Stackbilt MCP Gateway

Stackbilt platform MCP gateway — wireframe generation and stack scaffolding tools

0MITother

Install

Config snippet generator goes here (5 client tabs)

README

# Stackbilt MCP Gateway

<p align="center">
  <img src="docs/banner.png" alt="Stackbilt MCP Gateway — img-forge + Stackbilder" width="480" />
</p>

<p align="center">
  <em>Two products. One MCP connection. Image generated by img-forge (ultra tier).</em>
</p>

[![Stackbilt MCP server](https://glama.ai/mcp/servers/Stackbilt-dev/stackbilt-mcp-gateway/badges/card.svg)](https://glama.ai/mcp/servers/Stackbilt-dev/stackbilt-mcp-gateway)

> **MCP Registry**: [`dev.stackbilt.mcp/gateway`](https://registry.modelcontextprotocol.io/v0.1/servers?search=stackbilt) — published on the [Official MCP Registry](https://modelcontextprotocol.io/registry/quickstart)

OAuth-authenticated [Model Context Protocol](https://modelcontextprotocol.io/) (MCP) gateway for Stackbilt platform services. Built as a Cloudflare Worker using `@cloudflare/workers-oauth-provider`.

## What It Does

A single MCP endpoint (`mcp.stackbilt.dev/mcp`) that routes tool calls to multiple backend product workers:

| Backend | Tools | Description |
|---------|-------|-------------|
| **TarotScript** | `scaffold_create`, `scaffold_classify`, `scaffold_publish`, `scaffold_deploy`, `scaffold_import`, `scaffold_status` | Deterministic project scaffolding, n8n workflow import, GitHub publishing, CF deployment |
| **img-forge** | `image_generate`, `image_list_models`, `image_check_job` | AI image generation (5 quality tiers) |
| **Stackbilder** | `flow_create`, `flow_status`, `flow_summary`, `flow_quality`, `flow_governance`, `flow_advance`, `flow_recover` | Architecture flow orchestration (legacy — migrating to scaffold_*) |

### The Scaffold Pipeline (E2E)

```
You: "Build a restaurant menu API with D1 storage"
  ↓
scaffold_create → structured facts + 9 deployable project files
  ↓
scaffold_publish → GitHub repo with atomic initial commit
  ↓
git clone → npm install → npx wrangler deploy → live Worker
```

Zero LLM calls for file generation. ~20ms for structure, ~2s with oracle prose. 21x faster than flow_create.

## Key Features

- **OAuth 2.1 with PKCE** — GitHub SSO, Google SSO, and email/password authentication
- **Backend adapter pattern** — tool catalogs aggregated from multiple service bindings, namespaced to avoid collisions
- **Security Constitution compliance** — every tool declares a risk level (`READ_ONLY`, `LOCAL_MUTATION`, `EXTERNAL_MUTATION`); structured audit logging with secret redaction; HMAC-signed identity tokens
- **Coming-soon gate** — `PUBLIC_SIGNUPS_ENABLED` flag to control public access
- **MCP JSON-RPC over HTTP** — supports both streaming (SSE) and request/response transport

## Quick Start

### Prerequisites

- Node.js 18+
- [Wrangler CLI](https://developers.cloudflare.com/workers/wrangler/) (`npm i -g wrangler`)
- Cloudflare account with the required service bindings configured

### Install & Run

```bash
npm install
npm run dev
```

### Run Tests

```bash
npm test
```

### Deploy

```bash
npm run deploy
```

Deploys to the `mcp.stackbilt.dev` custom domain via Cloudflare Workers.

## Environment Variables & Secrets

| Name | Type | Description |
|------|------|-------------|
| `SERVICE_BINDING_SECRET` | Secret | HMAC-SHA256 key for signing identity tokens |
| `API_BASE_URL` | Variable | Base URL for OAuth redirects (e.g. `https://mcp.stackbilt.dev`) |
| `AUTH_SERVICE` | Service Binding | RPC to `stackbilt-auth` worker (`AuthEntrypoint`) |
| `STACKBILDER` | Service Binding | Route to `edge-stack-architect-v2` worker |
| `IMG_FORGE` | Service Binding | Route to `img-forge-mcp` worker |
| `OAUTH_KV` | KV Namespace | Stores social OAuth state (5-min TTL entries) |
| `PLATFORM_EVENTS_QUEUE` | Queue | Audit event pipeline (`stackbilt-user-events`) |
| `MCP_REGISTRY_AUTH` | Variable | MCP Registry domain verification string (served at `/.well-known/mcp-registry-auth`) |

Set secrets with:
```bash
wrangler secret put SERVICE_BINDING_SECRET
```

## Project Structure

```
src/
  index.ts           # Entry point — OAuthProvider setup, CORS, health check, MCP Registry well-known
  gateway.ts         # MCP JSON-RPC transport, session management, tool dispatch
  oauth-handler.ts   # OAuth 2.1 flows: login, signup, social SSO, consent
  tool-registry.ts   # Tool catalog aggregation, namespacing, schema validation
  audit.ts           # Structured audit logging, secret redaction, trace IDs
  auth.ts            # Bearer token extraction & validation
  route-table.ts     # Static routing table, tool-to-backend mapping, risk levels
  types.ts           # Type definitions, RiskLevel enum, interfaces

test/
  audit.test.ts
  auth.test.ts
  gateway.test.ts
  oauth-handler.test.ts
  route-table.test.ts
  tool-registry.test.ts

docs/
  user-guide.md      # End-user guide: account creation, client setup, tool usage
  api-reference.md   # MCP tool surface, authentication flow, tool routing
  architecture.md    # System design, security model, request flow
```

## Test Suite

122 tests across 6 test files covering:

- **OAuth handler** — identity token sign