MCP server for Oracle Fusion Cloud HCM — generic, capability-aware, safe-by-default.
Project description
HCM MCP Server for Oracle Fusion Cloud (unofficial)
Not affiliated with or endorsed by Oracle. Oracle and Fusion are trademarks of Oracle Corporation.
An MCP server that lets AI models interact with Oracle Fusion Cloud HCM across its entire REST surface — workers, org structures, compensation, absence, payroll, recruiting, talent, learning and more — without hand-coding a tool per endpoint.
Built to be packaged once and reused across many Fusion HCM customers, regardless of which modules they license, how their flexfields are configured, or which Oracle release they run.
Status: Feature-complete. All 16 tools implemented — discovery, generic read, 7 curated HR workflows, ATOM change feeds, and gated writes — with an inescapable client-layer PII-redaction + audit floor. Built on ADF REST behavior verified against a live Fusion pod (DESIGN.md §13). 60 unit tests; Docker image and stdio server boot verified. After installing, run the smoke checklist in docs/TEST_CASES.md against your pod (every pod's licensing, roles, and flexfields differ).
Why this exists
Oracle Fusion HCM exposes ~600 REST resources built on Oracle's uniform ADF REST framework. A naive MCP server would create one tool per resource and blow up the model's context window — and would advertise tools that don't exist for customers who haven't licensed the matching module.
This server takes the opposite approach: a small set of generic, schema-aware tools that introspect any resource at runtime via Oracle's /describe endpoint, plus a handful of curated workflow tools for the most common HR tasks. It discovers each customer's licensed footprint automatically and only exposes what actually works on their pod.
Key design principles
- Generic over hardcoded — 6 generic tools + ~15 curated workflows cover all ~600 resources. No per-resource code.
- Self-documenting — the model reads live schemas via
describe_resource; no bundled schema files to maintain. - Capability-aware — startup probing detects which Oracle modules are licensed/provisioned and lights up only those tool groups (no Recruiting license → no Recruiting tools).
- Safe by default — read-only out of the box; writes are off by default, gated, dry-run-first, and audited. PII (national IDs, salary, DOB) is redacted unless explicitly enabled.
- Distributable — one configurable artifact, deployed single-tenant per customer pod. No customer specifics in code.
Architecture at a glance
auth/ Basic + OAuth2/JWT (OCI IAM / IDCS)
core/ ADF REST client · resource catalog · /describe cache · q= filter builder
tools/ discovery · query · workflows · mutate · atom · bip
safety/ PII redaction · audit log · dry-run gates (writes off by default, schema-validated, fail closed)
config.py base URL · pinned REST version · scopes · feature & module flags
Tools (16)
| Group | Tools |
|---|---|
| Diagnostics | server_info |
| Discovery | list_resources · describe_resource · get_capabilities |
| Read | query_resource · get_record |
| Workflows | find_worker · get_worker_profile · list_direct_reports · get_reporting_chain · lookup_org · get_current_compensation · list_absences |
| Change feeds | list_changes (ATOM — gated by features.atom_enabled) |
| Writes | mutate_record · run_action (gated by features.writes_enabled, dry-run default, schema-validated) |
The generic query_resource / get_record / describe_resource work against any of the ~600 HCM resources; the workflows are curated shortcuts for common HR questions.
Roadmap
| Phase | Deliverable | Status |
|---|---|---|
| 1 | Generic read core + auth + discovery + safety floor | ✅ Built |
| 2 | Curated HR workflow tools | ✅ Built |
| 3 | Gated writes + custom actions + audit | ✅ Built |
| 4 | ATOM change feeds | ✅ Built |
| 5 | BI Publisher / HCM Extracts reporting | ◻ Future |
Stack
Python · FastMCP · httpx · pydantic
Packaged as a Docker/OCI image (primary) built from a hatchling wheel.
Getting started
Install from PyPI
pipx install fusion-hcm-mcp-server # or: uvx fusion-hcm-mcp-server
pypi.org/project/fusion-hcm-mcp-server — published from this repo's CI via PyPI Trusted Publishing with attestations.
Want to use this from Claude Desktop? Follow the step-by-step guide: docs/INSTALL_CLAUDE_DESKTOP.md — covers both install modes (Python venv + OS credential store, or Docker), the Desktop config file, a test sequence, and the common traps.
Configure
cp config.example.toml config.toml # then edit; supply secrets via HCM_* env vars
Required: server.base_url (or HCM_BASE_URL). Credentials should come from environment
variables (HCM_USERNAME/HCM_PASSWORD, or HCM_CLIENT_ID/HCM_CLIENT_SECRET/HCM_TOKEN_URL),
never the committed file. See config.example.toml.
Run with Docker (primary)
docker build -t fusion-hcm-mcp-server .
docker run --rm -i \
-e HCM_BASE_URL="https://your-pod.fa.ocs.oraclecloud.com" \
-e HCM_USERNAME="INTEGRATION_USER" -e HCM_PASSWORD="..." \
-v "$PWD/config.toml:/app/config.toml:ro" \
fusion-hcm-mcp-server
For hosted HTTP transport, set transport.type = "http" (or HCM_TRANSPORT=http) and publish -p 8000:8000.
Local development
Requires Python 3.11+.
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pytest
fusion-hcm-mcp-server # runs the MCP server over stdio
Documentation
- docs/INSTALL_CLAUDE_DESKTOP.md — install & run with Claude Desktop (venv or Docker), verification sequence, troubleshooting traps.
- docs/TEST_CASES.md — tool matrix, automated coverage, the live-pod checklist, production-readiness assessment.
- DESIGN.md — full technical design: auth, the ADF REST client, exact tool signatures, the
q=filter grammar, the safety model, ADF ground truth, and licensing/module alignment.
Status & contributions
This is an actively developing project — issues and PRs from people testing against their own pods are genuinely wanted. See CONTRIBUTING.md; for vulnerabilities, SECURITY.md. The design doc is the source of truth.
License
Apache-2.0. See also NOTICE.
Not affiliated with or endorsed by Oracle. Oracle and Fusion are trademarks of Oracle Corporation.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file fusion_hcm_mcp_server-0.1.1.tar.gz.
File metadata
- Download URL: fusion_hcm_mcp_server-0.1.1.tar.gz
- Upload date:
- Size: 57.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
abd2d20f34f320cf5adde4308aadf694be0344c08a475175749e99f06fd71466
|
|
| MD5 |
044b0f64d6c64c8799863474ef5323a2
|
|
| BLAKE2b-256 |
7d18138ab23b20a9d198d8b3b86752a0e06e6378680770c3daa8c501a28065ab
|
Provenance
The following attestation bundles were made for fusion_hcm_mcp_server-0.1.1.tar.gz:
Publisher:
release.yml on mohantyajitesh/fusion-hcm-mcp-server
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
fusion_hcm_mcp_server-0.1.1.tar.gz -
Subject digest:
abd2d20f34f320cf5adde4308aadf694be0344c08a475175749e99f06fd71466 - Sigstore transparency entry: 2133623648
- Sigstore integration time:
-
Permalink:
mohantyajitesh/fusion-hcm-mcp-server@c6f342f1245b1e0e09bdde196d6f5d7d1616c4e8 -
Branch / Tag:
refs/tags/v0.1.1 - Owner: https://github.com/mohantyajitesh
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@c6f342f1245b1e0e09bdde196d6f5d7d1616c4e8 -
Trigger Event:
push
-
Statement type:
File details
Details for the file fusion_hcm_mcp_server-0.1.1-py3-none-any.whl.
File metadata
- Download URL: fusion_hcm_mcp_server-0.1.1-py3-none-any.whl
- Upload date:
- Size: 42.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
76f686bcc41d1c8a93669c9f3d4680b98ecc7bf358a0800f79f147fa4d9088ae
|
|
| MD5 |
4a0b4cba833e871ccb9397c886f2cf76
|
|
| BLAKE2b-256 |
bcb3db59329a31f8bdd574b30d19af3d6a1d0385a1a3ffc9be41ded458797bf2
|
Provenance
The following attestation bundles were made for fusion_hcm_mcp_server-0.1.1-py3-none-any.whl:
Publisher:
release.yml on mohantyajitesh/fusion-hcm-mcp-server
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
fusion_hcm_mcp_server-0.1.1-py3-none-any.whl -
Subject digest:
76f686bcc41d1c8a93669c9f3d4680b98ecc7bf358a0800f79f147fa4d9088ae - Sigstore transparency entry: 2133623694
- Sigstore integration time:
-
Permalink:
mohantyajitesh/fusion-hcm-mcp-server@c6f342f1245b1e0e09bdde196d6f5d7d1616c4e8 -
Branch / Tag:
refs/tags/v0.1.1 - Owner: https://github.com/mohantyajitesh
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@c6f342f1245b1e0e09bdde196d6f5d7d1616c4e8 -
Trigger Event:
push
-
Statement type: