内容摘录
<img alt="MCP Mesh Readme Banner" src="https://github.com/user-attachments/assets/e6283421-71ff-478d-8c45-9fb67d484888" />
<h1 align="center">MCP Mesh</h1>
<p align="center">
<em>MCP-native · TypeScript-first · Deploy anywhere</em><br/><br/>
<b>One secure endpoint for every MCP server.</b>
</p>
<p align="center">
<a href="https://docs.deco.page/">📘 Docs</a> ·
<a href="https://decocms.com/discord">💬 Discord</a> ·
<a href="https://decocms.com/mesh">🌐 decocms.com/mesh</a>
</p>
**TL;DR:**
Route all MCP traffic through a single governed endpoint
Enforce RBAC, policies, and audit trails at the control plane
Full observability with OpenTelemetry — traces, costs, errors
Runtime strategies as mcps for optimal tool selection
Self-host with Docker, Bun/Node, Kubernetes, or run locally
---
What is an MCP Mesh?
**MCP Mesh** is an open-source control plane for MCP traffic. It sits between your MCP clients (Cursor, Claude, Windsurf, VS Code, custom agents) and your MCP servers, providing a unified layer for auth, routing and observability.
It replaces M×N integrations (M MCP servers × N clients) with one production endpoint, so you stop maintaining separate configs in every client. Built for multi-tenant orgs: workspace/project scoping for policies, credentials, and logs.
---
Quick Start
→ runs at http://localhost:3000 (client) + API server
Or use npx @decocms/mesh to instantly get a mesh running.
---
Runtime strategies as Virtual MCPs
As tool surfaces grow, “send every tool definition to the model on every call” gets expensive and slow.
The mesh models runtime strategies as Virtual MCPs: one endpoint, different ways of exposing tools.
Examples:
Full-context: expose everything (simple and deterministic for small toolsets)
Smart selection: narrow the toolset before execution
Code execution: load tools on demand and run code in a sandbox
Virtual MCPs are configurable and extensible. You can add new strategies and also curate toolsets (see Virtual MCPs).
---
Core Capabilities
| Capability | What it does |
|-------|-------------|
| **MeshContext** | Unified runtime interface providing auth, storage, observability, and policy control |
| **defineTool()** | Declarative API for typed, auditable, observable MCP tools |
| **AccessControl** | Fine-grained RBAC via Better Auth — OAuth 2.1 + API keys per workspace/project |
| **Multi-tenancy** | Workspace/project isolation for config, credentials, policies, and audit logs |
| **OpenTelemetry** | Full tracing and metrics for tools, workflows, and UI interactions |
| **Storage Adapters** | Kysely ORM → SQLite / Postgres, easily swapped |
| **Proxy Layer** | Secure bridge to remote MCP servers with token vault + OAuth |
| **Virtual MCPs** | Compose and expose governed toolsets as new MCP servers |
| **Event Bus** | Pub/sub between connections with scheduled/cron delivery and at-least-once guarantees |
| **Bindings** | Capability contracts (ex.: agents, workflows, views) so apps target interfaces instead of specific MCP implementations |
---
Define Tools
Tools are first-class citizens. Type-safe, audited, observable, and callable via MCP.
Every tool call automatically gets: input/output validation, access control checks, audit logging, and OpenTelemetry traces.
---
Project Structure
---
Development
Mesh-specific commands (from apps/mesh/)
Running with worktrees (subdomain per workspace)
dev:worktree routes http://<WORKTREE_SLUG>.localhost to the dev server via Caddy. Useful for running multiple workspaces in parallel without port conflicts.
**One-time setup:**
**Start dev server for a worktree:**
Ports for Hono and Vite are allocated automatically. On exit (Ctrl+C) the route is removed and ports are freed. State is tracked in ~/.worktree-devservers/proxy-map.json.
**Conductor adapter** (sets WORKTREE_SLUG from CONDUCTOR_WORKSPACE_NAME automatically):
---
Deploy Anywhere
Runs on any infrastructure — Docker, Kubernetes, AWS, GCP, or local Bun/Node runtimes. No vendor lock-in.
---
Tech Stack
| Layer | Tech |
|-------|------|
| Runtime | Bun / Node |
| Language | TypeScript + Zod |
| Framework | Hono (API) + Vite + React 19 |
| Database | Kysely → SQLite / PostgreSQL |
| Auth | Better Auth (OAuth 2.1 + API keys) |
| Observability | OpenTelemetry |
| UI | React 19 + Tailwind v4 + shadcn |
| Protocol | Model Context Protocol (MCP) |
---
Roadmap
[ ] Multi-tenant admin dashboard
[ ] MCP bindings (swap providers without rewrites)
[ ] Version history for mesh configs
[ ] NPM package runtime
[ ] Edge debugger / live tracing
[ ] Cost analytics and spend caps
[ ] MCP Store — discover and install pre-built MCP apps
---
Part of deco CMS
The MCP Mesh is the infrastructure layer of decoCMS.
| Layer | What it does |
|-------|--------------|
| **MCP Mesh** | Connect, govern, and observe MCP traffic |
| **MCP Studio** (coming soon) | Package durable MCP capabilities into shareable apps (SDK + no-code admin) |
| **MCP Store** (coming soon) | Discover, install (and eventually monetize) pre-built MCP apps. |
---
License
The MCP Mesh ships with a **Sustainable Use License (SUL)**. See LICENSE.md.
✅ Free to self-host for internal use
✅ Free for client projects (agencies, SIs)
⚠️ Commercial license required for SaaS or revenue-generating production systems
Questions? contact@decocms.com
---
Contributing
We welcome contributions! Run the following before submitting a PR:
See AGENTS.md for detailed coding guidelines and conventions.
---
<div align="center">
<sub>Made with ❤️ by the <a href="https://decocms.com">deco</a> community</sub>
</div>