Welcome to the server suite of the Fsas Technologies AI Team. This repository provides a highly specialized selection of gateway servers optimized to integrate the PGPT API into any IT environmentβranging from established legacy systems to cutting-edge AI agent architectures.
Each server in this package has been developed for a specific use case to ensure maximum performance and stability.
The Bridge for Legacy Systems. This server is the ideal tool for environments that do not yet natively support the Model Context Protocol (MCP).
- Purpose: Enables older applications to access state-of-the-art AI logic via classic, high-performance TCP connections.
- Advantage: High compatibility without the overhead of complex web protocols. Perfect for industrial controls or proprietary software solutions that rely on proven socket communication.
The Standard for Local Integrations. This server implements the Model Context Protocol via the standard input/output channel.
- Purpose: The primary choice for direct integration into local AI environments such as Claude Desktop, VS Code, or IDE plugins.
- Advantage: Ultra-fast communication with minimal latency. Since no network ports need to be opened, this server offers outstanding security for local workflows directly on the developer machine.
β οΈ Requirement: This server requires a running PGPT Instance Version 1.5 to ensure full API compatibility.
The Powerhouse for Remote and Web Architectures. This server utilizes Server-Sent Events (SSE) to realize a stable, bidirectional connection over HTTP.
- Purpose: Designed for distributed systems and network access. It is the first choice for the MCP Inspector or web-based dashboards.
- Advantage: Thanks to the integrated Stream-Fix and Auto-Session-Recovery, this server is extremely resilient against unstable network connections or SSH tunnels. It makes AI tools reliably usable over long distances.
β οΈ Requirement: This server requires a running PGPT Instance Version 1.5 to ensure full API compatibility.
All servers in this suite are based on the same hardened logic engine developed by the Fsas Technologies AI Team:
- Full Tool Coverage: Access to all 23 functions of the PGPT API (Chat, RAG Sources, Scenarios, User Management).
- Intelligent Configuration: Centrally managed via
pgpt.env.jsonfor maximum flexibility. - Enterprise Security: Support for RSA-encrypted headers, TLS encryption, and secure SSH key authentication.
- Optimized for Node.js 20+: Full utilization of modern ESM modules and asynchronous runtimes for peak efficiency.
.
βββ API-Server-with-TCP-Support # Legacy & Custom TCP Gateway
βββ MCP-Server-with-STDIO-Support # Local Agent Integration (Standard)
βββ MCP-Server-with-Streamable-HTTP-Support # Remote & Web Gateway (SSE)
- Clone the Repository:
git clone https://github.com/Fujitsu-AI/MCP-Server-for-MAS-Developments.git cd MCP-Server-for-MAS-Developments - Select the desired server
- API-Server-with-TCP-Support: Best for Legacy application integrations & Custom TCP Gateway solutions
- MCP-Server-with-STDIO-Support: Local Agent Integration (Standard)
- MCP-Server-with-Streamable-HTTP-Support: Remote & Web Gateway (SSE)
-
Prepare Configuration: Create a
pgpt.env.jsonin the respective server directory with your PGPT API credentials. -
Installation & Launch: Choose your server type and follow the local
INSTALL.mdor use the provided setup script, for example:./Install-MPC-Server.sh
The following security features are implemented to ensure data protection and secure communication between the client application and server. These features cover encryption, decryption, key management, and transport security.
- To secure communication between the client and server, TLS can be activate. All data transmitted between the client and server is encrypted using TLS (minimum version 1.2).
- TLS (Transport Layer Security) ensures that all data transmitted between the client and server is encrypted. This protects sensitive information such as passwords, credit card details, and personal data from eavesdropping attacks (Man-in-the-Middle attacks).
- TLS guarantees that the transmitted data remains unchanged and unaltered. The integrity check ensures that the received data is exactly as it was sent.
- TLS enables secure authentication of the server (and optionally the client) through digital certificates. This prevents users from falling victim to phishing attacks on fake websites.
- TLS encrypts the connection, making it nearly impossible for attackers to intercept or manipulate traffic. Without TLS, attackers could capture and modify data packets.
- Many regulatory requirements (e.g., GDPR, PCI-DSS) mandate secure data transmission. TLS is a fundamental component of these security requirements.
- TLS protects against attacks that attempt to downgrade a connection to an insecure version (downgrade attacks) or replay previously valid requests (replay attacks).
Enabling TLS between client and server is essential to ensure data privacy, security, and communication integrity. It not only protects sensitive information but also helps meet compliance requirements and increases user trust.
Passwords can be encrypted using RSA (RivestβShamirβAdleman) public-key cryptography. This ensures that sensitive data, such as user passwords, are never transmitted in plaintext.
- Public key encryption with a up to 4096-bit key length.
- Padding:
RSA_PKCS1_PADDINGto enhance security and prevent known padding attacks.
- The server administrator encrypts the client's password using the server's public key (
id_rsa_public.pem) by executingnode security/generate_encrypted_password.js ~/.ssh/id_rsa_public.pemand hand out the encrpyted password to the client. - Alternatively: The client encrypts the password using the server's public key (
id_rsa_public.pem) by using thekeygen- Function. Therefore the function has to be enabled in the server's config (privateGPT.env.json). Important: Using this function also means transmitting data via the network. Therefore, make sure that the data traffic is secure and cannot be intercepted. - Finally, the encrypted password is sent to the server, where it is decrypted using the server's private key.
- Asymmetric encryption ensures that only the server can decrypt the password.
- Even if the communication channel is compromised, encrypted data remains secure.
To secure data communication and encryption processes, the following key management principles are followed:
- Stored securely on the server (
id_rsa.pub). - Used only for encryption and does not pose a security risk if exposed.
- Stored securely on the server (
id_rsa_public.pem). - Has to be created by using the public cert (see: Server Configuration)
- Stored securely on the server (
id_rsa). - Restricted access with appropriate file permissions (
chmod 600). - Used exclusively for decryption operations.
- Keys can be rotated periodically or upon detection of a security incident. Important: if these are reissued, the clients or AI agents immediately lose access to the MCP server and require a new RSA key (encrypted password)!
- Old keys are securely invalidated.
Decryption is exclusively performed on the server using the private key:
- The server receives the encrypted password from the client.
- The private key decrypts the password to retrieve the original plaintext.
- The decrypted password is used internally (e.g., authentication) and never stored in plaintext.
- Decrypted passwords exist in memory only for the duration of processing.
- Secure memory management practices ensure sensitive data is cleared immediately after use.
- Certificates are validated on both sides to ensure the authenticity of the server and client.
- Optionally, mutual TLS can be enabled for enhanced security.
Tokens are used to authenticate requests and ensure only authorized users can access the system:
- Tokens are generated upon successful login.
- They are short-lived and automatically expire after a predefined time.
- Tokens are signed using HMAC or RSA, making them tamper-proof.
This project is licensed under the MIT License - see the LICENSE file for details.