MCP servers that expose third-party tools to any MCP-compatible client or
agent framework, each call gated by
permit0.
The servers do no policy evaluation themselves — enforcement happens at the
permit0 PreToolUse hook / daemon. These are plain MCP wrappers whose tool
names normalize cleanly into the permit0 email.* action vocabulary.
| Server | Package | Tools |
|---|---|---|
gmail-mcp/ |
permit0-gmail-mcp |
13 gmail_* tools (Gmail API v1) |
outlook-mcp/ |
permit0-outlook-mcp |
13 outlook_* tools (Microsoft Graph) |
Both lower to the same email.* norm actions, so one permit0 risk rule
covers every backend. For the full list of supported functions and their
parameters, see docs/GMAIL.md and
docs/OUTLOOK.md.
The two servers install independently. See docs/GMAIL.md
and docs/OUTLOOK.md for each server's install steps
(from source or Docker), first-time OAuth login, and supported functions.
Both servers ship a Dockerfile. The image supports two transports, selected
by the MCP_TRANSPORT env var:
- stdio (default) — the container runs as a subprocess of your MCP client, one container per server.
- http — a long-lived streamable-HTTP service.
Build both images:
docker build -t permit0-gmail-mcp gmail-mcp
docker build -t permit0-outlook-mcp outlook-mcpWire them into your MCP client's config under mcpServers. Your client then
starts a fresh container per session:
Each args array is a complete docker run command — run it directly in a
terminal to smoke-test a server before wiring it in.
docker compose builds and runs both servers at once:
cp .env.example .env # optional — adjust PERMIT0_URL / MSGRAPH_CLIENT_ID
docker compose up --build| Server | Endpoint (MCP streamable-http) |
|---|---|
| gmail | http://localhost:8000/mcp |
| outlook | http://localhost:8001/mcp |
docker compose auto-loads .env from this directory; it is gitignored, so
keep machine-specific overrides there and leave .env.example as the template.
| Variable | Default | Purpose |
|---|---|---|
MCP_TRANSPORT |
stdio |
stdio, http (streamable-http), or sse |
MCP_HOST |
0.0.0.0 (in image) |
bind address for http/sse |
MCP_PORT |
8000 |
bind port for http/sse |
PERMIT0_URL |
http://host.docker.internal:9090 |
permit0 daemon URL |
MSGRAPH_CLIENT_ID |
(built-in public client) | Outlook only — Azure app override |
OAuth state — Gmail's gmail_credentials.json / gmail_token.json and
Outlook's MSAL token cache — lives under /home/app/.permit0 in the
container. Mount a volume there (as shown above, or the named volumes in
docker-compose.yml) so it survives restarts.
Do the first interactive login once per server:
- Gmail — opens a browser for Google consent.
- Outlook — device-code flow; run
docker compose logs -f outlook(or watch the container logs) for the sign-in URL and code.
See each server's README.md for the full OAuth walkthrough.
{ "mcpServers": { "permit0-gmail": { "command": "docker", "args": ["run", "--rm", "-i", "-e", "PERMIT0_URL=http://host.docker.internal:9090", "-v", "permit0-gmail-state:/home/app/.permit0", "permit0-gmail-mcp"] }, "permit0-outlook": { "command": "docker", "args": ["run", "--rm", "-i", "-e", "PERMIT0_URL=http://host.docker.internal:9090", "-v", "permit0-outlook-state:/home/app/.permit0", "permit0-outlook-mcp"] } } }