# fastmcp - Doramagic AI Context Pack > Purpose: pre-work context for the user's host AI. This pack does not prove that the project has been installed, run, or validated. ## Project - canonical_name: `PrefectHQ/fastmcp` - capability: 🚀 The fast, Pythonic way to build MCP servers and clients. - expected_user_outcome: 🚀 The fast, Pythonic way to build MCP servers and clients. ## Operating Boundaries - Do not claim that the project has been installed, run, called through an API, or used on local files unless separate evidence proves it. - Project facts must come from repo evidence, Claim Graph, or explicit source references. - When a capability is not verified, mark it as unverified instead of completing it as fact. - publish_status: `publishable` - blocking_gaps: none --- ## Doramagic Context Augmentation The following sections strengthen the repository context for a host AI. Human Manual data is a reading route, and pitfall notes become operating constraints. ## Human Manual Outline Usage rule: this is only a reading route and salience signal, not factual authority. Concrete claims must still return to repo evidence or Claim Graph. Host AI hard rules: - Do not treat page titles, section order, summaries, or importance values as factual project evidence. - When explaining the Human Manual outline, state that it is only a reading route or salience signal. - Capability, installation, compatibility, runtime state, and risk claims must cite repo evidence, source paths, or Claim Graph. - **Overview and Core Architecture**: importance `high` - source_paths: README.md, fastmcp_slim/fastmcp/__init__.py, fastmcp_slim/fastmcp/server/server.py, fastmcp_slim/fastmcp/server/providers/base.py, fastmcp_slim/fastmcp/server/providers/aggregate.py - **Server Core: Tools, Resources, Prompts, and Middleware**: importance `high` - source_paths: fastmcp_slim/fastmcp/server/providers/local_provider/local_provider.py, fastmcp_slim/fastmcp/server/providers/local_provider/decorators/tools.py, fastmcp_slim/fastmcp/server/providers/local_provider/decorators/resources.py, fastmcp_slim/fastmcp/server/providers/local_provider/decorators/prompts.py, fastmcp_slim/fastmcp/tools/function_tool.py - **Authentication, Providers, and Proxy**: importance `high` - source_paths: fastmcp_slim/fastmcp/server/auth/auth.py, fastmcp_slim/fastmcp/server/auth/oauth_proxy/proxy.py, fastmcp_slim/fastmcp/server/auth/oidc_proxy.py, fastmcp_slim/fastmcp/server/auth/cimd.py, fastmcp_slim/fastmcp/server/auth/redirect_validation.py - **Clients, Apps, Tasks, and Extensibility**: importance `high` - source_paths: fastmcp_slim/fastmcp/client/client.py, fastmcp_slim/fastmcp/client/transports/__init__.py, fastmcp_slim/fastmcp/client/transports/stdio.py, fastmcp_slim/fastmcp/client/transports/http.py, fastmcp_slim/fastmcp/client/transports/sse.py ## Repo Inspection Evidence - repo_clone_verified: true - repo_inspection_verified: true - repo_commit: `3b8538e2422a1c43fdb69661c610de7985b785f2` - inspected_files: `README.md`, `pyproject.toml`, `uv.lock`, `docs/apps/architecture.mdx`, `docs/apps/demos/bar-chart.py`, `docs/apps/demos/contacts.py`, `docs/apps/demos/dashboard.py`, `docs/apps/demos/data-table.py`, `docs/apps/demos/hitchhikers.py`, `docs/apps/demos/pie-chart.py`, `docs/apps/demos/reactive.py`, `docs/apps/demos/team-directory-reactive.py`, `docs/apps/demos/team-directory.py`, `docs/apps/development.mdx`, `docs/apps/examples.mdx`, `docs/apps/fastmcp-app.mdx`, `docs/apps/generative.mdx`, `docs/apps/low-level.mdx`, `docs/apps/overview.mdx`, `docs/apps/prefab.mdx` Host AI hard rules: - Without repo_clone_verified=true, do not claim that the source code has been read. - Without repo_inspection_verified=true, do not write README, docs, or package-file conclusions as facts. - Without quick_start_verified=true, do not claim that the Quick Start path has run successfully. ## Doramagic Pitfall Constraints These rules come from Doramagic discovery, validation, or compilation findings. The host AI must treat them as operating constraints, not background notes. ### Constraint 1: Installation risk requires verification - Trigger: Project evidence flags a installation risk. Review the linked source before relying on this workflow. - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: community_evidence:github | https://github.com/PrefectHQ/fastmcp/issues/4306 - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 2: Installation risk requires verification - Trigger: Project evidence flags a installation risk. Review the linked source before relying on this workflow. - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: community_evidence:github | https://github.com/PrefectHQ/fastmcp/issues/4241 - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 3: Installation risk requires verification - Trigger: Project evidence flags a installation risk. Review the linked source before relying on this workflow. - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: community_evidence:github | https://github.com/PrefectHQ/fastmcp/issues/4300 - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 4: Configuration risk requires verification - Trigger: Project evidence flags a configuration risk. Review the linked source before relying on this workflow. - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: community_evidence:github | https://github.com/PrefectHQ/fastmcp/issues/4321 - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 5: Configuration risk requires verification - Trigger: Project evidence flags a configuration risk. Review the linked source before relying on this workflow. - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: community_evidence:github | https://github.com/PrefectHQ/fastmcp/issues/4305 - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 6: Maintenance risk requires verification - Trigger: Project evidence flags a maintenance risk. Review the linked source before relying on this workflow. - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: community_evidence:github | https://github.com/PrefectHQ/fastmcp/issues/4326 - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 7: Security or permission risk requires verification - Trigger: Developers should check this security_permissions risk before relying on the project: No guardrails against destructive tool capabilities (shell exec, file deletion, env access) - Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: No guardrails against destructive tool capabilities (shell exec, file deletion, env access). Context: Observed when using python - Why it matters: Developers may expose sensitive permissions or credentials: No guardrails against destructive tool capabilities (shell exec, file deletion, env access) - Evidence: failure_mode_cluster:github_issue | https://github.com/PrefectHQ/fastmcp/issues/4318 - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 8: Security or permission risk requires verification - Trigger: Developers should check this security_permissions risk before relying on the project: on_message middleware not called for unauthenticated requests - Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: on_message middleware not called for unauthenticated requests. Context: Observed when using python, linux - Why it matters: Developers may expose sensitive permissions or credentials: on_message middleware not called for unauthenticated requests - Evidence: failure_mode_cluster:github_issue | https://github.com/PrefectHQ/fastmcp/issues/4309 - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 9: Security or permission risk requires verification - Trigger: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow. - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: community_evidence:github | https://github.com/PrefectHQ/fastmcp/issues/4318 - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it. ### Constraint 10: Security or permission risk requires verification - Trigger: Project evidence flags a security or permission risk. Review the linked source before relying on this workflow. - Host AI rule: Reproduce the official install and quickstart path in an isolated environment. - Why it matters: May increase setup, validation, or first-run risk for the user. - Evidence: community_evidence:github | https://github.com/PrefectHQ/fastmcp/issues/4320 - Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.