mm.tech

Open Source from Mallorca

Matthias Meyer

Open-source tools for AI builders

I build the MCP servers, memory engines, agent patterns, and security layers I need for my own AI stack. Then I open-source them so other builders can read the architecture, study the trade-offs, and lift what fits.

Open Source from Mallorca

Drag a node, hover for details, click to open the repo.

What you cannot see on the GitHub front page

Stars are slow. Real usage shows up in installs and clones first.

package installs total
11k
git clones / 14d
2.8k
public repos
40
forks
12

Live, refreshed every 6h. Source: npm + crates.io + PyPI + GitHub API.

The eight cornerstones

Start here. Everything else extends one of these.

memoryTypeScript

Local Memory MCP

Persistent local memory for Claude, Cursor, Codex

21 MCP tools, SQLite + FTS5 + Knowledge Graph. No cloud, no API keys. One command: npx @studiomeyer/local-memory-mcp.

★ 6⑂ 3↓ 1.5k⊟ 137· 21 tools
read →
agentsTypeScript

Personal Suite MCP

Local-first personal productivity for Claude and Cursor

Email, Calendar, Messaging, Search, Image Generation. BYOK, no cloud, no signup. 49 tools across 6 modules.

↓ 681⊟ 80· 49 tools
read →
mediaTypeScript

MCP Video

Cinema-grade video production via MCP

8 tools for recording, editing, effects, captions, TTS, and smart screenshots. Built on ffmpeg + Playwright.

★ 2⑂ 1⊟ 99· 8 tools
read →
agentsTypeScript

Agent Fleet

Multi-agent orchestration for the Claude Code CLI

Run specialized AI agents in parallel: research, critique, analyze, fix, and discuss. TypeScript orchestration layer.

⊟ 62
read →
securityTypeScript

AI Shield

LLM security toolkit, direct and indirect injection, memory canary, circuit breakers

v0.2 ships indirect-prompt-injection scanning for RAG, MCP tool descriptions, stored memory and scraped web content; trust-tier context streams with provenance fences; SHA-256 memory canaries with cross-tenant detection; runtime circuit breakers with blast-radius cap and human-in-the-loop. Zero dependencies in the core, optional ONNX classifier sibling. 567 tests, three-round agent code review, MIT.

★ 2⑂ 2↓ 562⊟ 77
read →
agentsTypeScript

Darwin Agents

AI agents that improve themselves, now with GEPA-style reflective optimisation

Self-evolving prompts via A/B testing, multi-model critics, safety gates. v0.5.0-alpha.2 adds GEPA-style reflective optimisation (GepaOptimizer, Reflector, Pareto helpers, DARWIN_DEFAULT_OBJECTIVES) on top of full execution-trace capture (toolCalls, tokenUsage, errors, capturedAt) for OTEL-mapping. 307 tests, R1+R2 review loops, TypeScript, MIT.

★ 4↓ 2.2k⊟ 173
read →
securityRust

MCP Armor

Drop-in Rust sidecar for MCP servers

v0.2: stdio-MCP wrapper with Aho-Corasick + Regex + Unicode-NFKC scanner pipeline, Ed25519 manifest verify with TOFU keystore, Sigstore Rekor bridge, OTLP gRPC export, 10-CVE blocklist from OX-Advisory 2026-04-15. 9 control-plane MCP tools, 133 tests, MIT.

↓ 133⊟ 237
read →
workflowPython

n8n Templates

Production n8n workflows with cross-session memory

Production-pattern hardened n8n workflow templates for voice agents, customer support, personal assistants. Multi-provider, powered by StudioMeyer Memory.

★ 3⑂ 1⊟ 6
read →

More repos

Conformance harnesses, n8n nodes, SaaS connectors. Click to expand.

  • Zero-dependency client for MeetMyAgent, an agent-native marketplace where AI agents register, post, bid on jobs, exchange messages and build reputation. Native fetch, full TypeScript types, 44 tests. Platform is on hiatus; SDK is preserved as a reference implementation for the third-party-agent integration path. Point baseUrl at any compatible deployment.

    statusstableupdated2026-05-20installs555clones (14d)13groupagents
    npx -y meetmyagent-sdk
    details →github ↗npm ↗

  • Python LLM security middleware: prompt-injection, PII, tool-policy, cost-budget, audit. Port of ai-shield-core (TypeScript). Same defense surface, FastAPI/LangChain hooks instead of Hono/Express.

    statusstableupdated2026-06-21installs64clones (14d)8groupsecurity
    pip install studiomeyer-aishield
    details →github ↗PyPI ↗

  • Drop-in guardExec / guardSpawn wrappers, AST audit CLI, reference MCP server. Closes the OX Security 200k-server stdio-RCE class (CVE-2025-69256). Unicode-bypass-hardened, allowlist-based, replay-window protected. MIT, TypeScript, Node 20+.

    statusstableupdated2026-06-21installs345clones (14d)58groupsecurity
    npx -y mcp-stdio-shellguard
    details →github ↗npm ↗

  • Detect, diff, compatibility-matrix, plan, check. Foundation pillar by StudioMeyer (MCP Factory). Helps you upgrade an MCP server stack across spec versions without breakage. 35/35 tests, MIT.

    statusstableupdated2026-06-21installs133clones (14d)19groupfactory
    npx -y mcp-spec-migrator
    details →github ↗npm ↗

  • Foundation library for couples, families, groups. Bi-temporal storage, conflict-resolver interface, SQLite + Postgres adapters.

    statusalphaupdated2026-06-21installs398clones (14d)98groupfactory
    npx -y mcp-tenant-pair
    details →github ↗npm ↗

  • AsyncLocalStorage-based tenant + actor context propagation for MCP servers. Zero runtime dependencies, ESM-only. MCP Factory foundation pillar.

    statusalphaupdated2026-06-21stars1installs162clones (14d)60groupfactory
    npx -y mcp-tenant-context
    details →github ↗npm ↗

  • Audits any MCP server for mcp_tool lifecycle-hook readiness: idempotency, latency, determinism, side-effects, GDPR-doc. 56/56 tests, MIT.

    statusstableupdated2026-06-21installs405clones (14d)87groupfactory
    npx -y mcp-hook-conformance
    details →github ↗npm ↗

  • JSON-RPC 2.0, OAuth 2.1 PKCE, tool schemas, capabilities, smoke roundtrip, annotation hygiene. Spec versions 2024-11-05, 2025-03-26, 2025-06-18.

    statusstableupdated2026-06-21installs372clones (14d)97groupfactory
    npx -y mcp-protocol-conformance
    details →github ↗npm ↗

  • Ed25519-signed tool manifests, runtime spawn-attestation, default-deny argument sanitizer. Defends against marketplace-poisoning + CVE-2025-69256.

    statusstableupdated2026-06-21installs227clones (14d)152groupsecurity
    npx -y mcp-server-attestation
    details →github ↗npm ↗

  • Long-term AI memory with knowledge graph, semantic search, entity tracking, session continuity. Drop-in for n8n.

    statusstableupdated2026-06-21stars2forks1installs588clones (14d)73groupworkflow
    npx -y n8n-nodes-studiomeyer-memory
    details →github ↗npm ↗

  • Multi-provider LLM, no memory required. For cross-session memory see n8n-templates.

    statusstableupdated2026-05-09clones (14d)7groupworkflow
    details →github ↗

  • Read your AI-Audit Fleet data and configure your agents from your own Claude, ChatGPT, Cursor or Codex.

    statusstableupdated2026-06-15tools14installs174clones (14d)78groupsaas
    npx -y mcp-studiomeyer-agents
    details →github ↗npm ↗

  • Next lesson, quiz, review, certificates, tutor.

    statusstableupdated2026-06-21stars1installs1.1kclones (14d)145groupsaas
    npx -y mcp-academy
    details →github ↗npm ↗

  • Memory, CRM, GEO, Crew. 119 tools, 21 slash commands, 5 skills, 3 subagents. Magic Link auth. EU Frankfurt.

    statusstableupdated2026-06-20clones (14d)52groupsaas
    details →github ↗

  • Knowledge Graph, semantic search, session tracking, multi-agent support. Hosted at memory.studiomeyer.io. Free tier.

    statusstableupdated2026-06-20tools56stars3forks2clones (14d)47groupsaas
    details →github ↗

  • 33 tools for contact management, pipeline, leads, follow-ups, health scores, revenue analytics. Hosted at crm.studiomeyer.io. OAuth 2.1.

    statusstableupdated2026-06-20tools33stars2forks1clones (14d)57groupsaas
    details →github ↗

  • 23 MCP tools and 5 expert workflows. Check how 8 LLM platforms see your brand. Hosted at geo.studiomeyer.io.

    statusstableupdated2026-06-20tools23stars1forks1clones (14d)60groupsaas
    details →github ↗

  • 10 MCP tools, 8 personas, 3 workflows. Zero API cost. Free tier available.

    statusstableupdated2026-06-20tools10stars2clones (14d)28groupsaas
    details →github ↗

  • Foundation pillar 9. Closes the tool-injection-RCE class that sidecar scanners (mcp-armor) and stdio wrappers (mcp-stdio-shellguard) cannot catch. Synthesises per-tool policies from declared semantics and enforces them at execution time. MIT, TypeScript.

    statusalphaupdated2026-06-21clones (14d)13groupsecurity
    details →github ↗

  • Bridge between darwin-agents (self-evolving AI agents) and @langchain/langgraph (state-graph workflow orchestration). Zero hard deps, both upstreams as peer-dependencies. Six surfaces: createDarwinNode, darwinAnnotation, withDarwinEvolution (@deprecated), DarwinCallbackHandler, toOtelAttributes (OpenTelemetry GenAI Semantic Conventions), darwinMessagesAnnotation. v0.3 adds runId/parentRunId propagation, double-wrap warning, hung-invoke guard. 132 tests, R1+R2 review loops, MIT.

    statusalphaupdated2026-06-21installs1kclones (14d)64groupagents
    npx -y darwin-langgraph
    details →github ↗npm ↗

  • Five Temporal templates (T01-T05): memory-aware agent, operator approval, saga rollback, recurring synthesis, multi-agent coordination. All workflows write durable knowledge (learn), decisions (decide), and mistakes into Memory via Temporal activities. Bring-your-own backend via the MemoryClient adapter (HostedMemoryClient + InMemoryMemoryClient). 45 tests with time-skipping, MIT.

    statusalphaupdated2026-06-21clones (14d)19groupworkflow
    details →github ↗

  • Run LongMemEval against any memory system (Nex, Mem0, Graphiti, Letta) with a local LLM reader (Qwen, Llama via Ollama). 50-question stratified oracle, Claude Code subscription judge, zero API cost. Python, MIT.

    statusalphaupdated2026-05-09clones (14d)9groupmemory
    details →github ↗

  • Five LLM citizens build a small town. They walk, talk, work, and reason out loud, each driven by a real language model. Open-source mirror of the live meetmyagent.io world, built on darwin-agents and LangGraph. TypeScript, MIT.

    statusbetaupdated2026-05-25clones (14d)10groupagents
    details →github ↗

  • Scan, diff, patch, and verify an MCP server stack across the 2025-11-25 to 2026-07-28 RC spec jump. Eight detection rules, AST rewrite via ts-morph, CLI-first. Foundation pillar by StudioMeyer (MCP Factory). TypeScript, MIT.

    statusalphaupdated2026-06-21installs184clones (14d)157groupfactory
    npx -y mcp-stateless-migrator
    details →github ↗npm ↗

  • A Rust workspace: mcp-fuzz (a schema-aware fuzzer that finds crashes and hangs, SARIF output) and mcp-storm (a load tester with p50/p95/p99 and a CI gate), both on one shared async MCP client core (mcp-gauntlet-core). The pre-deploy counterpart to mcp-armor's runtime defense. 21 tests, three crates on crates.io, MIT.

    statusstableupdated2026-06-21installs27clones (14d)113groupsecurity
    cargo install mcp-fuzz mcp-storm
    details →github ↗crates.io ↗

  • Snapshots a server's tools/resources/prompts into a lockfile and fails CI on breaking changes, with direction-aware JSON-Schema classification (tightening an input schema vs loosening an output schema break different callers) plus a schema-hygiene linter. Single Rust binary, stdio + HTTP, SARIF + GitHub Action. 132 tests, on crates.io, MIT.

    statusstableupdated2026-06-21installs8groupsecurity
    cargo install mcp-covenant
    details →github ↗crates.io ↗

  • Scans your MCP server's source for the breaking-change signatures of the 2026-07-28 spec, then reports, file and line, what to change. It flags the retired -32002 error code (SEP-2164), stateful sessions (SEP-2575), deprecated roots/sampling/logging (SEP-2577) and OAuth without resource metadata (RFC 9728/8707). Every finding links its SEP/RFC. Single Rust binary, SARIF + GitHub Action. 93 tests, on crates.io, MIT.

    statusstableupdated2026-06-21installs8groupsecurity
    cargo install mcp-herald
    details →github ↗crates.io ↗

  • A publish-readiness validator: checks server.json against the registry schema (required name/description/version, reverse-DNS name, packages/remotes, per-package registryType/identifier/transport, the snake_case registry_type mistake, mcpb fileSha256) and cross-checks version + mcpName consistency with the sibling package.json / Cargo.toml / pyproject.toml, so mcp-publisher accepts the upload first try. Single Rust binary, SARIF + GitHub Action. 166 tests, on crates.io, MIT.

    statusstableupdated2026-06-21groupsecurity
    cargo install mcp-passport
    details →github ↗crates.io ↗

  • Implements MCP spec SEP-414: propagates traceparent / tracestate / baggage from _meta as OpenTelemetry spans, so host → server → tool → downstream renders as one trace tree. Drop-in for any MCP server, no vendor lock-in. 41 tests, MIT, TypeScript.

    statusstableupdated2026-06-21installs116clones (14d)65groupfactory
    npx -y mcp-otel
    details →github ↗npm ↗

  • Enforces the allowed tool order, transitions, loop limits, and cost budgets at runtime. Fail-closed, so an agent cannot step outside its declared state machine. Zero-dependency core, LangGraph-aware. 74 tests, MIT, Python.

    statusstableupdated2026-06-21installs140clones (14d)144groupagents
    pip install statepilot
    details →github ↗PyPI ↗

  • Implements MCP spec SEP-2549 (ttlMs + cacheScope): set the cache fields correctly server-side, and never share a private result across tenants or users client-side. Closes the cross-tenant cache-leak class with helpers and types. 66 tests, MIT, TypeScript.

    statusstableupdated2026-06-21installs156clones (14d)87groupfactory
    npx -y mcp-cache-kit
    details →github ↗npm ↗

  • Lints Claude Code SKILL.md, AGENTS.md, and subagent files: 25 rules, an A–F grade, prompt-injection and secret-leak detection, --fix, SARIF, and a GitHub Action. The CLI command is skilldoctor (the npm package is scoped). 91 tests, MIT, TypeScript.

    statusstableupdated2026-06-21installs151clones (14d)87groupsecurity
    npx -y @studiomeyer-io/skilldoctor
    details →github ↗npm ↗

Concepts

Repo-agnostic deep dives on the patterns behind the code.