy(memberships.createdAt)`
added so when org-invites eventually let a user belong to multiple
orgs, the same one wins every login instead of insertion-order
roulette. Latent-bug pre-empt.
Zb-002 LOW (OAuth register spam) — /oauth/register now per-IP daily
rate-limited at 20/day (well above any legitimate MCP-client
bootstrap pattern). Prevents DB-row spam.
Zc-001 MEDIUM (banned-pattern drift) — three separate copies of
BANNED_PATTERNS had drifted apart. The publish-time scanner in
templates.ts was MISSING the 7 new patterns added in Pass-1
(process.binding, dlopen, .constructor.constructor, vm.runIn*,
globalThis['..']). Single source of truth in @bmm/llm now exports
SHARED_BANNED_PATTERNS; templates.ts composes PUBLISH_BANNED_PATTERNS
= SHARED ∪ code-only-extras (dynamic import, fs.rm, setTimeout-with-
string, process.kill, jailbreak markers).
Zc-002 LOW (N+1) — /v1/templates list was issuing one COUNT(*) per
template (101 queries for a 100-row page). Now one grouped query
with templateId GROUP BY, merged in JS. p95 doesn't degrade with
marketplace growth.
DEFERRED (documented, scoped for next sprint):
Za-001 HIGH — Account takeover via cross-provider email lookup.
Requires schema change (users.primaryProvider). Mitigation in
/settings/account banner planned.
Zb-001 MEDIUM — /oauth/token refresh_token grant: advertised in
AS metadata but unsupported_grant_type. Either implement (~40
LOC) or strip from metadata.
Zc-003 LOW — Admin takedown partial-failure consistency.
Zd-001 IMPROVE — DEK cache invalidation across replicas (single-
instance today).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
|
||
|---|---|---|
| .gitea/workflows | ||
| apps | ||
| infra/nginx | ||
| packages | ||
| scripts | ||
| .dockerignore | ||
| .env.example | ||
| .env.production.example | ||
| .gitignore | ||
| biome.json | ||
| BuildMyMCPServer_MASTER_PROMPT.md | ||
| CHOICES.md | ||
| DEPLOY.md | ||
| docker-compose.prod.yml | ||
| docker-compose.yml | ||
| package.json | ||
| pnpm-lock.yaml | ||
| pnpm-workspace.yaml | ||
| README.md | ||
| TEMPLATE_SECURITY_AUDIT.md | ||
| tsconfig.base.json | ||
| turbo.json | ||
BuildMyMCPServer
Describe your tool. We host the server. AI uses it.
Prompt-to-production MCP servers with OAuth 2.1 and Streamable HTTP. Production-grade infrastructure for hosting Model Context Protocol servers your AI clients (Claude Desktop, Cursor, ChatGPT) can install with a copy-paste snippet.
Quick start
# 1. Install
pnpm install
# 2. Copy env. Defaults work for local dev. Set ANTHROPIC_API_KEY if you want real generation.
cp .env.example .env
# 3. Boot everything
pnpm dev
pnpm dev will:
- Load
.env. docker compose up -d --waitpostgres + redis.- Push the Drizzle schema (
drizzle-kit push --force). - Start the full stack in parallel: web (Next.js, :3000), api (Fastify, :4000), generator (BullMQ worker).
Then open:
- Dashboard: http://localhost:3000
- API: http://localhost:4000/health
Click Start building, enter your email, copy the magic-link URL printed to the
api terminal output, paste it in your browser. You land on /dashboard. Click
New server, paste a prompt, and watch the build stream live over WebSocket.
If ANTHROPIC_API_KEY is unset, the generator returns a deterministic mock spec
(an echo and a now tool) so the full end-to-end flow stays demoable.
If Docker is unavailable, the build will fail at the deploy step with a clear error.
Otherwise: a fresh container is launched on a host port from
RUNNER_PORT_RANGE_START…RUNNER_PORT_RANGE_END, the server is marked live, and the
dashboard renders install snippets for Claude Desktop, Cursor and ChatGPT.
Architecture
See BuildMyMCPServer_MASTER_PROMPT.md for the full specification and CHOICES.md
for decisions made during this Sprints 1–3 build.
apps/
web/ Next.js 15 dashboard + marketing landing
api/ Fastify control plane (auth, server CRUD, OAuth 2.1 AS, JWKS, WS stream)
generator/ BullMQ worker — Claude → spec → render → docker build → local deploy
runner-template/ Hosted MCP server template (Streamable HTTP + OAuth 2.1 RS)
packages/
db/ Drizzle schema + client
auth/ Magic-link + session
types/ Shared Zod contracts
Scripts
| Command | Effect |
|---|---|
pnpm dev |
Bootstrap + parallel dev for web, api, generator |
pnpm dev:no-docker |
Skip docker-compose (assumes postgres + redis already up) |
pnpm build |
Turbo build all apps |
pnpm typecheck |
Turbo typecheck all apps |
pnpm lint |
Biome check |
pnpm lint:fix |
Biome check --write |
pnpm db:push |
Push schema to postgres (drizzle-kit) |
pnpm db:generate |
Generate SQL migration files |
pnpm db:migrate |
Apply pending migrations |
pnpm stop |
docker compose down |
Acceptance check
After pnpm dev is up:
http://localhost:3000renders the landing page.http://localhost:4000/healthreturns{ "ok": true }.- Sign in via magic link (URL printed in the api terminal).
- New Server → paste prompt → live WebSocket stream
queued → generating → building → deploying → live. - If Docker is running, a container is launched and
http://localhost:<port>/mcpresponds 401 + WWW-Authenticate without a token, 200 with a valid token issued by/oauth/token. - Install snippets render with copy buttons for Claude Desktop, Cursor, ChatGPT.
Repo conventions
- TypeScript strict, zero
any(Biome lintsnoExplicitAnyas error). - ESM-only, Node 20 LTS.
- Conventional commits.
- Tailwind v4 (
@import 'tailwindcss'). - Geist + Geist Mono.