constraints-registry-mcp

constraints-registry-mcp

A single, queryable source of engineering constraints that coding agents consult at code-generation time, exposed over an MCP server.

Category
访问服务器

README

Constraint Registry

A single, queryable source of engineering constraints (infrastructure, organizational, architectural) that coding agents (Claude Code, Cursor, Codex, …) consult at code-generation time, exposed over an MCP server. It does not enforce constraints itself — it provides guidance to agents and delegates deterministic validation to existing enforcement engines (OPA / Conftest).

Constraints are authored in source repos, aggregated into an immutable, versioned bundle, and served over MCP so an agent can:

  1. describe_scope — discover the valid selector vocabulary,
  2. get_constraints — fetch the rules relevant to what it's building, and
  3. validate — check a candidate artifact against the bound enforcement engines.

Authoritative requirements: constraint-registry-v0-spec.md. Requirement → component → test mapping: TRACEABILITY.md.


Contents


Features

  • Three constraint categories — infrastructure, organizational, architectural, including relationship-style selectors (e.g. "no synchronous calls across domain boundaries") and advisory (no-enforcement) constraints.
  • Multi-source aggregation — import from many source repos; ids are namespaced per source; deterministic, content-hashed, immutable versioned bundles.
  • Precedence & anti-drift — a configurable default policy (hard outranks weaker; a downstream source may not relax a higher-precedence rule on the same scope); fixture cross-checks keep guidance and enforcement from drifting.
  • Pluggable engines — a stable adapter interface; ships a real OPA adapter and a real Conftest adapter. Adding an engine = one adapter + one config line (see Adding an enforcement engine).
  • MCP server — three tools (describe_scope, get_constraints, validate) over stdio or a shared HTTP endpoint. get_constraints fails open so an agent is never blocked.
  • Hot reload — the server can periodically re-import so constraint changes are picked up without a restart.
  • Validation harness — proves the registry and constraint set are internally consistent; machine-readable JSON, non-zero exit on failure.

Prerequisites

Tool Required? Notes
Python ≥ 3.11 yes the package targets 3.11+
uv yes manages the venv and runs entry points
OPA (opa) for validate / fixture cross-checks the reference enforcement engine
Conftest (conftest) optional second engine; its harness check SKIPs if absent

Install the engines on macOS:

brew install opa conftest

The registry and the get_constraints/describe_scope guidance work without any engine; an engine is only needed to run validate and the fixture cross-checks.


Quick start

git clone https://github.com/SureshKhemka/constraints-registry-mcp.git
cd constraints-registry-mcp

uv sync                      # create the venv + install deps

uv run cregistry-harness     # run the validation harness against the bundled samples

The harness emits machine-readable JSON and exits non-zero on any failure. A green run looks like:

{ "passed": true, "summary": { "pass": 21, "fail": 0, "skip": 0, "total": 21 }, "checks": [ ... ] }

(skip is used only when an optional engine like conftest is not installed.)


Running the MCP server

Two transports — pick based on how you want tools to connect.

# stdio (default): each tool launches its own copy; nothing to manage
uv run cregistry-mcp

# one shared HTTP server every tool connects to (recommended for multiple tools)
uv run cregistry-mcp --http --port 8765 --reload-interval 60

Flags: --transport {stdio,http,sse}, --http (shorthand), --host (default 127.0.0.1), --port (default 8765), --config (or $CREGISTRY_CONFIG), --reload-interval SECONDS (0 = off).

Manage the shared HTTP server:

lsof -ti tcp:8765 | xargs kill     # stop
# restart = stop + start

Full operational guide (stop/restart, macOS launchd auto-start, the repo-sync/decoupling pattern): docs/RUNNING.md. Tool input/output contracts: docs/MCP_CONTRACT.md.


Integrating with coding agents

The server exposes three tools: describe_scope, get_constraints, validate.

Claude Code

# shared HTTP server (start it first, see above), available in every project:
claude mcp add --scope user --transport http constraint-registry http://127.0.0.1:8765/mcp

# OR stdio (no separate server to run; Claude launches it):
claude mcp add constraint-registry -- uv run --directory "$(pwd)" cregistry-mcp

claude mcp list   # should show: constraint-registry ... ✔ Connected

Cursor (~/.cursor/mcp.json)

{ "mcpServers": { "constraint-registry": { "url": "http://127.0.0.1:8765/mcp" } } }

Codex / other stdio-only tools

Configure an MCP server with command: uv, args: ["run","--directory","/abs/path/to/repo","cregistry-mcp"].

Make the agent actually consult it

Agents auto-discover the tools, but to get them to consult the registry before generating code, add an instruction to your project (or ~/.claude/CLAUDE.md):

Before writing AWS/infra code, call the constraint-registry MCP: describe_scope to learn valid selector values, then get_constraints with the right scope, and comply with every hard constraint as a non-negotiable downstream gate. Optionally validate the result.


Authoring constraints

A source is a directory with constraints/*.yaml (one constraint per file) and, optionally, policies/ (engine policies) and fixtures/ (sample artifacts). Register sources and engines in registry.config.yaml:

sources:
  - { name: platform-security, path: sources/platform-security, precedence: 100 }
  - { name: data-platform,     path: sources/data-platform,     precedence: 50  }
engines:
  - { name: opa,      adapter: "cregistry.engine.adapters.opa:OpaAdapter" }
  - { name: conftest, adapter: "cregistry.engine.adapters.conftest:ConftestAdapter" }
precedence_policy: default

A constraint (see sources/platform-security/constraints/aws-s3-no-public-access.yaml):

id: aws.s3.no-public-access
title: "S3 buckets must not be publicly accessible"
intent: "Public buckets are the top source of data-exposure incidents."
category: infrastructure          # infrastructure | organizational | architectural
scope:
  providers: [aws]
  resource_types: [aws_s3_bucket] # Terraform resource ids (NOT "s3_bucket")
  environments: [all]
  repos: ["tag:data-plane"]
severity: hard                    # hard | soft | advisory
enforcement:                      # omit for an advisory (guidance-only) constraint
  - { engine: opa, policy: policies/s3_public.rego }
guidance:
  do:   ["Attach an aws_s3_bucket_public_access_block with all four flags true"]
  dont: ["Never set acl = 'public-read' or 'public-read-write'"]
  example_compliant: |
    {"resources": {"aws_s3_bucket": {"data": {"acl": "private", "public_access_block": true}}}}
owner: platform-security
version: 1.0.0
fixtures:                         # optional; cross-checked against the engine
  pass: fixtures/s3_private.json
  fail: fixtures/s3_public.json

Scoping notes (matters when agents query):

  • resource_types use the target tooling's identifiers (Terraform: aws_s3_bucket). Call describe_scope to discover the exact vocabulary present.
  • A query that omits a dimension matches broadly; a value that contradicts a constraint's selector excludes it. Relationship-scoped constraints are only returned for queries that supply a matching relationship.
  • After authoring, run uv run cregistry-harness to validate schema, precedence, and fixtures.

Hot reload (no restart on constraint changes)

Run the server with --reload-interval N and it re-imports from disk every N seconds, publishing a new immutable bundle when content changes:

uv run cregistry-mcp --http --port 8765 --reload-interval 60
  • No-op when nothing changed; previous bundle versions stay pinnable by id.
  • A failed re-import (e.g. an unresolvable precedence conflict) keeps the last-good bundle serving and logs the reason — the server never goes dark.
  • The server reads from the configured source paths, so wire your teams' constraint repos to sync/pull into those paths (a separate ops job, e.g. a cron git pull or CI publish). Code/dependency changes still need a restart.

Validation harness

uv run cregistry-harness runs end-to-end against the bundled, self-contained sample sources and proves: schema conformance, deterministic import, malformed- constraint isolation, namespacing & precedence, versioning & deprecation, engine- interface conformance (incl. a reusable suite any adapter can be run against), fixture cross-checks / broken-binding detection, the MCP contract / scoping / fail-open, and hot-reload behavior. It prints structured JSON and returns a non-zero exit on any failure — suitable for CI.

uv run cregistry-harness            # human-readable JSON to stdout, exit 0/1
uv run cregistry-harness --config path/to/registry.config.yaml

Adding an enforcement engine

Implement the EngineAdapter interface in a new module under src/cregistry/engine/adapters/, add one line under engines: in registry.config.yaml, and validate it against the existing conformance suite — no changes to the schema, importer, MCP server, or harness. Full walkthrough: docs/ADDING_AN_ENGINE.md.


Repository layout

src/cregistry/
  model.py            constraint schema (Pydantic)
  loader.py           load + per-field schema validation
  config.py           registry config (sources, engines)
  importer.py         import → aggregate → bundle
  precedence.py       namespacing precedence / conflict resolution
  scope.py            scope matching (query + conflict)
  bundle.py store.py  immutable versioned bundles + store
  query.py validate.py  scoped queries + artifact validation
  integrity.py        fixture cross-check / anti-drift
  service.py          transport-independent service (+ hot reload)
  mcp_server.py       MCP server (stdio / http) + CLI
  engine/             stable engine interface, registry, adapters (opa, conftest)
  harness/            the validation harness (checks/*)
sources/              bundled sample source repos (constraints, policies, fixtures)
scenarios/            self-contained fixtures for harness edge cases
docs/                 RUNNING.md, MCP_CONTRACT.md, ADDING_AN_ENGINE.md
deploy/               launchd template for auto-starting the HTTP server

推荐服务器

Baidu Map

Baidu Map

百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。

官方
精选
JavaScript
Playwright MCP Server

Playwright MCP Server

一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。

官方
精选
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。

官方
精选
本地
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。

官方
精选
本地
TypeScript
VeyraX

VeyraX

一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。

官方
精选
本地
graphlit-mcp-server

graphlit-mcp-server

模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。

官方
精选
TypeScript
Kagi MCP Server

Kagi MCP Server

一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。

官方
精选
Python
e2b-mcp-server

e2b-mcp-server

使用 MCP 通过 e2b 运行代码。

官方
精选
Neon MCP Server

Neon MCP Server

用于与 Neon 管理 API 和数据库交互的 MCP 服务器

官方
精选
Exa MCP Server

Exa MCP Server

模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。

官方
精选