Trusted Gmail MCP server

This MCP server for Gmail allows secure access to your Gmail account through the Model Context Protocol, running within an AWS Nitro enclave for enhanced security. It implements a remote MCP server using Server-Sent Events (SSE) transport, providing a secure environment for accessing Gmail data.

Connecting to the MCP Server

To connect to the Gmail MCP server, you'll need a Gmail app-specific password:

1. Generate an app-specific password for your Gmail account
2. Add the following configuration to your MCP client's mcp.json file:

"gmail_mcp": {
  "url": "https://gmail.mcp.freysa.ai/sse/?ADDR=<[email protected]>&ASP=<your app-specific password>"
}

You may need to restart your client after making these changes.

Security Considerations

While this implementation works, be aware of these security limitations:

• Passing app-specific passwords in URLs is not ideal as URLs can be logged
• Consider using a dedicated app-specific password just for this purpose
• For additional security, you might want to run your own instance (instructions below)

Running Your Own Instance

You can run your own instance of the Gmail MCP server in an AWS Nitro TEE (Trusted Execution Environment) by following these steps:

Prerequisites

• An AWS EC2 instance with Nitro enclaves enabled
• Properly configured security groups with required ports open

Installation Steps

1. Clone the repository to your EC2 instance

2. Run the setup script to install dependencies:

   sudo ./setup.sh
   

3. Allocate memory for the enclave (if necessary):

   sudo nano /etc/nitro_enclaves/allocator.yaml
   sudo systemctl restart nitro-enclaves-allocator.service
   

4. Build the enclave:

   make
   

5. Run in production mode:

   make run
   

Running the Proxy

To use the MCP server, you'll need to run the gvproxy:

screen
./gvproxy.sh

Verifying Server Operation

Confirm that the MCP server is running properly:

curl http://127.0.0.1:7047/

Verifying Code Attestation

To verify that the intended code is running in the TEE:

1. Build the verification code:

   cd verifier
   pnpm install && pnpm run build
   

2. Run the verifier locally:

   cd mcp/react-ts-webpack
   pnpm i && pnpm run dev
   

3. Open http://localhost:8080/ in your browser

4. Enter the required verification fields:

   • PCR2 hash (hash of the codebase)
   • Code attestation (AWS-signed)

5. Click "Verify Attestation" to complete the verification process

How to add this MCP server to Cursor

There are two ways to add an MCP server to Cursor. The most common way is to add the server globally in the ~/.cursor/mcp.json file so that it is available in all of your projects.

If you only need the server in a single project, you can add it to the project instead by creating or adding it to the .cursor/mcp.json file.

Adding an MCP server to Cursor globally

To add a global MCP server go to Cursor Settings > MCP and click "Add new global MCP server".

When you click that button the ~/.cursor/mcp.json file will be opened and you can add your server like this:

{
    "mcpServers": {
        "cursor-rules-mcp": {
            "command": "npx",
            "args": [
                "-y",
                "cursor-rules-mcp"
            ]
        }
    }
}

Adding an MCP server to a project

To add an MCP server to a project you can create a new .cursor/mcp.json file or add it to the existing one. This will look exactly the same as the global MCP server example above.

How to use the MCP server

Once the server is installed, you might need to head back to Settings > MCP and click the refresh button.

The Cursor agent will then be able to see the available tools the added MCP server has available and will call them when it needs to.

You can also explictly ask the agent to use the tool by mentioning the tool name and describing what the function does.