Capsid
Provides tools for reading and writing files, creating branches, and opening pull requests on GitHub repositories, using a dedicated GitHub App for authentication and access.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Capsidsearch for documents about deployment"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Capsid
Capsid is a single-user, Cloudflare-native MCP server that serves a consolidated knowledge base from D1 and R2, and reaches your GitHub repositories directly. It speaks MCP over Streamable HTTP and exposes a small, purposeful tool set:
Documents: list, read, write, delete, move, find, search (FTS5), namespaces
Repo access: list_repo_tree, read_repo_file, search_code, write_repo_file, create_branch, open_pr
Maintenance: lint (the consolidation loop)
It also exposes the rest of the MCP surface: Resources (every document addressable at capsid://<namespace>/<path>) and Prompts (reusable templates stored as documents).
All access is gated. Human clients (claude.ai, MCP Inspector) authenticate via GitHub OAuth, and only the configured admin GitHub account is admitted. Headless agents and cron use a separate operator-key endpoint. Every write snapshots the prior version into document_versions and appends to audit_log, so you get history and rollback for free.
Stack
Cloudflare Worker (TypeScript), stateless MCP via
createMcpHandlerfrom the Agents SDKworkers-oauth-provider wrapping the MCP handler: OAuth 2.1 with PKCE, dynamic client registration, and token storage in KV
GitHub OAuth App as the identity provider for login, locked to a single admin account
A separate GitHub App for repo access, minting short-lived installation tokens
D1 for documents, versions, namespaces, and audit log, with FTS5 full text search
R2 (
MEDIAbinding) for mediaKV (
APP_KVbinding) for app state, plus anOAUTH_KVbinding for OAuth tokens
Related MCP server: WikiJS MCP Server
Knowledge model
Documents are typed. The model is Karpathy's LLM Wiki pattern: raw sources compiled into a maintained wiki.
coreone always-loaded summary per namespace, read first to orientconcept,decision,note,spec,task,protocol,postthe compiled knowledge and contentepisodicsession summaries, written at the end of a work session so the next session resumesproceduralagent-updatable rulespromptreusable prompt templates with{{variable}}placeholderssourceraw, un-compiled input
Namespaces are projects, each mapped to its GitHub repo(s) in the namespaces table.
Repo access
Capsid reaches your repositories directly through a dedicated GitHub App. The Worker mints a short-lived installation token (RS256 JWT signed with Web Crypto, exchanged for an installation access token, cached in KV), so no long-lived token is stored. The repo per namespace is resolved from the namespaces table.
Read (open to admitted clients):
list_repo_tree,read_repo_file,search_codeWrite (operator-gated):
write_repo_file,create_branch,open_pr.write_repo_filedefaults tomode: "pr"(commit to a new branch and open a pull request);mode: "direct"commits straight to the default branch.
Consolidation (lint)
The lint tool runs the wiki maintenance loop. The Worker never calls an LLM; the driving client does the reasoning with the ordinary read and write tools.
lint(namespace, mode: "gather")returns a read-only packet: the namespacecore.md, the compiledconceptanddecisiondocs, every un-archivedepisodicandsourcedoc, and the schema and conventions. The driving LLM synthesizes an updatedcore.mdand any new concept docs from this.lint(namespace, mode: "finalize", consumed: [paths])archives the consumed raw entries under anarchive/path prefix and writes one audit row. It only moves and never deletes, so nothing is lost, andgatherexcludesarchive/, so the loop is idempotent.
Endpoints
POST /mcpMCP over Streamable HTTP, requires an OAuth access token (admin only)POST /ops/mcpMCP over Streamable HTTP for headless agents, requires the operator key asAuthorization: Bearer <key>POST /ops/backupruns a backup on demand, requires the operator key, returns a JSON summaryGET /authorize,POST /authorize,GET /callbackGitHub OAuth flowPOST /token,POST /registerOAuth token exchange and dynamic client registration (served by the library)GET /.well-known/oauth-authorization-serverandGET /.well-known/oauth-protected-resourceOAuth discovery metadata (served by the library)GET /healthreturnsok, no auth
Auth model
Two parallel paths, both fully gated:
OAuth (
/mcp) for human clients. The client discovers the server via the.well-knownendpoints, registers itself dynamically, and is sent through/authorize. After a one-time approval screen, the browser goes to GitHub. On return, the GitHub user is checked againstADMIN_GITHUB_LOGIN: set it to your GitHub username, or to your immutable numeric GitHub user id (find it athttps://api.github.com/users/<login>). Any other GitHub account gets a 403. The admin check runs again on every/mcprequest as defense in depth.Operator key (
/ops/mcp) for agents and cron. Same tools, same server, gated by the existing sha256-hashed bearer key (OPERATOR_KEY_HASH). The OAuth library never sees this route, so the two paths cannot interfere.
Login and repo access use two different GitHub credentials: a GitHub OAuth App for login (OAuth Apps cannot mint installation tokens) and a separate GitHub App for repo access. Keep both.
Destructive writes need confirmation
delete, and any write that would overwrite an existing document, ask for confirmation first. When the connected client supports MCP elicitation, the server sends an elicitation request and proceeds only on an explicit accept. Most Streamable HTTP clients run stateless and cannot answer server-initiated requests, so the fallback applies: the tool rejects with a clear message and you re-run it with confirm: true. Creating a brand new document never needs confirmation.
Deletes are never unrecoverable at the data layer: every delete (and every overwrite) snapshots the prior row into document_versions first, so recovery exists regardless of how the confirmation went.
Backups
D1 Time Travel already provides 30-day point-in-time recovery, so backups here are for longer retention and portability, not short-term recovery.
A daily Cron Trigger (09:00 UTC) exports the whole database to the MEDIA R2 bucket:
backups/json/<timestamp>.jsona full JSON dump of all four tables (documents, namespaces, document_versions, audit_log). The 14 most recent dumps are kept; older ones are pruned automatically.backups/markdown/<namespace>/<path>a plain-markdown mirror of every document body, verbatim, one file per document. This mirror tracks the current state (files for deleted documents are pruned), so the knowledge base stays readable and portable with no Capsid dependency.
Run one on demand with the operator key:
curl -X POST https://capsid.<your-subdomain>.workers.dev/ops/backup -H "Authorization: Bearer <key>"Clone setup
Install dependencies:
npm installCreate your own Cloudflare resources:
npx wrangler d1 create capsid npx wrangler kv namespace create APP_KV npx wrangler r2 bucket create capsid-mediaCopy the config template and fill in your IDs from step 2. The
OAUTH_KVbinding can reuse the same KV namespace id asAPP_KV(the OAuth library prefixes all of its keys), or point at a dedicated namespace if you prefer:cp wrangler.jsonc.example wrangler.jsoncThe real
wrangler.jsoncis gitignored on purpose. Never commit it.Apply the migration (idempotent,
IF NOT EXISTSeverywhere):npx wrangler d1 migrations apply capsid --remoteGenerate an operator key and store its sha256 hash as a secret. Keep the raw key safe; headless MCP clients send it as the bearer token on
/ops/mcp:npx wrangler secret put OPERATOR_KEY_HASHCreate a GitHub OAuth App (for login) at https://github.com/settings/developers with:
Homepage URL:
https://capsid.<your-subdomain>.workers.devAuthorization callback URL:
https://capsid.<your-subdomain>.workers.dev/callback
Then set the OAuth secrets:
npx wrangler secret put GITHUB_CLIENT_ID npx wrangler secret put GITHUB_CLIENT_SECRET npx wrangler secret put COOKIE_ENCRYPTION_KEY # openssl rand -hex 32 npx wrangler secret put ADMIN_GITHUB_LOGIN # your GitHub username, or your numeric GitHub user idFor repo access, create a GitHub App (this is separate from the OAuth App above). Permissions: Repository contents read and write, Pull requests read and write, Metadata read. Install it on your account or org, on the repositories you want reachable. Note its Client ID, generate a private key (
.pem), then:# put the App client id in wrangler.jsonc vars as GITHUB_APP_CLIENT_ID npx wrangler secret put GITHUB_APP_PRIVATE_KEY # paste the .pem contents npx wrangler secret put GITHUB_APP_INSTALLATION_ID # optional; auto-resolved if omittedOnly the private key is used to mint installation tokens; the App client secret is not needed.
Type check and deploy:
npx tsc --noEmit npx wrangler deployConnect claude.ai: Settings, Connectors, Add custom connector, URL
https://capsid.<your-subdomain>.workers.dev/mcp. The connector registers itself via dynamic client registration and walks you through the GitHub login. Only theADMIN_GITHUB_LOGINaccount gets in.Or test the flow first with the MCP Inspector:
npx @modelcontextprotocol/inspectorSet transport to Streamable HTTP, URL to
https://capsid.<your-subdomain>.workers.dev/mcp, open the Auth tab, and run Quick OAuth Flow.
Roadmap
Phase 1 (done): single operator token on
/ops/mcp, bearer key checked againstOPERATOR_KEY_HASH.Phase 2 (done): GitHub OAuth via workers-oauth-provider on
/mcp, locked to a single admin account.Phase 3 (deferred): first-class service tokens for agents and cron, issued and revocable per client, replacing the single shared operator key; an autonomous, scheduled lint run once agents exist to drive it.
License
MIT
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/DrDustinEdwards/capsid-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server