Skip to main content
Glama

Conduit

Real SEC filings as first-class agent tools. One URL, zero install.

Conduit is a free, open-source, remote (streamable-HTTP) MCP server over SEC EDGAR, built to run entirely on Cloudflare's free tier. It absorbs EDGAR's sharp edges once — CIK zero-padding, accession formats, XBRL taxonomy tags, and the strict fair-access policy — so every agent client gets clean, cited, token-lean filing data without installing anything.

Not affiliated with, endorsed by, or sponsored by the SEC. Provides public EDGAR data; not investment advice.

Status — scaffold only (2026-07-08)

This repository is at Phase 0 scaffold. What exists today:

  • Worker skeleton (Hono) exposing only /healthz.

  • TypeScript (strict), ESLint, Vitest on @cloudflare/vitest-pool-workers (real workerd) with a passing smoke test.

  • D1 migration pipeline (drizzle-kit → wrangler d1 migrations apply) with a bootstrap migration.

  • Typed analytics tracking plan (analytics/events.ts) with the activation event edgar_first_tool_success as instrument zero.

  • The single EDGAR config module (src/edgar/config.ts) holding the declared User-Agent.

  • CI on push/PR: typecheck, lint, migration check, unit tests, gitleaks. No deploy job.

  • The single EDGAR client choke point (src/edgar/) + the first tool (get_filing_section) behind a dev-only, flag-gated route.

  • The [SECURITY/Opus] v0.5 security posture (see docs/security-posture.md): global ≤10 req/s SEC fair-access budget (coordinator Durable Object), per-IP inbound abuse control (429 + Retry-After + RateLimit-*), body-size cap, site-wide security headers, CORS baseline, keyed-HMAC client identification (zero PII), outbound host allow-list + charset gates, and RFC 9457 problem+json errors.

What does NOT exist yet: the /mcp surface, the playground, and the Phase 2 controls (playground denial-of-wallet, prompt-injection posture, full CORS/hygiene sweep, keyed tiers). The charter (PRD.md, ARCHITECTURE.md, DESIGN-BRIEF.md, BUILD-PLAN.md, docs/) is the contract.

Phase 0 is NOT signed off. The stateless-connector spike (a real claude.ai connector against a public URL) is still unrun because it requires public exposure, which is gated on the security posture below.

Related MCP server: edgar-mcp

⚠️ Flagged for Sam (unratified)

  1. License — Apache-2.0 (proposed). Applied now so the public repo is licensed from day one (LICENSE, NOTICE). Ratify or change before accepting external contributions.

  2. EDGAR User-Agent contact (proposed). SEC fair access requires a declared User-Agent with real contact info. The proposed default lives in one module (src/edgar/config.ts, env-overridable via EDGAR_UA_CONTACT): Conduit/0.1 (+https://conduit.samlatino.dev) latinosammy22@gmail.com Ratify the contact string before any non-local traffic.

🚫 No deploy yet — awaiting posture ratification

The v0.5 security posture is now implemented and tested (docs/security-posture.md), but deploy stays physically blocked by three independent layers, pending Sam's explicit ratification of the posture:

  1. No CI deploy job exists (.github/workflows/ci.yml runs verification only).

  2. No publish target: wrangler.toml sets workers_dev = false and declares no routes / custom domain, so a bare wrangler deploy has nowhere to publish.

  3. Guard script: npm run deploy (and predeploy) run scripts/deploy-guard.mjs, which exits non-zero with the gate message.

Runtime evidence at this phase is local wrangler dev only — never --remote, never a tunnel, never workers.dev. The guards are lifted only after ratification, in a later commit, so their removal lands in git history after the posture, never before. A full security-review pass over /mcp + the EDGAR client + the playground remains a pre-launch gate.

Develop

npm install
cp .dev.vars.example .dev.vars   # local-only vars; never committed
npm run migrate                  # apply D1 migrations to the local database
npm run dev                      # wrangler dev (local D1/KV), http://localhost:8787
curl http://localhost:8787/healthz

Command

What it does

npm run dev

wrangler dev — local Worker with local D1/KV.

npm test

Vitest in the real workerd runtime (@cloudflare/vitest-pool-workers).

npm run typecheck

tsc --noEmit (strict).

npm run lint

ESLint.

npm run migrate:generate

drizzle-kit generates a new versioned migration from src/db/schema.ts.

npm run migrate

Apply migrations to local D1 (wrangler d1 migrations apply). Never db push.

npm run deploy

Blocked — exits non-zero (security-posture gate).

License

Apache-2.0 (proposed — see flags above). © 2026 Sam Latino.

A
license - permissive license
-
quality - not tested
B
maintenance

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/slatino-dev/conduit'

If you have feedback or need assistance with the MCP directory API, please join our Discord server