Executor Cloudflare MCP Server

Executor Cloudflare MCP Server

Deploys an open-source integration layer for AI agents (Executor) to Cloudflare, providing a private MCP endpoint secured by Cloudflare Access, with D1 database, R2 storage, and Durable Objects for session management.

Category
Visit Server

README

Executor on Cloudflare

Deploy Executor (an open-source integration layer for AI agents) to your own Cloudflare account, private behind Cloudflare Access, and update its version remotely. Uses Alchemy to declare the resource graph, including the Access application and policy.

  • Deploy the whole graph with one command; private once bun run verify passes.
  • Agents and CLIs reach /mcp with an Access service token, no browser.
  • Update the pinned Executor version by redeploying, locally or via an approval-gated tool callable from the endpoint.

Updating Executor's version

The Executor version is pinned in scripts/bootstrap.ts. Updating means changing that pin and redeploying. Two ways:

# From the machine: override the pin and redeploy.
EXECUTOR_REVISION=<full-commit-sha> bun run deploy

Remotely: self_edit is a small server that runs where the repo and Cloudflare credentials live. You register it with Executor so it's callable from the gated /mcp endpoint. When called, it changes the pin, rebuilds that revision, and redeploys — the build and deploy run on that machine, not inside the Worker. So an update can be triggered from any client that can reach the endpoint, not just from the deploy machine directly. Every call is approval-gated. Walkthrough: docs/self-edit.md.

self_edit edits any file in this repo and redeploys, so it covers more than version bumps, but version updates are its purpose. Across an update, D1, R2, the Durable Object, the secret, the hostname, and Access are preserved.

What deploy sets up

One command provisions the whole graph in code, so there's no "deploy, copy the Access audience by hand, deploy again" step. All resources are created in your account (deployment still pulls from GitHub and npm):

Resource Purpose
Worker + web assets console, API, /mcp endpoint
D1 application data
R2 specs and plugin blobs
Durable Object MCP sessions
Encryption secret at-rest key (generated; Worker secret)
Custom hostname stable origin you own
Access app + email policy browser sign-in
Access service token + policy headless agents/CLIs

workers.dev and preview URLs are off.

Prerequisites

  • Bun 1.3+ and Git
  • A Cloudflare account where you can create Workers, D1, R2, Durable Objects, Worker secrets, custom hostnames, and Zero Trust Access apps/policies/tokens
  • A hostname in a zone on that account (e.g. executor.example.com)
  • A Zero Trust team domain (e.g. your-team.cloudflareaccess.com)

Setup

About 5 minutes once the prerequisites are ready (account enablement, Zero Trust onboarding, and the first Executor build can take longer). POSIX shell; on Windows use WSL.

git clone https://github.com/acoyfellow/executor-cloudflare
cd executor-cloudflare
bun install
cp .env.example .env   # then edit it; the variables and examples are in that file
bunx alchemy login
bun run deploy

deploy checks out the pinned Executor commit under vendor/, builds it, and applies the stack:

Done: 8 succeeded
{ url: "https://executor.example.com", mcpUrl: "https://executor.example.com/mcp" }

It also writes the generated Access service-token credentials to .env.mcp (git-ignored). Re-running with unchanged config reuses the data resources; the Worker and assets may update. Review the plan before applying; changed config or lost Alchemy state can replace resources.

Verify

bun run verify
Anonymous request blocked by Cloudflare Access (302).

This only proves anonymous requests are turned away. Also open the URL in a private window, sign in with the allowed email, and confirm the console loads.

Connect an agent

Agents reach /mcp with the Access service token the stack wrote to .env.mcp (no browser). The client id/secret are a bearer credential to the endpoint; anyone holding them gets the same access. See docs/connect-clients.md. Quick check:

bun --env-file=.env.mcp run scripts/verify-mcp.ts
# -> Headless MCP initialize succeeded (200). No browser involved.

Architecture

See docs/architecture.md. Executor's sandboxed catalog tools can only call what they connect to; they can't deploy. self_edit is a separate server running where the repo and credentials live; registering it lets Executor call it through /mcp, but the build and redeploy happen on that machine, not in the Worker:

agents --> <your-host>/mcp --> catalog tools     (sandboxed; can't deploy)
                               self_edit (registered) --> server on the deploy
                                                            machine: edit pin,
                                                            rebuild, redeploy
operator --> self_edit (local) --> same server, called directly

self_edit rejects paths resolving outside this repo (tested) and requires a bearer token. Deployment runs code from this repo, so repo-write is effectively code execution with the deploy process's Cloudflare credentials. The path check and approval prompt are controls, not a sandbox. There is no auto-approve mode.

Teardown

bun run destroy   # can delete D1/R2 data — don't run it on data you need

Development

bun run check   # tests + typecheck, no Cloudflare credentials needed

vendor/, .env, .env.mcp, and Alchemy state are git-ignored.

Security

  • Cloudflare Access authenticates requests to the hostname; an unguessable URL is never relied on for privacy. Access admits a client but doesn't authorize individual tools.
  • Catalog tools get only their configured bindings; they have no deploy path.
  • self_edit is high-authority (repo write plus deploy), guarded by a path check, a bearer token, and an approval prompt, not a sandbox.
  • Don't commit .env, .env.mcp, or Alchemy state. Treat MCP arguments and self_edit diffs as sensitive in logs. See SECURITY.md.

Limitations

  • An example, not a product; use a non-production account until you've reviewed it.
  • Treat destroy as destructive; D1/R2/Access retention isn't fully characterized.
  • Pins one Executor revision and one Alchemy version.
  • No unattended self-edit, and no production observability or scale envelope.
  • Setup is tested on macOS/Linux; Windows is untested (use WSL).

Layout

alchemy.run.ts         resource graph (Worker, D1, R2, DO, secret, Access)
src/config.ts          validated .env inputs
scripts/bootstrap.ts   pin + build vendored Executor (the version lives here)
scripts/verify*.ts     anonymous-access + headless-MCP checks
scripts/mcp-bridge.ts  stdio-to-HTTP bridge for local MCP clients
scripts/self-edit-*    edit-and-redeploy tool (core, local stdio, catalog HTTP)
docs/ · test/          architecture/self-edit/connect · config + boundary tests

License

MIT

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured