Is there an official Discourse Model Context Protocol (MCP)

Looked in this forum and on GitHub Discourse for an official Discourse Model Context Protocol (MCP) and did not find anything.

While there are unofficial Discourse MCP (ref), would much prefer an official one. Yes I am considering creating my own if needed.


Update:

DeepLearning.AI just released a free online class taught by Elie Schoppik from Anthropic

7 Likes

We don’t have an official MCP server or client. We have been “waiting and seeing” for now to see how adoption of the protocol emerges.

7 Likes

Would love to have an MCP for Discourse API Docs and Dev Docs. That would help a lot since we have been tweaking some Theme Components and we want to make sure that the code is always compatible to our and future Discourse versions and follow best practice.

2 Likes

Sometimes it is the ideas that you do not think of that are some of the best. :slightly_smiling_face:

Thanks for posting.

1 Like

The “note” seems to be empty when expanded…

It isn’t necessarily an industry standard yet (like JSON, REST, etc) therefore early adopters (organizations/companies included) may end up paying the price of something shinier and better coming along after this original MCP. With that being said, it’s understandable that Discourse may want to wait this one out a bit

For a quick and dirty test I started using GitMCP: https://gitmcp.io/

If anyone else wants to give it a shot, check it out:

https://gitmcp.io/discourse/discourse-developer-docs

1 Like

My current thinking roadmap wise is is along this… still needs lots of refinement but it helps paint a picture of how I think about this.

V0 - MCP server

  • Allow admin to select a collection of tools (either custom or built-in) and publish to a particular endpoint. /discourse-ai/mcp/NAME

  • Use Bearer for authentication - in particular a user API key

  • Key can be scoped to a particular MCP service

Milestone

  • Discourse tools (eg: search instance, read topics etc…) can be consumed by Cursor and Claude desktop

V1 - MCP client

  • Allow admin to consume an MCP service, which adds a list of tools to the available tool list that can then be consumed by personas.

  • Use Bearer for authentication

Milestone

  • Services in in https://mcp.so can be consumed by a discourse instance

V2 - MCP client per user

  • When discussing with bot, privileged users can click “add MCP” and add MCP to an ongoing conversation
  • Use Bearer for auth

Milestone

  • End users can choose to add context for an MCP of choice to an ongoing AI conversation

V3 - Implement OAuth 2 for auth

This is a more complex auth mechanism especially registration

Milestone

  • Broader support

V4 - Implement a “bridge” mechanism for local resource access

  • Implement a gem or desktop app that allows access to local resources via MCP to discourse, utilizing stdio transport

milestone

  • You can converse with a Discourse Bot PM and access local files for extra context
7 Likes

leaving this here as a possible way of modularizing it , glad to see a conversation on this topic.

A security issue one should be advised of/know/understand related to MCPs.

Stop Running Your MCP Tools via npx/uvx Right Now by Bob Dickinson

The gist of the issue is that by using npx or uvx you are essentially telling your tool-using platform to go get whatever code is registered with the package name provided and run it (the “x” is for “execute”), updating whenever the package changes. And the code that is then run on your machine has root access — it can see your entire machine, environment variables, the file system, it can open ports to listen or to exfiltrate data. This code, which just got pulled down fresh from the registry, can do ANYTHING it wants.


For example in learning to use MCPs grabbed the time MCP from

The install instructions note one possible option

e.g.

uvx actually downloaded all of the code in milliseconds into a temporary directory and ran it as needed. When the MCP client was done (closed in the case of Claude Desktop), the temporary files were deleted.

Yes you should get a warning before the code is executed as in the case with Claude Desktop

but how many users really know how to check and just click an allow option.


Announcements such as these are common.

Destructive malware available in NPM repo went unnoticed for 2 years

Creating MCP Servers via vibe coding is relatively easy, getting the security correct is not.

1 Like