ScopeGate
Granular permission gateway for MCP agents. Per-agent scopes for Google Drive, Gmail, Calendar.
ScopeGate
AI Access Proxy Layer. Connect external services (e.g. Google), define granular permissions, and receive an MCP endpoint URL for use in AI agents. It acts as a permission gateway, exposing only the specific capabilities you authorize, at a finer granularity than native OAuth scopes.
Tech Stack
- Framework: Next.js 16 (App Router)
- Language: TypeScript
- Database: PostgreSQL + Prisma 7
- UI: Tailwind CSS v4, shadcn/ui
- Auth: Better Auth (database-backed sessions, Prisma adapter)
- MCP: @modelcontextprotocol/sdk (Streamable HTTP)
- Package Manager: pnpm
Getting Started
Prerequisites
- Node.js 18+
- pnpm
- PostgreSQL
Setup
- Clone the repository and install dependencies:
pnpm install
- Copy the environment file and fill in your values:
cp .env.example .env
| Variable | Description |
|---|---|
| DATABASE_URL | PostgreSQL connection string |
| BETTER_AUTH_SECRET | Secret key for session signing |
| BETTER_AUTH_URL | App base URL (e.g. http://localhost:3000) |
| ADMIN_EMAIL | Bootstrap admin email |
| ADMIN_PASSWORD | Bootstrap admin password |
- Run database migrations:
pnpm prisma migrate dev
- Start the development server:
pnpm dev
Open http://localhost:3000.
Project Structure
src/
├── app/
│   ├── (auth)/                 # Login & register pages
│   ├── (dashboard)/            # Protected dashboard pages
│   │   └── projects/           # Project management, endpoints, audit, settings
│   ├── api/
│   │   ├── auth/[...all]/      # Better Auth catch-all handler
│   │   ├── projects/           # Projects CRUD, endpoints, services, audit
│   │   └── mcp/[apiKey]/       # MCP Streamable HTTP handler
│   ├── layout.tsx
│   └── page.tsx                # Landing page
├── components/
│   ├── ui/                     # shadcn/ui components
│   ├── layout/                 # Sidebar, header
│   └── shared/                 # Reusable app components
├── lib/
│   ├── db.ts                   # Prisma client singleton
│   ├── auth.ts                 # Better Auth server instance
│   ├── auth-client.ts          # Better Auth client SDK
│   ├── auth-middleware.ts      # getCurrentUser() helper
│   ├── bootstrap.ts            # Admin user bootstrap on empty DB
│   └── mcp/
│       ├── permissions.ts      # Permission groups (source of truth)
│       ├── tools.ts            # MCP tool definitions
│       └── handler.ts          # MCP server factory
├── generated/prisma/           # Generated Prisma client
└── middleware.ts               # Route protection
Available Scripts
pnpm dev # Start development server
pnpm build # Production build
pnpm start # Start production server
pnpm lint # Run ESLint
pnpm prisma generate # Regenerate Prisma client
pnpm prisma migrate dev # Create and apply migrations
pnpm prisma studio # Open Prisma Studio (DB browser)
How It Works
- Login: sign in with admin credentials (bootstrapped from env vars on first run)
- Create a Project: organize endpoints and services by project
- Connect a Service: add a service connection to the project
- Create an MCP Endpoint: select a service connection and pick specific permissions (e.g. gmail:read_emails, calendar:create_event)
- Use the MCP URL: plug the endpoint URL into any MCP-compatible AI agent; only the allowed actions are exposed
- Monitor: track every request in the audit log
Permissions
Permissions are defined in src/lib/mcp/permissions.ts and grouped by service:
| Group | Actions |
|---|---|
| Gmail | gmail:read_emails, gmail:send_email, gmail:list_labels, gmail:search_emails |
| Google Calendar | calendar:list_events, calendar:create_event, calendar:update_event, calendar:delete_event |
| Google Drive | drive:list_files, drive:read_file, drive:create_file, drive:delete_file |
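The per-endpoint allow-list described in How It Works and in the table above, sketched as an added example; this is not ScopeGate's own code. The type and function names are hypothetical, and only the action strings come from the table. It validates grants at endpoint creation, filters the tool listing, and re-checks every call with a deny-by-default decision that is written to an audit record.

```typescript
// Added illustration, not ScopeGate's source. Type and function names are
// hypothetical; the action strings are the ones in the Permissions table.
const ALL_ACTIONS: string[] = [
  "gmail:read_emails", "gmail:send_email", "gmail:list_labels", "gmail:search_emails",
  "calendar:list_events", "calendar:create_event", "calendar:update_event", "calendar:delete_event",
  "drive:list_files", "drive:read_file", "drive:create_file", "drive:delete_file",
];
const KNOWN_ACTIONS = new Set<string>(ALL_ACTIONS);

interface Endpoint { isActive: boolean; allowed: Set<string> }
interface AuditEntry { action: string; status: "allowed" | "denied"; reason?: string }

// Endpoint creation: reject unknown action strings so a typo fails loudly
// instead of being stored as a grant that matches nothing.
function makeEndpoint(actions: string[], isActive: boolean = true): Endpoint {
  const unknown = actions.filter((a) => !KNOWN_ACTIONS.has(a));
  if (unknown.length > 0) throw new Error("unknown actions: " + unknown.join(", "));
  return { isActive, allowed: new Set<string>(actions) };
}

// Tool listing: advertise only granted actions; an inactive endpoint lists none.
function listTools(ep: Endpoint): string[] {
  return ep.isActive ? ALL_ACTIONS.filter((a) => ep.allowed.has(a)) : [];
}

// Tool call: check again on every call, because hiding a tool from the listing
// is not enforcement. Deny by default and record each decision for the audit log.
function authorize(ep: Endpoint, action: string, audit: AuditEntry[]): boolean {
  let reason: string | undefined;
  if (!ep.isActive) reason = "endpoint inactive";
  else if (!KNOWN_ACTIONS.has(action)) reason = "unknown action";
  else if (!ep.allowed.has(action)) reason = "not granted";
  if (reason === undefined) audit.push({ action, status: "allowed" });
  else audit.push({ action, status: "denied", reason });
  return reason === undefined;
}
```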
Database Schema
- User: authentication, team membership
- Session: database-backed auth sessions
- Account: auth provider credentials (email/password)
- Project: logical grouping for services and endpoints
- TeamMember: user-project relationship with roles (owner/member)
- ServiceConnection: OAuth tokens for connected services
- McpEndpoint: MCP endpoint with API key, rate limit, active status
- EndpointPermission: allowed actions per endpoint
- AuditLog: request log with action, status, duration, errors
License
See LICENSE.
