forgecraft-mcp 0.2.0 → 0.2.1

package/templates/medallion-architecture/mcp-servers.yaml

@@ -0,0 +1,20 @@
+tag: MEDALLION-ARCHITECTURE
+section: mcp-servers
+servers:
+  - name: postgres
+    description: "PostgreSQL for medallion layer metadata, quality gate results, and lineage tracking"
+    command: npx
+    args: ["-y", "@modelcontextprotocol/server-postgres"]
+    tags: [MEDALLION-ARCHITECTURE, DATA-PIPELINE]
+    category: database
+    env:
+      POSTGRES_CONNECTION_STRING: ""
+    url: "https://github.com/modelcontextprotocol/servers/tree/main/src/postgres"
+
+  - name: filesystem
+    description: "Filesystem access for Bronze/Silver/Gold layer data files and pipeline configs"
+    command: npx
+    args: ["-y", "@modelcontextprotocol/server-filesystem"]
+    tags: [MEDALLION-ARCHITECTURE, DATA-PIPELINE]
+    category: filesystem
+    url: "https://github.com/modelcontextprotocol/servers/tree/main/src/filesystem"

package/templates/ml/mcp-servers.yaml

@@ -0,0 +1,10 @@
+tag: ML
+section: mcp-servers
+servers:
+  - name: jupyter
+    description: "Jupyter notebook management — create, execute, and inspect cells"
+    command: npx
+    args: ["-y", "mcp-server-jupyter"]
+    tags: [ML, DATA-PIPELINE]
+    category: ai-ml
+    url: "https://github.com/datalayer/jupyter-mcp-server"

package/templates/mobile/mcp-servers.yaml

@@ -0,0 +1,10 @@
+tag: MOBILE
+section: mcp-servers
+servers:
+  - name: android-emulator
+    description: "Android emulator control — screenshots, tap, swipe, and app lifecycle"
+    command: npx
+    args: ["-y", "mcp-server-android"]
+    tags: [MOBILE]
+    category: devtools
+    url: "https://github.com/nicholasgriffintn/android-mcp-server"

package/templates/observability-xray/instructions.yaml

@@ -0,0 +1,40 @@
+tag: OBSERVABILITY-XRAY
+section: instructions
+blocks:
+  - id: xray-lambda-instrumentation
+    tier: recommended
+    title: "Auto-Add X-Ray Instrumentation to Lambdas"
+    content: |
+      ## Auto-Add X-Ray Instrumentation to Lambdas
+
+      - Enable X-Ray active tracing on every Lambda function by default. Set `tracing: Active` in SAM/CloudFormation or `tracing_config { mode = "Active" }` in Terraform.
+      - Wrap the AWS SDK client with the X-Ray SDK to automatically trace all downstream AWS service calls (DynamoDB, S3, SQS, SNS).
+      - Add X-Ray middleware or decorators to every Lambda handler. No handler should execute without producing a trace segment.
+      - Include custom subsegments for business-critical operations: database queries, external API calls, heavy computations.
+      - Propagate trace headers across service boundaries: ensure `X-Amzn-Trace-Id` is forwarded in HTTP headers and SQS message attributes.
+      - Set sampling rules appropriate to traffic volume: 100% for low-traffic, reservoir-based for high-traffic. Document sampling decisions.
+
+  - id: xray-annotations-metadata
+    tier: recommended
+    title: "X-Ray Annotations & Metadata Standards"
+    content: |
+      ## X-Ray Annotations & Metadata Standards
+
+      - Add annotations for every trace: `service`, `environment`, `version`, `userId` (hashed), `correlationId`. Annotations are indexed and searchable.
+      - Use metadata for non-indexed debug data: request/response sizes, feature flags, cache hit/miss ratios.
+      - Define a standard annotation taxonomy across all services. No ad-hoc annotation keys — use a shared enum or constant file.
+      - Create X-Ray groups for critical paths: user-facing APIs, payment flows, data pipelines. Monitor group error rates and latency.
+      - Set up X-Ray insights for automated anomaly detection on critical service groups.
+      - Include X-Ray trace IDs in error responses and log entries for cross-referencing between traces and logs.
+
+  - id: xray-alerting
+    tier: optional
+    title: "X-Ray-Based Alerting & SLOs"
+    content: |
+      ## X-Ray-Based Alerting & SLOs
+
+      - Define SLOs per service using X-Ray latency and error rate data: p50, p95, p99 latency targets and error budget thresholds.
+      - Create CloudWatch alarms from X-Ray service maps: alert on elevated fault rates, latency spikes, or throttling.
+      - Monitor cold start impact via X-Ray initialization subsegments. Alert if cold start percentage exceeds threshold.
+      - Build dashboards combining X-Ray service map data with CloudWatch metrics for a unified observability view.
+      - Review X-Ray traces weekly for optimization opportunities: unnecessary downstream calls, serial-when-could-be-parallel patterns.

package/templates/observability-xray/mcp-servers.yaml

@@ -0,0 +1,14 @@
+tag: OBSERVABILITY-XRAY
+section: mcp-servers
+servers:
+  - name: aws-cloudwatch
+    description: "AWS CloudWatch logs and metrics — query X-Ray traces, view Lambda logs, monitor alarms"
+    command: npx
+    args: ["-y", "mcp-server-cloudwatch"]
+    tags: [OBSERVABILITY-XRAY, INFRA]
+    category: monitoring
+    env:
+      AWS_REGION: ""
+      AWS_ACCESS_KEY_ID: ""
+      AWS_SECRET_ACCESS_KEY: ""
+    url: "https://github.com/modelcontextprotocol/servers"

package/templates/realtime/mcp-servers.yaml

@@ -0,0 +1,12 @@
+tag: REALTIME
+section: mcp-servers
+servers:
+  - name: redis
+    description: "Redis key-value store management — pub/sub, streams, caching, and session management"
+    command: npx
+    args: ["-y", "mcp-server-redis"]
+    tags: [REALTIME]
+    category: database
+    env:
+      REDIS_URL: "redis://localhost:6379"
+    url: "https://github.com/nicholasgriffintn/redis-mcp-server"

package/templates/soc2/instructions.yaml

@@ -0,0 +1,41 @@
+tag: SOC2
+section: instructions
+blocks:
+  - id: access-control-validation
+    tier: recommended
+    title: "Access Control Validation"
+    content: |
+      ## Access Control Validation
+
+      - Implement role-based access control (RBAC) with the principle of least privilege. No user or service account gets more access than required.
+      - Define access control matrices mapping roles to resources and operations. Review and update quarterly.
+      - Enforce multi-factor authentication (MFA) for all administrative and privileged access.
+      - Automate access reviews: flag dormant accounts (no login in 90 days), over-provisioned roles, and orphaned service accounts.
+      - Log all access control changes (role assignments, permission grants, policy updates) with who-changed-what-when detail.
+      - Test access controls with negative tests: verify that unauthorized roles are denied, not just that authorized roles succeed.
+
+  - id: change-management
+    tier: recommended
+    title: "Change Management & Audit Trail"
+    content: |
+      ## Change Management & Audit Trail
+
+      - Every production change requires a documented change request with description, risk assessment, rollback plan, and approval.
+      - Enforce separation of duties: the person who writes code cannot be the sole approver for deployment.
+      - Maintain an immutable audit trail of all changes: code commits, config changes, infrastructure modifications, access grants.
+      - Implement automated change detection: alert on unexpected file changes, config drift, or unauthorized deployments.
+      - Conduct post-incident reviews for all unplanned changes. Document root cause, timeline, and preventive measures.
+      - Tag all deployments with version, timestamp, deployer, and change request ID for full traceability.
+
+  - id: incident-response
+    tier: recommended
+    title: "Incident Response Procedures"
+    content: |
+      ## Incident Response Procedures
+
+      - Define and document an incident response plan with clear roles: incident commander, communications lead, technical lead.
+      - Classify incidents by severity (P1-P4) with defined response times, escalation paths, and communication templates.
+      - Implement automated incident detection: anomaly alerts, threshold breaches, security event correlation.
+      - Conduct tabletop exercises quarterly to test incident response procedures with realistic scenarios.
+      - Maintain a post-mortem culture: blameless retrospectives within 48 hours, action items tracked to completion.
+      - Ensure incident logs are retained for SOC2 audit periods (minimum 12 months) with tamper-evident storage.

package/templates/soc2/mcp-servers.yaml

@@ -0,0 +1,22 @@
+tag: SOC2
+section: mcp-servers
+servers:
+  - name: github
+    description: "GitHub repository management — PR reviews, access controls, audit trails for change management"
+    command: npx
+    args: ["-y", "@modelcontextprotocol/server-github"]
+    tags: [SOC2, UNIVERSAL]
+    category: version-control
+    env:
+      GITHUB_PERSONAL_ACCESS_TOKEN: ""
+    url: "https://github.com/modelcontextprotocol/servers/tree/main/src/github"
+
+  - name: sentry
+    description: "Sentry error and incident tracking — incident response monitoring and alerting"
+    command: npx
+    args: ["-y", "mcp-server-sentry"]
+    tags: [SOC2, API]
+    category: monitoring
+    env:
+      SENTRY_AUTH_TOKEN: ""
+    url: "https://github.com/modelcontextprotocol/servers"

package/templates/social/mcp-servers.yaml

@@ -0,0 +1,22 @@
+tag: SOCIAL
+section: mcp-servers
+servers:
+  - name: postgres
+    description: "PostgreSQL database inspection, queries, and schema management — common backend for social platforms"
+    command: npx
+    args: ["-y", "@modelcontextprotocol/server-postgres"]
+    tags: [DATA-PIPELINE, API, SOCIAL]
+    category: database
+    env:
+      POSTGRES_CONNECTION_STRING: ""
+    url: "https://github.com/modelcontextprotocol/servers/tree/main/src/postgres"
+
+  - name: redis
+    description: "Redis key-value store management — caching, sessions, feeds, and real-time features"
+    command: npx
+    args: ["-y", "mcp-server-redis"]
+    tags: [REALTIME, SOCIAL]
+    category: database
+    env:
+      REDIS_URL: "redis://localhost:6379"
+    url: "https://github.com/nicholasgriffintn/redis-mcp-server"

package/templates/state-machine/mcp-servers.yaml

@@ -0,0 +1,10 @@
+tag: STATE-MACHINE
+section: mcp-servers
+servers:
+  - name: sequential-thinking
+    description: "Dynamic, reflective problem-solving through thought sequences — ideal for modeling state transitions"
+    command: npx
+    args: ["-y", "@modelcontextprotocol/server-sequential-thinking"]
+    tags: [UNIVERSAL, STATE-MACHINE]
+    category: general
+    url: "https://github.com/modelcontextprotocol/servers/tree/main/src/sequentialthinking"

package/templates/universal/mcp-servers.yaml

@@ -0,0 +1,26 @@
+tag: UNIVERSAL
+section: mcp-servers
+servers:
+  - name: forgecraft
+    description: "Production-grade engineering standards and project scaffolding"
+    command: npx
+    args: ["-y", "forgecraft-mcp"]
+    tags: [UNIVERSAL]
+    category: scaffolding
+    url: "https://github.com/jghiringhelli/forgecraft-mcp"
+
+  - name: context7
+    description: "Pulls up-to-date documentation and code examples for libraries directly into your prompt"
+    command: npx
+    args: ["-y", "@upstash/context7-mcp@latest"]
+    tags: [UNIVERSAL]
+    category: documentation
+    url: "https://github.com/upstash/context7"
+
+  - name: sequential-thinking
+    description: "Dynamic, reflective problem-solving through thought sequences"
+    command: npx
+    args: ["-y", "@modelcontextprotocol/server-sequential-thinking"]
+    tags: [UNIVERSAL]
+    category: general
+    url: "https://github.com/modelcontextprotocol/servers/tree/main/src/sequentialthinking"

package/templates/web-react/mcp-servers.yaml

@@ -0,0 +1,18 @@
+tag: WEB-REACT
+section: mcp-servers
+servers:
+  - name: chrome-devtools
+    description: "Chrome DevTools integration for debugging, profiling, and network inspection"
+    command: npx
+    args: ["-y", "@anthropic/chrome-devtools-mcp@latest"]
+    tags: [WEB-REACT, WEB-STATIC, ANALYTICS]
+    category: devtools
+    url: "https://github.com/anthropics/anthropic-quickstarts/tree/main/chrome-devtools-mcp"
+
+  - name: playwright
+    description: "Browser automation for E2E testing, screenshots, and web scraping"
+    command: npx
+    args: ["-y", "@anthropic/mcp-server-playwright"]
+    tags: [WEB-REACT, WEB-STATIC]
+    category: testing
+    url: "https://github.com/anthropics/anthropic-quickstarts/tree/main/mcp-server-playwright"

package/templates/web-static/mcp-servers.yaml

@@ -0,0 +1,18 @@
+tag: WEB-STATIC
+section: mcp-servers
+servers:
+  - name: chrome-devtools
+    description: "Chrome DevTools integration for debugging, profiling, and network inspection"
+    command: npx
+    args: ["-y", "@anthropic/chrome-devtools-mcp@latest"]
+    tags: [WEB-REACT, WEB-STATIC, ANALYTICS]
+    category: devtools
+    url: "https://github.com/anthropics/anthropic-quickstarts/tree/main/chrome-devtools-mcp"
+
+  - name: playwright
+    description: "Browser automation for E2E testing, screenshots, and web scraping"
+    command: npx
+    args: ["-y", "@anthropic/mcp-server-playwright"]
+    tags: [WEB-REACT, WEB-STATIC]
+    category: testing
+    url: "https://github.com/anthropics/anthropic-quickstarts/tree/main/mcp-server-playwright"

package/templates/web3/mcp-servers.yaml

@@ -0,0 +1,10 @@
+tag: WEB3
+section: mcp-servers
+servers:
+  - name: solidity
+    description: "Solidity smart contract development — compilation, ABI generation, and deployment helpers"
+    command: npx
+    args: ["-y", "mcp-server-solidity"]
+    tags: [WEB3]
+    category: devtools
+    url: "https://github.com/AIMONGmbH/solidity-mcp-server"

package/templates/zero-trust/instructions.yaml

@@ -0,0 +1,41 @@
+tag: ZERO-TRUST
+section: instructions
+blocks:
+  - id: deny-by-default-iam
+    tier: recommended
+    title: "Deny-by-Default IAM Policies"
+    content: |
+      ## Deny-by-Default IAM Policies
+
+      - Start with zero permissions. Every identity (user, service, Lambda) begins with no access and receives only explicit allows.
+      - Write IAM policies with explicit deny statements for sensitive operations. Explicit denies override any allows — use them as guardrails.
+      - Scope every IAM policy to specific resources using ARNs. Never use wildcard (*) for resources in production policies.
+      - Enforce condition keys on every policy: require specific VPCs, IP ranges, MFA, or time windows for access.
+      - Implement IAM policy boundaries (permission boundaries) to cap the maximum permissions any role can receive, regardless of attached policies.
+      - Automate IAM policy review: scan for overly permissive policies (Action: *, Resource: *) in CI and block deployment.
+
+  - id: explicit-allow-rules
+    tier: recommended
+    title: "Explicit Allow Rules & Least Privilege"
+    content: |
+      ## Explicit Allow Rules & Least Privilege
+
+      - Document every allow rule with a business justification: why this identity needs this action on this resource.
+      - Group related permissions into managed policies named by function (e.g., `OrderServiceReadDynamo`, `PaymentServiceInvokeKMS`).
+      - Use temporary credentials (STS AssumeRole) instead of long-lived access keys. Set maximum session duration to the minimum needed.
+      - Implement just-in-time (JIT) access for elevated privileges: temporary role escalation with automatic expiry and audit logging.
+      - Review and prune unused permissions quarterly using IAM Access Analyzer or equivalent. Remove any permission not used in 90 days.
+      - Tag all IAM roles and policies with owner, team, service, and last-review-date for governance and accountability.
+
+  - id: network-zero-trust
+    tier: optional
+    title: "Network-Level Zero Trust"
+    content: |
+      ## Network-Level Zero Trust
+
+      - Do not rely on network location (VPC, subnet) as a trust boundary. Authenticate and authorize every request regardless of origin.
+      - Encrypt all internal service-to-service communication with mutual TLS (mTLS). No plaintext traffic, even within a VPC.
+      - Implement service mesh or API gateway for policy enforcement at the network layer: rate limiting, authentication, authorization.
+      - Use private endpoints for AWS services (VPC endpoints) to keep traffic off the public internet.
+      - Segment workloads into isolated security groups with minimal ingress/egress rules. Default deny all, then add specific allows.
+      - Monitor and alert on unexpected network flows: new connections between services, unusual data transfer volumes, connections to unknown endpoints.

package/templates/zero-trust/mcp-servers.yaml

@@ -0,0 +1,14 @@
+tag: ZERO-TRUST
+section: mcp-servers
+servers:
+  - name: aws-iam
+    description: "AWS IAM policy analysis and management for zero-trust policy enforcement"
+    command: npx
+    args: ["-y", "mcp-server-aws"]
+    tags: [ZERO-TRUST, INFRA]
+    category: security
+    env:
+      AWS_REGION: ""
+      AWS_ACCESS_KEY_ID: ""
+      AWS_SECRET_ACCESS_KEY: ""
+    url: "https://github.com/modelcontextprotocol/servers"