Skip to content

Groupthink-dev/cloudflare-blade-mcp

BranchesTags

Repository files navigation

Cloudflare Blade MCP

A token-efficient MCP server for the Cloudflare platform. 78 tools across DNS, Workers KV, D1, Tunnels, Workers, Pages, R2, Vectorize, AI Search, AI Gateway, Workers AI, and Cache — with safety gates on every destructive operation.

Why another Cloudflare MCP?

Official CF MCP mcp-cloudflare This
Scope Workers/KV/R2/D1 (no DNS) DNS + Workers + KV DNS + KV + D1 + Tunnels + Workers + Pages + R2 + Vectorize + AI + Cache
Tools 12 14 78 (targeted)
Token cost Full API responses Full API responses 60-80% savings via concise mode
Write safety None None Confirm gates on all destructive ops
Transport stdio only stdio only stdio + Streamable HTTP
Deployment Local only Local only Local + Cloudflare Workers

The official Cloudflare MCP (cloudflare/mcp-server-cloudflare) covers Workers, KV, R2, and D1 but has no DNS tools — one of the most common Cloudflare management tasks. Its responses return full Cloudflare API payloads, exhausting token budgets on large zones.

This MCP is designed for agentic platforms that need:

  • Broad platform coverage — DNS, KV, D1, Tunnels, Workers, Pages, R2, Vectorize, AI Search, AI Gateway, Workers AI, and Cache from a single server.
  • Token discipline — concise mode strips 60-80% of response payload by default. Summary and random-sample modes for large zones.
  • Safe writes — every delete, bulk operation, and config replacement requires explicit confirm: true.
  • Flexible deployment — stdio for local clients, Streamable HTTP for remote access, Cloudflare Workers for always-on.

Quick Start

Install

# From source
git clone https://github.com/groupthink-dev/cloudflare-blade-mcp.git
cd cloudflare-blade-mcp
npm install && npm run build

Configure

# Required — create at dash.cloudflare.com/profile/api-tokens
export CLOUDFLARE_API_TOKEN="your-api-token"

# Required for account-level tools (KV, D1, Tunnel, Workers, Pages, R2, Vectorize, AI)
export CLOUDFLARE_ACCOUNT_ID="your-account-id"

API token permissions — create a custom token with:

  • Zone > DNS > Edit — DNS tools
  • Account > Workers KV Storage > Edit — KV tools
  • Account > D1 > Edit — D1 tools
  • Account > Cloudflare Tunnel > Edit — Tunnel tools
  • Account > Workers Scripts > Edit — Workers tools
  • Account > Cloudflare Pages > Edit — Pages tools
  • Account > R2 > Edit — R2 tools
  • Account > Vectorize > Edit — Vectorize tools
  • Account > AI Search > Read/Edit — AI Search tools
  • Account > AI Gateway > Read/Edit — AI Gateway tools
  • Account > Workers AI > Read/Write — Workers AI tools
  • Zone > Cache Purge > Purge — Cache tools

You can scope the token to only the services you need. DNS-only users don't need account-level permissions.

Run

# stdio (default — for Claude Code, Claude Desktop)
node dist/index.js

# HTTP transport (for remote access, tunnels)
TRANSPORT=http MCP_API_TOKEN=your-secret node dist/index.js

Claude Code / Claude Desktop

{
  "mcpServers": {
    "cloudflare": {
      "command": "node",
      "args": ["/path/to/cloudflare-blade-mcp/dist/index.js"],
      "env": {
        "CLOUDFLARE_API_TOKEN": "your-api-token",
        "CLOUDFLARE_ACCOUNT_ID": "your-account-id"
      }
    }
  }
}

Tools (78)

DNS (10 tools)

Tool Description Token Cost
cf_dns_list_zones List domains with status/name filtering Low
cf_dns_get_zone Get zone by ID or domain name Low
cf_dns_list_records List/filter records, summary mode, random sampling Medium
cf_dns_get_record Get a single record by ID Low
cf_dns_export_records Export zone as BIND zonefile High
cf_dns_create_record Create A, AAAA, CNAME, MX, TXT, SRV, CAA, NS... Low
cf_dns_update_record Partial update (PATCH) — change only what you specify Low
cf_dns_delete_record Delete record (confirm required) Low
cf_dns_bulk_create Create up to 100 records in one call Medium
cf_dns_bulk_update Update up to 100 records in one call Medium

Workers KV (9 tools)

Tool Description Token Cost
cf_kv_list_namespaces List KV namespaces in account Low
cf_kv_create_namespace Create a KV namespace (confirm required) Low
cf_kv_delete_namespace Delete a KV namespace (confirm + exact title required) Low
cf_kv_list_keys List keys with prefix filter + cursor pagination Medium
cf_kv_get Read a key's value Varies
cf_kv_put Write a key-value pair with optional TTL + metadata Low
cf_kv_delete Delete a key (confirm required) Low
cf_kv_bulk_put Write up to 10,000 key-value pairs Medium
cf_kv_bulk_delete Delete up to 10,000 keys (confirm required) Low

D1 (9 tools)

Tool Description Token Cost
cf_d1_list_databases List D1 databases in account Low
cf_d1_get_database Get database details (size, tables, version) Low
cf_d1_create_database Create a D1 database (confirm required) Low
cf_d1_delete_database Delete a D1 database (confirm + exact name required) Low
cf_d1_query Execute read-only SQL with bind parameters Varies
cf_d1_execute Execute write SQL (confirm required, blocks DROP DATABASE) Low
cf_d1_export Export all table schemas + row counts Medium
cf_d1_list_tables List tables with row counts Low
cf_d1_describe_table Describe table schema via PRAGMA Low

Tunnels (7 tools)

Tool Description Token Cost
cf_tunnel_list List tunnels with name filter Low
cf_tunnel_get Get tunnel status + connection count Low
cf_tunnel_create Create a new Cloudflare Tunnel Low
cf_tunnel_delete Delete a tunnel (confirm required) Low
cf_tunnel_list_configs List ingress routing rules Low
cf_tunnel_update_config Replace ingress rules (confirm required) Low
cf_tunnel_list_connections List active cloudflared connectors Low

Workers (13 tools)

Tool Description Token Cost
cf_workers_list_scripts List all Worker scripts in account Low
cf_workers_get_script Get script metadata, settings, schedules, deployment Low
cf_workers_get_settings Get Worker settings and bindings Medium
cf_workers_upsert_binding Insert or replace a Worker binding (confirm required) Low
cf_workers_delete_binding Remove a Worker binding (confirm required) Low
cf_workers_list_deployments List deployments with version routing Low
cf_workers_create_deployment Deploy versions with percentage routing (confirm required) Low
cf_workers_list_versions List script versions Low
cf_workers_list_secrets List secret binding names (values never exposed) Low
cf_workers_put_secret Set/update a secret binding (confirm required) Low
cf_workers_delete_secret Delete a secret binding (confirm required) Low
cf_workers_get_schedules Get cron triggers Low
cf_workers_put_schedules Set cron triggers — replaces all (confirm required) Low

Pages (7 tools)

Tool Description Token Cost
cf_pages_list_projects List all Pages projects Medium
cf_pages_get_project Get project details with latest deployment Low
cf_pages_list_deployments List deployments, filter by environment Medium
cf_pages_get_deployment Get deployment details with stages and trigger Low
cf_pages_rollback Rollback production to a previous deployment (confirm required) Low
cf_pages_list_domains List custom domains for a project Low
cf_pages_purge_build_cache Purge build cache (confirm required) Low

R2 (4 tools)

Tool Description Token Cost
cf_r2_list_buckets List R2 buckets with name filter Low
cf_r2_get_bucket Get bucket details (location, storage class) Low
cf_r2_create_bucket Create a new R2 bucket (confirm required) Low
cf_r2_delete_bucket Delete an empty R2 bucket (confirm required) Low

Vectorize (8 tools)

Tool Description Token Cost
cf_vectorize_list_indexes List Vectorize indexes Low
cf_vectorize_get_index Get a Vectorize index Low
cf_vectorize_get_index_info Get operational index info Low
cf_vectorize_create_index Create a Vectorize index (confirm required) Low
cf_vectorize_delete_index Delete a Vectorize index (confirm + exact name required) Low
cf_vectorize_list_metadata_indexes List metadata indexes Low
cf_vectorize_create_metadata_index Create a metadata index (confirm required) Low
cf_vectorize_delete_metadata_index Delete a metadata index (confirm required) Low

AI (10 tools)

Tool Description Token Cost
cf_ai_search_query Query an AI Search / AutoRAG instance Varies
cf_ai_gateway_list_gateways List AI Gateways Low
cf_ai_gateway_get_gateway Get an AI Gateway Low
cf_ai_gateway_create_gateway Create an AI Gateway (confirm required) Low
cf_ai_gateway_update_gateway Update an AI Gateway (confirm required) Low
cf_ai_gateway_delete_gateway Delete an AI Gateway (confirm required) Low
cf_ai_gateway_list_logs List AI Gateway logs Medium
cf_ai_gateway_get_log Get an AI Gateway log Medium
cf_workers_ai_list_models Search Workers AI models Medium
cf_workers_ai_run_model Run a Workers AI model (confirm required) Varies

Cache (1 tool)

Tool Description Token Cost
cf_cache_purge Purge by URLs, tags, hosts, prefixes, or everything (confirm required) Low

Token Efficiency

All read tools default to concise mode — only the fields needed for decision-making are returned.

# Concise (default) — 6 fields
{ "id": "abc123", "type": "A", "name": "www.example.com",
  "content": "1.2.3.4", "proxied": true, "ttl": "auto" }

# Full (include_details=true) — 20+ fields
{ "id": "abc123", "type": "A", "name": "www.example.com",
  "content": "1.2.3.4", "proxied": true, "ttl": 1,
  "zone_id": "...", "zone_name": "...", "created_on": "...",
  "modified_on": "...", "proxiable": true, "locked": false,
  "meta": { "auto_added": false, "managed_by_apps": false },
  "comment": null, "tags": [], ... }

Additional modes for large zones:

Mode Use case Example
summary_only=true Audit record distribution Returns { total: 142, by_type: { A: 45, CNAME: 30, ... } }
random_sample=true Spot-check a large zone Returns 5 random records (configurable)
Filters Narrow before fetching filter_type="MX", filter_name="www", filter_proxied=true

Security Model

Layer Mechanism
Token validation API token verified against Cloudflare on startup — fails fast if invalid
Confirm gates All destructive tools require confirm: true (Zod z.literal(true))
DROP protection cf_d1_execute rejects DROP DATABASE statements
Bearer auth Optional MCP_API_TOKEN for HTTP transport (timing-safe comparison)
X-API-Key fallback Auto-generated or env-set key for HTTP when bearer is not configured
No credential leakage API tokens never appear in tool responses or error messages

Environment Variables

Variable Required Default Purpose
CLOUDFLARE_API_TOKEN Yes API token
CLOUDFLARE_ACCOUNT_ID For account-level tools Account ID (also overridable per-call)
TRANSPORT No stdio stdio or http
PORT No 8787 HTTP server port
MCP_API_TOKEN No Bearer token for HTTP auth
CLOUDFLARE_DNS_MCP_API_KEY No auto-generated X-API-Key for HTTP transport

Architecture

src/
├── index.ts                 — Entry point: stdio / HTTP transport selection
├── server.ts                — MCP server factory, registers all 78 tools
├── constants.ts             — Shared config (limits, record types, field lists)
├── tools/
│   ├── zones.ts             — cf_dns_list_zones, cf_dns_get_zone
│   ├── records-read.ts      — cf_dns_list_records, cf_dns_get_record, cf_dns_export_records
│   ├── records-write.ts     — cf_dns_create_record, cf_dns_update_record, cf_dns_delete_record
│   ├── records-bulk.ts      — cf_dns_bulk_create, cf_dns_bulk_update
│   ├── kv.ts                — 9 Workers KV tools
│   ├── d1.ts                — 9 D1 database tools
│   ├── tunnels.ts           — 7 Cloudflare Tunnel tools
│   ├── workers.ts           — 13 Workers script/deployment/secret/binding tools
│   ├── pages.ts             — 7 Pages project/deployment tools
│   ├── r2.ts                — 4 R2 bucket management tools
│   ├── vectorize.ts         — 8 Vectorize index tools
│   ├── ai.ts                — 10 AI Search, AI Gateway, and Workers AI tools
│   └── cache.ts             — 1 Cache purge tool
├── schemas/                 — Zod validation schemas per domain
├── formatters/              — Token-efficient output formatters per domain
├── services/
│   ├── cloudflare.ts        — SDK singleton, REST helper, account ID resolution, token validation
│   └── auth.ts              — Bearer + X-API-Key auth for HTTP transport
└── utils/
    ├── pagination.ts        — Pagination meta, truncation, random sampling
    └── errors.ts            — Cloudflare SDK error → actionable message mapping

Dependencies: @modelcontextprotocol/sdk, cloudflare (official SDK), zod, hono. No Cloudflare dashboard scraping — pure API.

Development

npm install              # install dependencies
npm run dev              # stdio with hot-reload
npm run dev:http         # HTTP with hot-reload
npm test                 # run tests (vitest)
npm run typecheck        # type-check only
npm run build            # compile to dist/

Tool output shape

As of 0.4.0, multi-record list tools (and a handful of single-call introspection tools — cf_d1_query, cf_d1_describe_table, cf_d1_export, cf_dns_export_records) append a single-line _meta envelope to their text response per DD-338 Phase C:

<existing JSON / text payload>

_meta: {"matched_total":42,"returned":10,"filtered_by":["database_id=abc"],"latency_ms":12}

Wire shape:

  • Required: matched_total: Int, returned: Int, filtered_by: [String], latency_ms: Int.
  • Optional (omitted when empty / null): redactions: [String], next_cursor: String?, error_notes: [String].
  • filtered_by is sorted alphabetically for hash reproducibility.
  • The literal \n\n_meta: separator + single-line JSON tail match the Stallari assembler regex \n\n_meta: (\{.*\})$.

Existing consumers that string-match the JSON payload front are forward-compatible — the envelope is purely additive. cf_d1_query redacts the raw SQL to a sha256-12 base64-urlsafe digest (sql=<12 chars>) for privacy and token economy.

Stallari Marketplace

This MCP conforms to the edge-platform-v2 service contract (78/78 operations) across ten service domains: dns, kv, d1, tunnel, workers, pages, r2, vectorize, ai, cache.

See stallari-plugin.yaml for the full plugin manifest.

License

MIT

About

No description, website, or topics provided.

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

1 tags

Packages

 
 
 

Contributors

Languages