
Security News
Next.js moves to scheduled security releases
Vercel is formalizing a monthly release program for Next.js. The change follows React2Shell and a sharp rise in AI-assisted vulnerability discovery.
@mcp-rune/mcp-rune
Advanced tools
Model-driven framework for building Model Context Protocol servers.
mcp-rune.dev
Documentation · Quickstart · Examples · Discord · GitHub
Building an MCP server by hand means writing N tool handlers, N schemas,
OAuth from scratch, and an agent that still guesses your business rules.
mcp-rune derives all of that from one model definition. Define your models once —
it derives the prompts, tools, apps and docs an agent needs, then indexes your
whole dataset so the agent retrieves by meaning, not raw rows.
One spec, an entire server.
npm install @mcp-rune/mcp-rune
New here? Start with the Quickstart — a real MCP server running in under ten minutes, no database or backend required.
Want to poke at a running example first? Scaffold the bookshelf example with one command — a 30-line model, a complete server:
npx @mcp-rune/create new my-app --template bookshelf
Write a model. That's the spec.
import { BaseModel } from '@mcp-rune/mcp-rune'
export class Book extends BaseModel {
static override attributes = {
title: { type: 'string', required: true },
author: { type: 'string', required: true },
status: { type: 'enum', values: ['reading', 'done'] },
rating: { type: 'integer', validation: { min: 1, max: 5 } }
}
}
From that one declaration, mcp-rune registers the full agent surface — and the tool list does not grow as you add models:
list_models, find_records, create_model, update_model, delete_model cover every model you define.Both TypeScript and JavaScript are first-class — every example in the docs ships in both.
Most MCP servers can only hand the agent raw rows. mcp-rune indexes an entire dataset three ways — vectors, a relationship graph, and your domain vocabulary — then answers by meaning, aggregate, filter, or stratified sample. The agent reasons over findings, never the whole table.
all-MiniLM-L6-v2 (384-dim) into local pgvector; the semantic mode ranks by cosine distance, no keywords.analysis_act mutates a filtered subset server-side; matched IDs never return to the agent's context.Six tools — analysis_ingest · analysis_query · analysis_store · analysis_act · analysis_summarize · analysis_clear — opt-in via ANALYSIS_ENABLED=true. Off by default — nothing loads, nothing runs, no startup cost until you turn it on. Local embeddings: no external vector DB, no embedding API.
Visit the official documentation for the full guide library. Good places to start:
Having trouble? Ask in the official mcp-rune Discord — the community is happy to help you get unstuck.
For partnerships, security reports, or anything 1:1, email david@mcp-rune.dev.
New contributors welcome! Check out the Contributors Guide to get started, then browse the good first issues.
Join us on Discord to meet other contributors — we'll help you land your first contribution in no time.
MIT © the mcp-rune authors. No telemetry. Self-hosted by default.
Built in the open · Star us on GitHub ✦
FAQs
Model-driven framework for building Model Context Protocol servers.
The npm package @mcp-rune/mcp-rune receives a total of 64 weekly downloads. As such, @mcp-rune/mcp-rune popularity was classified as not popular.
We found that @mcp-rune/mcp-rune demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?

Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.

Security News
Vercel is formalizing a monthly release program for Next.js. The change follows React2Shell and a sharp rise in AI-assisted vulnerability discovery.

Research
/Security News
11 malicious NuGet tools pose as game cheats to deploy Windows payloads, track hosts, and use Google Sheets for telemetry and control.

Research
/Security News
4 compromised asyncapi packages deliver miasma botnet loader on macOS, Linux and Windows.