
proto-mcp
Give Claude your inbox โ without giving up control.
A signed, notarized, Touch-ID-gated bridge between Proton Mail and Claude, running entirely on your Mac. Claude reads, searches, organizes, drafts, and sends your mail โ and reads your calendar โ through 34 Model Context Protocol tools โ and every message that goes out needs your fingerprint on a prompt that names the real recipient.
Nothing leaves your laptop except the mail itself.
What it feels like
You talk to Claude. Claude talks to your mailbox. You stay in the loop on anything that matters.
"What did I miss from the climbing group this week?" โ Claude searches the local mirror, reads the thread, summarizes it. No prompt โ reading is safe.
"File all the newsletters under Reading and mark them read." โ Claude moves and marks them. Organizing is gated, but quiet.
"Reply to Alice that I'm in for Saturday, and send it." โ A Touch ID prompt appears: To: alice@example.com ยท Subject: Re: gear list. You tap. It sends. You didn't.
Every read is served from a local SQLite mirror, so it's fast and works offline. Every write is governed by a per-tool policy. Every send re-prompts, every time, showing the literal recipients โ that fingerprint tap is the line between "Claude drafted it" and "Claude sent it."
What Claude can do
34 tools, grouped by what they touch. Reads run free; everything that changes state is deny-by-default and Touch-ID gated.
| ๐ Read & search | List, full-text search, read messages, reconstruct threads, list attachments, list labels/folders, sync. |
| ๐๏ธ Organize | Mark read/unread, move, label, trash. |
| ๐ท๏ธ Labels & folders | Full CRUD with colour-palette validation. |
| โ๏ธ Drafts | Create, update, delete, list. |
| ๐ค Send | Send, reply, reply-all, forward, send-draft โ each one re-prompts. |
| ๐ Attachments | Decrypt and download, save to disk. |
| ๐ Calendar | List calendars, browse/search events by date range, read full event detail. Read-only. |
Full list with descriptions: docs/cli-reference.md.
Why it's safe
proto-mcp is built so that an LLM driving your mailbox is a convenience, never a liability. The guarantees that make that true:
- ๐ Your fingerprint on every send. Each write fires a native prompt
showing the literal recipients and subject.
mail_sendhas a TTL of zero, so it re-prompts every single time. No blanket approvals for sends. - ๐ก๏ธ Default-deny by construction. Unknown tools don't run. A tool with no policy entry fails to register โ you can't accidentally ship an unguarded write.
- ๐ Signed, notarized, and self-checking. Hardened-runtime, Developer-ID-signed, Apple-notarized binaries, plus a SHA-256 integrity check at startup that refuses to run a swapped daemon.
- ๐ Locks when you walk away. Screen lock, sleep, or an idle timer zero the in-memory session; resuming takes Touch ID.
- ๐งพ Honest, redacted audit log. Every call is logged โ secrets
scrubbed, bodies reduced to
{sha256, bytes}, recipients kept literal so the verification chain stays truthful. - ๐ Local-only. The daemon listens on a
0600Unix socket, never a network port. Mail content goes to Proton over TLS; nothing else leaves.
What a prompt actually looks like:
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ Send mail_send? โ
โ โ
โ To: alice@example.com โ
โ CC: charlie@example.com โ
โ Subject: Re: gear list โ
โ โ
โ [ Cancel ] [ Send & Touch ID ] โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโThe full threat model โ including the risks proto-mcp doesn't defend against โ is in docs/security.md. Read it before you point this at a live mailbox.
How it works
One background daemon holds your Touch-ID-unlocked session and serves every tool over a local socket. Claude Desktop and Claude Code each attach through a tiny forwarder, so they share one session: unlock once, use everywhere; lock once, everything locks.
Claude Desktop โโ โโ go-proton-api + GPG
Claude Code โโโโโผโ shim โ socket โ protonmcpd โผโ SQLite mirror + FTS5
โ (0600) โโ Touch ID + policy + auditThe full design โ every binary, package, and the local mirror โ is in docs/architecture.md.
Build from source
Requires macOS 13+, Go 1.26.4+, and Xcode Command
Line Tools (for swiftc).
git clone https://github.com/just-an-oldsalt/proto-mcp.git
cd proto-mcp
make all # builds bin/* + the Swift helpers
./bin/protonmcp login
./bin/protonmcp backfill
./bin/protonmcp daemon install
./bin/protonmcp installSource builds are ad-hoc signed by default and work fully (the Touch ID
gate, policy, audit, and lock/unlock all run the same). For a
locally-signed build, see
scripts/signing-setup.md.
Good to know
- macOS only. The keystore and biometric helpers use
Security.framework,LAContext, and AppKit. Linux builds compile for testing, but the auth flow won't work. - Be a good Proton citizen. proto-mcp currently sends Proton Bridge's
AppVersionheader while a dedicated identifier is requested from Proton (seedocs/proton-appversion-request.md). Don't rate-abuse, scrape, or run multi-account automation through it โ anything that violates Proton's Terms is no less a violation for borrowing Bridge's header. - Cached bodies are plaintext-in-SQLite. Decrypted message bodies are
cached locally (TTL-bounded,
secure_deleteon). On a stolen, imaged disk that's recoverable cleartext until purged. Envelope encryption (SQLCipher) is a post-1.0 item.protonmcp purge --older-than 7d --vacuumshrinks the window now. - Personal use. Built for one person and their mailbox on their Mac.
Documentation
| Doc | Contents |
|---|---|
| docs/architecture.md | The daemon model, binaries, packages, and local mirror. |
| docs/security.md | Security layers + the full, honest threat model. |
| docs/configuration.md | Policy YAML, locking, observability, purging. |
| docs/cli-reference.md | Every CLI command and all 34 MCP tools. |
| SECURITY.md | Security policy + per-defect fix log / audit trail. |
| TESTING.md | End-to-end validation playbook. |
Issues, defects, and roadmap are tracked in Jira (project PROTO), the
source of truth. TODO.html and DEFECTS.html are retained as historical
design records from the build-out.
brew tap just-an-oldsalt/proto-mcp
brew install --cask proto-mcp
protonmcp login # Proton SRP password + 2FA + key unlock
protonmcp backfill # one-time: pull your message envelopes into the local mirror
protonmcp daemon install # register + start the background daemon
protonmcp install # connect it to Claude Desktop + Claude CodeQuickstart
brew tap just-an-oldsalt/proto-mcp
brew install --cask proto-mcp
protonmcp login # Proton SRP password + 2FA + key unlock
protonmcp backfill # one-time: pull your message envelopes into the local mirror
protonmcp daemon install # register + start the background daemon
protonmcp install # connect it to Claude Desktop + Claude CodeRestart Claude, and the tools show up under protonmcp in /mcp. That's
it โ signed, notarized binaries, no Gatekeeper warning, no network
listener.
Prefer to build it yourself? See Build from source.
Configuration
Tune per-tool policy, rate limits, allowed recipients, the idle-lock timer, and the cached-body TTL with a single YAML file. For example, to cap LLM-driven sends and restrict them to one domain:
tools:
mail_send:
decision: prompt
rate_limit: 5/hour
allowed_recipients: ["@mydomain.com"]
idle_lock_minutes: 30Full reference, plus locking and the audit/observability commands: docs/configuration.md.
No common issues documented yet. If you hit a problem, the repository's GitHub Issues page is the best place to look.
Licensed under GPL-3.0โ you can use, modify, and redistribute it under that license's terms.
License & acknowledgements
GPLv3 โ see LICENSE. proto-mcp depends transitively on
proton-bridge (also GPLv3) via go-proton-api.
- Proton AG for
proton-bridgeandgo-proton-api, on which the entire crypto + transport layer rests. - Anthropic for the Model Context Protocol and the Claude clients this server targets.
- Every defect that took the shape it did because
cmd-r,claude-review,claude-security-review, or a live testing session looked at the code more carefully than I would have alone.