Uses OpenAI's embedding models to generate vector embeddings for RAG (Retrieval-Augmented Generation) search functionality
lsfusion-mcp
An extensible MCP server hosting multiple tools. Ships with retrieve_docs(query: string) for RAG search
(OpenAI embeddings -> Pinecone), and a structure ready for future tools (e.g., code syntax checks).
Transports:
STDIO for local development / desktop MCP clients.
Streamable HTTP for production via Uvicorn (mounted at
/mcp).
Quickstart (local)
Claude Desktop / MCP Inspector (STDIO)
Adding new tools
Create a new module under tools/ and register it with @mcp.tool() in server.py (or build an auto-discovery
if you prefer). Keep tool signatures simple and JSON-serializable.
Contract / output for retrieve_docs
Returns an array of objects:
Sorted by score descending.
Environment variables
OPENAI_API_KEY— OpenAI API keyPINECONE_API_KEY— Pinecone API keyPINECONE_INDEX— Pinecone index name (defaultlsfusion)PINECONE_NAMESPACE— Pinecone namespace (default empty)EMBEDDING_MODEL— OpenAI embedding model (defaulttext-embedding-3-large)
Docker
Build and run:
Or via Compose:
Production secrets (where to store keys)
Do not hardcode secrets. Options:
Kubernetes Secrets + external secret store
Store secrets in AWS Secrets Manager / GCP Secret Manager / HashiCorp Vault.
Sync into K8s as
Secretvia External Secrets Operator.Mount as env vars in the Deployment:
env: - name: OPENAI_API_KEY valueFrom: { secretKeyRef: { name: mcp-secrets, key: openai } } - name: PINECONE_API_KEY valueFrom: { secretKeyRef: { name: mcp-secrets, key: pinecone } }
Docker Swarm / Compose secrets
Use
secrets:and mount files into the container, then export into env at entrypoint:services: mcp: image: lsfusion/mcp:latest secrets: [openai_key, pinecone_key] secrets: openai_key: { file: ./secrets/openai_key.txt } pinecone_key: { file: ./secrets/pinecone_key.txt }Read them in an entrypoint script:
export OPENAI_API_KEY="$(cat /run/secrets/openai_key)" export PINECONE_API_KEY="$(cat /run/secrets/pinecone_key)" exec python server.py http --host 0.0.0.0 --port 8000
Cloud run / App services (ECS, Cloud Run, App Service)
Inject as environment variables wired to a managed secret store (e.g., AWS Parameter Store / Secrets Manager).
Rotate periodically; grant least-privilege IAM.
CI/CD (GitHub Actions)
Store in Actions Secrets.
At build/deploy time pass them into the container as env vars or bake only into the runtime environment (never into the image).
This app reads credentials from environment variables, so your orchestrator should inject them from a secure store.
Prefer secret stores over committing .env files.
Hardening checklist
Run as non-root (done in Dockerfile).
Keep logs to stdout/stderr; in STDIO mode, avoid extra prints (MCP uses stdio).
Set request timeouts and retries in your MCP client / reverse proxy.
Add health endpoint (optional) and readiness checks on
/mcphandshake.
HTTP transport configuration (FastMCP)
FastMCP reads host/port from environment variables:
MCP_HOST(default:127.0.0.1)MCP_PORT(default:8000)
Examples:
Local run
Docker
This server cannot be installed
hybrid server
The server is able to function both locally and remotely, depending on the configuration or use case.
Enables RAG-powered documentation search using OpenAI embeddings and Pinecone vector database. Provides an extensible framework for adding additional tools with support for both local STDIO and production HTTP transports.