MCPorter: Call Any MCP Server as a Plain TypeScript Function or CLI
MCPorter turns MCP servers into TypeScript APIs. Cloudflare reads React state. C++26 finalized. Post-quantum Rust sigs. Daily dev briefing.
Hey everyone, welcome to Builder's Briefing for March thirty-first, twenty twenty-six. I'm Alex, joined as always by Sam, and we've got a packed show today — the MCP ecosystem is leveling up, Copilot apparently snuck an ad into a pull request, and Cloudflare's bot detection is reading your React state. Fun times.
Yeah, that last one especially — I had to read it twice. But let's start with the big story because I think it's going to matter a lot for anyone building agentic stuff right now.
So the hero story today is mcporter, dropped by steipete. The idea is dead simple but solves a real pain point: it wraps any MCP server so you can call its tools as plain TypeScript functions, or even package them as standalone CLI commands. No more fighting with transport layers and JSON-RPC boilerplate.
Right, and what's wild is how obvious this feels in hindsight. Like, if you've been building agentic workflows where your orchestrator needs to call MCP tools programmatically — not through a chat interface — you've been writing a ton of glue code. This just collapses that entire layer.
Exactly. And there's a companion tool called skillshare that's also trending, which syncs your tool configurations across Claude Code, Codex, and other AI CLIs. So you pair those two together and you've got a real story for standardizing how your whole team's agents access tools.
I think this signals something bigger, honestly. MCP's next phase isn't about more servers — it's about better consumption patterns. You're going to see this ecosystem split into server authors on one side and a growing layer of adapters and SDKs on the other that just make the protocol invisible.
Well said. The teams that treat MCP as plumbing rather than product surface are going to iterate the fastest. Alright, let's talk AI news — and this first one is a doozy.
The Copilot ad thing?
Yeah. A developer documented Copilot inserting what appears to be promotional content directly into a pull request. Like, actual ad copy in the diff. And nobody on the team caught it before it almost merged.
That's terrifying if you're running any kind of AI-assisted code review or auto-merge pipeline. It's a really good reminder — treat AI-generated diffs with the same scrutiny you'd give a third-party dependency. Audit before merge, every single time.
There's also a great piece making the rounds arguing that coding agents could make free software matter again. The logic is: when AI agents can fork, fix, and maintain open source projects at near-zero cost, the economics flip back hard in favor of open codebases.
That's interesting because I've actually seen this starting to happen. If you're on the fence about open-sourcing something, factor in that agents dramatically lower the contribution barrier. Your open project might attract way more agent-driven maintenance than you'd expect.
And then there's the Cognitive Dark Forest essay — arguing that AI-generated content is poisoning online discovery. Real thinkers are going quiet because the noise floor is just too high. If you're building content-heavy products, you should be thinking about provenance signals and trust indicators now.
Yeah, that one hit home. It's getting genuinely harder to find real human insight, and it's only going to get worse. Okay, can we jump to the security section? Because the Cloudflare story blew my mind.
Absolutely. So someone did a deep reverse-engineering of ChatGPT's Cloudflare Turnstile challenge, and it turns out it's inspecting React component state and DOM internals as part of bot detection. Like, it's reading your React state before you even type anything.
This is a two-sided story. If you're building browser automation or scraping tools, fingerprint evasion just got way harder. But it's also a huge cautionary tale — if you're shipping React apps with sensitive client-side state, you need to assume third-party scripts can read it.
Also in security, QuipNetwork released hashsigs-rs — a Rust implementation of hash-based post-quantum signature schemes. If you're building anything with long-lived cryptographic commitments, blockchain, document signing — worth evaluating before those NIST post-quantum migration deadlines start biting.
Smart to get ahead of that one now rather than scrambling later.
Quick dev tools roundup — C++ twenty-six is finalized. Herb Sutter's trip report from the London ISO meeting confirms it. Compiler support will land incrementally through twenty twenty-seven, and contracts are going to reshape how people write safety-critical code.
And there's River, which is a fast background jobs library for Go backed by Postgres. If you're running Go services on Postgres and using Redis just for job queues, you can drop that dependency entirely. Postgres-native background jobs with transactional enqueue — one fewer piece of infrastructure to manage.
Love that pattern. Also, chenglou — the person behind React Motion and Reason — released Pretext, a TypeScript library for precise multiline text measurement and layout. If you're building canvas editors or diagram tools and you've been hacking around measureText limitations, this one's for you.
Oh, and Cherri! A programming language that compiles to Apple Shortcuts. Write real code, get an Apple Shortcut with version control and proper programming constructs. That's such a niche but brilliant idea.
Alright, rapid-fire quick hits. Washington state banned noncompete agreements — great news whether you're hiring or leaving. CodingFont is a fun tournament-style game to pick your next coding font, link in the briefing. And Philly courts are banning all smart eyeglasses starting next week.
Wait, Philly courts? Like, you can't wear your Ray-Ban Metas into a courthouse? I guess that makes sense for recording concerns, but that's a sign of things to come.
Also, Waterfox is celebrating fifteen years of maintaining a Firefox fork, which — respect for that kind of persistence.
So here's the takeaway for today. The MCP ecosystem is entering what I'd call the 'make it disappear' phase. Tools like mcporter and skillshare are abstracting away the protocol so developers just call functions and agents just use tools. If you're building with MCP servers, invest in typed wrappers and cross-tool config sync now.
And separately, that Cloudflare React state inspection story is a genuine wake-up call. If you're shipping React apps with sensitive client state, assume it's not private. Harden accordingly.
That's the show for today! Links to everything we mentioned are in the briefing. We'll be back tomorrow — in the meantime, go wrap your MCP servers and audit your client-side state. Thanks for listening, everyone.
See you next time — happy building!
steipete's mcporter just dropped and it solves a real friction point in the MCP ecosystem: calling MCP servers still feels like plumbing. MCPorter wraps any MCP server so you can call its tools as if they were native TypeScript functions, or package them as standalone CLI commands. If you've been wiring up MCP integrations and fighting with transport layers and JSON-RPC boilerplate, this collapses that entire layer.
What you can do right now: take any MCP server — file system, database, custom internal tool — and expose it as a typed TS API your application code calls directly. Or ship it as a CLI binary your team can use without knowing MCP exists. This is particularly useful if you're building agentic workflows where your orchestrator needs to call tools programmatically rather than through a chat interface. Combine it with skillshare (also trending today) which syncs tool configurations across Claude Code, Codex, and other AI CLIs, and you've got a real story for standardizing how your team's agents access tools.
This signals that MCP's next phase isn't about more servers — it's about better consumption patterns. Expect the MCP ecosystem to bifurcate: server authors on one side, and a growing layer of adapters and SDKs that make those servers disappear into normal application code. If you're building developer tools or internal platforms, wrapping your MCP servers with something like mcporter now means your tools work for both human developers and AI agents without separate integration paths.
Copilot Edited an Ad Into a PR — and Nobody Caught It
A developer documented Copilot inserting what appears to be promotional content into a pull request. If you're using AI-assisted code review or auto-merge pipelines, this is your reminder to treat AI-generated diffs with the same scrutiny as third-party dependencies — audit before merge, always.
Coding Agents Could Make Free Software Matter Again
The argument: when AI agents can fork, fix, and maintain OSS projects at near-zero cost, the economics of free software flip back in favor of open codebases. If you're deciding between open-sourcing a project or keeping it proprietary, factor in that agents dramatically lower the contribution barrier — your open project may attract more agent-driven maintenance than you'd expect.
skillshare: Sync AI CLI Tool Configs Across Codex, Claude Code, and More
One command to sync custom skills/instructions across all your AI CLI tools. If your team uses multiple AI coding assistants, this eliminates the drift where each developer's Claude Code knows different things than their Codex setup.
aichat: All-in-One LLM CLI with RAG, Agents, and Multi-Provider Support
A single CLI that wraps OpenAI, Claude, Gemini, Ollama, and Groq with shell assistant, RAG, and agent capabilities built in. Useful if you want one local tool for ad-hoc LLM work without switching between provider-specific CLIs.
The Cognitive Dark Forest: AI-Generated Content Is Poisoning Discovery
This essay from the Rye language blog argues that AI slop is making it harder to find genuine human insight online — a 'dark forest' where real thinkers go quiet. Builders shipping content-heavy products should be thinking about provenance signals and trust indicators now, not later.
Pretext: TypeScript Library for Multiline Text Measurement and Layout
chenglou (of React Motion and Reason fame) released a TS library for precise multiline text measurement and layout — the kind of thing you need when building canvas-based editors, diagram tools, or custom rendering. If you've been hacking around ctx.measureText() limitations, this is purpose-built for you.
C++26 Is Finalized — Here's What Made the Cut
Herb Sutter's trip report from the London ISO meeting confirms C++26 is done. If you maintain C++ codebases, start reviewing the final feature set now — compiler support will land incrementally through 2027, and some features (like contracts) will reshape how you write safety-critical code.
Cherri: A Programming Language That Compiles to Apple Shortcuts
Write real code, get an Apple Shortcut. If you're building iOS automation tools or need to ship complex Shortcuts to non-technical users, this gives you version control and proper programming constructs instead of the drag-and-drop editor.
Build123d: Programmatic CAD in Python
A Python library for parametric CAD modeling — useful if you're building hardware products, generating 3D assets programmatically, or feeding CAD into manufacturing pipelines. Pairs well with AI code generation for rapid prototyping of physical parts.
River: Fast Background Jobs for Go, Backed by Postgres
If you're running Go services on Postgres and using Redis just for job queues, River lets you drop that dependency. Postgres-native background jobs with transactional enqueue — one fewer piece of infrastructure to manage.
ChatGPT's Cloudflare Turnstile Reads Your React State Before You Can Type
A deep reverse-engineering of ChatGPT's Cloudflare challenge reveals it inspects React component state and DOM internals as part of bot detection. If you're building browser automation, scraping tools, or testing suites that interact with Cloudflare-protected sites, your approach to fingerprint evasion just got harder. Also a cautionary tale about what third-party scripts can access in your own React apps.
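An audit sketch for that last point, added here and not taken from the reverse-engineering write-up or from Cloudflare: React DOM attaches each host element's fiber to the DOM node under a `__reactFiber$`-prefixed key, so any script running in the page can walk from an element to its components' props and hook state. The `Chat` component, the sample fiber objects and the sensitive-name pattern are constructed assumptions; in a real page you would pass actual DOM elements to `auditNode`.

```javascript
// Added example: list sensitive-looking values that any in-page script can
// reach through React's DOM-attached fibers. All sample data is constructed.
const SENSITIVE = /token|secret|passw|api[_-]?key|session/i;

// React DOM stores each host node's fiber under "__reactFiber$<random>".
function fiberOf(node) {
  const key = Object.keys(node).find((k) => k.startsWith("__reactFiber$"));
  return key ? node[key] : null;
}

// Recursively collect paths of keys in `value` whose name looks sensitive.
function sensitivePaths(value, path, seen = new Set(), out = []) {
  if (value === null || typeof value !== "object" || seen.has(value)) return out;
  seen.add(value);
  for (const [k, v] of Object.entries(value)) {
    const p = `${path}.${k}`;
    if (SENSITIVE.test(k) && typeof v !== "function") out.push(p);
    sensitivePaths(v, p, seen, out);
  }
  return out;
}

// Walk from a DOM node up the fiber tree, checking props and hook state.
function auditNode(node) {
  const findings = [];
  for (let f = fiberOf(node); f; f = f.return) {
    const name = typeof f.type === "string" ? f.type : f.type?.name ?? "anonymous";
    findings.push(...sensitivePaths(f.memoizedProps, `${name}.props`));
    // Function components keep their hooks as a linked list on memoizedState.
    for (let h = f.memoizedState, i = 0; h && typeof h === "object" && "next" in h; h = h.next, i++) {
      findings.push(...sensitivePaths(h.memoizedState, `${name}.hook[${i}]`));
    }
  }
  return findings;
}

// Constructed stand-in for <Chat authToken=...><input/></Chat> with one useState hook.
function Chat() {}
const chatFiber = {
  type: Chat,
  memoizedProps: { authToken: "constructed-value", theme: "dark" },
  memoizedState: { memoizedState: { draft: "", sessionId: "constructed" }, next: null },
  return: null,
};
const inputNode = {
  "__reactFiber$x1y2": { type: "input", memoizedProps: { value: "" }, memoizedState: null, return: chatFiber },
};

console.log(auditNode(inputNode));
```

Anything this reports is readable by every script the page loads, so the fix is to keep such values out of component props and state (for example in HttpOnly cookies or server-side sessions) rather than to hide them.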
hashsigs-rs: Post-Quantum Signatures in Rust
QuipNetwork released a Rust implementation of hash-based post-quantum signature schemes. If you're building anything with long-lived cryptographic commitments — blockchain, document signing, secure update channels — this is worth evaluating now before NIST PQC migration deadlines start biting.
FTC Action Against Match/OkCupid for Sharing Personal Data
FTC cracked down on Match Group for deceptive data sharing practices. If you're building anything that handles user data and shares with third parties, review your consent flows — enforcement is clearly escalating.
How to Turn Anything Into a Router — a Practical Deep Dive
A thorough walkthrough of turning arbitrary Linux boxes into routers with iptables, VLANs, and bridging. If you're building edge infrastructure, IoT gateways, or lab environments, this is a solid reference for doing networking at the OS level instead of reaching for dedicated hardware.
lego: Let's Encrypt ACME Client and Library in Go
The go-acme/lego library is trending again — still the best Go library for programmatic TLS cert management. If you're building a platform that provisions domains or needs automated certificate rotation, this is the dependency to use.
The MCP ecosystem is entering its 'make it disappear' phase — tools like mcporter and skillshare are abstracting away the protocol so developers just call functions and agents just use tools. If you're building with MCP servers, invest in typed wrappers and cross-tool config sync now; the teams that treat MCP as plumbing (not product surface) will iterate fastest. Separately, the Cloudflare/React state inspection story is a wake-up call: if you're shipping React apps with sensitive client state, assume third-party scripts can read it.