KVMFleet Server

A Model Context Protocol server that lets AI assistants (Claude Desktop, Cursor, Continue, etc.) work across your KVM Fleet fleet through the official REST API. All access is RBAC-enforced, policy-checked, and audited server-side.

What you can ask it to do

Read mode (default):

• "How many devices do I have? Which are offline?"
• "Show me failed logins in the last 24 hours."
• "What approvals are waiting on me right now?"
• "Generate this month's NIS2 compliance snapshot — surface the dropped controls."
• "What alerts fired overnight?"
• "Verify my audit log integrity."
• "When was my audit chain last anchored to a witness?"
• "Why was [email protected] denied access to srv-pdx-3 yesterday?" (logged decision + reason)
• "Show the CPU-temp trend for R7525-NORD-1 over the last 12 hours."
• "Run the compliance-evidence workflow for ISO 27001 and give me an auditor link." (prompt)

Write mode (opt-in, see below):

• "Power-cycle host R7525-NORD-1."
• "Mount ubuntu-24.04.iso on R7525-NORD-1 — I'll reinstall."
• "Approve the access request from [email protected] for the kernel-patching ticket."
• "End the console session that's been open more than 8 hours on srv-pdx-3."
• "Acknowledge the disk-full alert on the prod database host."

Tools

Reads (always available)

Tool	Maps to
list_devices	GET /v1/devices
get_device_health	GET /v1/devices/{id}
get_power_state	GET /v1/devices/{id}/power
get_device_metrics	GET /v1/devices/{id}/metrics
query_audit_log	GET /v1/audit/events
verify_audit_integrity	GET /v1/audit/integrity
get_audit_chain_head	GET /v1/audit/head
get_inclusion_proof	POST /v1/audit/inclusion-proof
list_audit_witnesses	GET /v1/audit-witnesses
list_open_console_sessions	GET /v1/console-sessions?open_only=true
list_access_grants	GET /v1/access-grants
list_policies	GET /v1/policies
list_policy_evaluations	GET /v1/policy-evaluations
list_alerts	GET /v1/alerts/history
list_isos	GET /v1/isos
list_team	GET /v1/team
get_compliance_config	GET /v1/compliance
get_compliance_score	POST /v1/reports/{framework}?format=json
render_compliance_report	POST /v1/reports/{framework} (json / csv)
list_report_shares	GET /v1/report-shares

list_policy_evaluations returns logged past decisions — each with one result and one human-readable reason. It is not a live rule-by-rule trace.

Writes (opt-in via KVMFLEET_MCP_ALLOW_WRITES=true)

Tool	Maps to	Confirm?
power_action	POST /v1/devices/{id}/power	yes for off / off_hard / cycle
request_access	POST /v1/devices/{id}/access-requests	—
approve_access	POST /v1/access-grants/{id}:approve	—
deny_access	POST /v1/access-grants/{id}:deny	—
revoke_access	POST /v1/access-grants/{id}:revoke	yes
mount_iso	POST /v1/devices/{id}/iso:mount	yes
unmount_iso	POST /v1/devices/{id}/iso:unmount	—
end_console_session	POST /v1/console-sessions/{id}:end	yes
acknowledge_alert	POST /v1/alerts/history/{id}/acknowledge	—
resolve_alert	POST /v1/alerts/history/{id}/resolve	—
create_report_share	POST /v1/report-shares	yes (publishes an external link)

Write tools requiring confirm: true will refuse the call with a clear error if the LLM omits the flag. This protects against "AI accidentally power-cycled prod".

Prompts

Curated, one-shot governance workflows — invoke them as slash-commands in clients that surface MCP prompts (e.g. Claude Desktop). Each composes only the tools above and is verb-bounded: it assembles and summarises; it never attests, detects, or diagnoses.

Prompt	Composes	Produces
compliance-evidence <framework>	render_compliance_report + get_inclusion_proof + (writes) create_report_share	an evidence pack: report summary, offline-verifiable proof bundle, optional auditor link
access-review [days]	list_access_grants + query_audit_log	a who-accessed-what summary over the window for a human reviewer
audit-integrity-check	verify_audit_integrity + get_audit_chain_head	the chain re-walk result + current chain head
policy-posture	list_policies + list_policy_evaluations	configured rules + how they have been deciding access

Install

npm install -g @kvmfleet/mcp

Or use npx directly in the Claude Desktop config below.

Get an API token

1. Log into app.kvmfleet.io.
2. Account → API tokens → Create token.
3. Copy the token (shown exactly once).

The token inherits your current org role. Power actions / ISO mount / console-session end require org_admin or operator. Revoke any time from the same page — it stops working immediately.

Wire up Claude Desktop

Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "kvmfleet": {
      "command": "npx",
      "args": ["-y", "@kvmfleet/mcp"],
      "env": {
        "KVMFLEET_API": "https://app.kvmfleet.io",
        "KVMFLEET_TOKEN": "kvmf_paste_your_token_here"
      }
    }
  }
}

Restart Claude Desktop. Read tools are now available.

Enabling write mode

Add KVMFLEET_MCP_ALLOW_WRITES to the env block:

{
  "mcpServers": {
    "kvmfleet": {
      "command": "npx",
      "args": ["-y", "@kvmfleet/mcp"],
      "env": {
        "KVMFLEET_API": "https://app.kvmfleet.io",
        "KVMFLEET_TOKEN": "kvmf_paste_your_token_here",
        "KVMFLEET_MCP_ALLOW_WRITES": "true"
      }
    }
  }
}

When unset (or anything other than the literal string "true"), write tools are not advertised to the LLM at all. When enabled, destructive actions still require an explicit confirm: true arg.

What the platform still enforces

The MCP layer is a thin SDK. The platform does the real work on every call:

• RBAC — power actions need org_admin/operator; approving an access request needs the appropriate role; the token inherits the operator's role.
• Policy engine — time-of-day rules, require_mfa, max_concurrent_sessions, approval_required, etc. all fire on agent-originated calls the same way they fire on human-originated ones.
• JIT access — a power action against a device that requires JIT access will refuse if there's no active grant.
• 4-eyes approval — an operator approving their own access request is refused server-side.
• Audit chain — every action lands as an audit-event row in the per-org hash chain. The agent's calls are tagged via the x-kvmfleet-mcp-client header so a human auditor can correlate.
• Rate limits — per-device, per-user, per-action limits apply unchanged.

If a call is refused, the error from the platform is surfaced verbatim so the LLM can read it and act on it.

Privacy

The token is sent to your KVM Fleet platform only — never to Anthropic, the MCP package, or any third party. Read the platform's Privacy Policy for what's logged on our side (audit-event row per call).

Local dev

cd kvmfleet/mcp
npm install
npm run build
npm start                                              # reads only
KVMFLEET_MCP_ALLOW_WRITES=true npm start               # reads + writes

Roadmap

• MSP context-switch — KVMFLEET_MSP_PARENT_ORG_ID env to scope tools to a single managed customer.
• Tagged audit rows — the platform will surface actor_type=agent on audit rows originating from the MCP, so compliance reviewers can split human vs. agent action history.
• Token-scope enforcement — once API tokens grow a scope: read | write field on the platform, the MCP will refuse to expose writes on a read-only token.

License

MIT — see LICENSE. Copyright 2026 KVM Fleet.