Spring Toolkit MCP
Scans Flyway migrations for risky operations and provides migration status via Actuator.
Detects Gradle build metadata and runs Gradle tests when policy allows.
Reads Liquibase migration status from Actuator endpoints.
Reads Prometheus metrics from Actuator endpoints.
Inspects Spring Boot repositories, extracts annotations, endpoints, configuration, and interacts with Actuator endpoints for runtime health, metrics, and management.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Spring Toolkit MCPcheck actuator health of orders application"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Spring Toolkit MCP
Spring Toolkit MCP is a secure-by-default MCP server and CLI for agentic review of real Spring Boot repositories. It focuses on the practical developer workflow teams need in production: inspect a Java/Spring codebase, expose safe tools to an AI agent, and produce review signals around controllers, configuration, Flyway migrations, JPA, and test opportunities.
The second design goal is simple: Spring Boot Admin for AI agents. Human operators use dashboards; agents need structured tools. Spring Toolkit MCP now has both workspace inspection and runtime Actuator access, with mutating actions behind explicit policy flags.
This first version is intentionally dependency-free Python. It can run as:
an MCP stdio server for clients that support tools/list and tools/call
a local CLI that prints Markdown or JSON reports
a Python library for future integrations with Continue, OpenHands, Aider, or CI
Features
Detects Maven and Gradle build metadata
Scans Spring annotations such as controllers, services, repositories, entities, mappers, configuration classes, and application entrypoints
Extracts endpoint mappings and security annotations from Java sources
Reads
application*.properties,application*.yml, andapplication*.yamlwhile redacting likely secretsScans Flyway migrations for risky operations
Lists configured Spring Boot Actuator applications
Reads Actuator endpoint index, health, info, audit events, beans, conditions, config properties, mappings, metrics, env, loggers, thread dumps, heap metrics, startup steps, scheduled tasks, caches, HTTP exchanges/traces, Flyway and Liquibase status, Spring Integration graph, Quartz, sessions, SBOM, Prometheus, bounded log files, and heap dump metadata
Changes logger levels, deletes sessions, and reads sensitive Actuator downloads only when explicitly enabled by policy
Reads Maven Surefire and JaCoCo reports
Runs Maven or Gradle tests only when explicitly enabled by policy
Generates pragmatic Markdown review reports
Suggests MockMvc test skeletons for controllers
Guards MCP access to configured workspace roots
Related MCP server: mcp-devtools
How It Works
The server runs as a long-lived process that an MCP client (such as Claude Code)
launches over stdio. It stays alive for the whole client session and answers
JSON-RPC tools/list and tools/call requests. With an editable install
(pip install -e .), the code runs from src/, so editing a file and
restarting the client picks up the change with no reinstall.
The tools split into two families with very different requirements:
Family | App running? | What it needs | Reads / does | Example tools |
Workspace | No | A project folder on disk, in scope | Static scan of |
|
Runtime | Yes | A live app's Actuator URL configured | HTTP calls to a running Spring Boot |
|
In short: static review needs only the folder; live health/metrics need the app running with Actuator exposed.
Scope and defaults when nothing is configured:
Workspace tools can only read the client's current working directory until
SPRING_TOOLKIT_ALLOWED_ROOTSlists more absolute paths.Runtime tools see zero applications until
SPRING_TOOLKIT_ACTUATOR_BASE_URLS(orSPRING_TOOLKIT_ACTUATOR_BASE_URL) is set.Mutating actions — logger changes, session deletion, sensitive downloads, and test runs — are off until their explicit policy flag is enabled (see Runtime Configuration).
Quick Start
The examples below use PowerShell syntax. On Linux/macOS, set environment variables with
export NAME=valueinstead of$env:NAME = "value"and use/paths instead ofC:\.... Note that list-valued variables (SPRING_TOOLKIT_ALLOWED_ROOTS,SPRING_TOOLKIT_ACTUATOR_BASE_URLS) are always separated by;on every platform, not:.
From a fresh checkout, install the package in editable mode:
python -m pip install -e .Run a Markdown review for the current directory:
spring-toolkit review .Run a JSON summary:
spring-toolkit summary . --jsonStart the MCP server:
spring-toolkit-mcpModes
Workspace mode inspects a local repository:
spring-toolkit review C:\work\orders-service
spring-toolkit mockmvc C:\work\orders-service --controller OrderControllerRuntime mode connects to Spring Boot Actuator:
$env:SPRING_TOOLKIT_ACTUATOR_BASE_URLS = "orders=http://localhost:8080/actuator;billing=http://localhost:8081/actuator"
spring-toolkit apps
spring-toolkit actuator --application orders
spring-toolkit health --application orders
spring-toolkit metrics --application orders --metric http.server.requests
spring-toolkit mappings --application ordersFull mode combines both in the MCP client: the agent can inspect code, read runtime health/metrics, read reports, and propose a fix from one tool surface.
By default, workspace MCP tool calls can only inspect the current working
directory. To allow other roots, set SPRING_TOOLKIT_ALLOWED_ROOTS to a
semicolon-separated list of absolute paths:
$env:SPRING_TOOLKIT_ALLOWED_ROOTS = "C:\work\project-a;C:\work\project-b"
spring-toolkit-mcpWhen running directly from the checkout without installing, set PYTHONPATH:
$env:PYTHONPATH = "src"
python -m spring_toolkit_mcp.cli review .Runtime Configuration
Configure one Actuator app:
$env:SPRING_TOOLKIT_ACTUATOR_BASE_URL = "http://localhost:8080/actuator"Configure multiple named apps:
$env:SPRING_TOOLKIT_ACTUATOR_BASE_URLS = "orders=http://localhost:8080/actuator;billing=http://localhost:8081/actuator"Optional Basic Auth:
$env:SPRING_TOOLKIT_ACTUATOR_USERNAME = "admin"
$env:SPRING_TOOLKIT_ACTUATOR_PASSWORD = "secret"Mutating logger changes are disabled by default:
$env:SPRING_TOOLKIT_ENABLE_LOGGER_MUTATION = "true"Sensitive Actuator downloads are disabled by default. Enable them before using
logfile or heap dump metadata tools:
$env:SPRING_TOOLKIT_ENABLE_ACTUATOR_DOWNLOADS = "true"Session deletion is disabled by default:
$env:SPRING_TOOLKIT_ENABLE_SESSION_MUTATION = "true"Build/test execution is also disabled by default:
$env:SPRING_TOOLKIT_ENABLE_TEST_RUNS = "true"
spring-toolkit maven-test C:\work\orders-service --test OrderServiceTestRuntime CLI commands mirror the MCP runtime surface: apps, actuator,
health, info, auditevents, beans, conditions, configprops,
mappings, metrics, env, loggers, set-logger-level, threaddump,
heap-info, heapdump, scheduledtasks, caches, httpexchanges,
actuator-flyway, liquibase, integrationgraph, quartz, sessions,
delete-session, startup, sbom, prometheus, and logfile.
MCP Tools
spring_project_summary
Returns structured metadata for a Spring Boot repository: build files, dependencies, source roots, components, endpoint mappings, config keys, and Flyway migrations.
analyze_project_structure, list_rest_controllers, list_endpoints,
inspect_application_properties, inspect_flyway_migrations
Workspace aliases with names that are easy for agents to select during codebase inspection.
spring_code_review
Returns a pragmatic Markdown or JSON review focused on missing authorization signals, risky migrations, sensitive configuration, missing test directories, and common Spring/JPA footguns.
spring_flyway_risk_scan
Returns a focused Flyway migration report.
spring_generate_mockmvc_tests
Generates starter MockMvc test skeletons for detected controllers.
list_applications, list_actuator_endpoints, get_health_status,
get_info, get_audit_events, get_beans, get_conditions,
get_config_properties, get_mappings, get_flyway_status,
get_liquibase_status, get_integration_graph, get_metrics,
get_env_properties, get_loggers, get_thread_dump, get_startup,
get_heap_info, get_heap_dump_metadata, get_scheduled_tasks,
get_cache_stats, get_http_traces, get_quartz, get_sessions, get_sbom,
get_prometheus, get_log_file
Actuator-backed runtime tools. get_env_properties and
get_config_properties redact likely secrets. get_log_file and
get_heap_dump_metadata require SPRING_TOOLKIT_ENABLE_ACTUATOR_DOWNLOADS=true.
change_logger_level, delete_session
Actuator-backed mutations. Logger changes require
SPRING_TOOLKIT_ENABLE_LOGGER_MUTATION=true; session deletion requires
SPRING_TOOLKIT_ENABLE_SESSION_MUTATION=true.
run_maven_tests, run_gradle_tests, run_specific_test,
read_surefire_report, read_jacoco_report
Quality-gate tools. Report readers are passive; test runners require
SPRING_TOOLKIT_ENABLE_TEST_RUNS=true.
Demo Flow
User prompt:
Analyze why orders-service is slow before I open the PR.An agent can call:
get_health_status(application="orders")
get_metrics(application="orders", metric="http.server.requests")
get_heap_info(application="orders")
list_endpoints(path="C:\work\orders-service")
read_surefire_report(path="C:\work\orders-service")
spring_code_review(path="C:\work\orders-service")Then it can summarize runtime symptoms, related controller/service code, test status, migration risk, and concrete next steps.
MCP Client Configuration Example
{
"mcpServers": {
"spring-toolkit": {
"command": "python",
"args": ["-m", "spring_toolkit_mcp.server"],
"env": {
"SPRING_TOOLKIT_ALLOWED_ROOTS": "C:\\work\\my-spring-app",
"SPRING_TOOLKIT_ACTUATOR_BASE_URLS": "orders=http://localhost:8080/actuator"
}
}
}
}The server speaks newline-delimited JSON-RPC over stdio, the standard MCP stdio transport. Any compliant MCP client can launch it with the command and args above.
Registering with Claude Code
Claude Code can add the server from the CLI instead of hand-editing config.
From the project directory (after pip install -e .):
claude mcp add spring-toolkit -- python -m spring_toolkit_mcp.serverPass environment variables with -e (repeat per variable). Multiple roots or
URLs in one variable are separated by ; on every platform:
claude mcp add spring-toolkit \
-e "SPRING_TOOLKIT_ALLOWED_ROOTS=/work/project-a;/work/project-b" \
-e SPRING_TOOLKIT_ACTUATOR_BASE_URLS=orders=http://localhost:8080/actuator \
-- python -m spring_toolkit_mcp.serverVerifying the Server
Confirm the server starts and answers the MCP handshake before wiring it into a client. Pipe a request to it over stdio:
printf '%s\n' '{"jsonrpc":"2.0","id":1,"method":"initialize","params":{"protocolVersion":"2024-11-05","capabilities":{},"clientInfo":{"name":"t","version":"1"}}}' \
| python -m spring_toolkit_mcp.serverA successful run prints a single JSON line containing serverInfo. To list the
available tools, send {"jsonrpc":"2.0","id":1,"method":"tools/list","params":{}}
the same way. In Claude Code, claude mcp list should report the server as
✔ Connected.
Development
Run tests:
python -m unittest discover -s testsThe project has no runtime dependencies. That is deliberate for the MVP: agents can run it in locked-down enterprise environments, and the MCP surface stays easy to audit.
Roadmap
Maven and Gradle test execution tools with explicit allowlists
SonarQube report ingestion
PostgreSQL schema introspection
Spring Security 6 focused checks
MapStruct and Lombok deeper analysis
Continue/OpenHands recipes and CI examples
License
Spring Toolkit MCP is open source software released under the MIT License.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/giaffa86/spring-toolkit-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server