@quarry-systems/pangolin-mcp
v0.2.0
Published
Stdio MCP server exposing exactly nine run-time, orchestration-safe tools; privileged register/assign ops never reach the AI loop.
Readme
-systems/pangolin-mcp
An MCP server that wraps PangolinClient and exposes the run-time, orchestration-safe subset of its surface to AI tool callers. The server exposes exactly six tools — pangolin_dispatch, pangolin_dispatch_describe, pangolin_dispatch_cancel, pangolin_capabilities_list, pangolin_subagents_list, pangolin_envs_list — and nothing else. Privileged operations (register, assign) are deliberately absent: prompt injection on capability content is as dangerous as secret exfiltration on env, so the entire artifact-creation surface stays out of the AI loop.
Install
pnpm add -systems/pangolin-mcpBasic usage
Register the server in your MCP client (Claude Code, Claude Desktop, etc.). The bin entry resolves pangolin.config.{ts,js,mjs} from its working directory, constructs an PangolinClient, and serves over stdio.
{
"mcpServers": {
"pangolin": {
"command": "npx",
"args": ["-y", "-systems/pangolin-mcp"],
"cwd": "/path/to/your/deploy/repo"
}
}
}The MCP server inherits the privileges of whoever launched it — there is no separate auth between the orchestrator and pangolin-mcp. Locking down who can launch the server is the integrator's IAM concern.
Spec
- §4.6 The pangolin-mcp tool surface — the six-tool allowlist this server enforces.
- §7.7 Privileged operations are never reachable through an AI tool surface — the rationale for the omitted register/assign operations.
Decisions
- ADR-0005 — Privileged ops never AI-reachable: why this server omits
registerandassign. - ADR-0006 — pangolin-mcp auth: whoever launched: the trust model for the stdio transport.
