proton-pass-community-mcp

proton-pass-community-mcp is an MCP server for Proton Pass, with broad coverage of pass-cli operations.

It is an independent community project. It is not affiliated with or endorsed by Proton AG.

It is designed as a production-ready integration layer:

• typed tool inputs with zod

• stdio transport for MCP clients

📌 Current Version of pass-cli used in development: v2.0.2

Available Tools

The server exposes the following MCP tool surface:

Coverage goal: provide comprehensive support for Proton Pass CLI workflows that fit MCP tool semantics. Intentionally excluded are CLI behaviors that are purely interactive or otherwise not a good fit for reliable MCP tool execution.

The search_items operation is additional functionality that is not provided by the base CLI.

Mutative tools currently require write gate opt-in (ALLOW_WRITE=1) and explicit per-call confirmation (confirm: true).

Proposed protocol-aligned confirmation policy (elicitation-first with fail-closed fallback) is documented in docs/TOOL_SCHEMA_PLAN.md.

Available Resources

The server also exposes static MCP resources for item-create template snapshots:

• pass://templates/item-create (catalog/index)

• pass://templates/item-create/login

• pass://templates/item-create/note

• pass://templates/item-create/credit-card

• pass://templates/item-create/wifi

• pass://templates/item-create/custom

• pass://templates/item-create/identity

Snapshot artifact source:

• docs/testing/item-create-templates.snapshot.json

These template resources are example well-formed payloads from pass-cli --get-template, not authoritative validation schemas.

Item Discovery Contract

list_items and search_items return token-efficient results. These operations do not contain the full contents or secrets of any items, thus preventing unnecessary leakage of sensitive data from the CLI to the host application or the LLM.

list_items and search_items both support MCP pagination:

• Input fields:

  • pageSize (optional, 1..250, default 100 for JSON output)

  • cursor (optional non-negative integer string offset, for example "100")

• Behavior:

  • Response includes items, pageSize, cursor, returned, total, and nextCursor.

  • Use nextCursor in a follow-up call to fetch the next page.

list_items also forwards filterType, filterState, and sortBy to pass-cli item list.

search_items semantics:

• title-only search (field: "title")

• matching modes: contains, prefix, exact

• optional caseSensitive

Requirements

• Node.js 24 (.nvmrc)

• pass-cli installed and authenticated

• MCP client capable of stdio transport

• For project development and testing, use the repo wrapper (npm run pass -- <args> or scripts/pass-dev.sh <args>) instead of bare pass-cli so auth stays in the repo-local session scope.

Run Locally

npm ci
npm run build
npm run dev

For project-side pass-cli work, prefer:

npm run pass -- info

This routes through the repo wrapper, which uses a project-local session dir and avoids OS keychain/keyring by default. To assert that the active repo-local session is the intended throwaway account before mutative work:

export PASS_DEV_EXPECTED_ACCOUNT=<throwaway-account-identifier>
npm run pass:dev:preflight

Install and Run via npm/npx

Install from npm or run directly with npx:

npm install --global proton-pass-community-mcp
proton-pass-community-mcp --allow-version-drift

or:

npx -y proton-pass-community-mcp --allow-version-drift

Release operations for maintainers are documented in docs/DEPLOYMENT.md.

Anonymized Demo Shell (Docker)

Use this when recording demos and you want a neutral workspace path in tooling metadata:

npm run demo:shell

This launches a container with the project mounted at /workspace/project.

To run a single command instead of an interactive shell:

npm run demo:shell -- npm run check

Notes:

• Shell prompt aliases/PS1 tweaks only change terminal display; they do not change real working-directory metadata emitted by tools.

• For true path anonymization in logs, run the host/tooling process from inside this containerized workspace.

MCP Client Configuration

Example MCP server config using npx package execution:

{
  "mcpServers": {
    "proton-pass-community-mcp": {
      "command": "npx",
      "args": ["-y", "proton-pass-community-mcp", "--allow-version-drift"]
    }
  }
}

If you are developing locally from source, use a direct local build path:

Example MCP server config using command-line args:

{
  "mcpServers": {
    "proton-pass-community-mcp": {
      "command": "node",
      "args": ["/absolute/path/to/proton-pass-community-mcp/dist/index.js", "--allow-version-drift"]
    }
  }
}

Example MCP server config using environment overrides:

{
  "mcpServers": {
    "proton-pass": {
      "command": "node",
      "args": ["/absolute/path/to/proton-pass-community-mcp/dist/index.js"],
      "env": {
        "PASS_CLI_BIN": "pass-cli",
        "PASS_CLI_ALLOW_VERSION_DRIFT": "true"
      }
    }
  }
}

Authentication Model

1. Authentication is user-managed outside MCP with pass-cli login.

2. The pass-cli session may be established with normal account credentials or with a pre-provisioned personal access token (PAT).

3. On auth failure, tools return standardized AUTH_* errors and a retry instruction.

4. The MCP server does not collect credentials, OTP codes, private keys, or PAT values.

5. PAT-backed login does not change the boundary: login/logout remain outside MCP, and PAT provisioning is not currently exposed as an MCP tool surface.

6. For project development, the canonical pass-cli entrypoint is the repo wrapper (npm run pass -- <args> / scripts/pass-dev.sh <args>), not bare pass-cli.

7. The repo wrapper isolates project auth into .tmp/proton-pass-dev-session and avoids default keychain/keyring access, but it does not by itself prove the correct account is active; use scripts/pass-dev-preflight.sh or npm run pass:dev:preflight to assert the expected throwaway account.

8. Use check_status once as a session preflight (not per tool call); rely on AUTH_* fallback errors if the session later expires.

9. check_status compares your local CLI version against the development baseline and reports a version assessment for LLMs:

   • equal: exact semver match

   • compatible: semver differs but appears compatible by policy

   • possibly_incompatible: semver indicates potential drift, or version parsing/execution prevented a strict comparison

10. Version assessments are advisory. check_status is marked as an MCP error only when connectivity/authentication fails.

11. There is no MCP-specific API token auth layer in this server. Authentication methods are those supported by pass-cli in the server process environment.

Test Account Workflow

For disposable test-account usage in local development and CI (including account preflight checks and session isolation), see docs/testing/TEST_ACCOUNT_WORKFLOW.md.

Startup Flags

• --allow-version-drift: treat semver mismatch/version-parse uncertainty as compatible for check_status

Equivalent environment variable:

• PASS_CLI_ALLOW_VERSION_DRIFT=true|false (accepted truthy values: true, 1, yes, on; falsy: false, 0, no, off)

• If both are set, the CLI flag takes precedence.

Example:

npm run dev -- --allow-version-drift

Notes

• This is not an official Proton project.

• This project currently targets Proton Pass via pass-cli only.

• See ROADMAP.md for planned features.

• In addition to the MCP server, there is an agent skill file that is intended to be integrated with this MCP - however, it is currently only a draft.

• Developer runtime configuration and validation workflows are documented in CONTRIBUTING.md.

• Disposable account setup and contributor/CI guidance are documented in docs/testing/TEST_ACCOUNT_WORKFLOW.md.

• See CONTRIBUTING.md if you're interested in contributing to this project. Contributors are welcome.

LICENSE

GPL-3 © 2026 Really Him