Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Cf

БесплатноНе проверен

Read-only Cloudflare MCP server for SOC investigation, exposing Cloudflare services like WAF, bot management, analytics, and Zero Trust for querying and discove

GitHubEmbed

Описание

Read-only Cloudflare MCP server for SOC investigation, exposing Cloudflare services like WAF, bot management, analytics, and Zero Trust for querying and discovery.

README

Read-only Cloudflare MCP server for SOC investigation agents (companion to sumologic-mcp, flare-mcp, mcp-virustotal).

Exposes:

  • Discovery — accounts, zones
  • Rulesets & WAF — custom rules, rate-limit rules, managed rulesets
  • Bot Management — config, Super Bot Fight Mode
  • Analytics (GraphQL) — firewall events, HTTP requests, bot events, baseline traffic diff
  • Cloudflare One / Zero Trust — Access apps & policies, Gateway rules, WARP devices, IdPs
  • Logpush — job metadata
  • Helpers — dashboard URL builder, wirefilter validator

v1 is strictly read-only. Every non-GET HTTP request is refused at the client layer when CF_READ_ONLY=true (default).

Install

uv sync

Configure

Store your Cloudflare API token in the OS credential store (Windows Credential Manager / macOS Keychain / Linux Secret Service):

uv run cf-mcp-setup

Alternatively, set the CF_API_TOKEN environment variable in your MCP client config — useful on headless Linux hosts where no keyring backend is available.

Required token scopes

Create an API token at https://dash.cloudflare.com/profile/api-tokens with at least these read permissions:

  • Zone Read
  • Zone WAF Read
  • Account Rulesets Read
  • Account Settings Read
  • Bot Management Read
  • Analytics Read (Account + Zone)
  • Logs Read
  • Access: Apps Read, Access: Policies Read
  • Zero Trust: Gateway Read

Optional env vars

  • CF_ACCOUNT_ID — default account ID for account-scoped tools.
  • CF_ZONE_ALLOWLIST — comma-separated zone names; zone-scoped tools refuse zones not in the list, even if the token has broader access.
  • CF_READ_ONLY — defaults to true; set false only if a future v1.5 ships mutating tools and you've reviewed them.

MCP client config

Claude Desktop (claude_desktop_config.json)

{
  "mcpServers": {
    "cloudflare": {
      "command": "uv",
      "args": ["run", "--project", "/path/to/cf-mcp", "cf-mcp"],
      "env": {
        "CF_ACCOUNT_ID": "<your-account-id>",
        "CF_ZONE_ALLOWLIST": "example.com,example.net"
      }
    }
  }
}

Development

uv sync
uv run ruff check src tests
uv run mypy --strict src
uv run pytest tests/unit
CF_LIVE_TEST=true uv run pytest tests/integration

Architecture notes

  • One async httpx client per process, shared across all tool calls.
  • No retry on 429 — the agent decides; retry_after_s is surfaced in the error envelope. Retry 502/503/504 with exponential backoff + jitter, max 3 attempts, ~10s total budget.
  • No internal rate-limit accountant — Cloudflare's edge and the agent are the only governors. REST quota is 1200/5min; GraphQL is a separate 300/5min.
  • No cache in v1 — the cache_meta envelope field is reserved for v1.5.
  • Compact-mode by default — GraphQL tools return only dimensions + counts. Detail drill-down via verbose=true on cf_query_firewall_events_raw and cf_query_http_requests_raw.
  • Hard ~20K-token response ceiling — exceeding tools return response_too_large with a hint, never silent truncation.

Response envelope

{
  "data": {...},
  "next_cursor": "v1.<base64>",
  "cache_meta": {"hit": false, "age_s": 0, "ttl_s": 0},
  "api_endpoint_called": "POST /graphql",
  "correlation_id": "uuid",
  "error": null
}

On error, data is null and error has:

{
  "code": "rate_limited|auth|not_found|validation|upstream|response_too_large|read_only_violation|zone_not_allowed",
  "http_status": 429,
  "cf_errors": [{"code": 10000, "message": "..."}],
  "retry_after_s": 30,
  "hint": "narrow the time range or reduce limit"
}

from github.com/wojtekkura/cf-mcp

Установка Cf

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/wojtekkura/cf-mcp

FAQ

Cf MCP бесплатный?

Да, Cf MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Cf?

Нет, Cf работает без API-ключей и переменных окружения.

Cf — hosted или self-hosted?

Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.

Как установить Cf в Claude Desktop, Claude Code или Cursor?

Открой Cf на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Cf with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории development