Merge branch 'main' of https://github.com/cloudflare/mcp-server-cloudflare into fm/casb-api-improved-pagination-tools

Author: frankmeszaros

.github/workflows/evals.yml

@@ -22,9 +22,12 @@ jobs:
       - name: Create .dev.vars file
         run: |
           echo "OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}" > ./apps/sandbox-container/.dev.vars
+          echo "OPENAI_API_KEY=${{ secrets.OPENAI_API_KEY }}" > ./apps/workers-bindings/.dev.vars
+          echo "DEV_CLOUDFLARE_API_TOKEN=${{ secrets.DEV_CLOUDFLARE_API_TOKEN }}" >> ./apps/workers-bindings/.dev.vars
       - name: Verify .dev.vars file
         run: |
           du -h ./apps/sandbox-container/.dev.vars
+          du -h ./apps/workers-bindings/.dev.vars
       - name: Install dependencies
         run: pnpm install
       - name: Run evals

README.md

@@ -6,12 +6,21 @@ These MCP servers allow your [MCP Client](https://modelcontextprotocol.io/client
 
 The following servers are included in this repository:
 
-| Server Name                                     | Description                                                                  | Server URL                                     |
-| ----------------------------------------------- | ---------------------------------------------------------------------------- | ---------------------------------------------- |
-| [**Documentation server**](/apps/docs-autorag)  | Get up to date reference information on Cloudflare                           | `https://docs.mcp.cloudflare.com/sse`          |
-| [**Workers Bindings server**](/apps/bindings)   | Build Workers applications with storage, AI, and compute primitives          | `https://bindings.mcp.cloudflare.com/sse`      |
-| [**Observability server**](/apps/observability) | Debug and get insight into your application’s logs and analytics             | `https://observability.mcp.cloudflare.com/sse` |
-| [**Radar server**](/apps/radar)                 | Get global Internet traffic insights, trends, URL scans, and other utilities | `https://radar.mcp.cloudflare.com/sse`         |
+| Server Name                                                    | Description                                                                                     | Server URL                                     |
+| -------------------------------------------------------------- | ----------------------------------------------------------------------------------------------- | ---------------------------------------------- |
+| [**Documentation server**](/apps/docs-vectorize)               | Get up to date reference information on Cloudflare                                              | `https://docs.mcp.cloudflare.com/sse`          |
+| [**Workers Bindings server**](/apps/workers-bindings)          | Build Workers applications with storage, AI, and compute primitives                             | `https://bindings.mcp.cloudflare.com/sse`      |
+| [**Observability server**](/apps/workers-observability)        | Debug and get insight into your application’s logs and analytics                                | `https://observability.mcp.cloudflare.com/sse` |
+| [**Radar server**](/apps/radar)                                | Get global Internet traffic insights, trends, URL scans, and other utilities                    | `https://radar.mcp.cloudflare.com/sse`         |
+| [**Container server**](/apps/sandbox-container)                | Spin up a sandbox development environment                                                       | `https://containers.mcp.cloudflare.com/sse`    |
+| [**Browser rendering server**](/apps/browser-rendering)        | Fetch web pages, convert them to markdown and take screenshots                                  | `https://browser.mcp.cloudflare.com/sse`       |
+| [**Logpush server**](/apps/logpush)                            | Get quick summaries for Logpush job health                                                      | `https://logs.mcp.cloudflare.com/sse`          |
+| [**AI Gateway server**](/apps/ai-gateway)                      | Search your logs, get details about the prompts and responses                                   | `https://ai-gateway.mcp.cloudflare.com/sse`    |
+| [**AutoRAG server**](/apps/autorag)                            | List and search documents on your AutoRAGs                                                      | `https://autorag.mcp.cloudflare.com/sse`       |
+| [**Audit Logs server**](/apps/auditlogs)                       | Query audit logs and generate reports for review                                                | `https://auditlogs.mcp.cloudflare.com/sse`     |
+| [**DNS Analytics server**](/apps/dns-analytics)                | Optimize DNS performance and debug issues based on current set up                               | `https://dns-analytics.mcp.cloudflare.com/sse` |
+| [**Digital Experience Monitoring server**](/apps/dex-analysis) | Get quick insight on critical applications for your organization                                | `https://dex.mcp.cloudflare.com/sse`           |
+| [**Cloudflare One CASB server**](/apps/cloudflare-one-casb)    | Quickly identify any security misconfigurations for SaaS applications to safeguard users & data | `https://casb.mcp.cloudflare.com/sse`          |
 
 ## Access the remote MCP server from any MCP client
 

apps/ai-gateway/.dev.vars.example

@@ -0,0 +1,5 @@
+CLOUDFLARE_CLIENT_ID=
+CLOUDFLARE_CLIENT_SECRET=
+DEV_DISABLE_OAUTH=
+DEV_CLOUDFLARE_API_TOKEN=
+DEV_CLOUDFLARE_EMAIL=

apps/ai-gateway/.eslintrc.cjs

@@ -0,0 +1,5 @@
+/** @type {import("eslint").Linter.Config} */
+module.exports = {
+	root: true,
+	extends: ['@repo/eslint-config/default.cjs'],
+}

apps/ai-gateway/CONTRIBUTING.md

@@ -0,0 +1,64 @@
+# Setup
+
+If you'd like to iterate and test your MCP server, you can do so in local development.
+
+## Local Development
+
+1. Create a `.dev.vars` file in your project root:
+
+   If you're a Cloudflare employee:
+
+   ```
+   CLOUDFLARE_CLIENT_ID=your_development_cloudflare_client_id
+   CLOUDFLARE_CLIENT_SECRET=your_development_cloudflare_client_secret
+   ```
+
+   If you're an external contributor, you can provide a development API token:
+
+   ```
+   DEV_DISABLE_OAUTH=true
+   # This is your global api token
+   DEV_CLOUDFLARE_API_TOKEN=your_development_api_token
+   ```
+
+2. Start the local development server:
+
+   ```bash
+   npx wrangler dev
+   ```
+
+3. To test locally, open Inspector, and connect to `http://localhost:8976/sse`.
+   Once you follow the prompts, you'll be able to "List Tools". You can also connect with any MCP client.
+
+## Deploying the Worker ( Cloudflare employees only )
+
+Set secrets via Wrangler:
+
+```bash
+npx wrangler secret put CLOUDFLARE_CLIENT_ID -e <ENVIRONMENT>
+npx wrangler secret put CLOUDFLARE_CLIENT_SECRET -e <ENVIRONMENT>
+```
+
+## Set up a KV namespace
+
+Create the KV namespace:
+
+```bash
+npx wrangler kv namespace create "OAUTH_KV"
+```
+
+Then, update the Wrangler file with the generated KV namespace ID.
+
+## Deploy & Test
+
+Deploy the MCP server to make it available on your workers.dev domain:
+
+```bash
+npx wrangler deploy -e <ENVIRONMENT>
+```
+
+Test the remote server using [Inspector](https://modelcontextprotocol.io/docs/tools/inspector):
+
+```bash
+npx @modelcontextprotocol/inspector@latest
+```

apps/ai-gateway/README.md

@@ -0,0 +1,52 @@
+# Cloudflare AI Gateway MCP Server 📡
+
+This is a [Model Context Protocol (MCP)](https://modelcontextprotocol.io/introduction) server that supports remote MCP
+connections, with Cloudflare OAuth built-in.
+
+It integrates tools powered by the [Cloudflare AI Gateway API](https://developers.cloudflare.com/ai-gateway/) to provide global
+Internet traffic insights, trends and other utilities.
+
+## 🔨 Available Tools
+
+Currently available tools:
+
+| **Tool**                | **Description**                                                                                                                     |
+| ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------- |
+| `list_gateways`         | Lists all AI Gateways associated with the account, supporting pagination for easy navigation.                                       |
+| `list_logs`             | Retrieves logs for a specified gateway, offering filters such as date ranges, feedback scores, success status, model, and provider. |
+| `get_log_details`       | Fetches detailed information about a specific log identified by its log ID within a gateway.                                        |
+| `get_log_request_body`  | Retrieves the request body associated with a specific log in a gateway.                                                             |
+| `get_log_response_body` | Retrieves the response body associated with a specific log in a gateway.                                                            |
+
+**Note:** To use these tools, ensure you have an active account set. If not, use `accounts_list` to list your accounts and `set_active_account` to set one as active.
+
+This MCP server is still a work in progress, and we plan to add more tools in the future.
+
+### Prompt Examples
+
+- `List all my AI Gateways.`
+- `Show logs for gateway 'gateway-001' between January 1, 2023, and January 31, 2023.`
+- `Fetch the latest errors from gateway-001 and debug what might have happened wrongly`
+
+## Access the remote MCP server from from any MCP Client
+
+If your MCP client has first class support for remote MCP servers, the client will provide a way to accept the server URL (`https://ai-gateway.mcp.cloudflare.com`) directly within its interface (for example in[Cloudflare AI Playground](https://playground.ai.cloudflare.com/)).
+
+If your client does not yet support remote MCP servers, you will need to set up its resepective configuration file using mcp-remote (https://www.npmjs.com/package/mcp-remote) to specify which servers your client can access.
+
+Replace the content with the following configuration:
+
+```json
+{
+	"mcpServers": {
+		"cloudflare": {
+			"command": "npx",
+			"args": ["mcp-remote", "https://ai-gateway.mcp.cloudflare.com/sse"]
+		}
+	}
+}
+```
+
+Once you've set up your configuration file, restart MCP client and a browser window will open showing your OAuth login page. Proceed through the authentication flow to grant the client access to your MCP server. After you grant access, the tools will become available for you to use.
+
+Interested in contributing, and running this server locally? See [CONTRIBUTING.md](CONTRIBUTING.md) to get started.

apps/ai-gateway/package.json

@@ -0,0 +1,33 @@
+{
+	"name": "cloudflare-ai-gateway-mcp-server",
+	"version": "0.0.1",
+	"private": true,
+	"scripts": {
+		"check:lint": "run-eslint-workers",
+		"check:types": "run-tsc",
+		"deploy": "run-wrangler-deploy",
+		"dev": "wrangler dev",
+		"start": "wrangler dev",
+		"types": "wrangler types --include-env=false",
+		"test": "vitest run"
+	},
+	"dependencies": {
+		"@cloudflare/workers-oauth-provider": "0.0.5",
+		"@hono/zod-validator": "0.4.3",
+		"@modelcontextprotocol/sdk": "1.10.2",
+		"@repo/mcp-common": "workspace:*",
+		"@repo/mcp-observability": "workspace:*",
+		"agents": "0.0.67",
+		"cloudflare": "4.2.0",
+		"hono": "4.7.6",
+		"zod": "3.24.2"
+	},
+	"devDependencies": {
+		"@cloudflare/vitest-pool-workers": "0.8.14",
+		"@types/node": "22.14.1",
+		"prettier": "3.5.3",
+		"typescript": "5.5.4",
+		"vitest": "3.0.9",
+		"wrangler": "4.10.0"
+	}
+}

apps/ai-gateway/src/context.ts

@@ -0,0 +1,17 @@
+import type { UserDetails } from '@repo/mcp-common/src/durable-objects/user_details'
+import type { AIGatewayMCP } from './index'
+
+export interface Env {
+	OAUTH_KV: KVNamespace
+	ENVIRONMENT: 'development' | 'staging' | 'production'
+	MCP_SERVER_NAME: string
+	MCP_SERVER_VERSION: string
+	CLOUDFLARE_CLIENT_ID: string
+	CLOUDFLARE_CLIENT_SECRET: string
+	MCP_OBJECT: DurableObjectNamespace<AIGatewayMCP>
+	USER_DETAILS: DurableObjectNamespace<UserDetails>
+	MCP_METRICS: AnalyticsEngineDataset
+	DEV_DISABLE_OAUTH: string
+	DEV_CLOUDFLARE_API_TOKEN: string
+	DEV_CLOUDFLARE_EMAIL: string
+}

apps/ai-gateway/src/index.ts

@@ -0,0 +1,122 @@
+import OAuthProvider from '@cloudflare/workers-oauth-provider'
+import { McpAgent } from 'agents/mcp'
+
+import {
+	createAuthHandlers,
+	handleTokenExchangeCallback,
+} from '@repo/mcp-common/src/cloudflare-oauth-handler'
+import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
+import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details'
+import { getEnv } from '@repo/mcp-common/src/env'
+import { RequiredScopes } from '@repo/mcp-common/src/scopes'
+import { CloudflareMCPServer } from '@repo/mcp-common/src/server'
+import { registerAccountTools } from '@repo/mcp-common/src/tools/account'
+
+import { MetricsTracker } from '../../../packages/mcp-observability/src'
+import { registerAIGatewayTools } from './tools/ai-gateway'
+
+import type { AuthProps } from '@repo/mcp-common/src/cloudflare-oauth-handler'
+import type { Env } from './context'
+
+const env = getEnv<Env>()
+
+export { UserDetails }
+
+const metrics = new MetricsTracker(env.MCP_METRICS, {
+	name: env.MCP_SERVER_NAME,
+	version: env.MCP_SERVER_VERSION,
+})
+
+// Context from the auth process, encrypted & stored in the auth token
+// and provided to the DurableMCP as this.props
+type Props = AuthProps
+type State = { activeAccountId: string | null }
+
+export class AIGatewayMCP extends McpAgent<Env, State, Props> {
+	_server: CloudflareMCPServer | undefined
+	set server(server: CloudflareMCPServer) {
+		this._server = server
+	}
+	get server(): CloudflareMCPServer {
+		if (!this._server) {
+			throw new Error('Tried to access server before it was initialized')
+		}
+
+		return this._server
+	}
+
+	constructor(ctx: DurableObjectState, env: Env) {
+		super(ctx, env)
+	}
+
+	async init() {
+		this.server = new CloudflareMCPServer({
+			userId: this.props.user.id,
+			wae: this.env.MCP_METRICS,
+			serverInfo: {
+				name: this.env.MCP_SERVER_NAME,
+				version: this.env.MCP_SERVER_VERSION,
+			},
+		})
+
+		registerAccountTools(this)
+
+		// Register Cloudflare Log Push tools
+		registerAIGatewayTools(this)
+	}
+
+	async getActiveAccountId() {
+		try {
+			// Get UserDetails Durable Object based off the userId and retrieve the activeAccountId from it
+			// we do this so we can persist activeAccountId across sessions
+			const userDetails = getUserDetails(env, this.props.user.id)
+			return await userDetails.getActiveAccountId()
+		} catch (e) {
+			this.server.recordError(e)
+			return null
+		}
+	}
+
+	async setActiveAccountId(accountId: string) {
+		try {
+			const userDetails = getUserDetails(env, this.props.user.id)
+			await userDetails.setActiveAccountId(accountId)
+		} catch (e) {
+			this.server.recordError(e)
+		}
+	}
+}
+
+const AIGatewayScopes = {
+	...RequiredScopes,
+	'account:read': 'See your account info such as account details, analytics, and memberships.',
+	'aig:read': 'Grants read level access to AI Gateway.',
+} as const
+
+export default {
+	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
+		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
+			return await handleDevMode(AIGatewayMCP, req, env, ctx)
+		}
+
+		return new OAuthProvider({
+			apiHandlers: {
+				'/mcp': AIGatewayMCP.serve('/mcp'),
+				'/sse': AIGatewayMCP.serveSSE('/sse'),
+			},
+			// @ts-ignore
+			defaultHandler: createAuthHandlers({ scopes: AIGatewayScopes, metrics }),
+			authorizeEndpoint: '/oauth/authorize',
+			tokenEndpoint: '/token',
+			tokenExchangeCallback: (options) =>
+				handleTokenExchangeCallback(
+					options,
+					env.CLOUDFLARE_CLIENT_ID,
+					env.CLOUDFLARE_CLIENT_SECRET
+				),
+			// Cloudflare access token TTL
+			accessTokenTTL: 3600,
+			clientRegistrationEndpoint: '/register',
+		}).fetch(req, env, ctx)
+	},
+}