Server data from the Official MCP Registry
MCP server + tools for the Forge E-- generative-music authoring loop (compile / run / commit).
MCP server + tools for the Forge E-- generative-music authoring loop (compile / run / commit).
forge-mcp is a well-architected MCP server with solid security fundamentals. Authentication is properly delegated to an upstream service (forge-transpile), Bearer tokens are extracted from request headers (not hardcoded), and filesystem operations include path-traversal defenses. Permissions align with the server's purpose (file I/O, network access to a transpile service, local git operations). Minor code-quality findings around subprocess safety and error handling do not materially impact security given the trust model. Supply chain analysis found 6 known vulnerabilities in dependencies (0 critical, 5 high severity). Package verification found 1 issue.
5 files analyzed · 11 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: FORGE_TRANSPILE_URL
Environment variable: FORGE_VAULT_PATH
Environment variable: FORGE_MCP_BEARER
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-frmoded-forge-mcp": {
"env": {
"FORGE_MCP_BEARER": "your-forge-mcp-bearer-here",
"FORGE_VAULT_PATH": "your-forge-vault-path-here",
"FORGE_TRANSPILE_URL": "your-forge-transpile-url-here"
},
"args": [
"forge-recipe-mcp"
],
"command": "uvx"
}
}
}From the project's GitHub README.
Author, compile, run, and commit generative-music E-- Recipes directly from any MCP-capable agent (Claude Desktop, Cursor, …). forge-mcp exposes the Forge E-- library note catalog + vault as an MCP server and closes the authoring loop end-to-end: the agent picks a chip from the catalog, drafts a Recipe, verifies it parses, runs it in a sandbox, previews the artifact, and commits the finished Recipe to a vault note. All 6 tools ship today.
[library note catalog] → [compile] → [run] → [commit] → [vault note with recipe_version bump]
Fastest path — Claude Code spawns forge-mcp as a stdio subprocess. Full walkthrough at docs/claude-code-install.md.
# 1. Install from PyPI (https://pypi.org/project/forge-recipe-mcp/)
pip install forge-recipe-mcp
# 2. Fetch your Bearer once and export
export FORGE_MCP_BEARER=$(jq -r '.transpileServiceToken' \
~/forge-vaults/bluh/.obsidian/plugins/forge-client-obsidian/data.json)
# 3. Register with Claude Code
claude mcp add forge-mcp \
-e FORGE_MCP_BEARER=$FORGE_MCP_BEARER \
-e FORGE_TRANSPILE_URL=https://forge.thecodingarena.com \
-e FORGE_VAULT_PATH=$HOME/forge-vaults/bluh \
-e FORGE_MCP_TRANSPORT=stdio \
-- forge-mcp
# 4. Start Claude Code and ask "list the notes in my forge music library."
Full walkthrough (Claude Desktop config, forge-transpile Bearer acquisition, verification smoke, troubleshooting): docs/install.md.
Quick paths:
# From source (pip + editable install for development)
pip install -e ".[dev]"
python -m forge_mcp.server
# Docker
docker build -t forge-mcp:latest .
docker run --rm -p 8765:8765 \
-e FORGE_TRANSPILE_URL=https://forge.thecodingarena.com \
-e FORGE_VAULT_PATH=/path/to/your/vault \
forge-mcp:latest
Environment:
FORGE_TRANSPILE_URL — base URL of the forge-transpile service. Default: http://localhost:8000.FORGE_VAULT_PATH — local vault directory for forge_read_notes_in_vault + forge_commit_recipe. Default: ~/forge-vaults/bluh.FORGE_MCP_HOST — host to bind. Default: 0.0.0.0.FORGE_MCP_PORT — port to bind. Default: 8765.FORGE_MCP_BEARER — dev fallback only. Per-request Bearer extraction is the primary path (CW-MCP-1-B); this env var only fires when the incoming request has no Authorization header. Do NOT set in production.Add to ~/Library/Application Support/Claude/claude_desktop_config.json:
{
"mcpServers": {
"forge-mcp": {
"url": "http://localhost:8765/mcp",
"headers": {
"Authorization": "Bearer <your-forge-transpile-token>"
}
}
}
}
Get your Bearer:
jq -r '.transpileServiceToken' \
~/forge-vaults/bluh/.obsidian/plugins/forge-client-obsidian/data.json
Read (no side effects):
forge_read_note_catalog({domain?}) — list Forge library notes; every entry carries the E-- signature the agent needs to Call it.forge_read_notes_in_vault({filter?}) — list vault notes with a has_recipe + recipe_version summary. Backed by a local filesystem walk (CW-MCP-2-E).Author (deterministic — no LLM, no vault write):
forge_compile_recipe({source}) — Recipe → Python. Returns compiled source + unresolved slot count, OR a structured parse error with line/column (per drain CW-recipe-parser-line-info).forge_run_recipe({source, domains?}) — compile + execute in a resource-limited server sandbox. Returns a short preview + a run_id; artifacts (MusicXML / MIDI / PNGs) accessible via the forge-artifact:// resource.forge_get_run_result({run_id}) — fetch full stdout/stderr + artifact manifest of a previous run. 7-day TTL, per-Bearer isolation.Commit:
forge_commit_recipe({source, note_id, expected_version?}) — persist Recipe to a vault note (facet-scoped — Description + Python + frontmatter survive byte-for-byte). Bumps recipe_version in the note's frontmatter. Optimistic-concurrency via expected_version; version-conflict returns isError:true with expected + current numbers.forge-note:///{domain}/{name} — library note content.forge-artifact:///{run_id}/{artifact_name} — on-demand binary fetch for run artifacts. Text mimes return via text; binaries via base64 blob.forge-recipe:///{note_id}/v{n} — Recipe body at a specific recipe_version (git-tracked vaults only; returns "history unavailable" text otherwise).forge-mcp does NOT validate tokens itself — forge-transpile is the source of truth (guarded by FORGE_TRANSPILE_SECRET). Each request's Authorization: Bearer <token> header is forwarded verbatim; a 401 or 403 from forge-transpile surfaces as isError: true with an actionable message the agent can read (drain CW-MCP-1-B).
Rotation is zero-downtime on the forge-mcp side: change FORGE_TRANSPILE_SECRET on forge-transpile, update your MCP client's header, done. Old tokens fail on the next request with a clean rejection message.
forge/recipe/ per the CW-MCP-2-A architecture; drift is caught by scripts/check-recipe-drift.sh in the forge-transpile repo./compile / /run / /catalog etc. that forge-mcp's tools proxy for the transpile + sandboxed-run paths. Vault reads + commits are LOCAL and don't hit forge-transpile.Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.