Skip to content
STACK / CONTROL PLANE / v0.1.1 LIVE ON NPM
the only line you tell claude code

Stack my backend.

One prompt. 39 providers, real accounts, every key vaulted, .env + .mcp.json wired. In under a minute.

live demo·one prompt, six providers wired
you ›stack recommend "Build me a B2B SaaS with auth, AI, analytics, and error tracking."
install curl -fsSL stack.ashlr.ai/install.sh | bash
Source
FIG. 01 — PROVIDER CONSTELLATION 39 PROVIDERS
39 PROVIDERS · 3 ORBITS
live
3 orbits · headline → core → long-tail hover any logo
Supported providers
39 providers, wired the same way. Click any logo to see what stack add does for it.
Full catalog →
SupabaseNeonTursoConvexUpstashFirebaseModalVercelRailwayFly.ioCloudflareRenderAWSOpenAIAnthropicxAIDeepSeekReplicateBraintrustPostHogSupabaseNeonTursoConvexUpstashFirebaseModalVercelRailwayFly.ioCloudflareRenderAWSOpenAIAnthropicxAIDeepSeekReplicateBraintrustPostHog
SentryStripeGitHubLinearResendSendGridMailgunPostmarkMixpanelPlausibleDatadogGrafanaGCPDigitalOceanHetznerAuth0WorkOSClerkLaunchDarklySentryStripeGitHubLinearResendSendGridMailgunPostmarkMixpanelPlausibleDatadogGrafanaGCPDigitalOceanHetznerAuth0WorkOSClerkLaunchDarkly
§ 01b · Install in Claude Code
THREE PATHS · ONE OUTCOME

Get Stack into Claude. Then never leave chat again.

Pick the path that matches where you are. Each one ends with Claude able to call /stack:add, provision upstream services, vault every key in Phantom, and write .env + .mcp.json — without you touching a terminal.

Path 01 · Zero-config Recommended

Just tell Claude.

Paste this into any Claude Code session. The agent reads /llms.txt + ai-plugin.json, discovers Stack, and installs itself.

Paste to claude
Install Ashlr Stack (stack.ashlr.ai), then use it to wire up the services for this project.
Path 02 · One command Claude Code

Install the plugin.

Adds /stack:add, /stack:doctor, /stack:list, /stack:status — first-class slash commands.

Run in claude code
/plugin marketplace add ashlrai/ashlr-stack
/plugin install stack@ashlr
Path 03 · Any MCP client Cursor · Windsurf · Zed

Wire the MCP server.

Drop this into .mcp.json (or your editor's MCP settings). Exposes all 19 Stack tools to any agent.

.mcp.json
{
  "mcpServers": {
    "ashlr-stack": {
      "command": "npx",
      "args": ["-y", "ashlr-stack-mcp"]
    }
  }
}
→ Claude now has access to 19 MCP tools across 39 providers → Secrets land in Phantom, never in chat → MIT · source
39
providers
19
mcp tools
11
categories
05
templates
MIT
license
§ 02 · Before / After

Forty-five minutes. Or four seconds.

Wiring a single service the old way vs. stack add supabase. Scroll through the delta.

1. Create Supabase project (browser)

→ open supabase.com/dashboard → new project
→ pick region, wait ~60s for provision
→ settings › api › copy URL + anon + service_role

2. Paste keys into .env.local

$ vim .env.local
NEXT_PUBLIC_SUPABASE_URL=https://abc123.supabase.co
NEXT_PUBLIC_SUPABASE_ANON_KEY=eyJhbGci…
SUPABASE_SERVICE_ROLE_KEY=eyJhbGci…

3. Install client

$ bun add @supabase/supabase-js

4. Wire up MCP server by hand

$ vim .mcp.json
{ "mcpServers": { "supabase": {
"command": "npx",
"args": ["-y", "@supabase/mcp-server-supabase"],
"env": { "SUPABASE_ACCESS_TOKEN": "???" }
} } }

5. Generate personal access token (browser)

→ supabase.com/dashboard/account/tokens
→ copy, paste into .mcp.json, swear a little

6. Lint your .env out of git history (just in case)

⚠ you've done this part wrong before
$ git log -p | grep SERVICE_ROLE… # please no

7. Restart Claude Code, pray MCP attaches

→ quit. relaunch. squint at logs.

8. Realize you forgot to add Sentry, Resend, PostHog…

repeat steps 1–7, seven more times
45 minutes·Context-switches: 12·Secrets pasted into plain text: at least 3
§ 03 · Interactive

Try it live.

Not a recording. Scripted boot-up, then the prompt unlocks — type any stack command (try stack recommend "b2b saas with auth" or stack add supabase posthog) and see the real output the CLI would print, driven by the same provider catalog the binary ships with.

STK-01 · stack · interactive
§ 04 · Stack builder · 39 providers

Pick your stack. See the recipe — live.

Click any provider to inspect the real stack add invocation, every env var it writes, and — where present — the MCP entry Stack drops into .mcp.json. Tick as many as you want and export the whole recipe.

describe your project↵ to suggest
showing 39 / 39 providers
  • MCP
    Supabase· OAuth
    Postgres + Auth + Storage
    inspect →
  • MCP
    Neon· PAT
    Serverless Postgres
    inspect →
  • Turso· PAT
    Edge SQLite (libSQL)
    inspect →
  • key
    Convex· API key
    Reactive backend-as-a-service
    inspect →
  • key
    Upstash· API key
    Serverless Redis + Kafka
    inspect →
  • key
    Firebase· Service key
    Realtime DB + Auth
    inspect →
  • MCP
    Vercel· PAT
    Frontend platform
    inspect →
  • key
    Railway· API key
    Infra from a repo
    inspect →
  • key
    Fly.io· API key
    VMs at the edge
    inspect →
  • MCP
    Cloudflare· PAT
    Workers, R2, D1
    inspect →
  • key
    Render· API key
    Zero-config hosting
    inspect →
  • key
    Modal· API key
    Serverless GPU + sandbox
    inspect →
  • key
    AWS· API key
    S3, Lambda, RDS
    inspect →
  • key
    GCP· API key
    Google Cloud Platform
    inspect →
  • key
    DigitalOcean· PAT
    Droplets, Kubernetes, managed DBs
    inspect →
  • key
    Hetzner· API key
    Affordable European cloud servers
    inspect →
  • key
    OpenAI· API key
    GPT, Realtime, embeddings
    inspect →
  • key
    Anthropic· API key
    Claude models + MCP
    inspect →
  • key
    xAI· API key
    Grok + tool use
    inspect →
  • key
    DeepSeek· API key
    Open-weight models
    inspect →
  • key
    Replicate· PAT
    OSS model inference
    inspect →
  • key
    Braintrust· API key
    LLM evals + observability
    inspect →
  • MCPkey
    PostHog· API key
    Product analytics + flags
    inspect →
  • key
    Mixpanel· API key
    Product analytics
    inspect →
  • PL
    key
    Plausible· API key
    Privacy-friendly web analytics
    inspect →
  • key
    Datadog· API key
    Metrics, traces, logs
    inspect →
  • key
    Grafana· PAT
    Dashboards + alerting
    inspect →
  • MCP
    Sentry· PAT
    Error + performance tracking
    inspect →
  • MCPkey
    Stripe· API key
    Billing, subscriptions, tax
    inspect →
  • MCP
    GitHub· Device
    Repos, Actions, OAuth
    inspect →
  • MCPkey
    Linear· API key
    Issues, projects, cycles
    inspect →
  • key
    Resend· API key
    Transactional + React email
    inspect →
  • key
    SendGrid· API key
    High-volume transactional mail
    inspect →
  • key
    Mailgun· API key
    API-first email + routing
    inspect →
  • PO
    key
    Postmark· API key
    Deliverability-focused transactional
    inspect →
  • key
    Clerk· API key
    Drop-in auth + users
    inspect →
  • key
    Auth0· API key
    Identity platform
    inspect →
  • WO
    key
    WorkOS· API key
    Enterprise SSO + Directory Sync
    inspect →
  • LA
    key
    LaunchDarkly· API key
    Feature flags + experimentation
    inspect →

Brand marks provided by simple-icons and used for identification. All trademarks are property of their respective owners. Secret values never leave your machine — Phantom resolves phantom:// slots locally at read-time.

§ 05 · Mechanics

Three surfaces, one source of truth.

Stack coordinates the CLI, the vault, and your project files so every developer on a repo — and every agent with access — sees an identical stack. Click a step to pause the auto-walkthrough.

STK · 01 · CLI orchestrates
1 / 3
stack add supabase
·
▲ stack adding Supabase
·
auth · OAuth (PKCE) via the Ashlr Stack app
OAuth browser flowsigned in as mason@evero-consulting.com
provisioning project raven-prod · us-east-1db.abc123def.supabase.co
fetching SUPABASE_URL · ANON_KEY · SERVICE_ROLE_KEY
·
✓ supabase ready · 4.2s
guaranteeEvery upstream change is idempotent + reversible. Re-running stack add is safe.
§ 05a · Use cases

What it looks like in your Claude Code session.

Four canonical moments: a fresh SaaS scaffold, adding analytics to an existing app, rotating a leaked token, and picking a provider from the catalog. Each shows the actual chat turn, the stack command Claude invokes, and the terminal output your agent will see.

§ · use case 01

Spin up a new SaaS — zero to deployable

Start a new SaaS: auth, Postgres, product analytics, error tracking, transactional email. Wire everything so I can `bun dev` in one minute.

the one command
stack init --template saas && stack add supabase posthog sentry resend
chat transcript
you
Start a new SaaS project. I want Supabase for auth + DB, PostHog for analytics, Sentry for errors, Resend for email.
claude code
I'll scaffold it with Stack's saas template and batch-add those four providers. One moment.
stack_init · template=saas
scaffolded package.json + .stack.toml + .stack.local.toml
stack_add · supabase + posthog + sentry + resend
Supabase · OAuth PKCE · project raven-prod · us-east-1 · 3 secrets → phantom
PostHog · API key paste · POSTHOG_PERSONAL_API_KEY → phantom · MCP server registered
Sentry · PAT · project raven · DSN fetched · MCP server registered
Resend · API key paste · RESEND_API_KEY → phantom · domain verified
✓ 4 providers ready · 11 env vars · 3 MCP servers wired
claude code
Done. `.env.local` resolves through Phantom; your Claude Code session will see the new MCP servers after a restart. Ready for `bun dev`.
outcome

5 providers provisioned, 11 env vars in Phantom, 3 MCP servers wired. `.env.local` + `.mcp.json` are ready. Claude Code can now query the DB + tail Sentry without copy-paste.
§ 06 · Starter stacks · 05

Opinionated starters, wired end-to-end.

Each template is a real stack — not a boilerplate dump. Pick one; see the exact stack add invocations, every env var that lands in .env, and the .mcp.json your Claude Code session will see.

§ · nextjs-supabase-posthog

Next.js + Supabase + PostHog

App Router, Supabase Auth + Postgres, PostHog events from server actions.

3 providers5 env vars3 MCP servers
template init
stack init --template nextjs-supabase-posthog
which runs
stack add vercel supabase posthog
.env written
# Vercel — Personal access token
VERCEL_TOKEN=<phantom://vercel/VERCEL_TOKEN>

# Supabase — OAuth (PKCE)
SUPABASE_URL=<phantom://supabase/SUPABASE_URL>
SUPABASE_ANON_KEY=<phantom://supabase/SUPABASE_ANON_KEY>
SUPABASE_SERVICE_ROLE_KEY=<phantom://supabase/SUPABASE_SERVICE_ROLE_KEY>

# PostHog — API key
POSTHOG_PERSONAL_API_KEY=<phantom://posthog/POSTHOG_PERSONAL_API_KEY>
.mcp.json written
{
  "mcpServers": {
    "vercel": {
      "command": "stack",
      "args": [
        "mcp",
        "run",
        "vercel"
      ],
      "env": {
        "VERCEL_TOKEN": "<phantom://vercel/VERCEL_TOKEN>"
      }
    },
    "supabase": {
      "command": "stack",
      "args": [
        "mcp",
        "run",
        "supabase"
      ],
      "env": {
        "SUPABASE_URL": "<phantom://supabase/SUPABASE_URL>",
        "SUPABASE_ANON_KEY": "<phantom://supabase/SUPABASE_ANON_KEY>",
        "SUPABASE_SERVICE_ROLE_KEY": "<phantom://supabase/SUPABASE_SERVICE_ROLE_KEY>"
      }
    },
    "posthog": {
      "command": "stack",
      "args": [
        "mcp",
        "run",
        "posthog"
      ],
      "env": {
        "POSTHOG_PERSONAL_API_KEY": "<phantom://posthog/POSTHOG_PERSONAL_API_KEY>"
      }
    }
  }
}
Don't see your stack? stack init opens an interactive picker — tick providers, stack provisions them.
§ 07 · Agent-native
MCP · Claude Code plugin

Your agent can run Stack directly.

Stack ships as an MCP server + a first-party Claude Code plugin. From chat, call /stack:add and Claude provisions the upstream resource, stores every secret in Phantom, and re-wires .mcp.json — zero copy-paste.

  • MCP-native
    Every CLI command is exposed as an MCP tool.
  • Plugin commands
    /stack:add · /stack:doctor · /stack:open live in chat.
  • Phantom-gated
    The agent sees a slot name, never a key.
# one-time setup — in any Claude Code session
/plugin marketplace add ashlrai/ashlr-stack
/plugin install stack@ashlr
Claude Code·raven
Ask Claude anything…
⌘ K
§ 08 · Agent surface

Every MCP-capable agent, out of the box.

Stack's MCP server drops into Claude Code, Cursor, Windsurf, Codex, or ashlrcode with the same stack mcp serve entry point. Click a client to see the exact config Stack writes — path + JSON.

Protocol: Model Context Protocol · modelcontextprotocol.io · 17 tools · 3 resources · stdio + SSE
§ 09 · The Ashlr constellation

Four tools. One coherent platform.

Stack is the control plane. Phantom is the vault. ashlr-plugin is the context compressor. ashlrcode is the multi-model runtime. They compose — none of them require the others, but together they're load-bearing. Hover a satellite to highlight the relationship.

Control plane
Stack

The CLI + MCP that provisions, wires, and operates every service.

you are here
Vault
Phantom Secrets

E2E-encrypted secret storage. Stack writes every credential through Phantom.

↔ writes secrets through Stack
Context compressor
ashlr-plugin

Drops Claude Code token spend ~80% on large repos with genome-indexed read/grep.

↔ shares .stack.toml with Stack
Multi-model CLI
ashlrcode

Route the same prompt across Claude, GPT, Grok, DeepSeek. Compare, diff, stream.

↔ resolves slots via Stack
→ Stack writes through Phantom → ashlr-plugin shares the same .stack.toml → ashlrcode respects the same secret slots
§ 10 · Plain answers

Questions — answered.

The honest objections first. If a question isn't here, open one on GitHub Discussions — I'll add it here.

# escape hatch
phantom export > .env.local
Materialises every slot into literal values — zero Stack lock-in.

No — .env is the last step. Stack owns everything before: the provider-side OAuth, the upstream resource creation, the secret rotation surface. .env is where Stack *publishes* the result, but the secret value lives only in Phantom's E2E-encrypted vault. If you rotate a key in Phantom, every consumer (your dev server, your agent, CI) sees the new value on the next read — no file edits, no commits.

Stack holds slot names (phantom://supabase/SUPABASE_URL), not values. The CLI shells out to the Phantom binary whenever a value needs to be materialised, and the materialisation is scoped to a single subprocess call (stack exec -- …). The agent-facing MCP server is configured with the slot names; values are fetched per-tool-call, never cached. Stack's own code has no code path that can leak a secret outside the subprocess that asked for it.

Those are pure secret managers. Stack is a thin coordinator on top of one: you use Phantom for storage, Stack for the provisioning + wiring workflow. Stack can provision a new Supabase project, a new Vercel token, a new Sentry DSN — not just store one you already have. The MCP integration is also specific: Stack wires .mcp.json so your Claude Code session sees a consistent stack without manual copy-paste.

Claude Code is the primary surface (first-party plugin + MCP server). Anything that reads a standard .mcp.json — Cursor, Windsurf, Zed's AI panel, the Codex CLI, any Anthropic SDK client — picks up the same configuration. The .env side is framework-agnostic: Next.js, Bun, Deno, Rails, Django all read it the same way.

Your .env.local and .mcp.json are normal files. If you delete Stack, those files keep working — you'll just have raw phantom:// slots in .env that your shell won't resolve. Running `phantom export > .env.local` materialises every slot into literal values, at which point you can walk away with a conventional .env file and no trace of Stack left. Stack writes a managed block with `# Ashlr Stack — managed block` markers so unmanaged lines are never touched.

v0.1: the 39 providers in the catalog above, the CLI (26 commands), the Claude Code plugin, the MCP server, 5 starter templates. Full OAuth provisioning ships for Supabase + GitHub + Vercel + Cloudflare; the rest are API-key paste flows. Roadmap: Stripe Connect, AWS IAM role-chaining, an Ashlr-hosted control plane for team sync. Everything is MIT-licensed on GitHub.

Stack is free and MIT-licensed. Phantom has a free tier for local-only vaults; Phantom Cloud (the team-sync surface) is paid but not required. Every underlying provider is billed by the provider — Stack doesn't mark anything up. The hosted control plane (coming soon) will have a free tier for solo developers.

Yes. Provider adapters live in packages/core/src/providers/*.ts and are a single file each — three exports: authKind, secrets[], and provision(ctx). The README walks through adding a new one in under 50 lines. PRs welcome.