Skip to main content

Lightweight service ontology, audit CLI, and MCP server for small web apps.

Project description

service-ontology-lite · CI Python 3.11+ MCP stdio License: MIT

English | 한국어

Map routes, auth boundaries, data entities, scheduled jobs, and external services before an AI agent edits a web app.

service-ontology-lite turns a small Next.js-style app into a machine-readable service map, then exposes that map through a CLI and MCP stdio server.

Status: public alpha. Project-specific scoring, production schema, tokens, and incident runbooks stay outside this package.

Why this exists

AI coding agents can change files quickly, but they often start without a service-level map.

This package gives the agent a compact answer before it edits:

What routes exist?
Which routes are public, authenticated, admin, or cron?
Which data entities and external services are nearby?
If this file changes, what is the blast radius?

What it returns

Question                                      Output
Which routes exist?                           routes[] with path, handler, methods, auth
Which routes are public/auth/admin/cron?      auth boundary labels
Which data entities are touched?              entities[] and route-to-entity links
Which external services are in play?          external_services[] with env-name hints and used_by files
What is the blast radius of this edit?        LOW/MEDIUM/HIGH risk with impacted routes/services/jobs

Install

Install from GitHub:

python3 -m pip install "git+https://github.com/veris-official/service-ontology-lite.git"

Local development install:

python3 -m pip install -e .

Planned PyPI install after package release:

python3 -m pip install service-ontology-lite

The MVP has no runtime dependency.

30-second example

service-ontology validate ./your-nextjs-app
service-ontology audit ./your-nextjs-app --json
service-ontology risk ./your-nextjs-app --changed app/api/admin/route.ts --json

Use this before handing a task to an AI coding agent. The result tells the agent whether the change touches public routes, authenticated routes, admin routes, cron handlers, data entities, or external integrations.

CLI

service-ontology --version   # or: service-ontology -V
service-ontology scan ./sample-app --json
service-ontology audit ./sample-app --json
service-ontology graph ./sample-app --json
service-ontology agent-os ./sample-app --json
service-ontology agent-os ./sample-app --project-context service-ontology-lite --json
service-ontology risk ./sample-app --changed app/api/admin/route.ts --json
service-ontology validate ./sample-app

Commands:

scan       Generate routes, auth boundaries, entities, external services, and jobs
--version  Print installed package version
validate   Validate service-ontology.json/yaml metadata
risk       Classify changed files by service blast radius
audit      Flag missing auth/entity/job/service metadata
graph      Return the combined service graph
agent-os   Return Agent OS registry and project_context grouping

MCP server

service-ontology-mcp ./sample-app

Supported MCP tools:

get_service_graph
list_routes
list_external_dependencies
audit_change_risk
audit_service
validate_manifest
get_agent_os_graph
list_project_contexts

agent-os and list_project_contexts accept project_context_id filtering for a single project handoff context.

Hermes Agent MCP config example:

mcp_servers:
  service_ontology:
    command: "service-ontology-mcp"
    args: ["/absolute/path/to/your-nextjs-app"]
    timeout: 60
    connect_timeout: 30

When registered, an AI agent can call audit_change_risk before editing a route and see whether the touched file crosses public, admin, cron, data, or external-service boundaries.

Python API

from service_ontology_lite import (
    audit_change_risk,
    filter_project_contexts,
    load_agent_os_registry,
    scan_project,
    validate_manifest,
)

registry = load_agent_os_registry("./sample-app")
project_context = filter_project_contexts(registry, "service-ontology-lite")

Example dry-run result

Against the bundled sample app, the current release reports:

scan route_count        5
external_services       Discord, Supabase
audit score             100
audit findings          0
risk admin route        HIGH
manifest_valid          true
MCP tools exposed       8

Next.js route support

The scanner understands common App Router path conventions:

app/(marketing)/blog/[slug]/page.tsx       → /blog/:slug
app/docs/[...parts]/page.tsx               → /docs/:parts*
app/shop/[[...filters]]/route.ts           → /shop/:filters*
app/api/admin/route.ts                     → /api/admin

Explicit manifest

Static scanning works without config. Add service-ontology.json, service-ontology.yaml, or service-ontology.yml for durable project knowledge:

routes:
  - path: /dashboard
    auth: required
    handler: app/dashboard/page.tsx
    entities: [User]
    external_services: []
entities:
  - name: User
    storage: database:users
    fields: [id, email]
external_services:
  - name: Stripe
    type: payments
    env: [STRIPE_SECRET_KEY]
jobs:
  - name: daily-sync
    schedule: "0 0 * * *"
    handler: app/api/cron/route.ts
agent_os:
  projects:
    - id: service-ontology-lite
      name: service-ontology-lite sample
  agents:
    - id: implementation-agent
      role: implementation
  surfaces:
    - id: local-sample-app
      type: local_repo
      project_context_id: service-ontology-lite
  tasks:
    - id: agent-os-registry-poc
      project_context_id: service-ontology-lite
      owner_agent: implementation-agent
  artifacts:
    - id: pytest-agent-os-registry
      type: test_output
      project_context_id: service-ontology-lite

Validate a manifest before sharing it with agents:

service-ontology validate ./sample-app

The JSON Schema reference is in docs/service-ontology.schema.json. The same schema file is included in the wheel as package data at service_ontology_lite/service-ontology.schema.json.

Practical scenarios

Before an AI agent edits an admin route

service-ontology risk . --changed app/api/admin/route.ts --json

Expected signal:

severity: HIGH
reason: admin_or_cron_route_changed
next step: require route-level tests and human review before merge

Before changing an integration file

service-ontology risk . --changed app/lib/supabase.ts --json

Expected signal:

severity: HIGH when the file is linked to an external dependency
next step: check env names, failure mode, retry behavior, and release rollback path

Before public release

service-ontology validate .
service-ontology audit . --json

Expected signal:

manifest_valid: true
finding_count: 0 or reviewed findings with explicit fixes

Good use cases

Use case                                      How this repo helps
Pre-release check for a small Next.js app      Run validate + audit + risk before deploy
AI coding guardrail                            Give agents a route/auth/service map first
Private app documentation                      Keep service-ontology.json beside source
Refactor planning                              See which routes/entities/services are touched
Cron/API safety review                         Flag admin/cron/external-service edits as high risk
MCP experiment                                 Serve service graph over stdio without app runtime dependencies

Not a replacement for

authentication tests
dependency vulnerability scanning
SAST/DAST
production penetration tests
framework-specific type checking
real database schema introspection
runtime traffic analysis

The package is a static inspection layer. It does not execute the target app, open network connections, read .env values, or verify production authorization behavior.

Release gate

Before publishing or pushing a release branch, run:

python3 -m compileall -q src tests
python3 -m pytest -q
python3 -m ruff check .
python3 -m build --sdist --wheel

The GitHub Actions workflow in .github/workflows/ci.yml runs the same gate on Python 3.11.

Security model

service-ontology-lite is a static inspection and guardrail tool. It reads project files from the target directory and emits structural metadata: routes, declared auth boundaries, entities, external service names, cron handlers, and generic risk findings.

It does not execute application code, open network connections, read .env files, or collect secret values.

Public/private boundary

Public core:

schema
CLI
MCP stdio server
generic scanner
generic audit rules
sample Next.js/Vercel app
report format

Private project plugins stay outside the package:

domain-specific scoring
live production database structure
affiliate/commercial logic
real cron tokens
incident runbooks
SEO/GEO monetization formulas

Contributing

See CONTRIBUTING. Korean guide: CONTRIBUTING-ko_kr.

License

MIT. See LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

service_ontology_lite-0.1.0.tar.gz (27.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

service_ontology_lite-0.1.0-py3-none-any.whl (21.1 kB view details)

Uploaded Python 3

File details

Details for the file service_ontology_lite-0.1.0.tar.gz.

File metadata

  • Download URL: service_ontology_lite-0.1.0.tar.gz
  • Upload date:
  • Size: 27.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.11.14

File hashes

Hashes for service_ontology_lite-0.1.0.tar.gz
Algorithm Hash digest
SHA256 5fea3ff000f50bca448dfb67f806cbd3d901520e4d5fe561e4d9684084209068
MD5 806c903136573888c5b1712eafe1661f
BLAKE2b-256 59fd371a863844853f2201aba0cf9a3cadf58394c2080bec0d15f9cf3bce887e

See more details on using hashes here.

File details

Details for the file service_ontology_lite-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for service_ontology_lite-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 1c998b28d56ac6701cff9d859a4ddf1b3e20ab526ea1d43e2865b7fe059b5098
MD5 aecfe150d9d510a7e10d1b321266e696
BLAKE2b-256 0cb0c5c0fe7aa15471954e25ea9a3099d9bba3815f0f70c7046c735165423cab

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page