convergence-gambit-mcp
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@convergence-gambit-mcplist campaign resources"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
The Convergence Gambit MCP Server
Bespoke, single-tenant MCP server connecting Claude to the campaign's LegendKeeper wiki. Two clients, one project, design philosophy baked into source. No multi-tenancy, no database, no apologies.
Current state: walking skeleton, now behind GitHub OAuth. No LK API key
yet, LegendKeeper calls backed by an in-memory fake seeded with campaign
data. Every tool now sits behind OAuth (see "Authentication" below) — only
GitHub account Kishotta is ever issued a token. Its job is to prove the
full path: Claude mobile app → custom connector → GitHub login → Cloudflare
Worker → LegendKeeperClient seam.
Skeleton toolset
Tool | Purpose |
| Proves the transport. |
| Serves the Architecture & Presentation Charter verbatim. |
| Proves the client seam (fake-backed). |
| Proves parameterized reads. |
Related MCP server: mcp-wikijs
Setup (day one)
Prereqs: Node 18+, a free Cloudflare account.
npm install
npx wrangler login # opens browser, authorizes wrangler
npm run typecheck # sanity check
npm run dev # local server at http://localhost:8787/mcp
npx wrangler deploy # → https://convergence-gambit-mcp.<account>.workers.devOptional local verification before deploying:
npx @modelcontextprotocol/inspector
# connect to http://localhost:8787/mcp (Streamable HTTP)
# Inspector will walk you through the GitHub login popup — see Authentication belowThen on the phone: Customize → Connectors → Add custom connector, paste
https://convergence-gambit-mcp.<account>.workers.dev/mcp. Claude will
prompt a GitHub login before the connector activates. Once connected, ask
Claude to ping and list_resources. If Morte comes back, the skeleton
walks.
Authentication
Every tool sits behind GitHub OAuth (@cloudflare/workers-oauth-provider +
a GitHub-OAuth defaultHandler, in src/auth/). No token is ever issued to
any GitHub account other than Kishotta — the callback in
src/auth/github-handler.ts rejects everyone else with a 403 before
completeAuthorization is ever called. This is stricter than Cloudflare's
own reference pattern (which authenticates any GitHub user and just hides
extra tools) because the campaign data behind these tools is
spoiler-sensitive, not just at mutation risk.
One-time setup, before wrangler dev or deploy will work:
Create two GitHub OAuth Apps at github.com/settings/developers → OAuth Apps → New OAuth App:
Dev: Authorization callback URL
http://localhost:8787/callbackProd: Authorization callback URL
https://convergence-gambit-mcp.<account>.workers.dev/callback(or the custom domain, once phase 3 lands — a new callback URL is needed on that cutover too)
Create the KV namespace OAuthProvider needs for state + client-approval storage (already done for this repo; re-run only if it's ever deleted):
npx wrangler kv namespace create OAUTH_KV # paste the resulting id into wrangler.jsonc's kv_namespaces bindingLocal dev: copy
.dev.vars.exampleto.dev.vars(gitignored) and fill in the dev app's client id/secret, plus a randomCOOKIE_ENCRYPTION_KEY(any random string — used to HMAC-sign the client-approval cookie):node -e "console.log(crypto.randomUUID())"Production secrets, from the prod app:
npx wrangler secret put GITHUB_CLIENT_ID npx wrangler secret put GITHUB_CLIENT_SECRET npx wrangler secret put COOKIE_ENCRYPTION_KEY # can reuse the dev value or generate a new one
Once all three secrets exist in both places, npm run dev / wrangler deploy work as before, just with GitHub login gating /mcp and /sse.
Two different "Client ID"s — don't cross them. This tripped us up on first deploy. There are two unrelated OAuth relationships stacked here:
Who authenticates to whom
Where the credential lives
GitHub OAuth App
our Worker → github.com
wrangler secret put GITHUB_CLIENT_ID/_SECRET— never touched by ClaudeThis server's own OAuth clients
Claude → our Worker
auto-registered by Claude itself via
/register(RFC 7591) — nobody ever types this inWhen adding the custom connector in Claude, enter only the server URL and leave any Client ID / Client Secret fields blank. If you paste the GitHub OAuth App's credentials into Claude's connector setup,
/authorizewill fail withInvalid client. The clientId provided does not match to this client.(thrown by@cloudflare/workers-oauth-providerwhen it can't find that client_id inOAUTH_KV— because it was never registered there in the first place). Also: Worker secrets and KV are different storage systems — don't addGITHUB_CLIENT_IDetc. as KV key-value pairs in theOAUTH_KVnamespace's dashboard browser;wrangler secret put(or the dashboard's Variables & Secrets tab) is the only thing that actually reachesenv.GITHUB_CLIENT_IDin the Worker.
Version drift note. The
agentspackage (Cloudflare'sMcpAgent) moves fast. Ifnpm installortypecheckcomplains, scaffold Cloudflare's current authless remote-MCP template into a scratch directory (npm create cloudflare@latest -- scratch --template=cloudflare/ai/demos/remote-mcp-authless), copy itspackage.jsondependency versions and any changedMcpAgent/serveidioms into this repo, and keep oursrc/content. The template is the authority on plumbing; this repo is the authority on everything above the seam.
The seam
Everything meaningful lives behind one interface:
src/lk/types.ts LegendKeeperClient + domain types (from the API screenshot)
src/lk/fake.ts In-memory implementation, seeded with campaign articles
src/index.ts MCP tools — talk only to the interfaceWhen the real API ships, we add src/lk/http.ts implementing
LegendKeeperClient against the v2 endpoints and swap one constructor
call in index.ts. Tools never change at cutover.
Speculative type fields are tagged SPEC-DRIFT — grep for them when the
real docs land.
Nightly backups (stub)
A cron trigger (0 9 * * * in wrangler.jsonc) calls src/backup.ts
nightly, which exports the project via LegendKeeperClient.exportProject()
and writes a snapshot to the BACKUPS R2 bucket (convergence-gambit-backups),
pruning anything older than 30 days.
Whether the real LegendKeeper API can export a whole project at all is
unconfirmed (SPEC-DRIFT CRITICAL UNKNOWN #3 in src/lk/types.ts) —
today this runs against the fake client, which proves the R2 storage and
retention path end-to-end with fake data. When the real answer is known,
only src/lk/client.ts needs to change.
One-time setup before this can deploy: R2 must be enabled on the Cloudflare account (dashboard only, not scriptable), then create the bucket:
npx wrangler r2 bucket create convergence-gambit-backupsTo exercise the cron locally, with npm run dev already running:
curl "http://localhost:8787/cdn-cgi/handler/scheduled".
Phases
Walking skeleton (done) — authless, fake-backed, deployed, connected from the phone.
Auth (done) — GitHub OAuth in front of every tool (see "Authentication" above), allowlisted to
Kishottaonly. Only now, with auth in place, is it safe to move on to real LegendKeeper credentials:npx wrangler secret put LK_API_KEY/LK_PROJECT_ID.Custom domain — point
connoreaves.dev(orkishotta.com) DNS at Cloudflare, uncomment the route inwrangler.jsonc, redeploy tomcp.connoreaves.dev.Real client —
src/lk/http.tsagainst the shipped API.Charter-aware tools —
create_npc_article,create_location_article,stage_reveal, the markdown→LK converter. Designed only after phase 4 confirms the two critical unknowns.
Phases 4 and 5 both trigger on the same event (LegendKeeper publishing the
v2 API docs) and are the reason this repo currently has nothing left to do
— see docs/real-api-cutover.md for the full
runbook for that day, written up in advance so it isn't reconstructed from
scratch later.
The two critical unknowns (verify the day the docs drop)
Does the API expose the visibility model? Element/tab/block secrecy is load-bearing for the whole architecture charter. If absent, every write tool must warn that a manual secrecy pass is required before the article is player-safe.
What format do
pagedocuments accept? Expected: ProseMirror-style JSON, not markdown. The converter targets whatever this turns out to be; until thenLKDocument.contentis deliberatelyunknown.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Kishotta/convergence-gambit-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server