Fluid Forge
Why Forge
Concepts
Get Started
  • Consume a Data Product
  • See it run
  • Demos
  • Local (DuckDB)
  • Source-Aligned (Postgres → DuckDB)
  • AI Forge + Data Models
  • MCP Output Port — Serve to AI Agents
  • GCP (BigQuery)
  • Snowflake Team Collaboration
  • Declarative Airflow
  • Orchestration Export
  • Jenkins CI/CD
  • Universal Pipeline
  • 11-Stage Production Pipeline
  • Catalog Forge End-to-End
CLI Reference
  • Agent Policy (concept)
  • MCP Output Port — Serve to Agents
  • MCP deep-dive
  • AI-assisted authoring
  • LLM providers & backends
  • Overview
  • Quickstart
  • Examples
  • Your own CI
  • Your own scaffolding
  • Custom validator
  • Apply hook
  • Reference
  • Overview
  • Architecture
  • GCP (BigQuery)
  • AWS (S3 + Athena)
  • Snowflake
  • Local (DuckDB)
  • Custom Providers
  • Roadmap
GitHub
Why Forge
Concepts
Get Started
  • Consume a Data Product
  • See it run
  • Demos
  • Local (DuckDB)
  • Source-Aligned (Postgres → DuckDB)
  • AI Forge + Data Models
  • MCP Output Port — Serve to AI Agents
  • GCP (BigQuery)
  • Snowflake Team Collaboration
  • Declarative Airflow
  • Orchestration Export
  • Jenkins CI/CD
  • Universal Pipeline
  • 11-Stage Production Pipeline
  • Catalog Forge End-to-End
CLI Reference
  • Agent Policy (concept)
  • MCP Output Port — Serve to Agents
  • MCP deep-dive
  • AI-assisted authoring
  • LLM providers & backends
  • Overview
  • Quickstart
  • Examples
  • Your own CI
  • Your own scaffolding
  • Custom validator
  • Apply hook
  • Reference
  • Overview
  • Architecture
  • GCP (BigQuery)
  • AWS (S3 + Athena)
  • Snowflake
  • Local (DuckDB)
  • Custom Providers
  • Roadmap
GitHub
  • Introduction

    • Home
    • Why Fluid Forge
    • Getting Started
    • Snowflake Quickstart
    • See it run
    • Forge Data Model
    • Vision & Roadmap
    • Playground
    • FAQ
  • Concepts

    • Concepts
    • Builds, Exposes, Bindings
    • What is a contract?
    • Quality, SLAs & Lineage
    • Governance & Policy
    • Agent Policy (LLM/AI governance)
    • Providers vs Platforms
    • Fluid Forge vs alternatives
  • Data Products

    • Consume a Data Product
    • Product Types — SDP, ADP, CDP
  • Walkthroughs

    • Walkthrough: Local Development
    • Source-Aligned: Postgres → DuckDB → Parquet
    • AI Forge And Data-Model Journeys
    • Walkthrough: MCP Output Port
    • Walkthrough: Deploy to Google Cloud Platform
    • Walkthrough: Snowflake Team Collaboration
    • Declarative Airflow DAG Generation - The FLUID Way
    • Generating Orchestration Code from Contracts
    • Jenkins CI/CD for FLUID Data Products
    • Universal Pipeline
    • The 11-Stage Pipeline
    • End-to-End Walkthrough: Catalog → Contract → Transformation
  • CLI Reference

    • CLI Reference
    • Core workflow

      • fluid init
      • fluid demo
      • fluid forge
      • fluid validate
      • fluid plan
      • fluid apply
      • fluid diff
      • fluid status
    • Build & ship

      • fluid bundle
      • fluid generate
      • fluid generate artifacts
      • fluid validate-artifacts
      • fluid verify-signature
      • fluid generate iac
      • fluid generate-airflow
      • fluid generate-pipeline
      • fluid viz-graph
      • fluid publish
      • fluid ship
      • fluid rollback
      • fluid schedule-sync
    • AI & Agents

      • fluid ai
      • fluid agents
      • fluid mcp
      • fluid memory
      • fluid stats
      • fluid skills
    • Quality & governance

      • fluid test
      • fluid verify
      • fluid contract-tests
      • fluid contract-validation
      • fluid policy
      • fluid policy check
      • fluid policy compile
      • fluid policy apply
    • Standards & interoperability

      • fluid odps
      • fluid odps-bitol
      • fluid odcs
      • fluid export
      • fluid export-odps
      • fluid exporters
      • fluid import
      • fluid market
      • fluid datamesh-manager
    • Project & workspace

      • fluid product-new
      • fluid product-add
      • fluid workspace
      • fluid contract
      • fluid split
      • fluid config
      • fluid providers
      • fluid plugins
      • fluid provider-init
      • fluid auth
      • fluid secrets
      • fluid ide
      • fluid scaffold-ci
      • fluid scaffold-composer
      • fluid scaffold-ide
      • fluid docs
      • fluid runs
      • fluid retention
      • fluid describe
      • fluid doctor
      • fluid roadmap
      • fluid version
    • Catalog adapters

      • Source Catalog Integration (V1.5)
      • Publishing to a Catalog — Overview
      • BigQuery Catalog
      • Snowflake Horizon Catalog
      • Databricks Unity Catalog
      • Google Dataplex Catalog
      • AWS Glue Data Catalog
      • DataHub Catalog
      • Data Mesh Manager Catalog
      • OpenMetadata Catalog
    • CLI by task

      • CLI by task
      • Add quality rules
      • Add agent governance
      • Debug a failed pipeline run
      • Switch clouds with one line
  • Recipes

    • Recipes
    • Recipe — add a quality rule
    • Recipe — switch clouds with one line
    • Recipe — tag PII in your schema
    • Write a contract that consumes another contract
    • Generate per-environment overlays
  • SDK & Plugins

    • SDK & Plugins
    • Quickstart — your first plugin
    • Examples

      • Runnable examples
      • Example: hello-scaffold — the minimal viable plugin
      • Example: gitlab-ci-scaffold — generate a complete CI project
      • Example: steward-validator — a custom governance rule
      • Example: prod-key-guard — apply-time invariant check
    • Journeys

      • Journeys
      • Your own CI/CD

        • You have your own CI/CD setup, no problem
        • GitLab CI — the bundle template
        • GitHub Actions — the bundle template
        • Jenkins — the bundle template
        • CircleCI — the bundle template
      • You have a strict project layout, no problem
      • You have governance rules, no problem
      • You want a check at apply time, no problem
    • Reference

      • Reference
      • Roles reference
      • Entry points reference
      • Trust model
      • Packaging
      • Companion packages
  • Providers

    • Providers
    • Provider Architecture
    • GCP Provider
    • AWS Provider
    • Snowflake Provider
    • Local Provider
    • Creating Custom Providers
    • Provider Roadmap
  • AI & Agents

    • MCP Server
    • Built-in And Custom Forge Guidance
    • Forge Discovery Guide
    • Forge Memory Guide
    • Authoring Forge Tools
    • Guided fluid forge UX
    • LLM Providers
    • LiteLLM Backend
    • Capability Warnings
    • Cost Tracking
    • FLUID Forge Contract GPT Packet
    • Agentic Primitives
  • Operate & Deploy

    • Airflow Integration
    • Blueprints
    • Source-Aligned Acquisition
  • Govern & Secure

    • Governance, Compliance & the Business Case
    • Governance & Compliance
    • Network Safety
    • Credential Resolver — Security Model
  • Configuration & Reference

    • Environment Variables
    • Typed Errors
    • Typed CLI Errors
    • API Stability — fluid_build.api
  • Architecture & Releases

    • V1.5 Catalog Integration — Architecture Deep-Dive
    • V1.5 + V2 Hardening — Release Notes
  • Project

    • Contributing to Fluid Forge
    • Fluid Forge Docs Baseline: CLI 0.9.0
    • Fluid Forge Docs Baseline: CLI 0.8.11
    • Fluid Forge Docs Baseline: CLI 0.8.10
    • Fluid Forge Docs Baseline: CLI 0.8.9
    • Fluid Forge Docs Baseline: CLI 0.8.8
    • Fluid Forge Docs Baseline: CLI 0.8.7
    • Fluid Forge Docs Baseline: CLI 0.8.6
    • Fluid Forge Docs Baseline: CLI 0.8.5
    • Fluid Forge Docs Baseline: CLI 0.8.4
    • Fluid Forge Docs Baseline: CLI 0.8.3
    • Fluid Forge Docs Baseline: CLI 0.8.0
    • Fluid Forge Docs Baseline: CLI 0.7.11
    • Fluid Forge Docs Baseline: CLI 0.7.9
    • Fluid Forge v0.7.1 - Multi-Provider Export Release

fluid mcp

fluid mcp exposes Fluid Forge over the Model Context Protocol so MCP-compatible clients (Claude Code, Claude Desktop, Cursor, Continue, VS Code, MCP Inspector, and your own agents) can talk to it. There are two distinct servers under this command, with two different threat models:

ServerAudienceWhat it serves
fluid mcp serveProducer — a data engineer authoring contractsForge authoring tools: inspect, validate, and carefully edit forge artifacts (16 typed tools, including forge_run).
fluid mcp output-port serveConsumer — an AI agent reading a published data productRead-only data-access tools (describe / sample / query / gated query_sql) bound to one expose of a contract, with contract-driven governance enforced on every call.

Which one do I want?

If you are building a data product and want an editor's AI to help write the contract, use fluid mcp serve. If you have a published data product and want an agent to safely query it, use fluid mcp output-port serve. The output port is the flagship capability for serving published products to agents — see the output-port deep dive and the end-to-end walkthrough.

fluid mcp                       # interactive guide (no subcommand → friendly panel)
fluid mcp serve [...]           # producer-side authoring server
fluid mcp output-port serve ... # consumer-side data-access server

Producer: fluid mcp serve

Run the authoring MCP stdio server so an MCP client can inspect, validate, and edit forge artifacts. It is a foreground process — no daemon, no HTTP port, no background service.

Syntax

fluid mcp serve [--read-only]
fluid mcp serve [--allow-tools TOOL[,TOOL...]] [--deny-tools TOOL[,TOOL...]]
fluid mcp serve [--readable-paths PATH[,PATH...]] [--writable-paths PATH[,PATH...]]
fluid mcp serve [--writable-namespaces NS[,NS...]] [--allow-inline-credentials]

Recommended start

For review-only client sessions:

FLUID_QUIET=1 fluid mcp serve --read-only

For a scoped workspace where the client may update generated model sidecars and regenerate artifacts:

FLUID_QUIET=1 fluid mcp serve \
  --readable-paths ./forge-output \
  --writable-paths ./forge-output \
  --writable-namespaces history,audit

FLUID_QUIET=1 keeps stdout reserved for MCP JSON-RPC frames.

Access controls

FlagPurpose
--read-onlyReject all mutating tools.
--allow-toolsAdvertise and allow only the named tools.
--deny-toolsBlock the named tools; denial wins over allow.
--readable-pathsLimit path-based read tools to these roots. Default: current working directory.
--writable-pathsLimit file writes to these roots. Default: current working directory.
--writable-namespacesLimit staged-store writes to these namespaces. Default: history,audit.
--allow-inline-credentialsPermit MCP clients to pass raw catalog credentials via credentials.inline. OFF by default — turn on only for trusted in-process CLI harnesses.

Inline catalog credentials are blocked by default. Configure source credentials outside MCP and pass credential ids from the client.

Server internals

fluid mcp serve is built on the official MCP Python SDK (FastMCP) and speaks MCP protocol version 2025-06-18. It advertises 16 typed tools — including forge_run, which can drive a full forge from inside the client. Each tool carries an MCP inputSchema, so clients can offer typed autocomplete and validate arguments before dispatch. See the Advanced MCP server guide for the complete authoring-tool catalog and the LLM sampling backchannel.


Consumer: fluid mcp output-port serve

Bind one expose from a FLUID contract and serve it to MCP clients as a governed, read-only data port. This is distinct from fluid mcp serve, which exposes authoring tools — the output port queries production data, so its threat model and policy surface differ entirely.

The server is read-only by default and exposes a deliberately small surface: an agent can describe the data product, sample a few rows, and run a predeclared semantic query. Free-form SQL (query_sql) is OFF unless you opt in with --allow-sql.

The output-port subcommands

fluid mcp output-port list   <contract>   # list the exposes this server can serve
fluid mcp output-port doctor <contract>   # preflight: load the driver, run a health check
fluid mcp output-port serve  <contract>   # run the MCP server bound to one expose
  • list prints every expose with its kind, binding platform/format, resolved table reference, and which optional tools each one exposes (semantics ⇒ query is advertised). Add --json for machine-readable output.
  • doctor loads the engine driver for one expose and runs its health_check (a cheap SELECT 1 round-trip). Run it before wiring a client so credential / network / binding issues surface as a clear preflight failure instead of a failed tools/call. Add --json for machine-readable output.

serve syntax

fluid mcp output-port serve <contract> [options]

The only positional argument is the path to the FLUID contract YAML (or fragment) to serve.

# Minimal — one expose in the contract, stdio transport, read-only.
fluid mcp output-port serve ./contract.fluid.yaml

# Bind a specific expose by id.
fluid mcp output-port serve ./contract.fluid.yaml --expose-id customer_segments

# Enable free-form SQL for a trusted internal copilot.
fluid mcp output-port serve ./contract.fluid.yaml --allow-sql

# Serve over HTTP/SSE for a network deployment (front with a proxy — see below).
fluid mcp output-port serve ./contract.fluid.yaml \
  --transport http --host 127.0.0.1 --port 8765

Auto-selected expose

--expose-id is optional when the contract contains exactly one expose — the server picks it automatically and logs auto-selected expose '<id>' to stderr so the choice is visible in client logs.

serve flags

FlagDefaultWhat it does
--expose-id EXPOSE_IDautoexposeId (from contract.exposes[].exposeId) to bind the server to. Optional with exactly one expose.
--env ENVIRONMENTnoneEnvironment overlay name passed to the contract loader so per-environment overrides apply (matches fluid plan / fluid apply).
--allow-tools TOOL[,TOOL...]allAllowlist of tool names. Tools outside the list are blocked and hidden from tools/list.
--deny-tools TOOL[,TOOL...]noneBlocklist of tool names. Evaluated before --allow-tools so denial wins.
--readable-paths PATH[,PATH...]contract dirFilesystem roots the server may read from (today only the contract YAML; reserved for future tools). Defaults to the directory of the contract argument.
--allow-sqlOFFEnable the free-form query_sql tool. Even when on, every statement passes through the SQL-safety allowlist. Use only with trusted internal copilots.
--max-sample-rows N100Hard cap on rows returned by sample. Asking for more silently returns the cap.
--query-timeout-seconds SEC60Statement timeout passed to the engine driver where supported (Snowflake, BigQuery).
--transport {stdio,http}stdioMCP transport. stdio for desktop tool integrations; http for MCP-SSE on --host:--port.
--host HOST127.0.0.1Bind host for --transport http.
--port PORT8765Bind port for --transport http.
--allow-models MODEL[,MODEL...]contractOverride agentPolicy.allowedModels. The caller's model_id (declared at MCP initialize) must be in this list. When unset, the contract value is used.
--deny-models MODEL[,MODEL...]contractOverride agentPolicy.deniedModels. Evaluated before the allowlist so denial wins.
--allow-use-cases USE_CASE[,...]contractOverride agentPolicy.allowedUseCases. The caller's useCase (declared at initialize) must be in this list.
--deny-use-cases USE_CASE[,...]contractOverride agentPolicy.deniedUseCases. Evaluated before the allowlist so denial wins.

HTTP transport has no built-in auth flag

There is no --auth-token flag. When --transport http is used, authentication is configured through environment variables (FLUID_MCP_AUTH_TOKEN for a shared bearer token, or FLUID_MCP_AUTH_MODE=jwt for JWT). With no auth configured the gateway binds --host:--port unauthenticated and warns loudly at startup. Always front the HTTP transport with an mTLS / OAuth reverse proxy for production — see the Caddy / nginx templates and the full auth-mode reference in the deep dive.

The four agent tools

The output port advertises a precise, bounded surface derived from the bound expose's shape. The query tool is only advertised when the expose declares a semantics block; query_sql is only advertised with --allow-sql.

ToolAlways on?ArgumentsWhat it does
describeyesnoneReturns the bound expose's metadata: contract.schema, semantics, binding (platform / format / table reference / dialect / capabilities), and the agentPolicy block. No engine round-trip.
sampleyeslimit (≤ --max-sample-rows)Returns up to --max-sample-rows rows. Restricted columns are dropped; PII/PHI columns are redacted to [REDACTED-PII]; per-tenant rowFilters are applied.
querywhen semantics presentmetric or measure, optional dimensions[], optional filters{}, optional limitRuns a predeclared semantic query. Pick a metric or measure from expose.semantics, group by zero or more dimensions, optionally filter on dimension keys. The server compiles to parameterised SQL — preferred over query_sql.
query_sqlonly with --allow-sqlsql (SELECT only), optional limitRuns caller-supplied SELECT SQL against the bound expose. Refuses any statement referencing a restricted or PII column (aliasing does not bypass the mask). A server-side LIMIT is always appended.

Every tool ships an MCP inputSchema, so MCP clients can drive typed autocomplete and validate arguments before dispatch. Each tools/call is checked against the contract's agentPolicy (allowed/denied models + use-cases), the tool allow/deny lists, a sliding-window rate limit, a token budget, a circuit breaker, and a concurrency cap — see the deep dive for the full enforcement order.

Wire it to a client

{
  "mcpServers": {
    "customer-segments": {
      "command": "fluid",
      "args": [
        "mcp", "output-port", "serve",
        "/abs/path/to/contract.fluid.yaml"
      ],
      "env": { "FLUID_QUIET": "1" }
    }
  }
}

FLUID_QUIET=1 is important because stdout is reserved for MCP JSON-RPC frames; all human-facing notices go to stderr.


Related guides

  • Advanced MCP server guide — runtime governance, auth modes, drivers, IAM compilers, rate-limit / circuit-breaker / audit internals.
  • Walkthrough: MCP output port — serve the example DuckDB product end-to-end and watch PII masking + an agentPolicy deny in action.
  • AI Forge And Data-Model Journeys
  • Forge Memory Guide
Edit this page on GitHub
Last Updated: 6/25/26, 10:06 PM
Contributors: fas89, Claude Opus 4.7, Claude Opus 4.7 (1M context)
Prev
fluid agents
Next
fluid memory