uapf-mcp
Verified Safe
by UAPFormat
Overview
The uapf-mcp server acts as a Model Context Protocol (MCP) gateway for UAPF packages, connecting to a uapf-engine instance to expose UAPF tools and resources.
Installation
npm run start
Environment Variables
- MCP_PORT
- MCP_TRANSPORT
- MCP_HTTP_PATH
- MCP_CORS_ORIGIN
- UAPF_MCP_NAME
- UAPF_MCP_TOOL_PREFIX
- UAPF_DEBUG_LOG
- UAPF_ENGINE_URL
- UAPF_ENGINE_MODE
- UAPF_MCP_MODE
- UAPF_PACKAGE_PATH
- UAPF_WORKSPACE_DIR
- UAPF_SECURITY_MODE
- UAPF_DIDVC_VERIFIER
- UAPF_DIDVC_VERIFIER_URL
Security Notes
The server uses environment variables for sensitive configurations, which is good practice. Session IDs are generated using `randomUUID()`. However, the default CORS origin is `*`, which is overly permissive for production and should be restricted. The debug log (`UAPF_DEBUG_LOG`) records full HTTP requests/responses (including headers and body) to disk, which could expose sensitive data if the log file is not properly secured. While claims enforcement is supported via `UAPF_SECURITY_MODE=claims_enforce` and an `HttpVerifier`, the default `claims_declare` mode only reports claims without enforcing them, meaning sensitive operations might not be blocked by default. The `HttpVerifier` relies on an external URL (`UAPF_DIDVC_VERIFIER_URL`) for verification, and the security of this endpoint is critical and not managed by this server. No `eval` or blatant malicious patterns were found in the provided source code.
Similar Servers
mcpo
Exposes Model Context Protocol (MCP) tools as OpenAPI-compatible HTTP servers.
tmcp
A server implementation for the Model Context Protocol (MCP) to enable LLMs to access external context and tools.
zeromcp
A minimal, pure Python Model Context Protocol (MCP) server for exposing tools, resources, and prompts via HTTP/SSE and Stdio transports.
modular-mcp
A proxy server that efficiently manages and loads large tool collections from multiple Model Context Protocol (MCP) servers on-demand for LLMs, reducing context overhead.