惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
Cisco Blogs
NISL@THU
NISL@THU
G
GRAHAM CLULEY
T
Threatpost
I
Intezer
D
Darknet – Hacking Tools, Hacker News & Cyber Security
P
Proofpoint News Feed
L
Lohrmann on Cybersecurity
Cisco Talos Blog
Cisco Talos Blog
P
Privacy & Cybersecurity Law Blog
Security Latest
Security Latest
P
Palo Alto Networks Blog
L
LINUX DO - 热门话题
Cyberwarzone
Cyberwarzone
AI
AI
Help Net Security
Help Net Security
Forbes - Security
Forbes - Security
T
The Exploit Database - CXSecurity.com
月光博客
月光博客
The GitHub Blog
The GitHub Blog
aimingoo的专栏
aimingoo的专栏
C
CERT Recently Published Vulnerability Notes
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events
N
News and Events Feed by Topic
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Scott Helme
Scott Helme
A
About on SuperTechFans
N
Netflix TechBlog - Medium
TaoSecurity Blog
TaoSecurity Blog
V
V2EX
MongoDB | Blog
MongoDB | Blog
AWS News Blog
AWS News Blog
Google DeepMind News
Google DeepMind News
Google Online Security Blog
Google Online Security Blog
O
OpenAI News
Y
Y Combinator Blog
S
Securelist
GbyAI
GbyAI
D
Docker
SecWiki News
SecWiki News
The Hacker News
The Hacker News
有赞技术团队
有赞技术团队
T
Tenable Blog
WordPress大学
WordPress大学
S
SegmentFault 最新的问题
P
Privacy International News Feed
S
Security Affairs
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Hacker News - Newest:
Hacker News - Newest: "LLM"
H
Hackread – Cybersecurity News, Data Breaches, AI and More

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
Building an E-Commerce SaaS with MCPify: A Real-World Use Case
fred · 2026-06-17 · via DEV Community

Building an E-Commerce SaaS with MCPify: A Real-World Use Case

If you've ever tried to make an existing application work with AI agents, you know the pain. It's not the AI that's hard — it's the plumbing. You spend days writing boilerplate MCP (Model Context Protocol) tools, wrapping every endpoint, every database query, every UI action into something an agent can call. And the moment your app changes, everything drifts out of sync. I've been there, and honestly, it sucks.

That's why when I came across MCPify, I was skeptical but intrigued. The pitch is bold: "Stop hand-writing MCP tools. Compile your stack once. Stay in sync forever." It claims to scan your actual codebase — backend services, frontend components, API specs, database schemas — and produce a fully runnable MCP server automatically. No boilerplate. No manual tool definitions.

I decided to put it to the test with a real-world scenario: taking an existing e-commerce SaaS application and making it agent-operable in minutes, not days. Here's what happened.

The Problem: Every App Is a Black Box to Agents

Modern software is built for humans. Buttons, forms, dashboards — all designed for eyeballs and mouse clicks. AI agents don't have those. They need structured, callable interfaces: tools with defined inputs, outputs, and permissions.

The standard approach today involves either:

  • Hand-writing MCP tools for every action you want an agent to take — tedious, error-prone, and maintenance-heavy
  • Browser automation (Puppeteer, Playwright scripts) — brittle, slow, and breaks on every UI change
  • Raw API exposure — gives agents too much power with too little context

None of these scale. When your app has 50+ backend functions, 20+ UI actions, and a database with 15 tables, manually creating MCP tools for all of them is a non-starter. You either ship incomplete agent access or you sink weeks into tooling.

What MCPify Actually Does

MCPify calls itself an "AI enablement compiler," and that's a pretty accurate description. It takes your application source code and compiles it into MCP server artifacts — tools, resources, prompts, workflows, and permission metadata — without you writing a single line of MCP boilerplate.

Here's the architecture at a high level:

  1. Analyzers — Specialized modules that scan different parts of your codebase
  2. Schema Engine — Maps your data models (Prisma, Drizzle, Mongoose) into queryable agent surfaces
  3. MCP Generator — Produces a runnable MCP server from the analysis
  4. Permission Layer — Enforces scopes, roles, and audit trails at the tool boundary
  5. Sync Engine — Regenerates tools whenever your code changes

What sets it apart from rolling your own solution is the breadth of analysis. MCPify doesn't just look at your API routes. It digs into backend services (AST analysis of controllers, services, and routes), frontend components (React, Vue, Svelte), OpenAPI specs, database schemas, event systems (webhooks, queues, pub/sub), and even multi-step workflows.

Architecture & Approach: How It Works Under the Hood

For our e-commerce SaaS example, the app has:

  • Backend services: orders.ts (15+ functions like checkoutCart, refundOrder, processPayment), products.ts, support.ts
  • A React frontend with cart, checkout, and admin components
  • An OpenAPI spec at openapi.json
  • A Prisma schema defining the database models
  • Event hooks and workflow patterns (like "refund and notify")

MCPify's backend analyzer performs deep AST traversal on the TypeScript services. It picks up every exported function, its JSDoc comments, parameter types, return types — and maps them directly to MCP tool definitions. Here's the clever bit: because the analysis is based on the actual source code, the generated tools are always accurate. If you rename a function, add a parameter, or change a return type, the MCP server updates on the next compile.

The frontend analyzer is particularly interesting. It scans JSX/TSX components for interactive elements — buttons, forms, modals — and extracts them as "UI actions" that an agent can trigger. For our e-commerce app, it discovered checkoutCart, applyDiscountCode, and removeItemFromCart directly from the Cart component.

Then there's the workflow engine. MCPify detected completePurchase and resolveRefund as multi-step workflows because they chain multiple backend calls together. Each became a single MCP tool that an agent can invoke to execute an entire business process atomically.

Step-by-Step: Making an E-Commerce SaaS Agent-Operable

Let me walk you through exactly how this plays out in practice. I ran MCPify against the e-commerce example from the repository.

1. Install and Run

You don't even need to install it. The quickest path is via npx:

npx mcpify-cli analyze ./examples/ecommerce-saas \
  --output ./examples/ecommerce-saas/.mcpify \
  --prisma ./examples/ecommerce-saas/prisma/schema.prisma \
  --swagger ./examples/ecommerce-saas/openapi.json

That's one command. It runs the full pipeline: backend analysis, OpenAPI parsing, Prisma schema mapping, frontend extraction, workflow detection, permission classification, and MCP server generation.

2. What Gets Generated

After analyze completes, the output directory contains:

  • An MCP server (server.ts or compiled JS) with all tools auto-registered
  • Tool definitions — every backend function, API endpoint, and UI action becomes a callable MCP tool
  • Database tools — CRUD operations derived from the Prisma schema
  • Workflow tools — multi-step processes exposed as single atomic actions
  • Permission configs — scopes, roles, and audit rules
  • AGENTS.md — documentation on how to connect any MCP client to the server

3. Connecting to an Agent

Start the generated server:

cd ./examples/ecommerce-saas
npx @mcpified/server

Then point any MCP client at it — Claude Code, Codex, or a custom agent. The agent suddenly has access to:

Backend: getOrderById, refundOrder, cancelOrder, processPayment, assignOrderToAgent...
Frontend: checkoutCart, applyDiscountCode, removeItemFromCart...
API: GET /orders/{id}, POST /orders/{id}/refund...
Database: listProducts, queryOrders, getCustomerByEmail...
Workflows: completePurchase, resolveRefund...

Every tool comes with auto-generated descriptions, parameter schemas, and type information. The agent understands what each tool does without any hand-written documentation.

4. Real Agent Interaction

Here's what an actual conversation looks like after connecting the generated server to a Codex-like agent:

User: "What customer-facing actions are available from the cart UI?"

Agent: Inspects tools and reports: checkoutCart(customerId), applyDiscountCode(customerId, code), removeItemFromCart(customerId, productId).

User: "Show me pending orders."

Agent: Calls getOrdersByStatus('pending') — returns real order data from the service layer.

User: "Refund order_001."

Agent: Calls refundOrder('order_001'). Returns updated order with refund status.

User: "Run the refund-and-notify workflow for order_001."

Agent: Calls the resolveRefund workflow tool, which internally chains refundOrder and sendMessage — all as a single atomic operation.

This isn't a simulation. These are real function calls against the actual service code. The agent is operating your production application through the exact same code paths a human developer would use.

Production Considerations

Before you run this in production, there are a few things to think through.

Permission scoping. MCPify's permission layer lets you assign roles and scopes to generated tools. A read-only agent shouldn't be able to call refundOrder. The permission configs generated during analysis give you hooks to enforce this, but you need to define the actual policies.

Rate limiting and audit trails. The generated server doesn't include rate limiting out of the box — you'll want to wrap it in your own middleware for production use. Audit logging is partially handled by the permission layer, but you should consider comprehensive request logging for compliance.

Database connectivity. By default, the e-commerce demo uses an in-memory store. For production, set DATABASE_URL and MCPIFY_DATABASE_MODE=prisma to wire it to your real database. The schema engine adapts automatically.

Frontend execution. The frontend tools return an automation plan by default. To execute actions in a real browser, install Playwright and set MCPIFY_FRONTEND_BASE_URL. This is useful for testing but introduces browser automation fragility in production — consider whether you really need UI-level actions or if backend/API equivalents suffice.

CI/CD integration. This is where MCPify really shines. Wire the analyze command into your CI pipeline so MCP tools regenerate on every commit. Schema changes, new endpoints, renamed services — everything stays in sync automatically. No more "the agent broke because we renamed the checkout function."

Competitor comparison. How does MCPify stack up against alternatives? The main options are:

  • Manual MCP tooling (hand-written servers) — gives you full control but doesn't scale beyond a handful of tools
  • OpenAPI-to-MCP converters (like mcp-openapi) — great for REST APIs but miss frontends, databases, and workflows
  • Browser automation tools (Playwright MCP, Puppeteer MCP) — work for UI but are slow and brittle for backend operations

MCPify is the only tool I've seen that combines backend, frontend, database, API, and workflow analysis into a single pipeline. The trade-off is that it requires your codebase to be well-structured (TypeScript, standard patterns) for the analyzers to work effectively. If you're using a non-standard framework or dynamically generated routes, you may need to supplement with manual definitions.

What I Learned From Shipping This

The biggest surprise was how little configuration was needed. The e-commerce example went from source code to a working MCP server with zero hand-edited tool definitions. The workflow detection found completePurchase and resolveRefund automatically because they chain multiple service calls — I didn't have to annotate them as workflows.

The permission layer is a different story. The generated config correctly identified admin actions (refundOrder, cancelOrder) as high-sensitivity, but I still had to define the actual access control policies. That feels like the right trade-off — the tool does the discovery and classification, but you make the security decisions.

The sync engine is the killer feature. In a real team setting, where services get refactored weekly, the ability to regenerate MCP definitions on every CI run eliminates the drift problem entirely. One of the demos I found online shows exactly this pattern — teams running mcpify analyze as part of their build pipeline and never thinking about MCP maintenance again.

There's also a growing ecosystem forming around MCPify. The GitHub repository has active discussions about new analyzers (GraphQL support is in the works) and the simulate command lets you test your agent surface against AI simulations before shipping — a nice safety net for production deployments.

Ready to Make Your App Agent-Operable?

Give MCPify a try on your own codebase. The quickest path is literally one command:

npx mcpify-cli analyze ./your-app

Download the tool from GitHub, run the e-commerce demo, or just drop it on your project and see what it discovers. The compile step takes seconds, and you get a full MCP server with tools, permissions, and workflows — all derived from code you already wrote.

Try MCPify on GitHub →

Want to see the complete walkthrough with more detail? Check out the full demo documentation on the e-commerce SaaS example.

And if you're evaluating different approaches, I also wrote up a comparison guide covering MCPify vs. manual MCP tooling and browser automation — read it here.

Frequently Asked Questions

Does MCPify work with any programming language?
Right now, the deepest analysis targets TypeScript and JavaScript (Node.js), with AST-level backend and frontend analysis. OpenAPI-based analysis is language-agnostic — if your app has an OpenAPI spec, MCPify can generate tools from it regardless of your backend language. Prisma schema analysis also works independently.

Will MCPify modify my source code?
No. MCPify is a read-only compiler. It scans your codebase and generates MCP artifacts in a separate output directory. Your source files stay completely untouched. The only thing you add is the generated server as a dev dependency.

How do I handle authentication and authorization for the MCP server?
The generated permission layer creates scopes and role definitions based on the analysis, but you need to wire them to your auth provider. Think of it as MCPify drawing the security blueprint — you still need to set the locks. The permission configs are designed to integrate with standard middleware patterns.

What happens when my API changes? Does the MCP server break?
This is the core value proposition. Instead of manually updating MCP tool definitions when your API changes, you re-run mcpify analyze. The sync engine regenerates everything from your current code. Wire it into CI/CD, and your MCP server is always up to date with zero manual effort.

Can I use MCPify with databases other than Prisma?
Yes. MCPify supports Prisma, Drizzle, and Mongoose schemas out of the box. The schema engine adapts its generated tools based on the database ORM it detects. If your schema isn't covered, you can still use the backend and API analyzers — they don't depend on database-level analysis.

Conclusion

Making your application operable by AI agents doesn't have to mean weeks of boilerplate or brittle browser scripts. MCPify's compiler-based approach turns your existing codebase into a rich MCP surface in minutes, with automatic sync baked in. The e-commerce example proves it works end-to-end — backend functions, frontend actions, database queries, and multi-step workflows all become first-class agent tools without a single line of hand-written MCP code.

If you're building agent-integrated applications or modernizing an existing SaaS for AI access, this is worth your time. Stop writing MCP tools by hand. Compile your stack once, and let your agents actually use your application the way it was meant to work.

For more context, here's the full MCPify documentation on GitHub, and I also cross-posted a shorter overview on Dev.to if you want the tl;dr version.