Labsco
gomcpgo logo

Filesystem MCP Server

โ˜… 5

from gomcpgo

A secure server for filesystem operations with controlled access to specified directories.

๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅ๐Ÿ”ฅโœ“ VerifiedFreeAdvanced setup

Filesystem MCP Server

A secure, single-binary MCP server for filesystem operations. No runtime dependencies โ€” download, configure allowed directories, and connect to any MCP client.

Tested extensively with Claude Desktop and Claude Code across real-world coding workflows including file editing, codebase search, refactoring, and multi-file batch operations.

Why this server?

  • Single binary โ€” no Node.js, Python, or other runtime needed. Download and run
  • Tested with real AI workflows โ€” battle-tested with Claude Desktop and Claude Code for day-to-day coding tasks
  • 18 tools โ€” goes beyond basic read/write with regex search, pattern-based replacement, auto-indented code insertion, and batch operations
  • Dry-run preview โ€” preview changes before applying them for replacement and insertion tools
  • Secure by default โ€” sandboxed to configured directories with symlink attack prevention and path traversal protection
  • Detailed error messages โ€” when access is denied, errors explain why and suggest fixes

Tools

Reading

  • read_file โ€” Read a single file, with optional start_line/end_line for partial reads
  • read_multiple_files โ€” Read multiple files simultaneously in one call
  • search_in_files โ€” Recursive regex search across files. Returns file paths, line numbers, and matched text. Skips binary files automatically. Params: path, pattern, file_extensions, max_results, case_sensitive

Writing

  • write_file โ€” Create or overwrite a file. Auto-creates parent directories
  • append_to_file โ€” Add content to end of file. Creates file if it doesn't exist
  • prepend_to_file โ€” Add content to beginning of file. Creates file if it doesn't exist

Text Replacement

All replacement tools support dry_run to preview changes without applying them.

  • replace_in_file โ€” Replace exact string occurrences in a file. Params: path, search, replace, occurrence (0=all), dry_run
  • replace_in_file_regex โ€” Replace regex pattern matches with capture group support ($1, $2). Params: path, pattern, replace, occurrence, case_sensitive, dry_run
  • replace_in_files โ€” Batch replace a string across multiple files. Validates all paths before applying. Params: paths, search, replace, dry_run

Regex-Based Insertion

All insertion tools support dry_run and autoIndent (match surrounding indentation).

  • insert_after_regex โ€” Insert content after a regex pattern match. Params: path, pattern, content, occurrence (0=all, default 1), autoIndent, dry_run
  • insert_before_regex โ€” Insert content before a regex pattern match. Same params as above

Line Copying

  • copy_lines โ€” Copy a line range from source to destination file directly on disk (no context overhead). Params: source_path, destination_path, start_line, end_line, append

Directory Operations

  • list_directory โ€” List directory contents with filtering by pattern, file type, recursion depth, hidden files, and metadata. Params: path, pattern, file_type, recursive, max_depth, max_results, include_hidden, include_metadata
  • create_directory โ€” Create directory and parents (idempotent)
  • list_allowed_directories โ€” Show accessible directories

File Management

  • move_file โ€” Move or rename files and directories
  • get_file_info โ€” Get file metadata (size, permissions, modification time)

Security

The server implements defense-in-depth security to prevent unauthorized file access.

Path Validation

  • Symbolic link resolution: All paths resolved to canonical form via filepath.EvalSymlinks() before validation
  • Path traversal prevention: Blocks ../ escape attempts
  • Prefix matching protection: Validates with path separators to prevent /allowed matching /allowed_attacker

Symbolic Link Handling

  • Symlinks within allowed directories are permitted if their target is also within allowed directories
  • Symlinks pointing outside allowed directories are blocked
  • Broken symlinks are rejected
  • Allowed directories themselves may be symbolic links (resolved during initialization)

Write Operation Security

  • Parent directory chain is validated for new file creation
  • Path resolution and validation occur atomically

Security Logging

  • All blocked access attempts are logged with SECURITY: prefix
  • Logs include both the requested path and its canonical resolution

Best Practices

  • Configure MCP_ALLOWED_DIRS with the minimum necessary directories
  • Use absolute paths for allowed directories
  • Monitor logs for SECURITY: messages

License

MIT License