npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@google/chrome-enterprise-premium-mcp

v1.9.0

Published

Chrome Enterprise Premium MCP server

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

google-wombotgoogle-wombotofrobotsofrobotsmrdoobmrdoob

Keywords

Readme

Chrome Enterprise Premium MCP Server

A Model Context Protocol (MCP) server for Chrome Enterprise Premium (CEP). CEP extends Chrome's built-in security with Data Loss Prevention (DLP), real-time threat protection (phishing and malware scanning), and Context-Aware Access controls. This server exposes CEP's DLP rules, content detectors, connector policies, browser telemetry, and license management as MCP tools, so any MCP-compatible AI agent can inspect and configure a Chrome Enterprise environment.

Quick start

Get up and running in less than 2 minutes using the bundled Google-managed OAuth client. No repository cloning required!

1. Sign in

Run the authentication CLI once before you connect your MCP client:

npx @google/chrome-enterprise-premium-mcp auth login

A browser tab opens on Google's consent screen. Sign in with your Google Workspace administrator account and approve the requested permissions.

Once approved, the CLI retrieves an access token and saves it securely to ~/.config/cep-mcp/tokens.json (file mode 0600). The MCP server reads this file on every tool call, so you only need to sign in once.

2. Connect your MCP client

The server uses stdio transport; your MCP client launches it as a child process. Depending on your client, connect the server using one of the following methods:

If you are using the Gemini CLI, you can install this repository directly as an extension with a single command. This automatically configures the MCP connection and loads the built-in AI guidance rules:

gemini extensions install https://github.com/google/chrome-enterprise-premium-mcp

For all other MCP-compatible clients (such as Claude Desktop, Cursor, Windsurf, or VSCode), add this configuration block to your client's settings file (e.g., claude_desktop_config.json or ~/.gemini/settings.json):

{
  "mcpServers": {
    "cep": {
      "command": "npx",
      "args": ["-y", "@google/chrome-enterprise-premium-mcp@latest"],
      "env": { "GCP_STDIO": "true" }
    }
  }
}

3. Verify

Restart your MCP client, then ask the agent:

"What Chrome Enterprise Premium tools do you have access to?"

You should see the available tools listed in the response. If they don't appear, see Troubleshooting.

Security & Blast Radius Warning

[!CAUTION] This server is an administrator-level interface to Chrome Enterprise Premium. When you connect it to an MCP client, you can use natural-language prompts to:

  • Create and modify DLP rules and content detectors.
  • Change connector policies.
  • Force-install browser extensions onto every managed Chrome browser.
  • Enable Google Cloud APIs on your project.

An attacker who plants hidden instructions in untrusted inputs—mail, documents, scraped pages, ticket bodies—can hijack the connected MCP client through indirect prompt injection. The attacker can then run those tools without your consent.

To reduce the blast radius:

  • Connect this server only to MCP clients you trust, on data sources you trust.
  • Treat every document, message, and webpage you put in front of the agent as untrusted. It might contain hidden instructions.
  • Pay extra attention to mutating tools (create_*, update_*, enable_*); they have tenant-wide security impact.
  • Use a dedicated, least-privilege admin account when experimenting.

Workspace Scopes & Permissions

The scope set requested during the "Sign in" consent flow maps directly to the underlying Google APIs needed for the server's tools:

| Scope | API | Used for | | :------------------------------------ | :------------------------------------------------------------------------------ | :--------------------------------------------------- | | openid, userinfo.email | OpenID Connect | Identifies the logged-in admin in startup output | | chrome.management.policy | Chrome Policy | Reading and writing connector and extension policies | | chrome.management.reports.readonly | Chrome Management | Telemetry version counts | | chrome.management.profiles.readonly | Chrome Management | Listing managed browser profiles | | admin.reports.audit.readonly | Admin SDK Reports | Fetching Chrome activity logs | | admin.directory.orgunit.readonly | Admin SDK Directory | Organizational Unit hierarchy | | admin.directory.customer.readonly | Admin SDK Directory | Customer ID resolution | | apps.licensing | Enterprise License Manager | CEP subscription and per-user license checks | | cloud-identity.policies | Cloud Identity | Managing DLP rules and content detectors (CRUD) | | service.management | Service Usage | Verifying and enabling required Google Cloud APIs |

[!NOTE] OAuth App Trust Required: If your organization restricts third-party app access, a Super Admin must trust the OAuth client in the Admin Console before you can authenticate.

[!IMPORTANT] Workspace Admin Role Required: Chrome Management and Admin SDK APIs require a Google Workspace admin role in addition to Google Cloud IAM roles. You must hold an admin role in the Admin Console (Super Admin or delegated with Chrome Management permissions). With only Google Cloud IAM permissions, calls will return 403 Permission Denied with no indication that a Workspace role is missing.

Advanced Authentication Options

For production environments, headless systems, or customized configurations, the server supports alternative auth pathways:

  • Custom OAuth Client: To run under your own Google Cloud project instead of the default managed one (enabling you to manage your own consent screen and credentials), see Use a Custom OAuth Client.
  • Headless / SSH Sessions: To authenticate on remote hosts or CI runners without a web browser, see Sign In from a Host Without a Browser.
  • Hosted Deployments: For Cloud Run, Vertex AI Agent Engine, or service-account automation, see the Authentication Setup Matrix.

Configuration

For environment variables and stdio vs. HTTP transport, see docs/configuration.md.

Prerequisites

| Requirement | Details | | :----------------------- | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Node.js | >= 20.0.0 (node --version to check) | | Google Workspace | Any edition, plus a Chrome Enterprise Premium license (60-day free trial available) | | Admin role | Google Workspace Super Admin, or a delegated admin with Chrome Management and DLP permissions | | Google Cloud project | Linked to your Workspace domain, with required APIs enabled | | OAuth App Trust | The OAuth client must be trusted in the Admin Console for sensitive scopes. |

[!IMPORTANT] Chrome Management and Admin SDK APIs require a Google Workspace admin role in addition to Google Cloud IAM roles. You must hold an admin role in the Admin Console (Super Admin or delegated with Chrome Management permissions). With only Google Cloud IAM permissions, calls return 403 Permission Denied with no indication that a Workspace role is missing.

Available tools and prompts

Prompts

| Prompt | Description | | :------------- | :------------------------------------------------------------------------------------- | | cep:health | Health check of the Chrome Enterprise environment (APIs, DLP, connectors, extensions). | | cep:optimize | Rule-by-rule review with tuning, enforcement, and cleanup recommendations. | | cep:expert | Manually re-injects the expert persona and rules (useful if the agent loses context). |

Tools

The server exposes tools for reading and managing Chrome Enterprise resources:

  • Discovery: get customer ID, list org units, count browser versions, list customer profiles
  • Licensing: check CEP subscription status, check per-user license assignment
  • DLP: list/create DLP rules, list/create detectors (regex, word list, URL list), create default rule sets
  • Connectors: get connector policy status, enable Chrome Enterprise connectors
  • Extensions: check SEB extension status, install SEB extension
  • Security: get Chrome activity logs, check and enable required APIs
  • Knowledge: retrieve documentation from the built-in Chrome Enterprise Premium knowledge base

Architecture

The codebase has three layers: API clients in lib/api/ (one interface + real implementation per Google API), MCP tools and prompts in tools/ and prompts/, and the server entry point in mcp-server.js. Integration tests redirect the real API clients at an in-process Express fake under test/helpers/. For the directory layout, design patterns, and how the test backends are wired, see docs/architecture.md.

Troubleshooting

For known issues with auth, permissions, Node.js setup, and MCP client integration (including the /mcp reload tip when CEP tools do not show up right after restart), see docs/troubleshooting.md.

FAQ

For license requirements, Workspace edition, service-account auth, experimental features, and other recurring questions, see docs/faq.md.

Reporting bugs

If something isn't working:

  1. In Gemini CLI, run /bug to capture session diagnostics. Attach the generated file to your issue.
  2. Run npm run presubmit and paste the output; this lets maintainers tell environmental problems from real code bugs.
  3. Describe what you expected vs. what actually happened, including the exact error message.

Contributing

Contributions are welcome! For local development setup, building, testing, and contributor guidelines, please see CONTRIBUTING.md.

Legal

This repository is provided as a reference implementation that customers can explore and adapt under the Apache 2.0 license. It is not an officially supported Google product.