@neito/mcp
v0.1.3
Published
MCP server exposing Neito (AI LP builder) operations to AI clients. Pro / Business プラン以上が利用可能。
Maintainers
Readme
@neito/mcp
Model Context Protocol server that exposes Neito (AI LP builder) operations to AI clients (Claude Code, Cursor, MCP Inspector, etc.).
npm: @neito/mcp — Pro / Business プラン以上が利用可能。
日本語セットアップガイド: リポジトリ内
docs/mcp-setup-guide.md
The server is a thin stdio adapter. All real work happens server-side in two Supabase Edge Functions:
mcp-execute— handles CRUD, publish, analytics (the bulk of tools)generate-lp-image— image generation (credits-consuming)
This Node process only authenticates, validates input, forwards the call, and shapes the response.
Architecture
┌─────────────┐ stdio ┌──────────────┐ HTTPS ┌─────────────────────┐
│ MCP client │ <──────> │ @neito/mcp │ ─────────> │ Supabase Edge fns │
│ (Claude…) │ │ (this package)│ │ mcp-execute / image │
└─────────────┘ └──────────────┘ └──────────┬──────────┘
│
▼
┌───────────────┐
│ Postgres + RLS │
└───────────────┘Authentication uses workspace-scoped API keys of the form neito_sk_<32 alnum> (see 200_workspace_api_keys.sql migration in the main repo). The key is hashed with SHA-256 and verified against the api_keys table on every request; scopes (projects:read, etc.) gate individual tools.
Tools
| Category | Tools |
| ---------- | --------------------------------------------------------------------- |
| Read | listProjects, getProject, listSections |
| Write | createProject, updateSectionContent, addSection, removeSection, moveSection, updateGlobalStyles |
| Generate | generateAllImages, regenerateSection (both require confirm: true) |
| Publish | publishSite, unpublishSite, updateSubdomain (publish/unpublish require confirm: true) |
| Analytics | getSiteAnalytics |
Tools that mutate billable state (image generation, publish, unpublish) require an explicit confirm: true flag in the input. The server rejects the call before forwarding when the flag is missing.
Install
Pick one:
# Global install
npm install -g @neito/mcp
# → exposes the `neito-mcp` bin
# One-shot via npx (no install)
npx -y @neito/mcp
# Or from a local checkout
cd mcp-server && npm install && npm run buildIssue an API key (no UI yet)
The dashboard UI is not shipped yet. Until then, insert a row directly via the Supabase REST endpoint using a service-role key (run this from a machine you trust):
# 1. Generate a random key
KEY="neito_sk_$(openssl rand -hex 16)"
# 2. Compute its sha256 (this is what the DB stores — the raw key is never persisted)
HASH=$(printf '%s' "$KEY" | shasum -a 256 | awk '{print $1}')
# 3. Insert via PostgREST. Replace <WORKSPACE_UUID> and <SERVICE_ROLE_KEY>.
curl -X POST 'https://zknwrrjlxwzheqyjvvlr.supabase.co/rest/v1/api_keys' \
-H "apikey: <SERVICE_ROLE_KEY>" \
-H "Authorization: Bearer <SERVICE_ROLE_KEY>" \
-H 'Content-Type: application/json' \
-d "{
\"workspace_id\": \"<WORKSPACE_UUID>\",
\"key_hash\": \"$HASH\",
\"key_prefix\": \"${KEY:0:12}\",
\"label\": \"local-mcp\",
\"scopes\": [\"projects:read\",\"projects:write\",\"images:generate\",\"sites:publish\"]
}"
echo "Your key (save it now, it is not recoverable):"
echo "$KEY"The dashboard UI (Settings → API Keys → "Create MCP key") will replace this once shipped; the storage shape will not change.
Configure your MCP client
Recommended (npx — works for Claude Desktop, Cursor, Claude Code):
{
"mcpServers": {
"neito": {
"command": "npx",
"args": ["-y", "@neito/mcp"],
"env": {
"NEITO_API_KEY": "neito_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
}
}
}Local checkout (development):
{
"mcpServers": {
"neito": {
"command": "node",
"args": ["/absolute/path/to/neito/mcp-server/dist/index.js"],
"env": {
"NEITO_API_KEY": "neito_sk_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"NEITO_SUPABASE_URL": "https://zknwrrjlxwzheqyjvvlr.supabase.co"
}
}
}
}NEITO_MCP_ENDPOINT and NEITO_GENERATE_IMAGE_ENDPOINT can be overridden directly; otherwise they are derived from NEITO_SUPABASE_URL.
Smoke test with the MCP Inspector:
cd mcp-server && npm run build
NEITO_API_KEY=neito_sk_... npx @modelcontextprotocol/inspector node dist/index.jsEnvironment
| Variable | Required | Default |
| ------------------------------ | -------- | ------------------------------------------------------------------------- |
| NEITO_API_KEY | yes | — |
| NEITO_SUPABASE_URL | no | https://zknwrrjlxwzheqyjvvlr.supabase.co |
| NEITO_MCP_ENDPOINT | no | ${NEITO_SUPABASE_URL}/functions/v1/mcp-execute |
| NEITO_GENERATE_IMAGE_ENDPOINT| no | ${NEITO_SUPABASE_URL}/functions/v1/generate-lp-image |
| NEITO_MCP_TIMEOUT_MS | no | 30000 |
Development
npm run dev # tsc --watch
npm run typecheck # type-only
npm run build # emit dist/
npm run start # node dist/index.js
npm test # vitestThe MCP server is a leaf package; it does not depend on the main Neito app and is safe to release independently.
Security
- The API key is read from env at process start and never logged.
- All requests carry both
Authorization: BearerandX-API-Keyfor redundancy; the Edge Function picks whichever is present. - Scopes are enforced server-side (the client cannot escalate by editing this code).
- Failed auth, expired keys, and revoked keys all return
401; insufficient scope returns403. - Mutating tools require
confirm: truein the input to avoid accidental fires from LLM hallucinations.
Related
- Wireframe REST API (
nk_live_keys /neito-api) — separate from this package. Seedocs/api-reference.mdand internalpackages/mcp-server(not published).
