Skip to content

schwarztim/thesun

Repository files navigation

thesun

One tool to generate, run, route, and authenticate MCP servers — with zero Docker dependency.

thesun bundles what used to be four separate projects into a single, cohesive, shippable tool. You install it once and manage everything through one CLI. MCP servers run as native Go binaries (or Python bundled into static/Go-style containers) supervised by a local process manager — no Docker, no ToolHive.

generate  ─▶  run  ─▶  route  ─▶  authenticate
generator     fleet    gateway    hermes

Subsystems

Dir What it is Role
generator/ the REST→MCP generator (formerly "thesun") generate MCP servers (Go by default; Python only when a target needs curl_cffi browser-TLS)
fleet/ fleetd supervisor + unified fleet CLI run/manage — start/stop/restart, logs, add/remove, an interactive menu, plus credential + session management
gateway/ the MCP mux/router route — one endpoint that muxes every server to your clients (Claude Code, GitHub Copilot CLI, OpenAI Codex CLI, OpenCode), with safety classification
hermes/ local auth broker + encrypted vault authenticate — owns SSO re-authentication, token caching, and the vault so servers never store secrets

Default MCP servers, multiple clients

A fresh install builds and pre-registers three MCP servers with genuinely-easy auth (no corporate SSO broker, no admin-consent app registration): ServiceNow and Atlassian (Jira + Confluence) via basic auth, and Microsoft 365 (Teams, Mail, Calendar, OneDrive) via a one-time device-code login. GitHub is available opt-in (needs a personal access token).

./install.sh compiles the two Go servers (atlassian, servicenow) into their bin/ directories and installs the vendored ms365 dependencies. They are built, not yet usable: each still needs its own credential before first use. Set the basic-auth secrets with thesun secrets set atlassian basic and thesun secrets set servicenow basic, and run the one-time Microsoft device-code login for ms365 (see servers/vendor/ms365/README.md). Run thesun doctor to see which defaults are ready. If a distribution does not vendor ms365, install skips it (not a failure) and only the two Go defaults are built.

thesun install wires the gateway into every AI client it detects on the machine — Claude Code, GitHub Copilot CLI, OpenAI Codex CLI, and OpenCode — so all of them talk to the same fleet through the same gateway endpoint.

MCP Store

Beyond generating your own servers, thesun ships a store for finding, installing, and publishing signed MCP server binaries. It spans three repos: thesun (this toolchain), thesun-servers (the curated Go server monorepo), and thesun-registry (the signed catalog index the CLI fetches).

thesun search <query>            # search the catalog (trust badge: curated vs community)
thesun add <name>[@version]      # verify (sha256 + Ed25519) then install + wire into the fleet
thesun remove <name>             # remove an installed server
thesun update [<name>]           # refresh the catalog, or upgrade an installed server
thesun keygen                    # generate an author Ed25519 keypair
thesun publish <dir>             # Lab-gated: cross-compile, sign, and emit an index entry

Two trust tiers: curated (maintainer Ed25519-signed, Conformance-Lab-proven, CI-re-gated) and community (self-attested, clearly labeled, opt-in via --community). Every add is fail-closed: a checksum, signature, revoked, or lab-report failure refuses the install and writes nothing. Both tiers are contained at runtime by the same gateway policy floor, so a pulled server's WRITE/DELETE/outbound tools still require out-of-band human approval. Full reference: docs/MCP-STORE.md.

Security posture

Every tool call that reaches a backend through the gateway passes through a single chokepoint that classifies its blast radius and, for anything beyond a plain read, refuses to dispatch until a human, not the model, approves it. Guardrails the AI can't talk its way out of, for every client. See docs/SECURITY-MODEL.md for the current two-tier threat model and guarantees.

Quick start

./install.sh            # build generator, fleetd + thesun CLI, gateway, hermes
export PATH="$(pwd)/bin:$PATH"
thesun install           # init → register OS service → up → doctor → wire AI clients
thesun status            # see the whole stack + every server's health

Full walkthrough (prerequisites, the agent-guided install loop, per-client wiring, default-server credential setup, troubleshooting): docs/INSTALL.md.

The thesun CLI (single entry point)

thesun generate <spec>                # generate a new MCP server (delegates to generator/)
thesun list | menu | logs <name>      # fleet inspection: status table, dashboard, tail logs
thesun start|stop|restart [name]      # lifecycle (all if name omitted)
thesun add|rm <name> …                # add/remove a server from the fleet
thesun secrets add|list|show|rm       # credentials (secret-safe; delegates to the Hermes vault)
thesun acquire <svc>                  # (re)authenticate an SSO session
thesun approve | grants               # human-only Tier-B approvals (production/secret-value/outbound-message calls)
thesun gateway status|reload          # the mux/router
thesun up|down|status|doctor|install  # whole-stack lifecycle + readiness diagnostics
thesun upgrade | version              # self-update

Fleet and credential commands delegate to the fleet subsystem's CLI; generation to generator/; auth to hermes/. One tool, four subsystems, no Docker. Full command reference: thesun --help, or fleet/fleetd/cmd/thesun/main.go's usage().

Design principles

  • Docker-free. Servers run native (Go) or as thin static/Python-in-Go containers, supervised by fleetd.
  • Secrets stay in the vault. Hermes owns credentials + SSO re-auth; nothing else stores secret values.
  • Go-native by default. Python is used only when a target genuinely needs curl_cffi browser-TLS.
  • One CLI, one install. Ship it as a single package that's easy for others to run and manage.

See docs/ for install docs, packaging/release, and architecture background.

About

Autonomous MCP Server Generation Platform - Zero-config, self-healing, browser-enhanced API discovery

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors