A secure MCP (Model Context Protocol) server for the WorkBoard OKR and strategy execution platform.
This MCP server is designed to be:
- Secure by default - Comprehensive threat modeling, input validation, and token protection
- No third-party services - Runs locally via stdio, your API token never leaves your machine
- Cross-platform - Works on Linux, macOS, and Windows
- Automatically updated - GitHub Actions monitor for CVEs and update dependencies
- Containerized - Available at quay.io/crunchtools/mcp-workboard, built on Hummingbird Python base image
| Component | Name |
|---|---|
| GitHub repo | crunchtools/mcp-workboard |
| Container | quay.io/crunchtools/mcp-workboard |
| Python package (PyPI) | mcp-workboard-crunchtools |
| CLI command | mcp-workboard-crunchtools |
| Module import | mcp_workboard_crunchtools |
The container image is built on the Hummingbird Python base image from Project Hummingbird, which provides:
- Minimal CVE exposure - Built with a minimal package set, dramatically reducing attack surface
- Regular updates - Security patches applied promptly
- Optimized for Python - Pre-configured with uv package manager
- Production-ready - Proper signal handling and non-root user defaults
- workboard_get_user - Get a user by ID or the current authenticated user
- workboard_list_users - List all users (Data-Admin role required)
- workboard_create_user - Create a new user (Data-Admin role required)
- workboard_update_user - Update an existing user

- workboard_get_objectives - Get objectives associated with a user (API capped at 15)
- workboard_get_objective_details - Get details for a specific objective with key results
- workboard_get_my_objectives - Get the current user's owned objectives by ID (recommended)
```
uvx mcp-workboard-crunchtools
```

```
pip install mcp-workboard-crunchtools
```

```
podman run -e WORKBOARD_API_TOKEN=your_token \
  quay.io/crunchtools/mcp-workboard
```

- Log in to your WorkBoard instance
- Navigate to Admin Settings > API Configuration
- Generate a JWT API token
- Copy the token immediately - store it securely
```
claude mcp add mcp-workboard \
  --env WORKBOARD_API_TOKEN=your_token_here \
  -- uvx mcp-workboard-crunchtools
```

Or for the container version:

```
claude mcp add mcp-workboard \
  --env WORKBOARD_API_TOKEN=your_token_here \
  -- podman run -i --rm -e WORKBOARD_API_TOKEN quay.io/crunchtools/mcp-workboard
```

User: Who am I in WorkBoard?
Assistant: [calls workboard_get_user with no args]
User: List all WorkBoard users
Assistant: [calls workboard_list_users]
User: Show me objectives for user 12345
Assistant: [calls workboard_get_objectives with user_id=12345]
User: Get details on objective 67890 for user 12345
Assistant: [calls workboard_get_objective_details with user_id=12345, objective_id=67890]
User: Show me my objectives (IDs: 2900058, 2900075, 2901770)
Assistant: [calls workboard_get_my_objectives with objective_ids=[2900058, 2900075, 2901770]]
This server was designed with security as a primary concern. See SECURITY.md for:
- Threat model and attack vectors
- Defense in depth architecture
- Token handling best practices
- Input validation rules
- Token Protection
  - Stored as SecretStr (never accidentally logged)
  - Environment variable only (never in files or args)
  - Sanitized from all error messages
- Input Validation
  - Pydantic models for all inputs
  - Positive integer validation for IDs
  - Email validation for user creation
- API Hardening
  - Hardcoded API base URL (prevents SSRF)
  - TLS certificate validation
  - Request timeouts
  - Response size limits
- Automated CVE Scanning
  - GitHub Actions scan dependencies weekly
  - Automatic issues for security updates
  - Dependabot alerts enabled
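
The token-protection, input-validation and fixed-base-URL controls listed above, shown as an added example (not code from this project). It assumes Pydantic is installed; the model and helper names, the base URL and the path layout are hypothetical, and the token is a constructed sample.

```python
import os
from pydantic import BaseModel, Field, SecretStr, ValidationError

# Placeholder host (assumption); the point is that it is a constant, never caller input.
API_BASE_URL = "https://workboard.example.invalid/api"


class ObjectiveDetailsInput(BaseModel):
    """Hypothetical input model: both IDs must be positive integers."""
    user_id: int = Field(gt=0)
    objective_id: int = Field(gt=0)


def load_token(env=os.environ) -> SecretStr:
    """Read the token from the environment only and wrap it at once."""
    raw = env.get("WORKBOARD_API_TOKEN", "")
    if not raw:
        raise RuntimeError("WORKBOARD_API_TOKEN is not set")
    return SecretStr(raw)


def build_url(user_id, objective_id) -> str:
    """Validate the IDs, then build a path under the fixed base URL."""
    args = ObjectiveDetailsInput(user_id=user_id, objective_id=objective_id)
    # Hypothetical path layout, not WorkBoard's documented routes.
    return f"{API_BASE_URL}/user/{args.user_id}/objective/{args.objective_id}"


def sanitize_error(message: str, token: SecretStr) -> str:
    """Strip the raw token from text bound for logs or MCP error replies."""
    return message.replace(token.get_secret_value(), "***")


if __name__ == "__main__":
    token = load_token({"WORKBOARD_API_TOKEN": "constructed-sample-token"})
    print(repr(token))  # masked: the raw value is not shown
    print(build_url(12345, 67890))
    for bad in (0, -7, "../admin"):
        try:
            build_url(bad, 67890)
        except ValidationError as exc:
            print("rejected", repr(bad), "-", exc.errors()[0]["msg"])
    print(sanitize_error("401 for Bearer constructed-sample-token", token))
```
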
```
git clone https://github.com/crunchtools/mcp-workboard.git
cd mcp-workboard
uv sync
```

```
uv run pytest
```

```
uv run ruff check src tests
uv run mypy src
```

```
podman build -t mcp-workboard .
```

License: AGPL-3.0-or-later
Contributions welcome! Please read SECURITY.md before submitting security-related changes.