74
/ 100
1 day ago
glama

Design System MCP Server

Self-hosted MCP server that enables ChatGPT agents to perform health checks, fetch design request context, and submit agent results back to a design system backend.

Is this your MCP?

Claim it to get a verified publisher badge, a free copy of our full audit findings, and direct contact for any high-priority issues we find.

Install from

M8ven verifies MCPs across every public registry — install directly from whichever one you prefer.

// key findings
39 tools verified — handlers match their declared behaviour
19 read-only tools verified — handlers contain no write/delete/exec
No credential exfiltration, no sensitive file access, no obfuscation
Static analysis found nothing flowing your secrets to unexpected places.
🔐
You'll be asked for 14 credentials: GITHUB_TOKEN, GITHUB_WEBHOOK_SECRET, INTERNAL_AGENT_RESULT_TOKEN, MCP_BEARER_TOKEN, MCP_URL_SECRET, REST_API_BEARER_TOKEN, SUPABASE_DEVELOPMENT_SERVICE_ROLE_KEY, SUPABASE_LOCAL_SERVICE_ROLE_KEY, SUPABASE_PRODUCTION_SERVICE_ROLE_KEY, SUPABASE_REAL_SERVICE_ROLE_KEY, SUPABASE_SERVICE_ROLE_KEY, SUPABASE_STAGING_SERVICE_ROLE_KEY, WORKSPACE_AGENT_CALLBACK_TOKEN, WORKSPACE_AGENT_TOKEN
These are read from process.env at runtime. Make sure you trust where they’ll be sent.
// required environment variables
This server reads these from process.env. You'll be asked to provide them before it can run.
configAPP_RUNTIME_MODE
configCORS_ALLOWED_ORIGINSmust list the exact browser origins allowed to call the REST API.
configDASHBOARD_CACHE_TTL_MS
configDB_TARGET
configDEV_TOOLS_ALLOW_REAL_DB_SWITCH
configDEV_TOOLS_ENABLED
configDS_BACKEND_URL
configDS_UPLOAD_CHUNK_MAX_BYTES
configDS_UPLOAD_MAX_FILE_BYTES
configDS_UPLOAD_SESSION_TTL_SECONDS
configDS_UPLOAD_STORAGE
configGITHUB_ALLOWED_BRANCH_PREFIXESfeature/,fix/,chore/,docs/,ai/
configGITHUB_ALLOWED_REPOSdw18031988/ds_mcp_server,nhatnguyenquang1838-coder/rental_home
configGITHUB_DEFAULT_BASE_BRANCH
configGITHUB_MAX_FILE_BYTES
🔐 secretGITHUB_TOKENgithub_pat_xxx
🔐 secretGITHUB_WEBHOOK_SECRETreplace-with-a-long-random-secret
🔐 secretINTERNAL_AGENT_RESULT_TOKENHeader: X-Internal-Token: <>
configMAX_JSON_BODY_BYTESlimits request payload size before parsing.
🔐 secretMCP_BEARER_TOKENreplace-with-a-long-random-token
configMCP_PATH
🔐 secretMCP_URL_SECRETURL: https://<your-public-domain>/mcp/<>
configPORT
configPUBLIC_BASE_URL
configRATE_LIMIT_MAX_REQUESTSRATE_LIMIT_WINDOW_MS and control sensitive-route rate limiting.
configRATE_LIMIT_WINDOW_MSand RATE_LIMIT_MAX_REQUESTS control sensitive-route rate limiting.
🔐 secretREST_API_BEARER_TOKENThis endpoint uses GitHub X-Hub-Signature-256 verification and intentionally bypasses , because GitHub cannot send the REST bearer token.
configSECURITY_ENFORCEMENTstrict fails startup if required secrets are missing.
configSUPABASE_ACTIVE_DB_TARGET
🔐 secretSUPABASE_DEVELOPMENT_SERVICE_ROLE_KEY
configSUPABASE_DEVELOPMENT_URL
🔐 secretSUPABASE_LOCAL_SERVICE_ROLE_KEY
configSUPABASE_LOCAL_URL
🔐 secretSUPABASE_PRODUCTION_SERVICE_ROLE_KEY
configSUPABASE_PRODUCTION_URL
🔐 secretSUPABASE_REAL_SERVICE_ROLE_KEY
configSUPABASE_REAL_URL
🔐 secretSUPABASE_SERVICE_ROLE_KEY
🔐 secretSUPABASE_STAGING_SERVICE_ROLE_KEY
configSUPABASE_STAGING_URL
configSUPABASE_URL
configWORKSPACE_AGENT_API_BASE_URL
🔐 secretWORKSPACE_AGENT_CALLBACK_TOKEN
🔐 secretWORKSPACE_AGENT_TOKEN
configWORKSPACE_AGENT_TRIGGER_ID
// full audit trail
The full breakdown of what we checked, the deductions that landed, the network hosts, the dependency advisories, and concrete fix guidance is available to verified publishers.
// improvement guidance — verified publishers only
We have 5 concrete improvements we can share with the publisher of this MCP. Each comes with specific guidance to raise the trust score.
// embed badge in your README
[![M8ven Score](https://m8ven.ai/badge/mcp/dw18031988-ds-mcp-server-pe8xa3)](https://m8ven.ai/mcp/dw18031988-ds-mcp-server-pe8xa3)
commit: 347a35414f0a00c5f9efc98a64d017042aca29cc
code hash: 30110785f015f138465803f5f9c3bcf0bc76aa428773b658d2da1edd872aa06f
verified: 7/10/2026, 10:07:41 AM
view raw JSON →