Skip to content
Restura Docs

ADR 0011 — Restura as an MCP server

Accepted · 2026-06-02

Context

Section titled “Context”

Restura is an MCP client, but the inverse is also valuable: let an agent (Claude, or any MCP-capable tool) drive Restura — list collections, read an environment, query history — so it can construct and reason about requests. This exposes Restura’s stored data to an automated, potentially adversarial consumer, which is exactly the threat ADR 0007 was written to contain (an agent calling get_environment and reading a plaintext AWS secret key).

Decision

Section titled “Decision”

Ship a Restura-as-MCP-server mode (src/features/mcp-server/, hosted on desktop by electron/main/mcp-server-handler.ts + mcp-context-loader.ts), with two safety properties baked in:

  • Pure, testable tool dispatch. The tool surface (list_collections, list_requests, list_environments, get_environment, get_history) is implemented as pure functions over loaded context, fully unit-testable without Electron.
  • Consent gating + redaction. Agent access is gated by explicit user consent, and every tool response is run through secret redaction so SecretRef handles and inline secrets never reach the agent.

The mode is desktop-only — it needs a long-lived local process to host the server.

Consequences

Section titled “Consequences”

Positive

  • Agents can build and reason about requests against the user’s real collections/environments without ever seeing secrets.
  • Pure tool dispatch keeps the security-critical surface easy to test exhaustively.
  • Consent gating keeps the user in control of what an agent can read.

Negative

  • Another agent-readable surface to keep in sync with the redaction policy; any new tool must be audited against ADR 0007.
  • Desktop-only, so the capability differs across platforms (capability matrix).

References

Section titled “References”
Restura The API client that speaks every protocol.
Built by Dipjyoti Metia GitHub MIT licensed