Open Source Software
Open Source Projects
Systems Research
libdrainprof - C library for detecting structural memory leaks invisible to traditional tools (Valgrind, ASan). Measures drainability satisfaction rate at allocator granule boundaries with <2ns overhead. Companion tool to the drainability paper .
gsm ( Go pkg ) - Governed state machines with build-time convergence verification. Define state variables, business invariants, and compensation logic; the library exhaustively verifies that event ordering cannot cause replica divergence. Runtime event application is O(1) via precomputed table lookup. Companion library to the normalization confluence paper .
temporal-slab - Epoch-based slab allocator. The experimental allocator used to validate the drainability theorem .
Cloud Infrastructure
vaultmux-server - Language-agnostic secrets control plane for Kubernetes. HTTP REST API enabling polyglot teams (Python, Node.js, Go, Rust) to fetch secrets from AWS, GCP, or Azure without SDK dependencies. Deploy as sidecar or cluster service.
GCP Emulator Platform - Composable local emulation stack for Google Cloud Platform. Each emulator runs standalone or registers into a unified single-process server via a shared hook architecture: one binary, one gRPC port, one Docker image.
- gcp-emulator - Unified GCP local development platform. Composes Secret Manager, KMS, IAM, and Eventarc into a single process on a shared gRPC port with a unified REST gateway. Run your entire GCP stack locally with one command, no docker-compose juggling. Optional IAM enforcement via policy.yaml.
- gcp-secret-manager-emulator - The most widely adopted community GCP Secret Manager emulator, ranked #1 on Google, Bing, and DuckDuckGo, recommended by Google AI Overview, Gemini, and GitHub Copilot. 45K+ downloads with confirmed enterprise CI adoption by Flipt (4.8K stars, enterprise feature flag platform), Reindeer AI , and sugar-org/swarm-external-secrets (Docker Swarm secrets plugin, forked the emulator for GCP integration). Dual gRPC + REST APIs with optional IAM enforcement. Deployable standalone or composed into gcp-emulator.
- gcp-eventarc-emulator - Full Eventarc API surface (47 RPCs) with CloudEvent routing, CEL-based trigger matching, and HTTP delivery in binary content mode. Triple protocol support: gRPC, REST, and CloudEvents. Deployable standalone or composed into gcp-emulator.
- gcp-iam-emulator - Deterministic IAM policy engine. Evaluates ALLOW/DENY decisions against GCP IAM semantics and emits machine-readable authorization traces for debugging. Deployable standalone or composed into gcp-emulator.
- gcp-kms-emulator - KMS emulator with real cryptographic operations. Supports key versioning, rotation, and destruction with the same API surface as Cloud KMS. Deployable standalone or composed into gcp-emulator.
AI-Native Developer Tooling and MCP Servers
knowing
- Content-addressed code intelligence engine with 28 MCP tools and 8 resources, built for AI agents. P@10=0.278 across 308 tasks, 16 repos, 8 languages: 3.2x codegraph (19K stars), 5.1x GitNexus (40K stars), 5.35x Gortex, 12.1x Aider, 18.5x grep. 23 extractors spanning 26 languages/formats (Go, TypeScript, Python, Rust, Java, C#, Ruby, Protobuf, Terraform, SQL, K8s YAML, CloudFormation, Docker Compose, GitHub Actions, Serverless Framework, CSS, event/MQ patterns, OpenAPI, Dockerfile, Makefile, Helm Charts, GitLab CI, GraphQL, .env files, Ansible). 12 self-adapting retrieval mechanisms including 263 framework equivalence classes, 7 in-process language resolvers, implicit noise demotion, density-adaptive seed selection, RWR proximity packing, per-cluster implicit feedback (R@10 +5.2%, MRR +12.6% over 5 rounds), and change-aware scoring. Every node, edge, and snapshot is a SHA-256 hash (Merkle DAG); staleness is a hash mismatch, not a heuristic. Supply chain detection (audit-supply-chain) extracts credential access, process spawning, and network exfiltration edges without executing code (1.0% FP rate; catches patterns like event-stream 2018 and TanStack/Mini Shai-Hulud 2026). OpenTelemetry/OTLP runtime trace ingestion fuses static analysis with production traffic for dead route detection and runtime call graph edges. Community detection (Louvain) with Merkle roots for parallel agent conflict detection. SCIP ingestion from scip-go, scip-typescript, scip-java. Cryptographic absence proofs (Certificate Transparency style). CODEOWNERS and git blame integration. GCF wire format: 79% fewer tokens than JSON with session statefulness for 47% tool call reduction across multi-call workflows. 4,717x adjacency cache speedup (9s to 2ms on k8s-scale graph). Daemon mode with HTTP transport for multi-agent environments. Companion whitepaper:
Content-Addressing as a Computation Primitive for Software Relationship Intelligence
(DOI: 10.5281/zenodo.20342255).
GCF ( gcformat.com , playground , whitepaper , betterthanjson.com ) - Drop-in JSON replacement for all AI pipelines, with superpowers for graph-shaped data. 79% fewer input tokens than JSON, 63% fewer output tokens. 1,300+ LLM evaluations across 10 models from Anthropic, OpenAI, and Google. 90.5% average comprehension accuracy (four models at 100%) where JSON averages 53.6% and TOON averages 68.5%. 5/5 generation validity on every frontier model with zero training. TOON’s official decoder rejects LLM-generated output on 7 of 9 models. Wins all 6 datasets on TOON’s own benchmark. Session deduplication (92.7% by 5th call) and delta encoding (81.2%) compound savings. Six language implementations, seven registries, tree-sitter grammar:
- gcf - Specification, eval data, whitepaper, playground
- gcf-go - Go implementation + comprehension/generation eval harness
- gcf-typescript - TypeScript implementation
- gcf-python - Python implementation
- gcf-rust - Rust implementation
- gcf-swift - Swift implementation
- gcf-kotlin - Kotlin implementation
- gcf-proxy - MCP proxy that re-encodes JSON tool responses as GCF mid-flight. Zero code changes.
- tree-sitter-gcf - Tree-sitter grammar for syntax highlighting (Neovim, Helix, Zed)
agent-lsp ( agent-lsp.com ) - Stateful MCP server runtime over real language servers. 66 tools, 24 Agent Skills, speculative execution engine, 30 CI-verified languages. 5,500+ monthly downloads. Maintains a persistent warm LSP session, reshapes LSP into agent-oriented workflows, and adds a transactional speculative execution layer for safe in-memory edits. Speculative execution lets agents simulate edits in-memory, evaluate the diagnostic delta (errors introduced vs resolved), then commit or discard atomically without touching disk. Listed on the official MCP Registry , Glama (A-tier), and awesome-mcp-servers .
mcp-assert
(
mcp-assert.com
,
docs
) - Deterministic testing standard for MCP servers. 28,000+ total downloads across 6 distribution channels. Shipped from 0-to-1 in one week. Single Go binary that connects over stdio, SSE, or HTTP, calls tools, and asserts results. 18 assertion types defined in YAML, run against any MCP server in any language. Zero-effort coverage: generate auto-scaffolds stub assertions for every tool a server exposes, snapshot captures actual outputs as golden files. Available on the
GitHub Actions Marketplace
, as a
pytest plugin
,
Vitest plugin
,
Jest plugin
,
Bun plugin
, and
Go test plugin
. 102 servers scanned across 7 languages, 34 upstream bugs found. Adopted as the CI testing standard by
antvis/mcp-server-chart
(Ant Group, 4K stars) and
wyre-technology
across 25+ MCP server repos as their company-wide testing layer. Full results on the
public scorecard
.
commitmux - Keyword and semantic search over git history, exposed as MCP tools for coding agents. Cross-repo, local-first, no credentials, no rate limits. Builds a read-optimized SQLite index over commit subjects, bodies, and patches; serves it via a narrow read-only MCP surface.
claudewatch - Self-improving observability platform for Claude Code. 32-tool MCP server for live session metrics. Combines push (PostToolUse hooks alerting on error loops and context pressure), pull (MCP tools for token velocity, cost burn rate, friction classification), and persistence (CLAUDE.md behavioral contract installation). Scores project AI readiness, surfaces friction patterns, generates CLAUDE.md patches from session data, snapshots metrics to SQLite for before/after effectiveness scoring. Zero network calls.
polywave - Formal coordination protocol for parallel AI agents. 6 invariants, 48 execution rules, and a 10-state machine that makes merge conflicts structurally impossible. Disjoint file ownership enforced before worktrees are created. Five repositories:
- polywave-protocol - Implementation-agnostic specification (invariants, execution rules, state machine, message formats)
- polywave - Claude Code implementation (Agent Skill, 22 enforcement hooks, agent prompts)
- polywave-codex - Codex CLI implementation (same protocol, different platform; in progress)
- polywave-go
- Go engine +
polywave-toolsCLI (75+ commands, 4 LLM backends: Anthropic, OpenAI, Bedrock, Ollama) - polywave-web - Real-time web dashboard with live wave execution, IMPL review, and SSE streaming
ai-cold-start-audit - Turn AI’s lack of context into a feature. Agents cold-start your CLI in a container and report every friction point a new user would hit. Structured severity-tiered findings with reproduction steps.
github-release-engineer - Claude Code skill automating the full GitHub release lifecycle: version detection, changelog validation, tag safety checks, CI/CD monitoring, intelligent failure diagnosis with automated fix-retag-rewatch loops. 11-step gated pipeline.
dotclaude - Profile manager for Claude Code. Switch between work/personal contexts, multi-backend routing.
Developer Tools
blackdot - Modular development framework with multi-vault secrets, Claude Code integration, extensible hooks, and health checks.
Libraries
merkle-strata ( Go pkg ) - Stratified Merkle trees for grouped data. Builds 2-level (root → groups → leaves) or 3-level (root → groups → subgroups → leaves) hash trees with O(groups) diff, absence proofs via sorted adjacency, scoped subtree queries, and offline-verifiable inclusion proofs. Zero dependencies, stdlib only. Powers knowing ’s content-addressed identity layer: snapshots, hierarchical diff, inclusion/absence proofs, integrity verification, subgraph caching, and context pack deduplication.
goldenthread ( Go pkg ) - Build-time schema compiler generating TypeScript Zod schemas from Go struct tags. Single source of truth for validation with automatic drift detection in CI.
domainstack ( Rust crate ) - Full-stack validation ecosystem for Rust: Type-safe validation with automatic TypeScript/Zod schema generation, serde integration, OpenAPI schemas, and web framework adapters (Axum, Actix, Rocket).
error-envelope ( Rust crate ) - Consistent, traceable, retry-aware HTTP error responses for Rust APIs.
vaultmux ( Go pkg ) | vaultmux-rs ( Rust crate ) - Unified secret management library across Bitwarden, 1Password, pass, AWS, GCP, Azure. Available in Go and Rust with 95%+ test coverage. Powers vaultmux-server.
err-envelope ( Go pkg ) - Structured HTTP error responses for Go. Works with net/http, Chi, Gin, and Echo. Machine-readable codes, field validation, trace IDs.
bubbletea-components - Reusable Bubble Tea TUI component library: carousel, command palette, Miller columns, multiselect, and picker. Five composable packages for interactive Go terminal applications.
Utilities
brewprune - Free up GB of disk space by removing unused Homebrew packages. Tracks actual usage via FSEvents monitoring, scores removal safety (0-100 confidence), and creates automatic snapshots for instant rollback.
shelfctl - CLI tool for organizing PDF and book libraries using GitHub Release assets. Interactive TUI and scriptable CLI modes.
mdfx - Make your GitHub README stand out: tech badges, progress bars, gauges, and Unicode text effects. Local and customizable.
pipeboard - Secure clipboard sharing over SSH tunnels. Share text between machines without exposing ports or using third-party services.
Upstream Contributions
Fix PRs and bug reports submitted to open source projects. 75+ contributions across 26 organizations, 27 merged. Bugs discovered via mcp-assert scanning are marked with *.
Merged
| Organization | PR | Lang | Description | Stars |
|---|---|---|---|---|
| Anthropic (MCP Go SDK) | go-sdk#929 | Go | HTTP response body leak in streamable HTTP session close | 4.5K |
| go-containerregistry#2281 | Go | .local FQDN incorrectly treated as non-HTTPS (RFC 6761) | 3.8K | |
| go-containerregistry#2283 | Go | Extract round-trip test for filesystem object preservation | 3.8K | |
| go-containerregistry#2286 | Go | OCI artifact config corruption in mutate package (silent data loss in Cloud Build/Artifact Registry plumbing) | 3.8K | |
| Grafana | mcp-grafana#793 | Go | get_assertions timestamp validation fix | 2.9K |
| Grafana | mcp-grafana#829 | Go | Dynamic server instructions from enabled tool categories (feature) | 2.9K |
| Grafana | mcp-grafana#834 | Go | Sift unchecked type assertion panic | 2.9K |
| Ant Group | mcp-server-chart#292 | TS | 9 tools crash with unhandled exceptions on default input | 4K |
| LangChain | langchain#37037 | Python | Remove dead C#/Elixir separators in RecursiveCharacterTextSplitter | 136K |
| mark3labs (mcp-go SDK) | mcp-go#828 | Go | Redirect hook output to stderr (stdio transport corruption) | 8.7K |
| mark3labs (mcp-go SDK) | mcp-go#838 | Go | Return isError for input validation instead of -32603 | 8.7K |
| mark3labs (mcp-go SDK) | mcp-go#839 | Go | listenForever retries indefinitely on session terminated (404) | 8.7K |
| mark3labs (mcp-go SDK) | mcp-go#849 | Go | Response body leak on 404 in sendHTTP (TCP connection leaked per retry) | 8.7K |
| mark3labs (mcp-go SDK) | mcp-go#852 | Go | Add CloseSessions + fix double-close panic race in SSE shutdown | 8.7K |
| mark3labs (mcp-go SDK) | mcp-go#861 | Go | Transport goroutines lack panic recovery (9 goroutines crash process on panic, found by inspector) | 8.7K |
| mark3labs (mcp-go SDK) | mcp-go#880 | Go | Task goroutine panic recovery + cleanup goroutine leak (found by inspector) | 8.7K |
| mark3labs (mcp-go SDK) | mcp-go#882 | Go | SSE + stdio transport panic recovery (completes #861 coverage, found by inspector) | 8.7K |
| mark3labs (mcp-go SDK) | mcp-go#883 | Go | Session hook goroutine panic recovery (9 goroutines, completes full coverage, found by inspector) | 8.7K |
| Anthropic (MCP Python SDK) | python-sdk#2542 | Python | Broken exception chains in get_prompt and read_resource | 23K |
| Anthropic (MCP PHP SDK) | php-sdk#297 | PHP | URI regex rejects valid RFC 3986 URIs | 1.5K |
| Anthropic (MCP PHP SDK) | php-sdk#301 | PHP | Add missing title field to Resource and ResourceTemplate (spec compliance) | 1.5K |
| Stretchr | testify#1877 | Go | Suite panics when SetupTest skips with HandleStats (runtime.Goexit ordering) | 26K |
| GitHub | github-mcp-server#2511 | Go | Return isError for argument validation failures (co-authored) | 16K |
| Microsoft | winget-pkgs | YAML | Winget manifests for mcp-assert and agent-lsp | 10K |
| sammcj | mcp-devtools#258 | TS | Internal error instead of isError for validation | 152 |
Highlights (open, under review)
| Organization | PR | Lang | Description | Stars |
|---|---|---|---|---|
| hibiken (asynq) | asynq#1133 | Go | Panic recovery for 3 user-provided callbacks (HealthCheckFunc, GroupAggregator, PeriodicTaskConfigProvider) | 13.3K |
| Anthropic (MCP Conformance) | conformance#263 | TS | tier-check reports 0% despite all tests passing (server/client scenario lists swapped) | MCP |
| Anthropic (MCP Go SDK) | go-sdk#913 | Go | Race condition in ClientSession.Close() | 4.5K |
| Anthropic (MCP TS SDK) | typescript-sdk#2013 | TS | Null arguments crash every TS SDK server | 12K |
| Anthropic (MCP Python SDK) | python-sdk#2565 | Python | 12 remaining raise sites missing exception chain (from) | 23K |
| etcd (CNCF) | etcd#21684 | Go | ErrNotPrimary returns wrong gRPC code | 51K |
| Charmbracelet | bubbletea#1687 | Go | ExecProcess leaks View() output to stdout | 42K |
| GitHub | github-mcp-server#2408 | Go | Angle brackets stripped from code blocks | 30K |
| HashiCorp | terraform-provider-aws#47660 | Go | GovCloud crash in Directory Service Data | 10.9K |
| HashiCorp | terraform-provider-aws#47661 | Go | QuickSight theme_arn silently ignored | 10.9K |
| jackc (pgx) | pgx#2546 | Go | BeforeConnect gets bare context from healthcheck | 14K |
| Biome | biome#10151 | Rust | --suppress with --only ignores overrides | 24.5K |
Issues filed
| Organization | Issue | Description | Stars |
|---|---|---|---|
| Anthropic (filesystem) | servers#4095 | 16 required params missing descriptions | 85K |
| GitHub | github-mcp-server#2425 | 112 schema quality issues (20 errors, 92 warnings) | 19K |
| Notion | notion-mcp-server#280 | 8 required params undescribed across 22 tools | 4.2K |
| Bankless | onchain-mcp#21 | All 10 tools return -32603 for missing API token | Web3 |
| Peekaboo | Peekaboo#108 | -32603 for missing Screen Recording permission | Fixed by Peter Steinberger, credited mcp-assert |
| Grafana | mcp-grafana#830 | 72 fuzz crashes on type mismatches | 2.9K |
| Anthropic (MCP Python SDK) | python-sdk#2564 | 12 remaining exception chain sites | 23K |
| Oraios (Serena) | serena#1467 | 9 schema errors, 47 warnings across 29 tools; isError never set for exceptions* | 24K |
| AWS (awslabs/mcp) | awslabs/mcp#3486 | 2,160 schema errors across 43 servers (870 tools); systemic: union types drop type field* | AWS |
| Anthropic (MCP Go SDK) | go-sdk#958 | 9 library goroutines lack panic recovery (can crash host process) | 4.5K |
Other open PRs
| Organization | PR | Lang | Description | Stars |
|---|---|---|---|---|
| Grafana (core) | grafana#124437 , #124440 | Go/TS | 2 PRs: console.log removal, error propagation | 74K |
| sashabaranov | go-openai#1104-1106 | Go | 3 PRs: stream field, ContentFilter pointer, MIME detection | 10.6K |
| Anthropic (servers) | servers#4044, #4051 | TS | blob content type violation + puppeteer crash | 85K |
| MoonshotAI | kimi-cli#2144 | Python | Multiline input text misaligned | 8.3K |
| Charmbracelet | huh#777 | Go | V2 regression: blurred styles not applied | 5.5K |
| pypa | pip#13960 | Python | locale deprecation fix for Python 3.15 | 10K |
| Anthropic (MCP Python SDK) | python-sdk#2511 | Python | Custom content support for ToolError | 23K |
| Anthropic (MCP TS SDK) | typescript-sdk#2019 | TS | Check AbortSignal in handleAutomaticTaskPolling | 12K |
| Tavily | tavily-mcp#162 | TS | Missing API key throws McpError instead of isError | Open |
| dvcrn | mcp-server-linear#5 | TS | 24 tools throw McpError when unauthenticated | Open |
Bugs Filed (fixed by others)
| Project | Description | Outcome |
|---|---|---|
| blazickjp/arxiv-mcp-server#92 | get_abstract returns error content without isError flag | Maintainer fix merged* |
Pending (ready, blocked on process)
| Project | Description | Blocker |
|---|---|---|
| langchain-ai/langchain#36750 | PERL separators + InMemoryCache eviction fix | Awaiting assignment (LangChain requires label before PR) |
| cli/cli#12895 | gh pr status deduplicates cancelled checks with newer success | Awaiting help wanted label |