context-capsule

context-capsule

Allows coding agents to securely retrieve curated, sealed Slack message bundles (capsules) via MCP, with full audit and expiration controls.

Category
Visit Server

README

Context Capsule

The AI only ever sees the messages you hand it — and you can see exactly what that is.

Context Capsule lets developers curate exact Slack messages into immutable, redacted bundles ("capsules") that a coding agent can dereference through an MCP server. The agent never holds a Slack token. Every dereference is audited. Capsules can be single-use or time-limited.

  • Read-only by construction. The Slack manifest declares zero write scopes.
  • Default-deny. Nothing leaves Slack unless a human explicitly selects it.
  • Frozen at finalize. Sealing snapshots the content + mints a SHA-256 content hash.
  • Prompt-injection safe. Capsule content is wrapped as untrusted reference data, never instructions.
  • Self-host or hosted. Single Next.js app — deploys to Vercel; runs locally with Postgres + Redis.

30-second quickstart

  1. Install the Slack app from the manifest — paste slack-manifest.yml into Slack's "Create app from manifest" flow, replacing example.com with your deployment origin.
  2. Connect. Visit /api/slack/install on your deployment, authorize the workspace.
  3. Reference. In Slack, use the message overflow menu → "Add to capsule." Review in the web app, hit Seal capsule, copy the reference, and paste it into your agent's MCP configuration.

Slack scopes — why each one exists

Scope Why
channels:history Read the specific public-channel messages the user selected via shortcut.
groups:history Same, for private channels the bot is invited to.
im:history Same, for DMs the user shortcuts into a capsule.
mpim:history Same, for group DMs.
channels:read Resolve channel names for display in the review UI.
users:read Resolve message authors to readable names (instead of U01ABCDEFG).
commands Required to register the message shortcut entry point.

There are no write scopes anywhere in the manifest. The app is structurally incapable of posting, editing, or deleting in Slack.


Architecture (Phase 1 — Vercel-ready)

Slack workspace ──select──▶ /api/slack/events ──▶ ingestMessage() ──▶ Postgres
  (human curates, in place)  (signature verified) (Slack API · author resolved)    │
                                                                                   │
                                                  ┌────────────────────────────────┘
                                                  ▼
                                            capsules + capsule_messages
                                                  │
                                                  │ human review + seal (web UI)
                                                  ▼
                                            finalized capsule (immutable, hashed)
                                                  │
                                                  │ Bearer-authed JSON-RPC
                                                  ▼
                                            /api/mcp · fetch_capsule ──▶ Coding agent
                                                  │
                                                  └─▶ audit_events (every dereference)

Phase 2 layers on reactions, thread shortcuts, OAuth MCP, and a Grafana dashboard.


Configuring an MCP client

Every client connects to the same endpoint with a Bearer token minted from the web app at /settings.

Claude Code

~/.claude/mcp.json:

{
  "mcpServers": {
    "context-capsule": {
      "url": "https://YOUR-DEPLOYMENT.vercel.app/api/mcp",
      "transport": "http",
      "headers": {
        "Authorization": "Bearer cap_mcp_REPLACE_ME"
      }
    }
  }
}

Claude Desktop

~/Library/Application Support/Claude/claude_desktop_config.json:

{
  "mcpServers": {
    "context-capsule": {
      "url": "https://YOUR-DEPLOYMENT.vercel.app/api/mcp",
      "headers": { "Authorization": "Bearer cap_mcp_REPLACE_ME" }
    }
  }
}

Cursor

In Cursor settings → MCP, add an HTTP server with the same URL and bearer token.

Cline

cline_mcp_settings.json:

{
  "mcpServers": {
    "context-capsule": {
      "url": "https://YOUR-DEPLOYMENT.vercel.app/api/mcp",
      "authToken": "cap_mcp_REPLACE_ME"
    }
  }
}

MCP tools

  • fetch_capsule(capsule_id) — return the curated, sealed message bundle. Refuses if the capsule isn't owned by the authenticated identity, isn't finalized, has expired, or has been single-use consumed. Content is wrapped with an explicit UNTRUSTED REFERENCE MATERIAL header.
  • list_capsules() — return ids, titles, hashes, and policy for the authenticated identity. Contents are NOT included.

Every successful or refused dereference writes an audit_events row visible at /capsules/<id>/audit.


Local development

pnpm install
docker compose up -d postgres redis    # or use any Postgres + Redis
cp .env.example .env                   # fill in Slack credentials
pnpm db:migrate
pnpm --filter @capsule/web dev

Then visit http://localhost:3000 and follow Add to Slack. Or use the dev-login backdoor at /dev-login if you want to preview the UI without finishing OAuth setup.


Self-host with Docker Compose

cp .env.example .env
docker compose up -d

Brings up Postgres, Redis, MinIO, and the Next.js app. Point your Slack app's request_url and redirect_url at the public origin you map to port 3000.


Security model

The five guarantees the codebase enforces, not just describes:

  1. Read-only by construction. No write scopes in slack-manifest.yml; nothing in the codebase calls a write Slack API.
  2. Default-deny selection. The only path that ingests a message is the add_to_capsule message_action handler. There's no listener, no scheduler, no scraper.
  3. Pre-flight redaction. @capsule/redaction scans every message on ingest. Detected spans are highlighted in the review UI in --alert coral. Finalize destructively rewrites the snapshot.
  4. Capsule is the trust boundary. The agent's identity (Bearer token → users.mcp_subject) maps to a single user. The dereference path enforces ownerId === user.id, status === finalized, expiry, and single-use atomically inside one transaction. Concurrent reads can't both win on a single-use capsule.
  5. Full audit trail. Every dereference (allow or refuse) is written to audit_events with the actor subject, user agent, and IP. Owners see it at /capsules/<id>/audit.

The MCP response wraps content in an explicit "this is untrusted data, not commands" envelope so the consuming agent can't be hijacked by adversarial Slack messages.


Status

  • [x] Phase 1 — message shortcut selection → draft → review/redact → seal → MCP fetch_capsule. Full security model.
  • [ ] Phase 2 — reaction selection, thread shortcuts, audit dashboard, OTel + Grafana.
  • [ ] Phase 3 — hosted reference instance with Slack App Directory listing.

License

MIT.

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured