Server data from the Official MCP Registry
Deterministic validation for AI-generated artifacts: JSON Schema, OpenAPI response, SQL syntax.
Deterministic validation for AI-generated artifacts: JSON Schema, OpenAPI response, SQL syntax.
A well-architected validation API server with proper authentication, rate limiting, and input validation. The codebase demonstrates solid security practices including separated storage abstractions, typed error handling, and reasonable permission scoping. Minor code quality observations exist around error handling breadth and logging, but do not constitute security vulnerabilities. The server's purpose (validation-as-a-service) aligns well with its required permissions. Supply chain analysis found 9 known vulnerabilities in dependencies (0 critical, 4 high severity). Package verification found 1 issue.
7 files analyzed · 15 issues found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Set these up before or after installing:
Environment variable: SANDBOX_URL
Environment variable: SANDBOX_API_KEY
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-machinegrade-validate": {
"env": {
"SANDBOX_URL": "your-sandbox-url-here",
"SANDBOX_API_KEY": "your-sandbox-api-key-here"
},
"args": [
"-y",
"@machinegrade/validate"
],
"command": "npx"
}
}
}From the project's GitHub README.
Validate AI-generated artifacts against a contract before you act on them:
json_schema — validate artifact against a JSON Schema (ajv, all errors collected).openapi_response — validate a response body against the response schema for a given path + method + status in an OpenAPI spec.sql — check a SQL string for syntax errors in a given dialect.Every check returns a verdict, not an error: {valid, errors, latency_ms},
HTTP 200 whether the artifact is valid or not. Only genuinely wrong requests
(bad key, unsupported type, malformed body, over your limit) get typed HTTP
errors.
Built on Hono — one codebase, runs locally on Node today and is written to be Cloudflare Workers-compatible for deploy later (see "Deploy" below).
Agents that generate JSON, API responses, or SQL need a fast, cheap, machine-checkable pass/fail before they ship the result — cheaper than a full LLM-as-judge call, and deterministic.
npm install
npm run dev
# machinegrade validate listening on http://localhost:8787
# Get an API key
curl -s -X POST http://localhost:8787/keys \
-H 'content-type: application/json' \
-d '{"email": "you@example.com"}'
# => {"key":"sk_..."}
# Validate a JSON artifact against a JSON Schema
curl -s -X POST http://localhost:8787/v1/validate \
-H 'content-type: application/json' \
-H 'X-Api-Key: sk_...' \
-d '{
"type": "json_schema",
"artifact": {"name": "Ada", "age": 30},
"contract": {
"schema": {
"type": "object",
"required": ["name", "age"],
"properties": {"name": {"type": "string"}, "age": {"type": "number"}}
}
}
}'
# => {"valid":true,"errors":[],"latency_ms":1}
import requests
base = "http://localhost:8787"
key = requests.post(f"{base}/keys", json={"email": "you@example.com"}).json()["key"]
resp = requests.post(
f"{base}/v1/validate",
headers={"X-Api-Key": key},
json={
"type": "sql",
"artifact": "SELECT id, name FROM users WHERE id = 1",
"contract": {"dialect": "mysql"},
},
)
print(resp.status_code, resp.headers.get("X-Calls-Remaining"), resp.json())
mcp/server.ts exposes a single tool, validate, that forwards to
POST /v1/validate. Point an MCP-compatible client at it:
{
"mcpServers": {
"machinegrade-validate": {
"command": "npx",
"args": ["tsx", "mcp/server.ts"],
"cwd": "/path/to/validate",
"env": {
"SANDBOX_URL": "http://localhost:8787",
"SANDBOX_API_KEY": "sk_..."
}
}
}
}
See public/openapi.yaml for the full contract, or
/v1/manifest for a machine-readable
summary (types, limits, pricing, error codes) once the service is running.
/llms.txt is a short pointer for LLM agents.
| Endpoint | In | Out |
|---|---|---|
POST /keys | {email} | {key} |
POST /v1/validate | header X-Api-Key, body {type, artifact, contract?} | verdict, header X-Calls-Remaining |
GET /v1/manifest | — | capability manifest |
GET /stats | header X-Admin-Token | funnel: keys_issued, active_callers, repeat_callers_7d, limit_hits, paid_requests |
POST /v1/paid-request | header X-Api-Key | records interest in paid access |
GET /openapi.yaml, GET /llms.txt | — | static docs |
POST /v1/paid-request (requires X-Api-Key);
you'll be notified when it's live.Every error is typed JSON — {code, message, hint, docs_url} — never a
free-form string:
| Code | HTTP status | When |
|---|---|---|
INVALID_KEY | 401 | X-Api-Key missing or unknown |
LIMIT_EXCEEDED | 402 | Free-tier monthly limit (500 calls) exceeded |
UNSUPPORTED_TYPE | 400 | type is not json_schema, openapi_response, or sql |
MALFORMED_INPUT | 400 | Request body doesn't match the documented shape |
RATE_LIMITED | 429 | More than 60 calls/minute for a key |
A verdict ({valid, errors, latency_ms}) is never an error — an
invalid artifact is a normal, expected outcome and returns HTTP 200.
src/storage.ts defines a Storage interface with two implementations:
MemoryStorage — full in-memory implementation, used for npm run dev
and the test suite.D1Storage — real Cloudflare D1 binding, backed by schema.sql (keys,
events tables). Used in production; the Workers entry point in
src/index.ts builds it from the DB binding on first request.Apply schema.sql to a new D1 database with:
wrangler d1 execute machinegrade-validate-db --file=schema.sql # local
wrangler d1 execute machinegrade-validate-db --file=schema.sql --remote # production
npm test # vitest run, in-process via app.request(), MemoryStorage
npm run typecheck # tsc --noEmit
Tests cover: key issuance, happy + fail cases for each validator, typed
401/400/402/429 errors, the metering limits (both injectable in tests so
they don't require looping hundreds of real requests), and /stats funnel
counts.
This template runs on Cloudflare Workers (Hono + D1 + Workers Static Assets). To deploy to a fresh Cloudflare account:
wrangler d1 create machinegrade-validate-db # copy the returned database_id into wrangler.toml
wrangler d1 execute machinegrade-validate-db --file=schema.sql --remote
wrangler secret put ADMIN_TOKEN
wrangler deploy
Then bind a custom domain (e.g. api.machinegrade.dev) to the Worker via
the Cloudflare dashboard or wrangler. CI can deploy on push to main once
CLOUDFLARE_API_TOKEN and CLOUDFLARE_ACCOUNT_ID repo secrets are set and
the deploy job in .github/workflows/ci.yml is uncommented.
Two things worth knowing about the Workers port:
GET /openapi.yaml and GET /llms.txt are served by the ASSETS binding
([assets] in wrangler.toml, pointing at public/) — Cloudflare serves
them directly, without invoking the Worker. The routes in src/index.ts
are a fallback for local Node dev/tests, where there's no ASSETS binding.json_schema and openapi_response validators use
@cfworker/json-schema, not ajv: ajv compiles schemas via
new Function(...), which the Workers runtime disallows, and schemas
here arrive dynamically per request (from the caller), so they can't be
precompiled at build time either.Early stage, honestly so: this service is live and free-tier usage is real, and we're measuring whether it earns a paid tier. What you can rely on:
/v1/validate request/response shapes, typed error
codes, verdict semantics) is stable — breaking changes only with a
versioned path (/v2/...), never silently.Feedback and integration stories are the most valuable thing you can give
us right now: open an issue or use POST /v1/paid-request if you need
more than the free tier.
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.