Connect a coding agent (MCP)

Obsidian ships a read-only MCP server that exposes its source-backed knowledge — repository posture, findings, migration candidates, developer context, and compliance status — to coding agents and developer tools. It runs over local stdio or remote Streamable HTTP, and never returns raw source, secret values, or clone credentials.

Local (stdio)

For tools running on the same machine as the database — Claude Desktop, Cursor, and the like:

CRYPTO_DISCOVERY_MCP_DB=data/crypto-discovery.db \
CRYPTO_DISCOVERY_MCP_ORG=acme \
crypto-discovery-mcp

Remote (HTTP)

For agent platforms, run the Streamable HTTP transport with bearer auth and an organization allowlist:

CRYPTO_DISCOVERY_MCP_DB=data/crypto-discovery.db \
CRYPTO_DISCOVERY_MCP_ORG=acme \
CRYPTO_DISCOVERY_MCP_ALLOWED_ORGS=acme \
CRYPTO_DISCOVERY_MCP_BEARER_TOKEN='<long-random-token>' \
crypto-discovery-mcp --transport=http --listen=127.0.0.1:8092

Every request needs an Authorization: Bearer <token> header. The server binds to loopback by default and fails closed when no organization scope is set — expose it through a TLS-terminating proxy for shared environments. All MCP variables are listed in Configuration.

Available tools

Tool	Use it for
`find_crypto_risks`	Organization-wide triage and risk summaries.
`get_finding_context`	Full context for a specific finding.
`summarize_repo_crypto_posture`	Posture for one repository.
`list_migration_candidates`	Readiness scoring and remediation prioritization.
`build_developer_context_bundle`	A context bundle for a developer or coding agent.
`get_compliance_status`	Compliance summaries and policy gaps.

Every response includes summary, sources, and limitations. Results default to 25 per call and clamp at 100. Agents should cite the sources and preserve the limitations rather than inventing missing facts.