Conduit
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Conduitfetch the latest 10-K filing for Apple"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Conduit
Real SEC filings as first-class agent tools. One URL, zero install.
Conduit is a free, open-source, remote (streamable-HTTP) MCP server over SEC EDGAR, built to run entirely on Cloudflare's free tier. It absorbs EDGAR's sharp edges once — CIK zero-padding, accession formats, XBRL taxonomy tags, and the strict fair-access policy — so every agent client gets clean, cited, token-lean filing data without installing anything.
Not affiliated with, endorsed by, or sponsored by the SEC. Provides public EDGAR data; not investment advice.
Status — scaffold only (2026-07-08)
This repository is at Phase 0 scaffold. What exists today:
Worker skeleton (Hono) exposing only
/healthz.TypeScript (strict), ESLint, Vitest on
@cloudflare/vitest-pool-workers(real workerd) with a passing smoke test.D1 migration pipeline (drizzle-kit →
wrangler d1 migrations apply) with a bootstrap migration.Typed analytics tracking plan (
analytics/events.ts) with the activation eventedgar_first_tool_successas instrument zero.The single EDGAR config module (
src/edgar/config.ts) holding the declared User-Agent.CI on push/PR: typecheck, lint, migration check, unit tests, gitleaks. No deploy job.
The single EDGAR client choke point (
src/edgar/) + the first tool (get_filing_section) behind a dev-only, flag-gated route.The [SECURITY/Opus] v0.5 security posture (see
docs/security-posture.md): global ≤10 req/s SEC fair-access budget (coordinator Durable Object), per-IP inbound abuse control (429 +Retry-After+RateLimit-*), body-size cap, site-wide security headers, CORS baseline, keyed-HMAC client identification (zero PII), outbound host allow-list + charset gates, and RFC 9457 problem+json errors.
What does NOT exist yet: the /mcp surface, the playground, and the Phase 2 controls (playground denial-of-wallet, prompt-injection posture, full CORS/hygiene sweep, keyed tiers). The charter (PRD.md, ARCHITECTURE.md, DESIGN-BRIEF.md, BUILD-PLAN.md, docs/) is the contract.
Phase 0 is NOT signed off. The stateless-connector spike (a real claude.ai connector against a public URL) is still unrun because it requires public exposure, which is gated on the security posture below.
Related MCP server: edgar-mcp
⚠️ Flagged for Sam (unratified)
License — Apache-2.0 (proposed). Applied now so the public repo is licensed from day one (
LICENSE,NOTICE). Ratify or change before accepting external contributions.EDGAR User-Agent contact (proposed). SEC fair access requires a declared User-Agent with real contact info. The proposed default lives in one module (
src/edgar/config.ts, env-overridable viaEDGAR_UA_CONTACT):Conduit/0.1 (+https://conduit.samlatino.dev) latinosammy22@gmail.comRatify the contact string before any non-local traffic.
🚫 No deploy yet — awaiting posture ratification
The v0.5 security posture is now implemented and tested (docs/security-posture.md), but deploy stays physically blocked by three independent layers, pending Sam's explicit ratification of the posture:
No CI deploy job exists (
.github/workflows/ci.ymlruns verification only).No publish target:
wrangler.tomlsetsworkers_dev = falseand declares no routes / custom domain, so a barewrangler deployhas nowhere to publish.Guard script:
npm run deploy(andpredeploy) runscripts/deploy-guard.mjs, which exits non-zero with the gate message.
Runtime evidence at this phase is local wrangler dev only — never --remote, never a tunnel, never workers.dev. The guards are lifted only after ratification, in a later commit, so their removal lands in git history after the posture, never before. A full security-review pass over /mcp + the EDGAR client + the playground remains a pre-launch gate.
Develop
npm install
cp .dev.vars.example .dev.vars # local-only vars; never committed
npm run migrate # apply D1 migrations to the local database
npm run dev # wrangler dev (local D1/KV), http://localhost:8787
curl http://localhost:8787/healthzCommand | What it does |
|
|
| Vitest in the real workerd runtime ( |
|
|
| ESLint. |
| drizzle-kit generates a new versioned migration from |
| Apply migrations to local D1 ( |
| Blocked — exits non-zero (security-posture gate). |
License
Apache-2.0 (proposed — see flags above). © 2026 Sam Latino.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/slatino-dev/conduit'
If you have feedback or need assistance with the MCP directory API, please join our Discord server