Expand description
Sumac (sxmc) is a native Rust toolkit that brings out what your tools can
do: skills become MCP servers, MCP servers become terminal workflows, and
APIs become CLIs.
MCP is an open standard for connecting AI assistants to external tools and data sources. Sumac removes the need to write separate adapters for each surface by providing one binary that handles all three while reducing wrapper sprawl, keeping discovery narrower, and making the same capabilities reusable across agents, shells, and hosted MCP clients:
- Skills → MCP server — serve skill directories as stdio or HTTP MCP endpoints
- MCP server → CLI — turn any MCP server into command-line tools
- API → CLI — auto-detect OpenAPI or GraphQL specs and execute operations with JSON or TOON-style structured output
- CLI → AI surfaces — inspect a real CLI into a normalized profile, then generate startup-facing docs and host config scaffolds
The crate powers the sxmc binary, but it also exposes the building blocks
that the CLI uses internally. That makes it useful if you want to embed
skill discovery, MCP serving, API introspection, or security scanning in a
Rust application of your own.
§What Sumac does
Sumac treats a skills directory as structured input:
- each
SKILL.mdbody becomes an MCP prompt - each file in
scripts/becomes an MCP tool - each file in
references/becomes an MCP resource - hybrid retrieval tools are added for broad client compatibility
It also includes clients for:
- local stdio MCP servers
- remote streamable HTTP MCP servers
- OpenAPI documents
- GraphQL endpoints
§Module Guide
skillsdiscovers and parses skillsserverturns parsed skills into an MCP serverclientconnects to MCP, OpenAPI, and GraphQL sourcescli_surfacesinspects CLIs and generates startup-facing AI artifactssecurityscans skills and MCP surfaces for common risksbakestores reusable connection definitionsauthresolves secrets from environment variables and files
§Typical CLI Flows
The crate is primarily exercised through the sxmc binary:
sxmc serve --paths ./skills
sxmc stdio "sxmc serve --paths ./skills" --list
sxmc http http://127.0.0.1:8000/mcp --list
sxmc api ./openapi.json --list
sxmc scan --paths ./skills
sxmc inspect cli gh --format toon§Embedding in Rust
A minimal server setup looks like:
use std::path::PathBuf;
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
let paths = vec![PathBuf::from("./skills")];
let discovery_snapshots = Vec::<PathBuf>::new();
sxmc::server::serve_stdio(&paths, &discovery_snapshots, false).await?;
Ok(())
}For remote serving, use server::serve_http.
§Security
sxmc includes native scanners for:
- prompt injection patterns
- hidden Unicode characters and homoglyphs
- embedded secrets
- dangerous script patterns
- suspicious MCP tool descriptions and responses
The CLI exposes these through sxmc scan, and the underlying types are in
security.
§Acknowledgements
sxmc was informed in part by prior work such as
skill-to-mcp, which
helped demonstrate the value of exposing skill collections through MCP.
Modules§
- auth
- Secret resolution helpers used by CLI and client configuration flows. Authentication and secret resolution utilities.
- bake
- Saved connection definitions for MCP servers and APIs. Persistent saved connection configs.
- cache
- Lightweight filesystem cache utilities.
- cli_
surfaces - CLI inspection and CLI->AI surface generation helpers.
- client
- MCP, OpenAPI, and GraphQL client adapters. Client adapters for MCP servers and API surfaces.
- discovery_
snapshots - Saved discovery snapshot loading and resource helpers.
- error
- Shared error types used across the crate.
- executor
- Process execution helpers for script-backed tools.
- output
- Output formatting helpers for CLI rendering.
- paths
- Path resolution helpers for config/cache storage.
- security
- Security scanners and finding/report models. Security scanning primitives for skills and MCP servers.
- server
- MCP server construction and transport serving. MCP server construction and transport serving.
- skills
- Skill discovery, parsing, and generation. Skill discovery, parsing, and generation.