skeleton-mcp
Provides tools for reading and writing secrets in HashiCorp Vault, including listing, getting, setting, and deleting secrets, with retry queues and authorization for mutating operations.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@skeleton-mcplist all configs"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
skeleton-mcp
Node.js MCP skeleton with:
Vault-backed secret management
Postgres-backed configuration management
Security and operational defaults for production-style patterns
Purpose
This repository is a starter template for building an MCP server that needs:
Secret reads and writes through Vault
Config reads and writes through Postgres
Tool-level authorization for mutating operations
Redacted tool output by default
Basic reliability controls for external secret writes
Related MCP server: MCP Template
Skeleton Architecture
Runtime flow:
src/index.js boots the app, creates services, and connects MCP stdio transport.
src/config/env.js loads and validates environment configuration.
src/services/configStore.js handles Postgres persistence.
src/services/vault.js handles Vault operations and write retry queue.
src/services/security.js redacts sensitive fields.
src/mcp/server.js registers MCP tools and applies auth/error wrappers.
Local infrastructure:
docker-compose.yml runs Postgres and Vault for local development.
initdb/001_config.sql creates and seeds the app_config table.
Tool Catalog
Read-only tools:
connection_info
vault_connection_info
healthcheck
list_configs
get_config
list_secrets
get_secret
Mutating tools:
set_config
delete_config
set_secret
delete_secret
If MCP_ADMIN_AUTH_KEY is configured, mutating tools require authorizationKey.
Security Behavior
Sensitive fields are redacted unless MCP_ALLOW_SENSITIVE_OUTPUT=true.
Mutating operations can be access controlled with MCP_ADMIN_AUTH_KEY.
Vault write operations are serialized through an internal queue and retried with exponential backoff.
Environment Variables
Core:
MCP_SERVER_NAME
MCP_SERVER_VERSION
MCP_ALLOW_SENSITIVE_OUTPUT
MCP_ADMIN_AUTH_KEY
Postgres:
POSTGRES_HOST
POSTGRES_PORT
POSTGRES_DB
POSTGRES_USER
POSTGRES_PASSWORD
Vault:
VAULT_ADDR
VAULT_TOKEN
VAULT_KV_MOUNT
VAULT_WRITE_RETRY_ATTEMPTS
VAULT_WRITE_RETRY_BASE_DELAY_MS
VAULT_WRITE_RETRY_MAX_DELAY_MS
Reference values are in .env.example.
Quick Start
Install dependencies.
Copy .env.example to .env.
Start local services with docker compose up -d.
Seed a test secret in Vault.
Start the MCP server with npm start.
Run tests with npm test.
Vault Production Migration (Raft)
The repository now includes a Vault production migration scaffold under vault-production:
vault-production/config/vault.hcl: Raft-backed Vault server configuration.
vault-production/docker-compose.vault-prod.yml: Compose definition for Vault in server mode (non-dev).
vault-production/scripts/convert-dev-to-prod.sh: Script to export dev KV data, start Raft Vault, initialize/unseal, and import secrets.
vault-production/scripts/bootstrap-post-conversion.sh: Script to enable audit, write policy, configure AppRole, and emit service credentials.
vault-production/README.md: Detailed migration notes and options.
Run the conversion:
bash vault-production/scripts/convert-dev-to-prod.sh --init-keys-out vault-production/backups/vault-init.jsonCommon options:
# Use a different KV mount
bash vault-production/scripts/convert-dev-to-prod.sh --mount secret
# Migrate infra only (skip data movement)
bash vault-production/scripts/convert-dev-to-prod.sh --skip-export --skip-import
# Use when Raft Vault is already initialized
bash vault-production/scripts/convert-dev-to-prod.sh --skip-init
# Post-conversion hardening bootstrap (audit, policy, AppRole)
bash vault-production/scripts/bootstrap-post-conversion.sh --vault-token <root_or_admin_token>
# CI-friendly machine output
bash vault-production/scripts/bootstrap-post-conversion.sh \
--vault-token <root_or_admin_token> \
--output jsonVS Code Agent Structure
This repository includes a project agent structure for adapting the skeleton to additional service-backed MCP implementations:
agent/README.md: Overview of agent assets.
agent/playbooks/service-onboarding.md: Step-by-step onboarding checklist.
agent/templates/service-spec.md: Request template for describing new service integrations.
Workspace custom agent:
Use this custom agent when you want GitHub Copilot in VS Code to:
Configure new service adapters under
src/services.Register matching MCP tools in
src/mcp/server.js.Update env validation in
src/config/env.js.Preserve authorization and redaction behavior.
Add tests and documentation updates.
Test Coverage
Integration tests in tests/server.integration.test.js cover:
Healthcheck behavior
Authorization on mutating tools
Redaction behavior for secret output
Production migration tests in tests/vault-production.test.js cover:
Presence of Vault production scaffold files
Raft config expectations
Non-dev Vault compose command validation
Conversion/bootstrap script help and bash syntax checks
Extend The Skeleton
Add domain services under src/services.
Register new tools in src/mcp/server.js.
Add corresponding tests under tests.
Keep mutating tools behind authorization checks.
Keep secret-bearing fields redacted by default.
Notes
Vault runs in dev mode in docker-compose.yml and is not production-safe.
The migration scaffold starts with bootstrap-friendly defaults and still requires TLS, production auth methods, and credential rotation before real production use.
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/LesterAJohn/skeleton-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server