feat: Cloudflare One Email Security MCP Server

Author: frankmeszaros

apps/cloudflare-one-email-security/.dev.vars.example

@@ -0,0 +1,5 @@
+CLOUDFLARE_CLIENT_ID=
+CLOUDFLARE_CLIENT_SECRET=
+DEV_DISABLE_OAUTH=
+DEV_CLOUDFLARE_API_TOKEN=
+DEV_CLOUDFLARE_EMAIL=

apps/cloudflare-one-email-security/package.json

@@ -0,0 +1,34 @@
+{
+	"name": "cloudflare-email-security-mcp-server",
+	"version": "0.0.1",
+	"private": true,
+	"scripts": {
+		"check:lint": "run-eslint-workers",
+		"check:types": "run-tsc",
+		"deploy": "run-wrangler-deploy",
+		"dev": "wrangler dev",
+		"start": "wrangler dev",
+		"types": "wrangler types --include-env=false",
+		"test": "vitest run"
+	},
+	"dependencies": {
+		"@cloudflare/workers-oauth-provider": "0.0.5",
+		"@hono/zod-validator": "0.4.3",
+		"@modelcontextprotocol/sdk": "1.10.2",
+		"@repo/mcp-common": "workspace:*",
+		"@repo/mcp-observability": "workspace:*",
+		"agents": "0.0.67",
+		"cloudflare": "4.2.0",
+		"hono": "4.7.6",
+		"zod": "3.24.2"
+	},
+	"devDependencies": {
+		"@cloudflare/vitest-pool-workers": "0.8.14",
+		"@types/jsonwebtoken": "9.0.9",
+		"@types/node": "22.14.1",
+		"prettier": "3.5.3",
+		"typescript": "5.5.4",
+		"vitest": "3.0.9",
+		"wrangler": "4.10.0"
+	}
+}

apps/cloudflare-one-email-security/src/email-security.app.ts

@@ -0,0 +1,123 @@
+import OAuthProvider from '@cloudflare/workers-oauth-provider'
+import { McpAgent } from 'agents/mcp'
+
+import {
+	createAuthHandlers,
+	handleTokenExchangeCallback,
+} from '@repo/mcp-common/src/cloudflare-oauth-handler'
+import { handleDevMode } from '@repo/mcp-common/src/dev-mode'
+import { getUserDetails, UserDetails } from '@repo/mcp-common/src/durable-objects/user_details.do'
+import { getEnv } from '@repo/mcp-common/src/env'
+import { RequiredScopes } from '@repo/mcp-common/src/scopes'
+import { CloudflareMCPServer } from '@repo/mcp-common/src/server'
+import { registerAccountTools } from '@repo/mcp-common/src/tools/account.tools'
+import { MetricsTracker } from '@repo/mcp-observability'
+
+import { registerEmailSecurityTools } from './tools/email-security.tools'
+
+import type { AuthProps } from '@repo/mcp-common/src/cloudflare-oauth-handler'
+import type { Env } from './email-security.context.ts'
+
+export { UserDetails }
+
+const env = getEnv<Env>()
+
+const metrics = new MetricsTracker(env.MCP_METRICS, {
+	name: env.MCP_SERVER_NAME,
+	version: env.MCP_SERVER_VERSION,
+})
+
+// Context from the auth process, encrypted & stored in the auth token
+// and provided to the DurableMCP as this.props
+type Props = AuthProps
+
+type State = { activeAccountId: string | null }
+
+export class EmailSecurityMCP extends McpAgent<Env, State, Props> {
+	_server: CloudflareMCPServer | undefined
+	set server(server: CloudflareMCPServer) {
+		this._server = server
+	}
+
+	get server(): CloudflareMCPServer {
+		if (!this._server) {
+			throw new Error('Tried to access server before it was initialized')
+		}
+
+		return this._server
+	}
+
+	constructor(ctx: DurableObjectState, env: Env) {
+		super(ctx, env)
+	}
+
+	async init() {
+		this.server = new CloudflareMCPServer({
+			userId: this.props.user.id,
+			wae: this.env.MCP_METRICS,
+			serverInfo: {
+				name: this.env.MCP_SERVER_NAME,
+				version: this.env.MCP_SERVER_VERSION,
+			},
+		})
+
+		registerAccountTools(this)
+		registerEmailSecurityTools(this)
+	}
+
+	async getActiveAccountId() {
+		try {
+			// Get UserDetails Durable Object based off the userId and retrieve the activeAccountId from it
+			// we do this so we can persist activeAccountId across sessions
+			const userDetails = getUserDetails(env, this.props.user.id)
+			return await userDetails.getActiveAccountId()
+		} catch (e) {
+			this.server.recordError(e)
+			return null
+		}
+	}
+
+	async setActiveAccountId(accountId: string) {
+		try {
+			const userDetails = getUserDetails(env, this.props.user.id)
+			await userDetails.setActiveAccountId(accountId)
+		} catch (e) {
+			this.server.recordError(e)
+		}
+	}
+}
+
+const EmailSecurityScopes = {
+	...RequiredScopes,
+	'account:read':
+		'See your account info such as account details, analytics, and memberships.',
+	'email_security:read': 'See Cloud Email Security data for your account',
+} as const
+
+export default {
+	fetch: async (req: Request, env: Env, ctx: ExecutionContext) => {
+		if (env.ENVIRONMENT === 'development' && env.DEV_DISABLE_OAUTH === 'true') {
+			return await handleDevMode(EmailSecurityMCP, req, env, ctx)
+		}
+
+		return new OAuthProvider({
+			apiHandlers: {
+				'/mcp': EmailSecurityMCP.serve('/mcp'),
+				'/sse': EmailSecurityMCP.serveSSE('/sse'),
+			},
+			// @ts-ignore
+			defaultHandler: createAuthHandlers({ scopes: EmailSecurityScopes, metrics }),
+			authorizeEndpoint: '/oauth/authorize',
+			tokenEndpoint: '/token',
+			tokenExchangeCallback: (options) =>
+				handleTokenExchangeCallback(
+					options,
+					env.CLOUDFLARE_CLIENT_ID,
+					env.CLOUDFLARE_CLIENT_SECRET
+				),
+			// Cloudflare access token TTL
+			accessTokenTTL: 3600,
+			clientRegistrationEndpoint: '/register',
+		}).fetch(req, env, ctx)
+	},
+}

apps/cloudflare-one-email-security/src/email-security.context.ts

@@ -0,0 +1,16 @@
+import type { EmailSecurityMCP, UserDetails } from './email-security.app'
+
+export interface Env {
+	ENVIRONMENT: 'development' | 'staging' | 'production'
+	MCP_SERVER_NAME: string
+	MCP_SERVER_VERSION: string
+	MCP_OBJECT: DurableObjectNamespace<EmailSecurityMCP>
+	MCP_METRICS: AnalyticsEngineDataset
+	AI: Ai
+	CLOUDFLARE_CLIENT_ID: string
+	CLOUDFLARE_CLIENT_SECRET: string
+	USER_DETAILS: DurableObjectNamespace<UserDetails>
+	DEV_DISABLE_OAUTH: string
+	DEV_CLOUDFLARE_API_TOKEN: string
+	DEV_CLOUDFLARE_EMAIL: string
+}

apps/cloudflare-one-email-security/src/tools/email-security.tools.ts

@@ -0,0 +1,76 @@
+import { z } from 'zod'
+
+import { withAccountCheck } from '@repo/mcp-common/src/api/account.api'
+import { getCloudflareClient } from '@repo/mcp-common/src/cloudflare-api'
+
+import type { EmailSecurityMCP } from '../email-security.app'
+
+const PAGE_SIZE = 20
+
+// Define tool parameters
+const searchQueryParam = z
+	.string()
+	.optional()
+	.describe(
+		"Space-delimited search terms used to filter email messages. Matches various metadata fields such as subject, sender, hashes, etc. If omitted, all messages are returned."
+	)
+
+const startParam = z
+	.string()
+	.optional()
+	.describe('ISO 8601 datetime string marking beginning of search range. Defaults to 30 days ago if omitted.')
+
+const endParam = z
+	.string()
+	.optional()
+	.describe('ISO 8601 datetime string marking end of search range. Defaults to now if omitted.')
+
+export function registerEmailSecurityTools(agent: EmailSecurityMCP) {
+	agent.server.tool(
+		'email_security_search_messages',
+		'Search Cloudflare Email Security messages via Investigate list endpoint',
+		{ query: searchQueryParam, start: startParam, end: endParam },
+		withAccountCheck<{
+			query?: string
+			start?: string
+			end?: string
+		}>(
+			agent,
+			async ({ query, start, end, accountId, apiToken }: {
+				query?: string
+				start?: string
+				end?: string
+				accountId: string | null
+				apiToken: string
+			}) => {
+				const client = getCloudflareClient(apiToken)
+
+				const params: any = { account_id: accountId }
+				if (query) params.query = query
+				if (start) params.start = start
+				if (end) params.end = end
+				// Limit page result count per_page to PAGE_SIZE
+				params.per_page = PAGE_SIZE
+
+				const messages: any[] = []
+				try {
+					for await (const item of client.emailSecurity.investigate.list(params)) {
+						messages.push(item)
+					}
+				} catch (error) {
+					return {
+						error:
+							error instanceof Error
+								? error.message
+								: 'Unknown error occurred while fetching messages',
+					}
+				}
+
+				return {
+					messagesCount: messages.length,
+					messages,
+				}
+			}
+		)
+	)
+}

apps/cloudflare-one-email-security/tsconfig.json

@@ -0,0 +1,4 @@
+{
+	"extends": "@repo/typescript-config/workers.json",
+	"include": ["*/**.ts", "./types.d.ts", "./vitest.config.ts"]
+}

apps/cloudflare-one-email-security/types.d.ts

@@ -0,0 +1,5 @@
+import type { TestEnv } from './vitest.config'
+
+declare module 'cloudflare:test' {
+	interface ProvidedEnv extends TestEnv {}
+}

apps/cloudflare-one-email-security/vitest.config.ts

@@ -0,0 +1,24 @@
+import { defineWorkersConfig } from '@cloudflare/vitest-pool-workers/config'
+
+import type { Env } from './src/email-security.context'
+
+export interface TestEnv extends Env {
+	CLOUDFLARE_MOCK_ACCOUNT_ID: string
+	CLOUDFLARE_MOCK_API_TOKEN: string
+}
+
+export default defineWorkersConfig({
+	test: {
+		poolOptions: {
+			workers: {
+				wrangler: { configPath: `${__dirname}/wrangler.jsonc` },
+				miniflare: {
+					bindings: {
+						CLOUDFLARE_MOCK_ACCOUNT_ID: 'mock-account-id',
+						CLOUDFLARE_MOCK_API_TOKEN: 'mock-api-token',
+					} satisfies Partial<TestEnv>,
+				},
+			},
+		},
+	},
+})