@kvmfleet/mcp — MCP server for KVM Fleet

A Model Context Protocol server that lets AI assistants (Claude Desktop, Cursor, Continue, etc.) work across your KVM Fleet fleet through the official REST API. All access is RBAC-enforced, policy-checked, and audited server-side.

What you can ask it to do

Read mode (default):

• "How many devices do I have? Which are offline?"
• "Show me failed logins in the last 24 hours."
• "What approvals are waiting on me right now?"
• "Generate this month's NIS2 compliance snapshot — surface the dropped controls."
• "What alerts fired overnight?"
• "Verify my audit log integrity."
• "When was my audit chain last anchored to a witness?"

Write mode (opt-in, see below):

• "Power-cycle host R7525-NORD-1."
• "Mount ubuntu-24.04.iso on R7525-NORD-1 — I'll reinstall."
• "Approve the access request from [email protected] for the kernel-patching ticket."
• "End the console session that's been open more than 8 hours on srv-pdx-3."
• "Acknowledge the disk-full alert on the prod database host."

Tools

Reads (11 — always available)

| Tool | Maps to | |---|---| | list_devices | GET /v1/devices | | get_device_health | GET /v1/devices/{id} | | query_audit_log | GET /v1/audit/events | | verify_audit_integrity | GET /v1/audit/integrity | | list_open_console_sessions | GET /v1/console-sessions?open_only=true | | list_access_grants | GET /v1/access-grants | | list_alerts | GET /v1/alerts/history | | list_policies | GET /v1/policies | | list_isos | GET /v1/isos | | get_audit_chain_head | GET /v1/audit/head | | get_compliance_score | POST /v1/reports/{framework} |

Writes (10 — opt-in via KVMFLEET_MCP_ALLOW_WRITES=true)

| Tool | Maps to | Confirm? | |---|---|---| | power_action | POST /v1/devices/{id}/power | yes for off / off_hard / cycle | | request_access | POST /v1/devices/{id}/access-requests | — | | approve_access | POST /v1/access-grants/{id}:approve | — | | deny_access | POST /v1/access-grants/{id}:deny | — | | revoke_access | POST /v1/access-grants/{id}:revoke | yes | | mount_iso | POST /v1/devices/{id}/iso:mount | yes | | unmount_iso | POST /v1/devices/{id}/iso:unmount | — | | end_console_session | POST /v1/console-sessions/{id}:end | yes | | acknowledge_alert | POST /v1/alerts/history/{id}/acknowledge | — | | resolve_alert | POST /v1/alerts/history/{id}/resolve | — |

Write tools requiring confirm: true will refuse the call with a clear error if the LLM omits the flag. This protects against "AI accidentally power-cycled prod".

Install

npm install -g @kvmfleet/mcp

Or use npx directly in the Claude Desktop config below.

Get an API token

1. Log into app.kvmfleet.io.
2. Account → API tokens → Create token.
3. Copy the token (shown exactly once).

The token inherits your current org role. Power actions / ISO mount / console-session end require org_admin or operator. Revoke any time from the same page — it stops working immediately.

Wire up Claude Desktop

Edit ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "kvmfleet": {
      "command": "npx",
      "args": ["-y", "@kvmfleet/mcp"],
      "env": {
        "KVMFLEET_API": "https://app.kvmfleet.io",
        "KVMFLEET_TOKEN": "kvmf_paste_your_token_here"
      }
    }
  }
}

Restart Claude Desktop. Read tools are now available.

Enabling write mode

Add KVMFLEET_MCP_ALLOW_WRITES to the env block:

{
  "mcpServers": {
    "kvmfleet": {
      "command": "npx",
      "args": ["-y", "@kvmfleet/mcp"],
      "env": {
        "KVMFLEET_API": "https://app.kvmfleet.io",
        "KVMFLEET_TOKEN": "kvmf_paste_your_token_here",
        "KVMFLEET_MCP_ALLOW_WRITES": "true"
      }
    }
  }
}

When unset (or anything other than the literal string "true"), write tools are not advertised to the LLM at all. When enabled, destructive actions still require an explicit confirm: true arg.

What the platform still enforces

The MCP layer is a thin SDK. The platform does the real work on every call:

• RBAC — power actions need org_admin/operator; approving an access request needs the appropriate role; the token inherits the operator's role.
• Policy engine — time-of-day rules, require_mfa, max_concurrent_sessions, approval_required, etc. all fire on agent-originated calls the same way they fire on human-originated ones.
• JIT access — a power action against a device that requires JIT access will refuse if there's no active grant.
• 4-eyes approval — an operator approving their own access request is refused server-side.
• Audit chain — every action lands as an audit-event row in the per-org hash chain. The agent's calls are tagged via the x-kvmfleet-mcp-client header so a human auditor can correlate.
• Rate limits — per-device, per-user, per-action limits apply unchanged.

If a call is refused, the error from the platform is surfaced verbatim so the LLM can read it and act on it.

Privacy

The token is sent to your KVM Fleet platform only — never to Anthropic, the MCP package, or any third party. Read the platform's Privacy Policy for what's logged on our side (audit-event row per call).

Local dev

cd kvmfleet/mcp
npm install
npm run build
npm start                                              # reads only
KVMFLEET_MCP_ALLOW_WRITES=true npm start               # reads + writes

Roadmap

• MSP context-switch — KVMFLEET_MSP_PARENT_ORG_ID env to scope tools to a single managed customer.
• Tagged audit rows — the platform will surface actor_type=agent on audit rows originating from the MCP, so compliance reviewers can split human vs. agent action history.
• Token-scope enforcement — once API tokens grow a scope: read | write field on the platform, the MCP will refuse to expose writes on a read-only token.

License

MIT — see LICENSE. Copyright 2026 KVM Fleet.