# Cutline MCP — Engineering Guardrails for Vibecoding

**Security, reliability, and scalability constraints for your coding agent.** Free code audits, 9 compliance frameworks, pre-mortem analysis, and a Red-Green-Refactor workflow — all injected directly into Cursor, Claude, Windsurf, or any MCP client.

[![npm](https://img.shields.io/npm/v/@vibekiln/cutline-mcp-cli)](https://www.npmjs.com/package/@vibekiln/cutline-mcp-cli)
[![MCP Registry](https://img.shields.io/badge/MCP_Registry-ai.thecutline-blue)](https://registry.modelcontextprotocol.io)
[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](https://opensource.org/licenses/MIT)

## Install

### npm (Recommended)

```bash
npm install -g @vibekiln/cutline-mcp-cli@latest
```

`@vibekiln/cutline-mcp-cli` includes the standard Cutline MCP servers and **SlopBurn** (the product quality engineering roguelike RPG mode) in the same install.

If you want a dedicated SlopBurn-first CLI with separate onboarding/config UX, use:

```bash
npm install -g @vibekiln/slopburn-cli
slopburn setup
slopburn serve
```

### Docker

```bash
docker run -i ghcr.io/kylewadegrove/cutline-mcp serve constraints
```

### Claude Desktop (.mcpb)

Download `cutline-mcp.mcpb` from the [latest release](https://github.com/kylewadegrove/cutline/releases) and double-click to install.

## Quick Start

```bash
# 1. Install and run setup (does login + IDE config + rules)
cd /path/to/your/project
npm install -g @vibekiln/cutline-mcp-cli@latest
cutline-mcp setup
```

Then ask your AI agent: **"use cutline"**

For test-heavy flows, use the explicit bootstrap + route:

```bash
npx -y @vibekiln/cutline-mcp-cli@latest setup
```

Then ask:
- `Write tests for this PR`
- `use cutline to generate and run constraint-grounded tests for this scope increase`

Cutline interprets intent and tier:
- Natural variants also work: `use cutline to ...`, `using cutline, ...`, `with cutline ...`
- Free/default: runs `code_audit` (generic codebase scan)
- Premium product-linked: runs `engineering_audit` (deep analysis + RGR)

## What It Does

| Capability | Free | Premium |
|---|---|---|
| **Code Audit** — security, reliability, scalability scan | 3/month | Unlimited |
| **9 Compliance Frameworks** — SOC 2, PCI-DSS, HIPAA, GDPR, OWASP LLM, FedRAMP, GLBA, FERPA/COPPA | Auto-loaded | Auto-loaded |
| **Engineering Audit** — deep product-linked scan + RGR remediation plan | — | Unlimited |
| **Pre-Mortem Analysis** — risks, assumptions, competitive threats | — | Unlimited |
| **Constraint Graph** — product-specific NFR routing | — | Full access |
| **AI Personas** — stakeholder feedback on features | — | Full access |
| **Idea Validation** — fast-track from free web validation | — | Included |

### SlopBurn

SlopBurn is a **product quality engineering roguelike RPG** built into the Cutline MCP ecosystem.
It turns deep-dive + verification loops into game progression, where test checks act like encounters, XP tracks quality gains, and MCP servers unlock as spells.

## 54 MCP Tools

### Free Tier

| Tool | Description |
|---|---|
| `code_audit` | Security, reliability, and scalability scan (3/month) |
| `exploration_start` | Start a guided product idea exploration |
| `exploration_chat` | Continue an exploration conversation |
| `exploration_graduate` | Graduate top idea (teaser for free, full for premium) |
| `llm_status` | Check AI/LLM provider health |
| `perf_status` | Check MCP server performance metrics |

### Premium Tier (50+ tools)

**Pre-Mortem & Deep Dive:** `premortem_run`, `premortem_from_idea`, `premortem_queue`, `premortem_status`, `premortem_kick`, `premortem_list`, `premortem_render_pdf`, `premortem_qa`, `premortem_regen_assumptions`, `premortem_regen_experiments`

**Personas:** `personas_list`, `personas_get`, `personas_chat`

**Constraint Graph:** `constraints_query`, `constraints_auto`, `constraints_ingest`, `constraints_list`, `constraints_learn`, `constraints_embed`, `constraints_semantic_query`, `constraints_ingest_persona`, `constraints_ingest_wiki`, `constraints_ingest_doc`, `constraints_heal`

**Graph Operations:** `graph_ingest_requirements`, `graph_get_boundaries`, `graph_bind_codebase`, `graph_bind_confirm`, `graph_view`, `graph_conflicts`, `graph_metrics`

**Code & RGR:** `engineering_audit`, `rgr_plan`, `rgr_complete_phase`, `export_readiness_badge`

**Wiki & Integrations:** `wiki_load`, `wiki_save`, `wiki_apply_edits`, `agent_chat`, `integrations_create_issues`

**Templates:** `template_list`, `template_get`, `template_create`, `template_discover`

**Config:** `generate_cutline_md`

## Commands

### `login`

Authenticate with Cutline. Opens your browser for a quick email-only signup (no password needed). Stores credentials in your system keychain.

```bash
cutline-mcp login
cutline-mcp login --staging   # Use staging environment
cutline-mcp login --signup    # Full sign-up page (email + password)
```

### `init`

Generate IDE-specific config files for your project. Adapts to your tier:

```bash
cutline-mcp init
cutline-mcp init --project-root /path/to/project
```

**Free tier writes:**
- `.cursor/rules/rgr-workflow.mdc` — RGR cycle with `code_audit`
- `.cursor/rules/ambient-constraints.mdc` — Constraint checking guidance
- `CLAUDE.local.md` — Same instructions for Claude Code

**Premium tier adds:**
- `.cursor/rules/cutline.mdc` — Points agent to `.cutline.md`

All files are gitignored automatically.

### `setup`

Print the MCP server configuration to add to your IDE.

```bash
cutline-mcp setup
```

### `serve <server>`

Start an MCP server (used by IDE MCP configs).

```bash
cutline-mcp serve constraints    # Main server (engineering audit, constraints, graph)
cutline-mcp serve premortem      # Pre-mortem and deep dive
cutline-mcp serve exploration    # Idea exploration
cutline-mcp serve tools          # Utility tools
cutline-mcp serve output         # Export and rendering
cutline-mcp serve integrations   # External integrations
```

HTTP bridge mode (for registries/hosts that require an HTTPS MCP URL):

```bash
cutline-mcp serve constraints --http --host 0.0.0.0 --port 8080 --path /mcp
# Health: GET /health
# MCP endpoint: POST /mcp
```

Bridge notes:
- Default mode remains stdio (no behavior change for Cursor/Claude Desktop local configs).
- The bridge forwards JSON-RPC requests to the bundled stdio server process.
- Batch JSON-RPC payloads are not supported by the bridge.

### `upgrade`

Open the upgrade page and refresh your session.

```bash
cutline-mcp upgrade
```

### `status` / `logout`

```bash
cutline-mcp status    # Check auth and subscription
cutline-mcp logout    # Remove stored credentials
```

## How It Works

### Authentication

```
1. cutline-mcp login
2. CLI starts local callback server on localhost:8765
3. Browser opens — enter email, receive magic link, click it
4. CLI receives token and stores it in your OS keychain
```

Existing users who are already signed in complete automatically. Password sign-in is also available.

### RGR Workflow

The `init` command creates rules that make your AI coding agent follow the Red-Green-Refactor cycle automatically:

1. **Plan** — Check constraints before implementing
2. **Implement** — Write code addressing the constraints
3. **Verify** — Run a code audit to check coverage
4. **Complete** — Mark the phase done to update readiness scores

When the agent detects testing intent (write/generate/validate tests), it should route through Cutline first and, if not configured, prompt the install bootstrap command above before continuing.

### Compliance Frameworks

Cutline auto-detects your stack and loads the appropriate compliance constraints:

| Framework | Triggers |
|---|---|
| SOC 2 | Always loaded |
| Security Baseline | Always loaded |
| PCI-DSS | Stripe, payment libs |
| HIPAA | Health/FHIR/HL7 libs |
| GDPR / CCPA | Analytics, auth libs |
| OWASP LLM Top 10 | OpenAI, LangChain, RAG |
| FedRAMP | GovCloud, FIPS |
| GLBA | Plaid, banking SDKs |
| FERPA / COPPA | Clever, Canvas, EdTech |

## Registry Listings

### Official MCP Registry

```bash
# Verify namespace
mcp-publisher login dns --domain thecutline.ai

# Publish
mcp-publisher publish
```

Config: [`server.json`](./server.json)

### Smithery

Config: [`smithery.yaml`](./smithery.yaml) with [`Dockerfile`](./Dockerfile)

If the publish UI requires an MCP Server URL, deploy the bridge and provide your public HTTPS endpoint, for example:

`https://mcp.thecutline.ai/mcp`

### Claude Desktop Extension

```bash
npm run build:mcpb
# → cutline-mcp.mcpb (drag into Claude Desktop)
```

Config: [`mcpb/manifest.json`](./mcpb/manifest.json)

## Troubleshooting

### Port 8765 in use

```bash
lsof -i :8765
kill -9 <PID>
```

### Authentication timeout

The browser didn't complete within 10 minutes. Run `cutline-mcp login` again.

### Failed to refresh token

```bash
cutline-mcp logout
cutline-mcp login
```

### Keychain Access Denied (macOS)

1. Open Keychain Access
2. Find "cutline-mcp" entry
3. Right-click → Get Info → Access Control
4. Add your Terminal/IDE to allowed applications