Canvas MCP Server

This repository contains a Model Context Protocol (MCP) server implementation for interacting with the Canvas Learning Management System API. The server is designed to work with any MCP-compatible client, including Claude Desktop, Cursor, Zed, Windsurf, and Continue.

Note: Recently refactored to a modular architecture for better maintainability. The legacy monolithic implementation has been archived.

For AI Agents

Canvas MCP provides 80+ tools for interacting with Canvas LMS. Tools are organized by user type:

Student Tools (click to expand)

Tool	Purpose	Example Prompt
get_my_upcoming_assignments	Due dates for next N days	"What's due this week?"
get_my_todo_items	Canvas TODO list	"Show my TODO list"
get_my_submission_status	Submitted vs missing	"Have I submitted everything?"
get_my_course_grades	Current grades	"What are my grades?"
get_my_peer_reviews_todo	Pending peer reviews	"What peer reviews do I need to do?"

Educator Tools (click to expand)

Tool	Purpose	Example Prompt
list_assignments	All assignments in course	"Show assignments in BADM 350"
create_assignment	Create new assignment	"Create an assignment due Jan 26 with online text submission"
update_assignment	Update existing assignment	"Change the due date for Assignment 3 to Feb 15"
list_submissions	Student submissions	"Who submitted Assignment 3?"
bulk_grade_submissions	Grade multiple at once	"Grade these 10 students"
get_assignment_analytics	Performance stats	"Show analytics for Quiz 2"
send_conversation	Message students	"Message students who haven't submitted"
create_announcement	Post announcements	"Announce the exam date change"
Module Management
create_module	Create course module	"Create a module for Week 5"
update_module	Update module settings	"Rename the midterm module"
add_module_item	Add content to module	"Add the syllabus page to Week 1"
delete_module	Remove a module	"Delete the empty test module"
Page & Content
create_page	Create course page	"Create a page for office hours"
edit_page_content	Update page content	"Update the syllabus page"
update_page_settings	Publish/unpublish pages	"Publish all Week 3 pages"
bulk_update_pages	Batch page operations	"Unpublish all draft pages"
File Management
upload_course_file	Upload local file to Canvas	"Upload syllabus.pdf to the course"

Shared Tools (click to expand)

Tool	Purpose
list_courses	All enrolled courses
get_course_details	Course info + syllabus
list_pages	Course pages
get_page_content	Read page content
list_modules	List course modules
list_module_items	Items within a module
list_discussion_topics	Discussion forums
list_discussion_entries	Posts in a discussion
post_discussion_entry	Add a discussion post
reply_to_discussion_entry	Reply to a post

Developer Tools (for bulk operations)

Tool	Purpose	When to Use
search_canvas_tools	Discover code API operations	Finding available bulk ops
execute_typescript	Run TypeScript locally	30+ items, custom logic, 99.7% token savings

Decision tree: Simple query → MCP tools. Batch grading (10+) → bulk_grade_submissions. Complex bulk (30+) → execute_typescript.

Quick Reference

Course identifiers: Canvas ID (12345), course code (badm_350_120251_246794), or SIS ID

Cannot do: Create/delete courses, modify course settings, access other users' data, create/update rubrics (use Canvas UI)

Rate limits: ~700 requests/10 min. Use max_concurrent=5 for bulk operations.

Full documentation: AGENTS.md | tools/TOOL_MANIFEST.json | tools/README.md

Overview

The Canvas MCP Server bridges the gap between AI assistants and Canvas Learning Management System, providing both students and educators with an intelligent interface to their Canvas environment. Built on the Model Context Protocol (MCP), it enables natural language interactions with Canvas data through any MCP-compatible client.

🎉 Latest Release: v1.0.8

Released: February 16, 2026 | View Full Release Notes

What's New in v1.0.8

• 🔒 Security Hardening - Four layers of runtime security, all enabled by default
  • PII sanitization in logs (redacts user IDs, emails, names)
  • Token validation on startup with clear error messaging
  • Structured audit logging with rotating file output
  • Secure-by-default code execution sandbox (network blocked, env filtered, resource limits)
• 🧹 Code Quality - Enforced ruff linting with pre-commit hook (464 issues resolved)
• 🧪 Expanded Test Suite - 235+ tests (32 new security tests)

Previous Release (v1.0.7)

• ✏️ Assignment Update Tool - Complete assignment CRUD with update_assignment
  • Modify due dates, points, submission types, and more
  • All update fields optional (only changed fields sent to API)
  • 9 unit tests following TDD pattern

Previous Release (v1.0.6)

• 📦 Module Management Tools - Complete module CRUD operations (7 new tools)
  • create_module, update_module, delete_module - Full module lifecycle
  • add_module_item, update_module_item, delete_module_item - Manage module content
  • Prerequisites, unlock dates, sequential progress support
• 📄 Page Settings Tools - Control page publishing and access (2 new tools)
  • update_page_settings - Publish/unpublish, set front page, editing roles
  • bulk_update_pages - Batch operations on multiple pages
• 🧪 Comprehensive Test Suite - 235+ unit tests covering all major functionality
• 📚 Enhanced Documentation - TDD enforcement and comprehensive tool docs

Previous Release (v1.0.5)

• 🎯 Claude Code Skills - One-command workflows for common tasks
• 🌐 GitHub Pages Website - Documentation site at vishalsachdev.github.io/canvas-mcp

Previous Release (v1.0.4)

• 🚀 Code Execution Environment - Execute custom TypeScript code for token-efficient bulk operations (99.7% token savings)
• 📊 Bulk Operations - bulk_grade_submissions, bulk_grade_discussions, search_canvas_tools
• MCP 2.14 Compliance - Production-ready features and structured logging

For Students 👨‍🎓

Get AI-powered assistance with:

• Tracking upcoming assignments and deadlines
• Monitoring your grades across all courses
• Managing peer review assignments
• Accessing course content and discussions
• Organizing your TODO list

→ Get Started as a Student

For Educators 👨‍🏫

Enhance your teaching with:

• Assignment and grading management
• Student analytics and performance tracking
• Discussion and peer review facilitation
• FERPA-compliant student data handling
• Bulk messaging and communication tools

→ Get Started as an Educator

🎯 Claude Code Skills

Pre-built workflows that combine multiple tools into one-command actions. These skills work with Claude Code (CLI) and Claude Desktop.

Skill	For	What It Does
/canvas-morning-check	Educators	Course health check: submission rates, struggling students, grade distribution, upcoming deadlines
/canvas-week-plan	Students	Weekly planner: all due dates, submission status, grades, peer reviews across courses

Example usage in Claude:

You: /canvas-morning-check CS 101
Claude: [Generates comprehensive course status report]

You: /canvas-week-plan
Claude: [Shows prioritized weekly assignment plan]

Skills are located in .claude/skills/ and can be customized for your workflow.

Note: These skills are currently designed for Claude Desktop and Claude Code. Other MCP clients may support similar custom workflows through their own mechanisms.

Want a custom skill? Submit a request describing your repetitive workflow!

🔒 Privacy & Data Protection

For Educators: FERPA Compliance

Complete FERPA compliance through systematic data anonymization when working with student data:

• Source-level data anonymization converts real names to consistent anonymous IDs (Student_xxxxxxxx)
• Automatic email masking and PII filtering from discussion posts and submissions
• Local-only processing with configurable privacy controls (ENABLE_DATA_ANONYMIZATION=true)
• FERPA-compliant analytics: Ask "Which students need support?" without exposing real identities
• De-anonymization mapping tool for faculty to correlate anonymous IDs with real students locally

All student data is anonymized before it reaches AI systems. See Educator Guide for configuration details.

For Students: Your Data Stays Private

• Your data only: Student tools access only your own Canvas data via Canvas API's "self" endpoints
• Local processing: Everything runs on your machine - no data sent to external servers
• No tracking: Your Canvas usage and AI interactions remain private
• No anonymization needed: Since you're only accessing your own data, there are no privacy concerns

Prerequisites

• Python 3.10+ - Required for modern features and type hints
• Canvas API Access - API token and institution URL
• MCP Client - Any MCP-compatible client (Claude Desktop, Cursor, Zed, Windsurf, Continue, etc.)

Canvas API Compatibility

Canvas MCP is compatible with Canvas LMS API and stays current with Canvas API changes:

Canvas MCP Version	Canvas API Version	Status	Notes
v1.0.4+	2024-2026	✅ Current	Compliant with upcoming 2026 API requirements
v1.0.0-1.0.3	2024-2025	✅ Compatible	Functional but missing User-Agent header (required Jan 2026)

Important Canvas API Changes:

• January 2026: User-Agent header enforcement (✅ implemented in v1.0.4+)
• January 2026: Deprecation of limit parameter in favor of per_page (✅ compliant)
• Modern Canvas REST API: All endpoints use current Canvas API standards

Canvas Instance Requirements:

• Canvas Cloud (canvas.instructure.com) - Fully supported
• Self-hosted Canvas instances - Supported (API v1+)
• Minimum recommended: Canvas LMS 2020+ for full feature compatibility

For Canvas API changes, see Canvas API Change Log

Supported MCP Clients

Canvas MCP works with any application that supports the Model Context Protocol. Popular options include:

Recommended:

• Claude Desktop - Official Anthropic desktop app with full MCP support

AI Coding Assistants:

• Zed - High-performance code editor with built-in MCP support
• Cursor - AI-first code editor
• Windsurf IDE (by Codeium) - AI-powered development environment
• Continue - Open-source AI code assistant

Development Platforms:

• Replit - Cloud-based coding platform with MCP integration
• Sourcegraph Cody - AI coding assistant with MCP support

Enterprise:

• Microsoft Copilot Studio - MCP support in enterprise environments

See the official MCP clients list for more options.

Note: Canvas MCP is designed to work with any MCP-compatible client. The installation guide provides configuration examples for popular clients including Claude Desktop, Cursor, Zed, Windsurf, and Continue.

Installation

1. Install Dependencies

# (Recommended) Use a dedicated virtualenv so the MCP binary is in a stable location
python3 -m venv .venv
. .venv/bin/activate

# Install the package editable
pip install -e .

2. Configure Environment

# Copy environment template
cp env.template .env

# Edit with your Canvas credentials
# Required: CANVAS_API_TOKEN, CANVAS_API_URL

Get your Canvas API token from: Canvas → Account → Settings → New Access Token

Note for Students: Some educational institutions restrict API token creation for students. If you see an error like "There is a limit to the number of access tokens you can create" or cannot find the token creation option, contact your institution's Canvas administrator or IT support department to request API access or assistance in creating a token.

3. MCP Client Configuration

Canvas MCP works with any MCP-compatible client. Below are configuration examples for popular clients:

Claude Desktop (Most Popular)

Configuration file location:

• macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
• Windows: %APPDATA%\Claude\claude_desktop_config.json

Configuration:

{
  "mcpServers": {
    "canvas-api": {
      "command": "/absolute/path/to/canvas-mcp/.venv/bin/canvas-mcp-server"
    }
  }
}

Note: Use the absolute path to your virtualenv binary to avoid issues with shell-specific PATH entries (e.g., pyenv shims).

Cursor

Configuration file location:

• macOS/Linux: ~/.cursor/mcp_config.json
• Windows: %USERPROFILE%\.cursor\mcp_config.json

Configuration:

{
  "mcpServers": {
    "canvas-api": {
      "command": "/absolute/path/to/canvas-mcp/.venv/bin/canvas-mcp-server"
    }
  }
}

Zed

Configuration: Add to Zed's settings.json (accessible via Settings menu)

{
  "context_servers": {
    "canvas-api": {
      "command": {
        "path": "/absolute/path/to/canvas-mcp/.venv/bin/canvas-mcp-server",
        "args": []
      }
    }
  }
}

Windsurf IDE

Configuration file location:

• macOS: ~/Library/Application Support/Windsurf/mcp_config.json
• Windows: %APPDATA%\Windsurf\mcp_config.json

Configuration:

{
  "mcpServers": {
    "canvas-api": {
      "command": "/absolute/path/to/canvas-mcp/.venv/bin/canvas-mcp-server"
    }
  }
}

Continue

Configuration: Add to Continue's config.json (accessible via Continue settings)

{
  "mcpServers": {
    "canvas-api": {
      "command": "/absolute/path/to/canvas-mcp/.venv/bin/canvas-mcp-server"
    }
  }
}

Other MCP Clients

For other MCP-compatible clients, the general pattern is:

1. Locate your client's MCP configuration file
2. Add a server entry with:
   • Server name: canvas-api (or any name you prefer)
   • Command: Full path to canvas-mcp-server binary
   • Optional args: Additional arguments if needed

Consult your client's MCP documentation for specific configuration format and file locations.

Windows users: Replace forward slashes with backslashes in paths (e.g., C:\Users\YourName\canvas-mcp\.venv\Scripts\canvas-mcp-server.exe)

Verification

Test your setup:

# Test Canvas API connection
canvas-mcp-server --test

# View configuration
canvas-mcp-server --config

# Start server (for manual testing)
canvas-mcp-server

Available Tools

The Canvas MCP Server provides a comprehensive set of tools for interacting with the Canvas LMS API. These tools are organized into logical categories for better discoverability and maintainability.

Tool Categories

Student Tools (New!)

• Personal assignment tracking and deadline management
• Grade monitoring across all courses
• TODO list and peer review management
• Submission status tracking

Shared Tools (Both Students & Educators)

1. Course Tools - List and manage courses, get detailed information, generate summaries with syllabus content
2. Discussion & Announcement Tools - Manage discussions, announcements, and replies
3. Page & Content Tools - Access pages, modules, and course content

Educator Tools 4. Assignment Tools - Handle assignments, submissions, and peer reviews with analytics 5. Rubric Tools - List rubrics, associate with assignments, and grade submissions (including bulk_grade_submissions for efficient batch grading). Note: Create/update rubrics via Canvas web UI due to API limitations. 6. User & Enrollment Tools - Manage enrollments, users, and groups 7. Analytics Tools - View student analytics, assignment statistics, and progress tracking 8. Messaging Tools - Send messages and announcements to students

Developer Tools 9. Discovery Tools - Search and explore available code execution API operations with search_canvas_tools and list_code_api_modules 10. Code Execution Tools - Execute TypeScript code with execute_typescript for token-efficient bulk operations (99.7% token savings!)

📖 View Full Tool Documentation for detailed information about all available tools.

🚀 Code Execution API (New!)

The Canvas MCP now supports code execution patterns for maximum token efficiency when performing bulk operations.

When to Use Each Approach

Traditional Tool Calling (for simple queries):

Ask Claude: "Show me my courses"
Ask Claude: "Get assignment details for assignment 123"

✅ Best for: Single queries, small datasets, quick lookups

Bulk Grade Submissions Tool (for batch grading with predefined grades):

Ask Claude: "Grade these 10 students with their specific rubric scores"

✅ Best for: Batch grading when you already have the grades/scores, concurrent processing

Code Execution (for bulk operations with custom logic):

Ask Claude: "Grade all 90 Jupyter notebook submissions by analyzing each notebook"
Ask Claude: "Send reminders to all students who haven't submitted"

✅ Best for: Bulk processing with custom analysis logic, large datasets, complex conditions

Token Savings Example

Scenario: Grading 90 Jupyter notebook submissions

Approach	Token Usage	Efficiency
Traditional	1.35M tokens	Loads all submissions into context
Code Execution	3.5K tokens	99.7% reduction! 🎉

Example: Bulk Grading

import { bulkGrade } from './canvas/grading/bulkGrade';

await bulkGrade({
  courseIdentifier: "60366",
  assignmentId: "123",
  gradingFunction: (submission) => {
    // Analysis happens locally, not in Claude's context!
    const notebook = submission.attachments?.find(f =>
      f.filename.endsWith('.ipynb')
    );

    if (!notebook) return null; // Skip

    const hasErrors = analyzeNotebook(notebook.url);

    return hasErrors ? null : {
      points: 100,
      rubricAssessment: { "_8027": { points: 100 } },
      comment: "Great work! No errors."
    };
  }
});

Example: Bulk Discussion Grading

Grade discussion posts with initial post + peer review requirements:

import { bulkGradeDiscussion } from './canvas/discussions/bulkGradeDiscussion';

// Preview grades first (dry run)
await bulkGradeDiscussion({
  courseIdentifier: "60365",
  topicId: "990001",
  criteria: {
    initialPostPoints: 10,      // Points for initial post
    peerReviewPointsEach: 5,    // Points per peer review
    requiredPeerReviews: 2,     // Must review 2 peers
    maxPeerReviewPoints: 10     // Cap at 10 pts for reviews
  },
  dryRun: true  // Preview first!
});

// Then apply grades
await bulkGradeDiscussion({
  courseIdentifier: "60365",
  topicId: "990001",
  assignmentId: "1234567",  // Required to write grades
  criteria: {
    initialPostPoints: 10,
    peerReviewPointsEach: 5,
    requiredPeerReviews: 2,
    maxPeerReviewPoints: 10
  },
  dryRun: false
});

Features:

• Automatically analyzes initial posts vs peer reviews
• Configurable grading criteria with point allocation
• Optional late penalties with customizable deadline
• Dry run mode to preview grades before applying
• Concurrent processing with rate limiting
• Returns comprehensive participation analytics

Discovering Available Tools

The Canvas MCP Server includes a search_canvas_tools MCP tool that helps you discover and explore available code execution API operations. This tool searches through the TypeScript code API files and returns information about available Canvas operations.

Tool Parameters:

• query (string, optional): Search term to filter tools by keyword (e.g., "grading", "assignment", "discussion"). Empty string returns all available tools.
• detail_level (string, optional): Controls how much information to return. Options:
  • "names": Just file paths (most efficient for quick lookups)
  • "signatures": File paths + function signatures + descriptions (recommended, default)
  • "full": Complete file contents (use sparingly for detailed inspection)

Example Usage:

Ask Claude in natural language:

• "Search for grading tools in the code API"
• "What bulk operations are available?"
• "Show me all code API tools"

Or use directly via MCP:

// Search for grading-related tools with signatures
search_canvas_tools("grading", "signatures")

// List all available tools (names only)
search_canvas_tools("", "names")

// Get full implementation details for bulk operations
search_canvas_tools("bulk", "full")

// Find discussion-related operations
search_canvas_tools("discussion", "signatures")

Returns: JSON response with:

• query: The search term used
• detail_level: The detail level requested
• count: Number of matching tools found
• tools: Array of matching tools with requested detail level

Code API File Structure

src/canvas_mcp/code_api/
├── client.ts              # Base MCP client bridge
├── index.ts               # Main entry point
└── canvas/
    ├── assignments/       # Assignment operations
    │   └── listSubmissions.ts
    ├── grading/          # Grading operations
    │   ├── gradeWithRubric.ts
    │   └── bulkGrade.ts  # ⭐ Bulk grading (99.7% token savings!)
    ├── discussions/      # Discussion operations
    │   ├── listDiscussions.ts
    │   ├── postEntry.ts
    │   └── bulkGradeDiscussion.ts  # ⭐ Bulk discussion grading
    ├── courses/          # Course operations
    └── communications/   # Messaging operations

How It Works

1. Discovery: Use search_canvas_tools to find available operations
2. Execution: Claude reads TypeScript code API files and executes them locally
3. Processing: Data stays in execution environment (no context cost!)
4. Results: Only summaries flow back to Claude's context

📖 View Bulk Grading Example for a detailed walkthrough.

Code Execution Security

The execute_typescript tool runs TypeScript locally with secure-by-default sandboxing. No configuration needed — sandbox protections are enabled out of the box.

Default Security (no configuration required):

• Sandbox enabled — timeout (120s), memory limit (512 MB), CPU limit (30s)
• Network blocked — outbound connections blocked except Canvas API host; intercepts both https.request and fetch() API
• Environment filtered — only system vars (PATH, HOME, etc.) and Canvas credentials passed to subprocess; secrets like AWS_SECRET_ACCESS_KEY, DATABASE_PASSWORD are stripped
• Execution audited — when LOG_EXECUTION_EVENTS=true, structured JSON audit events record code hash, sandbox mode, status, and duration (never raw code or stderr)

Security Modes:

• Local sandbox (default): Node.js subprocess with resource limits, network guard, and environment filtering
• Container sandbox (TS_SANDBOX_MODE=container): If Docker/Podman is available, code runs inside node:20-alpine for full filesystem isolation
• Sandbox disabled (ENABLE_TS_SANDBOX=false): Code runs with your local user permissions and full network access

Best Practices:

• Trusted Environment Required: Only use code execution in environments you control
• Review Generated Code: Always review TypeScript code before execution, especially for bulk operations
• Timeout Configuration: Adjust TS_SANDBOX_TIMEOUT_SEC based on expected operation duration

Limitations:

• Network allowlist is enforced inside Node; external binaries spawned by user code are not blocked
• Container mode is optional; when unavailable, the server falls back to local sandbox with warnings
• File system isolation is only enforced when running inside a container

For technical implementation details, see src/canvas_mcp/tools/code_execution.py.

Usage with MCP Clients

This MCP server works seamlessly with any MCP-compatible client:

1. Automatic Startup: MCP clients start the server when needed
2. Tool Integration: Canvas tools appear in your AI assistant's interface
3. Natural Language: Interact naturally with prompts like:

Students:

• "What assignments do I have due this week?"
• "Show me my current grades"
• "What peer reviews do I need to complete?"
• "Have I submitted everything for BADM 350?"

Educators:

• "Which students haven't submitted the latest assignment?"
• "Create an announcement about tomorrow's exam"
• "Show me peer review completion analytics"

Quick Start Examples

New to Canvas MCP? Check out these practical guides:

• Student Quick Start - Common tasks for students
• Educator Quick Start - Essential workflows for teachers
• Real-World Workflows - Complete scenarios combining multiple features
• Common Issues & Solutions - Troubleshooting guide
• Bulk Grading Example - Token-efficient batch grading

Project Structure

Modern Python package structure following 2025 best practices:

canvas-mcp/
├── pyproject.toml             # Modern Python project config
├── env.template              # Environment configuration template
├── src/
│   └── canvas_mcp/            # Main package
│       ├── __init__.py        # Package initialization
│       ├── server.py          # Main server entry point
│       ├── core/              # Core utilities
│       │   ├── config.py      # Configuration management
│       │   ├── client.py      # HTTP client
│       │   ├── cache.py       # Caching system
│       │   ├── audit.py       # Structured audit logging
│       │   └── validation.py  # Input validation
│       ├── tools/             # MCP tool implementations
│       │   ├── courses.py     # Course management
│       │   ├── assignments.py # Assignment tools
│       │   ├── discussions.py # Discussion tools
│       │   ├── rubrics.py     # Rubric tools
│       │   ├── student_tools.py # Student-specific tools
│       │   ├── messaging.py   # Communication tools
│       │   ├── discovery.py   # Code API tool discovery
│       │   ├── code_execution.py # TypeScript code execution (NEW!)
│       │   └── ...            # Other tool modules
│       ├── code_api/          # Code execution API (NEW!)
│       │   ├── client.ts      # MCP client bridge
│       │   └── canvas/        # Canvas operations
│       │       ├── grading/   # Bulk grading (99.7% token savings!)
│       │       ├── courses/   # Course operations
│       │       └── ...        # Other modules
│       └── resources/         # MCP resources
├── examples/                 # Usage examples (NEW!)
└── docs/                     # Documentation

Documentation

• Tool Documentation - Complete reference for all available tools
• Pages Implementation Guide - Comprehensive Pages feature guide
• Course Documentation Template - Hybrid approach for efficient course documentation
• Development Guide - Architecture details and development reference

Technical Details

Modern Architecture (2025)

Built with current Python ecosystem best practices:

• Package Structure: Modern src/ layout with pyproject.toml
• Dependency Management: Fast uv package manager with locked dependencies
• Configuration: Environment-based config with validation and templates
• Entry Points: Proper CLI commands via pyproject.toml scripts
• Type Safety: Full type hints and runtime validation

Core Components

• FastMCP Framework: Robust MCP server implementation with tool registration
• Async Architecture: httpx client with connection pooling and rate limiting
• Smart Caching: Intelligent request caching with configurable TTL
• Configuration System: Environment-based config with validation and defaults
• Educational Focus: Tools designed for real teaching workflows

Dependencies

Modern Python packages (see pyproject.toml):

• fastmcp: MCP server framework
• httpx: Async HTTP client
• python-dotenv: Environment configuration
• pydantic: Data validation and settings
• python-dateutil: Date/time handling

Performance Features

• Connection Pooling: Reuse HTTP connections for efficiency
• Request Caching: Minimize redundant Canvas API calls
• Async Operations: Non-blocking I/O for concurrent requests
• Smart Pagination: Automatic handling of Canvas API pagination
• Rate Limiting: Respect Canvas API limits with backoff

Development Tools

• Automated Setup: One-command installation script
• Configuration Testing: Built-in connection and config testing
• Type Checking: mypy support for type safety
• Code Quality: ruff and black for formatting and linting

For contributors, see the Development Guide for detailed architecture and development reference.

Troubleshooting

If you encounter issues:

1. Server Won't Start - Verify your Configuration setup: .env file, virtual environment path, and dependencies
2. Authentication Errors - Check your Canvas API token validity and permissions
3. Connection Issues - Verify Canvas API URL correctness and network access
4. Debugging - Check your MCP client's console logs (e.g., Claude Desktop's developer console) or run server manually for error output

Security & Privacy Features

Runtime Security (v1.0.8)

Four layers of security hardening, all enabled by default with zero configuration:

Layer	What It Does	Default
PII Sanitization	Redacts user_id, email, name etc. from log context; truncates IDs to last 4 chars	LOG_REDACT_PII=true
Token Validation	Validates Canvas API token on startup via /users/self; warns but doesn't block if invalid	Always on
Audit Logging	Structured JSON audit trail for data access and code execution events; rotating file at ~/.canvas-mcp/audit.jsonl	Opt-in: LOG_ACCESS_EVENTS, LOG_EXECUTION_EVENTS
Sandbox Hardening	Secure-by-default code execution: sandbox on, network blocked, env filtered, resource limits set	ENABLE_TS_SANDBOX=true

All audit events use sanitized endpoints (/courses/***/users/***) and structured metadata only — no raw error payloads or process output that could leak PII.

API Security

• Your Canvas API token grants access to your Canvas account
• Token validated on startup with clear error messaging for invalid/expired tokens
• Never commit your .env file to version control
• The server runs locally on your machine — no external data transmission
• Environment variable filtering prevents credential leakage to subprocesses

Privacy Controls (Educators Only)

Educators working with student data can enable FERPA-compliant anonymization:

# In your .env file
ENABLE_DATA_ANONYMIZATION=true  # Anonymizes student names/emails before AI processing
LOG_REDACT_PII=true             # Redacts PII from log output (default: true)
LOG_ACCESS_EVENTS=true          # Enable data access audit trail (default: false)
LOG_EXECUTION_EVENTS=true       # Enable code execution audit trail (default: false)

Students don't need anonymization since they only access their own data.

For detailed privacy configuration, see:

• Educator Guide - FERPA compliance and anonymization
• Student Guide - Privacy information for students

Publishing to MCP Registry

This server is published to the Model Context Protocol Registry for easy installation.

Automated Publishing (Recommended)

Publishing is automated via GitHub Actions:

1. Prepare a release:

   # Update version in pyproject.toml and src/canvas_mcp/__init__.py
   # Update CHANGELOG if applicable
   git commit -am "chore: bump version to X.Y.Z"
   git push

2. Create and push a version tag:

   git tag vX.Y.Z
   git push origin vX.Y.Z

3. Automated workflows (triggered by tag push):

   • Publish workflow (publish-mcp.yml):
     • Runs tests
     • Builds Python package
     • Publishes to PyPI
     • Publishes to MCP Registry using GitHub OIDC
   • Release workflow (create-release.yml):
     • Creates GitHub release with changelog
     • Updates README.md with latest release info
     • Commits README changes back to main branch

4. Testing the release workflow (optional):

   • The release workflow can be manually triggered from the Actions tab
   • Go to Actions → "Create Release and Update README" → Run workflow
   • Enter a test tag name (e.g., v1.0.7-test)
   • This allows testing without creating an actual release tag

Prerequisites for Publishing

• PyPI Account: Create account at pypi.org
• Trusted Publisher Setup (recommended, no tokens needed):
  1. Visit PyPI Trusted Publishers
  2. Add a "pending publisher" for your repository:
     • Owner: vishalsachdev
     • Repository: canvas-mcp
     • Workflow: publish-mcp.yml
     • Environment: (leave blank)
  3. This reserves the package name and enables tokenless publishing

Alternative: Use API token (legacy method - not recommended):

• Generate token at PyPI → Account Settings → API tokens
• Add as PYPI_API_TOKEN secret in repository settings
• Update workflow to use password: ${{ secrets.PYPI_API_TOKEN }}

Manual Publishing (Alternative)

For manual publishing:

# Install MCP Publisher
curl -fsSL https://modelcontextprotocol.io/install.sh | sh

# Login using GitHub
mcp-publisher login github

# Publish server
mcp-publisher publish

Registry Validation

The server.json configuration is automatically validated against the MCP schema during CI/CD. To validate locally:

# Download schema
curl -s https://registry.modelcontextprotocol.io/v0/server.schema.json -o /tmp/mcp-schema.json

# Validate (requires jsonschema CLI)
pip install jsonschema
jsonschema -i server.json /tmp/mcp-schema.json

Contributing

Contributions are welcome! Feel free to:

• Submit issues for bugs or feature requests
• Create pull requests with improvements
• Share your use cases and feedback

License

This project is licensed under the MIT License - see the LICENSE file for details.

---

Created by Vishal Sachdev