miyo-kado

miyo-kado

Security-first MCP server plugin for Obsidian that gives AI assistants granular, permissioned access to vault notes and files through tools like read, write, delete, rename, search, and open-notes.

Category
访问服务器

README

<p align="center"> <img src="assets/kado_banner_final.svg" alt="MiYo Kado banner" width="480" /> </p>

MiYo Kado -- Obsidian MCP Gateway

Security-first Model Context Protocol server plugin for Obsidian. Gives AI assistants controlled, granular access to your vault through six tools: kado-read, kado-write, kado-delete, kado-rename, kado-search, and kado-open-notes.

Part of the MiYo family. The plugin is referred to as MiYo Kado in the Obsidian community-plugin index and in the settings UI; "Kado" alone is used as a short form throughout this README and the source.

<p align="center"> <img src="assets/MiYo-Kado.png" alt="MiYo Kado logo" width="160" /> </p>

Why MiYo Kado?

Letting an AI assistant talk to your vault sounds great until you realize most integrations give the assistant everything -- every note, every file, full read/write. Kado is built around the opposite default:

  • Nothing is exposed by default. You opt every path and every data type in, explicitly.
  • Per-key scopes. Different assistants get different keys with different permissions. Revoke any key independently.
  • Audit trail. Every allowed and denied request is logged so you can see exactly what an assistant touched.
  • Local-first. The MCP server runs inside Obsidian on 127.0.0.1 by default. No cloud, no telemetry, no third party.

If you've ever wanted to say "this assistant can read my project notes but not my journal, and can delete drafts but never touch archived material", Kado is for you. For a deeper look at why AI permissioning matters for PKM workflows -- and why guardrails are not the same as real permissions -- see Permissioning your AI.

Features

  • Default-deny security -- nothing is accessible until explicitly whitelisted
  • Two-tier access control -- global security scope defines what is eligible; per-key scope defines what is permitted
  • Five permission gates -- authenticate, global-scope, key-scope, datatype-permission, path-access
  • Four data types -- notes (markdown), frontmatter (YAML as JSON), files (binary as base64), Dataview inline fields
  • Partial note read/write -- read a slice (firstXChars, section by heading, range by line/char) and write in place (append/prepend, insertUnderHeading, replaceSection/replaceRange) without round-tripping the whole body; omitting the mode is byte-for-byte backward compatible
  • Rename & move -- kado-rename renames or moves notes and files with backlinks updated automatically; one folder ⇒ rename (needs update), across folders ⇒ move (needs delete on the source + create on the target). Works best with Obsidian's "Automatically update internal links" on (silent, links updated); with it off the tool is hidden unless you opt in, and then each rename prompts Obsidian's link-update dialog (the file still moves, but inbound links update only when you answer)
  • Seven search operations -- byName, byTag, byContent, byFrontmatter, listDir, listTags, listNotes
  • Optimistic concurrency -- timestamp-based conflict detection on writes
  • Rate limiting -- 200 requests/minute per IP
  • Audit logging -- NDJSON log with rotation (metadata only, no content)
  • Status bar indicator -- the 門 gate glyph shows server state at a glance (listening / off / bind error) and throbs on each tool call, colour-coded for reads vs. writes, with the acting key's name in the tooltip; a rejected call lingers red for a few seconds then self-clears. Click it to open Kado's settings

Architecture & the MiYo ecosystem

MiYo Kado is one component of the MiYo multi-repo system. Kado is the Obsidian-side MCP gateway: it owns the vault access-control model (two-layer path eligibility + per-key CRUD scopes) and exposes the MCP tool surface that companion tools such as MiYo Tomo consume. The authoritative record for cross-repo contracts, system-level architecture, and governance decisions lives in MiYo Kokoro; this repo's local design docs (below, and docs/XDD/specs/) defer to Kokoro for project-wide principles. Cross-component contract changes (e.g. new MCP tools) are handed off to Kokoro via _outbox/for-kokoro/.

Internally Kado follows a four-layer clean architecture: MCP boundary (src/mcp/) → permission gates + policy (src/core/) → Obsidian adapters (src/obsidian/) → canonical types (src/types/). See How It Works for the enforcement flow.

Documentation

Document Audience Content
Installation Everyone Community Plugins, BRAT, manual install
Configuration Guide Vault owners Settings UI, security setup, API key management
Client Setup Vault owners Claude Code, Claude Desktop, Cursor, Windsurf
How It Works Vault owners Architecture, security model, enforcement logic, audit log
Example Configurations Vault owners Common setups with permission matrices
API Reference MCP client developers Tool schemas, parameters, examples, error codes
Development Guide Contributors Build, test, lint, architecture, live testing
Permissioning your AI PKM practitioners Why AI permissioning matters, guardrails vs enforcement

Roadmap

Tracked as GitHub issues:

  • Tag permissions beyond read-only (#81) -- deny permission so tags can exclude matching items from otherwise-allowed paths.
  • Granular whitelist / blacklist toggle (#82) -- per-section toggle for mixed strategies.
  • Real-time permission testing (#83) -- dry-run in the settings UI.
  • Settings import / export (#84) -- backup/restore for the whole config.
  • Opt-in content truncation on kado-read (#85) -- first ~1000 words with a hint that more exists.

Shipped: sub-path key scopes (narrower sub-paths inside an allowed parent) landed in v0.15.0.

Known edge cases

Editing a note the AI wants access to

  • Edit-while-reading gap. If you're actively typing in a note and your AI assistant reads it via Kado at the same moment, the assistant may see the version from up to 2 seconds ago -- Obsidian saves your edits to disk on a ~2 second pause. Pause briefly (or press Cmd/Ctrl+S) before asking the AI about your most recent sentence.
  • Write while the same note is open and dirty. If an AI tries to write to a note you are currently editing with unsaved keystrokes, Kado refuses the write with a CONFLICT error and shows a Notice ("Kado wanted to modify <note> ..."). Your typing always wins. The AI client sees the same conflict signal used for any concurrent change and is expected to re-read and retry, so once you pause typing (~2 s Obsidian autosave) and it retries, its write is applied on top of your latest edits.

Quick Start

  1. Install the plugin
  2. Open Settings > MiYo Kado
  3. Add paths to the global security whitelist (e.g. notes/, projects/, or ** for full vault)
  4. Create an API key and assign it paths and per-data-type permissions
  5. Enable the server
  6. Connect your AI client
{
  "mcpServers": {
    "kado": {
      "type": "http",
      "url": "http://127.0.0.1:23026/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_API_KEY"
      }
    }
  }
}

Screenshots

General tab -- server status, port, audit logging.

<p align="center"> <img src="assets/settings-general.png" alt="MiYo Kado General settings tab" width="720" /> </p>

Global Security tab -- whitelist of paths and tags that any key may reference. Permissions are set per data type (Notes, Frontmatter, Dataview, Files) for each path.

<p align="center"> <img src="assets/settings-global-security.png" alt="MiYo Kado Global Security settings tab with two whitelisted paths and one tag" width="720" /> </p>

API Key tab -- per-key access. Each key has its own access mode, paths, tags, and permission matrix, all constrained by the global security scope.

<p align="center"> <img src="assets/settings-api-key.png" alt="MiYo Kado API Key settings tab showing key management, permissions, paths and tags" width="720" /> </p>

Security Model

Every request passes through five gates in order. The first denial stops the chain. For the full enforcement logic, see How It Works.

# Gate Purpose
0 authenticate Bearer token must match an enabled API key
1 global-scope Path must be inside the global whitelist (or outside the blacklist)
2 key-scope Path must be inside the key's own scope
3 datatype-permission Key must have the required CRUD flag for the data type
4 path-access Final path-traversal and validation check

Architecture

MCP Client -> [MCP API Handler] -> [Kado Core] -> [Obsidian Interface] -> Vault
  • MCP API Handler -- Express + Streamable HTTP transport, auth, rate limiting
  • Kado Core -- Permission gates, routing, concurrency guard. No MCP or Obsidian imports.
  • Obsidian Interface -- Vault adapters for notes, frontmatter, files, inline fields, search

Part of MiYo

Kado is part of MiYo, a small family of Obsidian-adjacent tools focused on giving you control over what your assistants can see and do. MiYo Kado is the gateway component -- the piece that turns your vault into a properly-scoped MCP server. More tools are in the works.

Open tracking

Live issues and upstream references live in GitHub Issues and docs/ai/memory/troubleshooting.md. No open issues at the time of this release.

Support

If MiYo Kado is useful to you and you want to help me keep building, you can support development via:

Issues and pull requests are also very welcome.

Contributing

Contributions are welcome. The short version:

  1. Open an issue first for anything non-trivial (bugs, features, refactors) so we can align on scope before you invest time.
  2. Fork & branch from master. Use a descriptive branch name (e.g. fix/search-tag-case, feat/granular-scopes).
  3. Keep changes focused -- one feature or one fix per PR. See Development Guide for build, test, and lint commands.
  4. Tests & lint must pass -- run npm run build, npm test, and npm run lint before pushing.
  5. Conventional commits -- e.g. feat:, fix:, docs:, refactor:. Release notes are generated from commit history.
  6. Open a PR against master and reference the issue. Small, reviewable diffs get merged fastest.

For security issues, please do not open a public issue -- email marcus@mmomm.org instead.

License

MIT

推荐服务器

Baidu Map

Baidu Map

百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。

官方
精选
JavaScript
Playwright MCP Server

Playwright MCP Server

一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。

官方
精选
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。

官方
精选
本地
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。

官方
精选
本地
TypeScript
VeyraX

VeyraX

一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。

官方
精选
本地
graphlit-mcp-server

graphlit-mcp-server

模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。

官方
精选
TypeScript
Kagi MCP Server

Kagi MCP Server

一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。

官方
精选
Python
e2b-mcp-server

e2b-mcp-server

使用 MCP 通过 e2b 运行代码。

官方
精选
Neon MCP Server

Neon MCP Server

用于与 Neon 管理 API 和数据库交互的 MCP 服务器

官方
精选
Exa MCP Server

Exa MCP Server

模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。

官方
精选