marfrit/lmcp - lmcp - marfrit's space

marfrit/lmcp

Fork 0

Commit Graph

Author	SHA1	Message	Date
marfrit	c6efc8f685	initial import: lmcp 0.1.0 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-14 19:58:40 +00:00
test0r	6bf0f450dc	Security hardening: body size limit, JSON depth limit, timing-safe auth - Add MAX_BODY_SIZE (64KB) check before reading body — prevents pre-auth OOM on internet-facing deployments - Add JSON nesting depth limit (64 levels) — prevents C stack overflow that bypasses pcall and crashes the process - Timing-safe token comparison via XOR accumulate — prevents timing oracle on Bearer token - Auth token from LMCP_TOKEN env var (highest priority) — avoids storing token in a file readable by the read_file tool - Silent handling of unknown JSON-RPC notifications (spec compliance) - Exact path matching on /mcp endpoint (was prefix-based) - Remove dead json.array() function Findings from architecture review + security audit. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-11 20:45:16 +02:00
test0r	2bd661a8c9	Initial release: Lua MCP server library Zero-dependency MCP (Model Context Protocol) server in pure Lua. Only requires luasocket. 2MB RSS vs Python FastMCP's 97MB. - json.lua: pure Lua JSON encoder/decoder (~150 lines) - lmcp.lua: MCP server with streamable-http transport (~230 lines) - example_server.lua: shell/file tools demo Implements MCP 2025-03-26: initialize, tools/list, tools/call, notifications/initialized, ping. JSON-RPC 2.0. SSE support. CORS. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-04-05 15:54:25 +00:00

Author

SHA1

Message

Date

marfrit

c6efc8f685

initial import: lmcp 0.1.0

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-14 19:58:40 +00:00

test0r

6bf0f450dc

Security hardening: body size limit, JSON depth limit, timing-safe auth

- Add MAX_BODY_SIZE (64KB) check before reading body — prevents pre-auth
  OOM on internet-facing deployments
- Add JSON nesting depth limit (64 levels) — prevents C stack overflow
  that bypasses pcall and crashes the process
- Timing-safe token comparison via XOR accumulate — prevents timing
  oracle on Bearer token
- Auth token from LMCP_TOKEN env var (highest priority) — avoids storing
  token in a file readable by the read_file tool
- Silent handling of unknown JSON-RPC notifications (spec compliance)
- Exact path matching on /mcp endpoint (was prefix-based)
- Remove dead json.array() function

Findings from architecture review + security audit.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-11 20:45:16 +02:00

test0r

2bd661a8c9

Initial release: Lua MCP server library

Zero-dependency MCP (Model Context Protocol) server in pure Lua.
Only requires luasocket. 2MB RSS vs Python FastMCP's 97MB.

- json.lua: pure Lua JSON encoder/decoder (~150 lines)
- lmcp.lua: MCP server with streamable-http transport (~230 lines)
- example_server.lua: shell/file tools demo

Implements MCP 2025-03-26: initialize, tools/list, tools/call,
notifications/initialized, ping. JSON-RPC 2.0. SSE support. CORS.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

2026-04-05 15:54:25 +00:00

3 Commits