Is io.github.mova-compact/mova-mcp-connector safe to use?

io.github.mova-compact/mova-mcp-connector has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.

How do I install io.github.mova-compact/mova-mcp-connector?

io.github.mova-compact/mova-mcp-connector can be installed by cloning its GitHub repository and following the setup instructions in the README.

What AI clients work with io.github.mova-compact/mova-mcp-connector?

io.github.mova-compact/mova-mcp-connector is compatible with Claude Desktop, Cursor, Claude Code, and most MCP clients that support stdio transport. It uses stdio transport.

mova-mcp-connector

mova-mcp-connector is the thin Rust MCP server that sits above the existing MOVA platform connector model.

Current role:

expose MOVA connector capabilities through an MCP-compatible tool surface
resolve connector definitions from mcp_door
resolve business bindings from mcp_door
resolve access-registry state from mcp_door
prepare a normalized proxy plan for upstream transport
stay thin and platform-aware instead of inventing a second connector subsystem

This service is intentionally separate from:

mova-tool-sdk which stays Python-first and user-facing
mova-state-1.5 which remains the operational truth

Current release state:

binary starts locally and exposes MCP plus proxy HTTP surfaces
proxy prepare/invoke work against mcp_door
endpoint_ref and secret_ref can be resolved from local transport maps
local binding-driven upstream MCP invoke has been proven end-to-end
remaining work is production hardening, not protocol viability

Public docs:

Surface

Current endpoints:

GET /health
GET /v1/connectors/:connector_id
GET /v1/bindings/:binding_id
POST /v1/proxy/prepare
POST /v1/proxy/invoke
POST /mcp

Current MCP methods:

initialize
tools/list
tools/call

Current MCP tools:

mova.connectors.get
mova.bindings.get
mova.proxy.prepare
mova.proxy.invoke

Invocation Boundary

the service can perform a real upstream MCP call by sending initialize and then tools/call
it can resolve endpoint_ref through MOVA_MCP_CONNECTOR_ENDPOINT_REFS_JSON
it can resolve secret_ref through MOVA_MCP_CONNECTOR_SECRET_REFS_JSON
it now reads /access/connectors and /access/vault-bindings to enrich business bindings with real platform access metadata
caller-provided upstream_url and headers still work as override or fallback
strongest local proof currently covered:
- business binding contains endpoint_ref and secret_ref
- proxy resolves transport from platform material without explicit upstream_url
- upstream MCP server completes a real external read-only HTTP call and returns through proxy

Config

Environment:

MOVA_PLATFORM_URL
MCP_DOOR_BASE_URL
MOVA_DOOR_BASE_URL
MOVA_ADMIN_READ_TOKEN
MCP_DOOR_GATEWAY_KEY_ID
MCP_DOOR_GATEWAY_SHARED_SECRET
MCP_DOOR_ACTOR_ID
MCP_DOOR_ACTOR_ROLE
MCP_DOOR_ACTOR_TYPE
MOVA_MCP_CONNECTOR_ENDPOINT_REFS_JSON
MOVA_MCP_CONNECTOR_SECRET_REFS_JSON
MOVA_MCP_CONNECTOR_BIND_ADDR

See .env.example for a local bootstrap shape.

Intent

This repo is the future home of the single MCP connector/proxy mentioned in the production planning work. The current implementation establishes:

the real platform contour
signed gateway transport to mcp_door
a first MCP-compatible tool surface
a proven proxy boundary for upstream MCP invocation

io.github.mova-compact/mova-mcp-connector

Quick Install

Should you use this server?

Test This Server

Score Breakdown

MCPpedia Score

Security

Help improve this page

Reviews

Frequently Asked Questions

Similar servers

Memory MCP Server

Context Mode

Idea Reality MCP Server

Browser Tools Mcp

Discussion

mova-mcp-connector

Surface

Invocation Boundary

Config

Intent