Skip to content

slatino-dev/conduit

Repository files navigation

Conduit

Real SEC filings as first-class agent tools. One URL, zero install.

Conduit is a free, open-source, remote (streamable-HTTP) MCP server over SEC EDGAR, built to run entirely on Cloudflare's free tier. It absorbs EDGAR's sharp edges once — CIK zero-padding, accession formats, XBRL taxonomy tags, and the strict fair-access policy — so every agent client gets clean, cited, token-lean filing data without installing anything.

Not affiliated with, endorsed by, or sponsored by the SEC. Provides public EDGAR data; not investment advice.

Status — scaffold only (2026-07-08)

This repository is at Phase 0 scaffold. What exists today:

  • Worker skeleton (Hono) exposing only /healthz.

  • TypeScript (strict), ESLint, Vitest on @cloudflare/vitest-pool-workers (real workerd) with a passing smoke test.

  • D1 migration pipeline (drizzle-kit → wrangler d1 migrations apply) with a bootstrap migration.

  • Typed analytics tracking plan (analytics/events.ts) with the activation event edgar_first_tool_success as instrument zero.

  • The single EDGAR config module (src/edgar/config.ts) holding the declared User-Agent.

  • CI on push/PR: typecheck, lint, migration check, unit tests, gitleaks. No deploy job.

  • The single EDGAR client choke point (src/edgar/) + the first tool (get_filing_section) behind a dev-only, flag-gated route.

  • The [SECURITY/Opus] v0.5 security posture (see docs/security-posture.md): global ≤10 req/s SEC fair-access budget (coordinator Durable Object), per-IP inbound abuse control (429 + Retry-After + RateLimit-*), body-size cap, site-wide security headers, CORS baseline, keyed-HMAC client identification (zero PII), outbound host allow-list + charset gates, and RFC 9457 problem+json errors.

What does NOT exist yet: the /mcp surface, the playground, and the Phase 2 controls (playground denial-of-wallet, prompt-injection posture, full CORS/hygiene sweep, keyed tiers). The charter (PRD.md, ARCHITECTURE.md, DESIGN-BRIEF.md, BUILD-PLAN.md, docs/) is the contract.

Phase 0 is NOT signed off. The stateless-connector spike (a real claude.ai connector against a public URL) is still unrun because it requires public exposure, which is gated on the security posture below.

⚠️ Flagged for Sam (unratified)

  1. License — Apache-2.0 (proposed). Applied now so the public repo is licensed from day one (LICENSE, NOTICE). Ratify or change before accepting external contributions.
  2. EDGAR User-Agent contact (proposed). SEC fair access requires a declared User-Agent with real contact info. The proposed default lives in one module (src/edgar/config.ts, env-overridable via EDGAR_UA_CONTACT): Conduit/0.1 (+https://conduit.samlatino.dev) latinosammy22@gmail.com Ratify the contact string before any non-local traffic.

🚫 No deploy yet — awaiting posture ratification

The v0.5 security posture is now implemented and tested (docs/security-posture.md), but deploy stays physically blocked by three independent layers, pending Sam's explicit ratification of the posture:

  1. No CI deploy job exists (.github/workflows/ci.yml runs verification only).
  2. No publish target: wrangler.toml sets workers_dev = false and declares no routes / custom domain, so a bare wrangler deploy has nowhere to publish.
  3. Guard script: npm run deploy (and predeploy) run scripts/deploy-guard.mjs, which exits non-zero with the gate message.

Runtime evidence at this phase is local wrangler dev only — never --remote, never a tunnel, never workers.dev. The guards are lifted only after ratification, in a later commit, so their removal lands in git history after the posture, never before. A full security-review pass over /mcp + the EDGAR client + the playground remains a pre-launch gate.

Develop

npm install
cp .dev.vars.example .dev.vars   # local-only vars; never committed
npm run migrate                  # apply D1 migrations to the local database
npm run dev                      # wrangler dev (local D1/KV), http://localhost:8787
curl http://localhost:8787/healthz
Command What it does
npm run dev wrangler dev — local Worker with local D1/KV.
npm test Vitest in the real workerd runtime (@cloudflare/vitest-pool-workers).
npm run typecheck tsc --noEmit (strict).
npm run lint ESLint.
npm run migrate:generate drizzle-kit generates a new versioned migration from src/db/schema.ts.
npm run migrate Apply migrations to local D1 (wrangler d1 migrations apply). Never db push.
npm run deploy Blocked — exits non-zero (security-posture gate).

License

Apache-2.0 (proposed — see flags above). © 2026 Sam Latino.

About

Free, open-source remote MCP server over SEC EDGAR. One URL, zero install. Cloudflare free tier.

Resources

License

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors