A beginner-friendly, production-aware Model Context Protocol server for a local Markdown notes workspace.
Give an AI assistant useful access to a folder of Markdown notes without giving it your whole hard drive.
This repository is a small, inspectable MCP server for local Markdown notes. An MCP-compatible AI application can discover its tools, validate their inputs, and invoke them over a standard protocol.
The server can:
- list notes
- read one note
- search notes
- create a safely named note
- append to an existing note
- expose a read-only note index as a resource
- provide a reusable
summarize_noteprompt
The important part is what it cannot do: access a file outside the configured notes workspace.
Without a protocol, every AI application and every tool provider needs a custom integration. MCP standardizes the conversation: servers describe capabilities, clients discover them, and hosts decide when and how the model may use them.
MCP is not magic and it is not the model itself. It is a contract around context and actions. Permissions, validation, user intent, and operational security are still your responsibility.
flowchart LR
U["User"] --> H["MCP Host<br/>AI application"]
H --> C["MCP Client"]
C <-->|"MCP over stdio"| S["MCP Notes Server"]
S --> V["Validation and safe path resolution"]
V --> W[("Configured notes workspace<br/>Markdown only")]
V -. "blocked" .-> X["Everything outside"]
The host owns the user experience and model. Its MCP client connects to this server. The server advertises tools, validates each request, and touches only the configured directory. See ARCHITECTURE.md for the full model.
Prerequisites: Python 3.11+ and, optionally, uv.
git clone https://github.com/revanthpp/mcp-notes-server.git
cd mcp-notes-server
python -m venv .venv
source .venv/bin/activate
python -m pip install -e ".[dev]"
cp .env.example .env
export MCP_NOTES_DIR="$PWD/examples/sample_notes"
mcp-notes-serverThe process waits for MCP messages on stdin. That quiet terminal is normal. Logs go to stderr so they do not corrupt the stdio protocol.
With uv, the equivalent setup is:
uv sync --extra dev
MCP_NOTES_DIR="$PWD/examples/sample_notes" uv run mcp-notes-serverpytest
ruff check .The tests cover normal note workflows and attacks involving absolute paths,
.. traversal, hidden files, non-Markdown files, and symlinks that point outside
the workspace.
Most local clients accept a command, arguments, and environment variables for a stdio server. Use an absolute repository path:
{
"mcpServers": {
"notes": {
"command": "/absolute/path/to/mcp-notes-server/.venv/bin/mcp-notes-server",
"args": [],
"env": {
"MCP_NOTES_DIR": "/absolute/path/to/mcp-notes-server/examples/sample_notes",
"MCP_NOTES_LOG_LEVEL": "INFO"
}
}
}
}Configuration filenames and UI steps differ by client. Use its documentation, restart or reconnect the client, then check that these five tools appear.
You can also inspect the server interactively:
MCP_NOTES_DIR="$PWD/examples/sample_notes" \
npx -y @modelcontextprotocol/inspector \
.venv/bin/mcp-notes-server| Capability | Input | Result |
|---|---|---|
list_notes |
none | titles and workspace-relative paths |
read_note |
filename |
title, path, and Markdown content |
search_notes |
query |
matching notes and short snippets |
create_note |
title, content |
created path and status message |
append_to_note |
filename, content |
updated path and status message |
Resource notes://index |
none | read-only JSON note index |
Prompt summarize_note |
filename |
reusable summarization instruction |
Python type hints and Pydantic models become MCP input and output schemas through the official SDK. This lets clients discover more than function names. They can see the shape of a valid call before making one.
The wire format is handled by your MCP client, but the logical calls look like:
{"name": "list_notes", "arguments": {}}{"name": "read_note", "arguments": {"filename": "mcp-basics.md"}}{
"name": "create_note",
"arguments": {
"title": "My First MCP Note",
"content": "The protocol connects hosts, clients, and servers."
}
}The last call creates my-first-mcp-note.md. It will not overwrite an existing
file with that name.
Every user-supplied filename passes through the same resolver. It:
- rejects empty and absolute paths
- rejects any
..component - rejects hidden paths and non-
.mdfiles - resolves symlinks and normalizes the target
- proves the resolved target is still under the configured workspace
This is defense in depth, not a claim of perfect isolation. Run the process as a low-privilege user and configure the smallest useful directory. Read the threat model in SECURITY.md.
- A broadly configured workspace exposes more notes than intended.
- A model may invoke the wrong tool or append unwanted text.
- Sensitive content in a note can flow into model context or provider logs.
- Concurrent writes can interleave because this teaching project has no locking.
- Huge workspaces can make listing and searching slow.
- A remotely exposed server needs authentication, authorization, rate limits, transport security, and tenant isolation that this local stdio demo does not add.
The host should show tool activity and ask for confirmation before writes. The server should still validate everything because model behavior is not a security boundary.
For a real deployment, add identity and per-user authorization, audit events with redaction, file size and request limits, atomic writes and locking, pagination or an index, encrypted storage, retention controls, telemetry, dependency scanning, and explicit approval policies for mutations. Pin and regularly update the MCP SDK. Keep local stdio and remote HTTP threat models separate.
The current dependency uses the maintained MCP Python SDK 1.x line and includes an upper bound before the forthcoming 2.x breaking release. Upgrade deliberately after reviewing its migration guide.
src/mcp_notes_server/
├── server.py # MCP registration and stdio entry point
├── tools.py # application-facing tool service
├── note_store.py # filesystem boundary and note operations
├── schemas.py # typed inputs and outputs
├── config.py # environment configuration
└── logging_config.py # structured stderr logging
tests/ proves behavior and boundaries. examples/ contains safe sample notes.
diagrams/, articles/, and video-scripts/ turn the implementation into
reusable teaching material.
Try the sample workspace, connect your preferred MCP client, and inspect every tool call. Then experiment with one improvement at a time: frontmatter metadata, tags, an approval step for writes, or SQLite-backed search.
If you are learning, start with ARCHITECTURE.md. If you are deploying, start with SECURITY.md. Contributions are welcome.
Created by revanthpp as part of a practical beginner series on AI systems.