Skip to main content
Glama
finos

FINOS AI Governance MCP Server

by finos

FINOS AI Governance MCP Server

Python Version License MCP Protocol Status

GitHub Actions Security Tests MyPy

MCP Tools Document Access Framework Support Pre-commit

AI governance framework document access through the Model Context Protocol.

This project provides direct access to AI governance framework documents from FINOS repositories through MCP, making them available in Claude, VS Code, Cursor, and other supported tools.


Quick Start

# Clone the repository
git clone https://github.com/finos/aigf-mcp-server.git
cd aigf-mcp-server

# Create and activate a virtual environment
python -m venv venv

# On Windows:
venv\Scripts\activate

# On macOS/Linux:
source venv/bin/activate

# Install dependencies
pip install -e .

# Required security setting (generate your own value; choose one)
export FINOS_MCP_CACHE_SECRET=$(python -c "import secrets; print(secrets.token_hex(32))")
# OR
export FINOS_MCP_CACHE_SECRET=$(openssl rand -hex 32)

# Test
finos-mcp --help
mcp list tools

Note: Using a virtual environment isolates project dependencies from your system Python, preventing conflicts and keeping your environment clean. This is the recommended approach for Python development.

Full Setup Guide - Connect to Claude, VS Code, Cursor, etc.


Related MCP server: MCP Enhanced Data Retrieval System

Docker Deployment (Local + Cloud)

This repository now includes:

  • Dockerfile for a production-style container image

  • docker-compose.yml for local deployment

Run locally with Docker Compose

# 1) Create Docker env file
cp .env.docker.example .env.docker

# 2) Put a real 32+ char value in .env.docker
# FINOS_MCP_CACHE_SECRET=...

# 3) Start
docker compose up --build -d

# 4) Follow logs
docker compose logs -f finos-mcp-server

Server endpoint:

  • http://localhost:8000/mcp

Build and run image directly

docker build -t finos-mcp-server:latest .

docker run --rm -p 8000:8000 \
  -e FINOS_MCP_CACHE_SECRET="$(openssl rand -hex 32)" \
  -e FINOS_MCP_MCP_TRANSPORT=http \
  -e FINOS_MCP_MCP_HOST=0.0.0.0 \
  -e FINOS_MCP_MCP_PORT=8000 \
  finos-mcp-server:latest

Use in AWS/GCP/Azure/Kubernetes

Use the same container image and pass environment variables at deploy time:

  • FINOS_MCP_CACHE_SECRET (required, minimum 32 chars)

  • FINOS_MCP_MCP_TRANSPORT=http

  • FINOS_MCP_MCP_HOST=0.0.0.0

  • FINOS_MCP_MCP_PORT (for example 8000)

  • FINOS_MCP_GITHUB_TOKEN (recommended)

  • If FINOS_MCP_MCP_AUTH_ENABLED=true, then FINOS_MCP_MCP_AUTH_ISSUER, FINOS_MCP_MCP_AUTH_AUDIENCE, and one of FINOS_MCP_MCP_AUTH_JWKS_URI or FINOS_MCP_MCP_AUTH_PUBLIC_KEY are also required.

Cloud mapping examples:

  • AWS ECS/Fargate: task definition env vars + secret manager for FINOS_MCP_CACHE_SECRET

  • GCP Cloud Run: container env vars + Secret Manager mount/reference

  • Kubernetes: Deployment env vars + Secret for sensitive values


Available MCP Tools

Framework Access Tools (5)

Tool Name

Description

Use Case

list_frameworks

List all available AI governance frameworks

Get overview of the runtime-discovered framework catalog

get_framework

Get complete content of a specific framework

Retrieve complete framework document content

search_frameworks

Search for text within framework documents

Find specific content within framework documents

list_risks

List all available risk documents

Get overview of AI governance risks

get_risk

Get complete content of specific risk documents

Retrieve detailed risk documentation

Risk & Mitigation Tools (4)

Tool Name

Description

Use Case

search_risks

Search within risk documentation

Find specific risks by keyword

list_mitigations

List all available mitigation documents

Get overview of available mitigations

get_mitigation

Get complete content of specific mitigation documents

Retrieve detailed mitigation strategies

search_mitigations

Search within mitigation documentation

Find specific mitigations by keyword

System Monitoring Tools (2)

Tool Name

Description

Use Case

get_service_health

Get basic service health status

Monitor system availability and status

get_cache_stats

Get cache performance statistics

Monitor cache performance and efficiency


Supported Content

AI Governance Frameworks

  • Framework definitions are discovered from the configured upstream repository at runtime.

  • Use list_frameworks to see the current catalog available to your deployment.


Risk and Mitigation Categories

Risk Categories

Risk Type

Description

Example Risks

Security

Information security and cybersecurity risks

Data leakage, prompt injection, adversarial attacks

Operational

Business and operational risks

AI bias, model drift, hallucination

Privacy

Data privacy and protection risks

Data exposure, unauthorized access

Transparency

Explainability and accountability risks

Model opacity, decision traceability

Mitigation Categories

Mitigation Type

Description

Example Controls

Prevention

Proactive controls to prevent risks

Access controls, bias testing, data validation

Detection

Controls to detect and monitor risks

Performance monitoring, anomaly detection

Response

Controls to respond to identified risks

Incident response, model rollback procedures


Common Use Cases

Framework Research

  • List Available Frameworks: Use list_frameworks to see all supported governance frameworks

  • Get Framework Content: Use get_framework to retrieve complete framework documents

  • Search Framework Content: Use search_frameworks to find specific text within frameworks

Risk Management

  • Browse Available Risks: Use list_risks to see all documented AI governance risks

  • Get Risk Details: Use get_risk to retrieve complete risk documentation

  • Search Risks: Use search_risks to find specific risks by keyword

Mitigation Planning

  • Browse Available Mitigations: Use list_mitigations to see all documented mitigation strategies

  • Get Mitigation Details: Use get_mitigation to retrieve complete mitigation documentation

  • Search Mitigations: Use search_mitigations to find specific mitigations by keyword

System Monitoring

  • Health Status: Use get_service_health to monitor system availability

  • Performance Metrics: Use get_cache_stats to monitor cache performance


Architecture

Components

  • FastMCP Runtime Bootstrap (src/finos_mcp/fastmcp_server.py): FastMCP server construction, model definitions, and tool registration wiring

  • API Registration Modules (src/finos_mcp/api/): Dedicated tool/resource/prompt registration and MCP payload mapping

  • MCP Tools: 11 tools organized in 3 categories (Framework Access, Risk & Mitigation, System Monitoring)

  • MCP Prompts: 3 prompt templates for framework analysis and risk assessment

  • MCP Resources: 3 resource types with finos:// URI scheme for structured access

  • Application Services and Use-Cases (src/finos_mcp/application/): Search text parsing, prompt composition, observability projection, and domain flows

  • Content Management (src/finos_mcp/content/): Dynamic content loading and caching

  • Security Layer (src/finos_mcp/security/): Request validation and protection

  • Runtime Guardrails (src/finos_mcp/fastmcp_server.py): Middleware-based rate limiting, safe error responses, and payload size enforcement

Design Principles

  • Document Access Only: Direct access to governance framework documents

  • Framework Agnostic: Works with any governance framework document structure

  • Modular Tool System: Easy addition and removal of tools

  • Security First: All requests validated and protected

  • Performance Optimized: Intelligent caching and async operations

Runtime Security Controls

  • Middleware Order: Error handling -> timing -> logging -> rate limiting

  • Input Limits: Tool, prompt, and resource parameters enforce max lengths and request-size checks

  • Output Limits: Resource/document payloads are size-validated before returning to clients

  • Error Disclosure Control: External errors are sanitized and correlation-tagged

  • Failure Signaling Strategy: Dynamic GitHub discovery with explicit unavailable responses when upstream content cannot be reached

  • Boundary Authentication (Optional): JWT validation at MCP boundary with issuer/audience/scope enforcement


Development

Setup

# Install development dependencies
pip install -e ".[dev,security,test]"

# Run CI-equivalent checks locally
./scripts/ci-local.sh

# Run tests
pytest

Testing

# Run all tests
pytest

# Run with coverage
pytest --cov=src --cov-report=html

# Run fast tests
pytest -c pytest.fast.ini

# Test MCP server
mcp list tools

Adding New Tools

Tool additions follow the layered runtime pattern:

  1. Add payload builder or registration wiring in src/finos_mcp/api/tools/

  2. Add or extend use-case logic in src/finos_mcp/application/use_cases/

  3. Register the MCP surface from src/finos_mcp/fastmcp_server.py

  4. Add or update tests in tests/unit/ and integration coverage where needed

  5. Update tool documentation


Configuration

Environment variables and configuration:

  • Content loaded from GitHub repositories dynamically

  • Cache configuration in src/finos_mcp/content/cache.py

  • Security settings in src/finos_mcp/security/

Required Security Configuration

FINOS_MCP_CACHE_SECRET is required at startup.

# Option 1 (Python)
export FINOS_MCP_CACHE_SECRET=$(python -c "import secrets; print(secrets.token_hex(32))")
# Option 2 (OpenSSL)
export FINOS_MCP_CACHE_SECRET=$(openssl rand -hex 32)

Notes:

  • Use a unique secret per environment.

  • Do not commit real secrets to git.

MCP Auth Configuration

Use JWT validation (FastMCP JWTVerifier) to protect the MCP boundary in production.

export FINOS_MCP_MCP_AUTH_ENABLED=true
export FINOS_MCP_MCP_AUTH_ISSUER=https://auth.example.com
export FINOS_MCP_MCP_AUTH_AUDIENCE=finos-mcp-server
export FINOS_MCP_MCP_AUTH_JWKS_URI=https://auth.example.com/.well-known/jwks.json
export FINOS_MCP_MCP_AUTH_REQUIRED_SCOPES=governance:read,governance:write

Notes:

  • Set exactly one of FINOS_MCP_MCP_AUTH_JWKS_URI or FINOS_MCP_MCP_AUTH_PUBLIC_KEY.

  • When auth is enabled, missing issuer/audience/verifier settings fail startup.

  • Clients must send Authorization: Bearer <JWT>.

MCP Transport Configuration

Transport and network binding are config-driven (no hardcoded host/port in runtime code):

# Local MCP client default
export FINOS_MCP_MCP_TRANSPORT=stdio

# HTTP exposure example
export FINOS_MCP_MCP_TRANSPORT=http
export FINOS_MCP_MCP_HOST=127.0.0.1
export FINOS_MCP_MCP_PORT=8000

Live Transport Tests

# End-to-end stdio MCP test
FINOS_RUN_LIVE_MCP_TEST=1 ./venv/bin/pytest -q tests/integration/test_live_mcp_server.py

# End-to-end HTTP MCP test (starts server + probes /mcp)
./scripts/test-http-transport.sh

# End-to-end HTTP auth boundary test (unauthorized/forbidden/authorized)
./scripts/test-auth-http-transport.sh

Advanced Configuration Reference

Use .env.example as the canonical source and override by environment in production.

Variable

Default

Required

Purpose / Guidance

FINOS_MCP_MCP_TRANSPORT

stdio

No

Runtime transport. Use stdio for local clients; use http or streamable-http for network exposure.

FINOS_MCP_MCP_HOST

127.0.0.1

For non-stdio

Bind host for network transports. Keep loopback unless behind controlled ingress.

FINOS_MCP_MCP_PORT

8000

For non-stdio

Bind port for network transports.

FINOS_MCP_MCP_AUTH_ENABLED

false

No

Enables JWT boundary authentication. Set true for production.

FINOS_MCP_MCP_AUTH_ISSUER

(none)

If auth enabled

Expected JWT iss claim.

FINOS_MCP_MCP_AUTH_AUDIENCE

(none)

If auth enabled

Expected JWT aud claim.

FINOS_MCP_MCP_AUTH_JWKS_URI

(none)

One of verifier pair

Recommended verifier source (supports key rotation).

FINOS_MCP_MCP_AUTH_PUBLIC_KEY

(none)

One of verifier pair

Static PEM verifier source. Do not set with JWKS_URI.

FINOS_MCP_MCP_AUTH_REQUIRED_SCOPES

(none)

No

Comma-separated required scopes for all requests.

FINOS_MCP_HTTP_TIMEOUT

30

No

Outbound request timeout in seconds.

FINOS_MCP_ENABLE_CACHE

true

No

In-memory content cache toggle.

FINOS_MCP_CACHE_MAX_SIZE

1000

No

Max entries in cache. Increase carefully with memory limits.

FINOS_MCP_CACHE_TTL_SECONDS

3600

No

Cache TTL in seconds.

FINOS_MCP_GITHUB_TOKEN

(none)

Recommended

Raises GitHub API limits and stability for dynamic content sync.

FINOS_MCP_LOG_LEVEL

INFO

No

Runtime log verbosity.

FINOS_MCP_DEBUG_MODE

false

No

Enables verbose diagnostics; avoid in production unless troubleshooting.

Production baseline:

  • FINOS_MCP_MCP_AUTH_ENABLED=true

  • FINOS_MCP_MCP_TRANSPORT=http (or streamable-http) behind TLS ingress

  • FINOS_MCP_MCP_HOST=127.0.0.1 when fronted by reverse proxy

  • Configure FINOS_MCP_MCP_AUTH_JWKS_URI, FINOS_MCP_MCP_AUTH_ISSUER, FINOS_MCP_MCP_AUTH_AUDIENCE

Go-Live Approval Gate

Run full automated release gates:

./scripts/go-live-gate.sh

Includes:

  • tracked-folder hygiene checks

  • clean working tree enforcement

  • linting and type checks

  • regression tests

  • live stdio/HTTP/auth transport checks

  • dependency vulnerability scan


Content Sources

Content Coverage

  • Framework Data: Direct access to governance framework documents

  • Dynamic Loading: Automatic content fetching from official sources

  • FINOS Content: AI governance risks and mitigations from FINOS AI Governance Framework, used under CC BY 4.0 license

Performance Characteristics

  • Response Times: Fast cached response times with intelligent caching

  • Reliability: Circuit breaker protection and error boundary management

  • Scalability: Memory-efficient design with configurable cache limits

  • Security: Comprehensive DoS protection and request validation


Documentation

Getting Started

API & Integration

Support & Troubleshooting


Contributing

  1. Fork the repository

  2. Create a feature branch

  3. Make changes and add tests

  4. Run CI-equivalent checks: ./scripts/ci-local.sh

  5. Test with MCP CLI: mcp list tools

  6. Submit a pull request


Need Help


License

Software License Content License

  • Software: Apache 2.0 License

  • FINOS Content: CC BY 4.0 License


A
license - permissive license
-
quality - not tested
D
maintenance

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/finos/aigf-mcp-server'

If you have feedback or need assistance with the MCP directory API, please join our Discord server