cf-webmcp

A Cloudflare Worker that sits in front of a website and equips it with WebMCP. One TOML file in, every WebMCP-aware browser sees the site's tools out.

Not affiliated with Cloudflare. The cf- prefix only reflects that the project runs exclusively on Cloudflare primitives - this is not an official Cloudflare product.

What it does

For each request, the Worker does one of two things:

1. Handle a Worker-owned path directly.

2. Otherwise, proxy to origin and modify the response on the way back.

• HTTP Link header added to every proxied response (HTML, PDF, image, JSON, anything). One entry per discovery surface: rel="webmcp" to the manifest, rel="api-catalog" to the catalog, rel="agent-skills" to the SKILL.md. An agent doing a HEAD request finds all three without parsing a body.
• On HTML responses only (status 200, text/html, UTF-8, path not in [injection].exclude_paths), HTMLRewriter injects:
  • matching <link> tags into <head> (rel="webmcp", rel="api-catalog", rel="agent-skills"),
  • one <script src="/_webmcp/bootstrap.<hash>.js" defer> before </body> that auto-registers the tools via navigator.modelContext,
  • W3C declarative form attributes (toolname, tooldescription, toolparamdescription, toolautosubmit) stamped onto matching <form> elements when a [[forms]] block matches the current path.

Non-HTML responses (PDFs, images, JSON, CSS, JS, etc.) pass through with their body unchanged but with the Link header added.

The tool catalogue lives in one TOML file. Five server-side executor types (sitemap_filter, rss_feed, dom_extract, http_json, http_get) cover the imperative tool path; [[forms]] blocks cover the declarative-form path. Three deploy templates ship: default, wordpress, woocommerce (Store API).

Discovery surfaces

cf-webmcp publishes the same tool catalogue through multiple complementary surfaces, all driven from the single TOML:

• /.well-known/webmcp.json (manifest, machine-readable)
• <link rel="webmcp"> injected into every HTML page
• Link: rel="webmcp" HTTP header on every response
• /llms.txt augmented with a WebMCP block (idempotent merge with origin's file). Also advertised in the Link header and as <link rel="describedby" type="text/markdown"> via the IANA-registered RFC 8288 relation, so generic agent-aware scanners that only recognise standard rels find a description of the site.
• /robots.txt augmented with Disallow: /_webmcp/ (idempotent merge)
• /.well-known/agents.md for acting agents, with /AGENTS.md and /agents.md 301-redirecting to it
• /.well-known/api-catalog (RFC 9727) Linkset entry pointing at the WebMCP manifest. Also advertised in the Link header and as <link rel="api-catalog"> on every response.
• /.well-known/agent-skills/<slug>/SKILL.md Anthropic-format Agent Skill with auto-generated tool list + publisher-written hints. Also advertised via rel="agent-skills" in the Link header and as a <link> tag.
• /.well-known/agent-skills/index.json (Cloudflare Agent Skills Discovery RFC v0.2.0) wraps the SKILL.md in a spec-compliant index with a build-time SHA-256 digest for integrity verification. links.agent_skills_index field added to the manifest.
• /mcp landing page that branches at runtime between native, pair, and disabled states

Plus five executor types (sitemap_filter, rss_feed, dom_extract, http_json, http_get) for the imperative tool path, and a [[forms]] block for the declarative form path.

[!NOTE]
Every surface above is opt-in. Each one maps to a single boolean in your [features] block. If you disagree with a convention or do not want to publish it, flip the flag off and the route disappears, the link advertisement drops out, and no fingerprint is left. llms.txt is the most widely-debated example: set llms_txt = false and cf-webmcp stops claiming the path entirely. Same applies to agents.md, api-catalog, agent-skills, fallback_widget, form-attribute injection, and the in-page <script> bootstrap. Defaults are "on" because cf-webmcp's value is publishing discovery surfaces; opting out is one TOML edit away. See docs/scope.md for what is in and out of scope at the project level.

Quick start

git clone https://github.com/basgr/cf-webmcp
cd cf-webmcp
cp templates/default.toml webmcp.toml
cp wrangler.example.toml wrangler.toml
# edit webmcp.toml: set [site], [origin], and tool URLs
# edit wrangler.toml: set the route for your domain
npm install
npm run build
wrangler deploy

Documentation

Full reference docs live in docs/:

Getting started

• Deployment - full-proxy vs route-only modes, wrangler config, Bot Management bypass.
• Local testing - wrangler dev against the bundled templates/example-site/ fixture.
• Browser support - enabling the WebMCP flag in Chrome and verifying it.

Configuration

• Customisation - overriding the /mcp landing template, placeholders, runtime state branching.
• Form injection - the [[forms]] block, declarative toolname / tooldescription / toolparamdescription / toolautosubmit attribute stamping.
• AGENTS.md - /.well-known/agents.md publication + 301 aliases.
• API catalog (RFC 9727) - the /.well-known/api-catalog Linkset.
• Agent Skills - the /.well-known/agent-skills/<slug>/SKILL.md publication.

Operations

• Costs - Workers, R2, and cache pricing under typical traffic.
• Privacy - what's logged, what's stripped from origin fetches, GDPR posture.
• Upgrade - schema_version policy, tool-name immutability, breaking-change procedure.
• Limitations - SPA story, multi-language sites, service workers, other known edges.

Project

• Scope - what cf-webmcp is and is not. Read this before opening a feature request.
• Security model - tool descriptions are not a security boundary; what cf-webmcp does and does not defend against.

Acknowledgements

• Suganthan Mohanadasan, "WebMCP: I Made My Website AI Agent Ready" - the implementation guide that informed the publisher-side discovery patterns.
• jasonjmcghee/WebMCP - the fallback widget that bridges desktop MCP clients to WebMCP sites.
• webmachinelearning/webmcp - the W3C draft.

License

MIT. See LICENSE.