# canvas-mcp - Doramagic AI Context Pack

> Positioning: a pre-install experience and judgment asset. It helps the host AI get off to a good start, but it does not mean the project has already been installed, run, or validated.

## Sufficiency Principle

- **Sufficiency over compression**: The AI Context Pack should be sufficient for the host AI to understand the project's value, capability boundaries, entrypoints, risks, and evidence sources before starting work; it may be layered, but it does not aim for the shortest possible summary.
- **Compression policy**: Compress only noise and duplication, never context that affects judgment or the quality of the work.

## How the Host AI Should Use This

You are reading the AI Context Pack that Doramagic compiled for canvas-mcp. Treat it as pre-work context: help the user understand who it fits, what it can do, how to start, what must be verified after install, and where the risks are. Do not claim that you have already installed, run, or executed the target project.

## Claim Consumption Rules

- **Fact source**: Repo Evidence + Claim/Evidence Graph; the Human Wiki only supplies salience, terminology, and narrative structure.
- **Minimum status for a fact**: `supported`
- `supported`: May be used as a project fact, but the answer must cite the claim_id and evidence path.
- `weak`: Usable only as a low-confidence lead; the user must be asked to keep verifying.
- `inferred`: Usable only for risk notes or open questions; must not be packaged as a project fact.
- `unverified`: Must not be used as fact; state clearly that evidence is insufficient.
- `contradicted`: Must show the conflicting sources and must not force a single version on the user's behalf.

## Who It Fits Best

- **Developers already using host AIs such as Claude/Codex/Cursor/Gemini**: The README or plugin config mentions multiple host AIs. Evidence: `README.md` Claim: `clm_0003` supported 0.86
- **Users who want to bring professional workflows into a host AI**: The repo contains Skill documents. Evidence: `skills/canvas-accessibility-auditor/SKILL.md`, `skills/canvas-bulk-grading/SKILL.md`, `skills/canvas-course-builder/SKILL.md`, `skills/canvas-course-qc/SKILL.md` et al. Claim: `clm_0004` supported 0.86

## What It Can Do

- **AI Skill / Agent Instruction Asset Library** (Previewable before install): The project contains Skill or Agent instruction files that a host AI can read, useful for bringing professional workflows into hosts like Claude, Codex, or Cursor. Evidence: `skills/canvas-accessibility-auditor/SKILL.md`, `skills/canvas-bulk-grading/SKILL.md`, `skills/canvas-course-builder/SKILL.md`, `skills/canvas-course-qc/SKILL.md` et al. Claim: `clm_0001` supported 0.86
- **Command-Line Startup or Install Flow** (Verify after install): The project documentation contains runnable commands; real use requires running them in a local or host environment. Evidence: `README.md` Claim: `clm_0002` supported 0.86

## How to Start

- `npx skills add vishalsachdev/canvas-mcp` Evidence: `README.md` Claim: `clm_0005` supported 0.86, `clm_0006` supported 0.86
- `npx skills add vishalsachdev/canvas-mcp -s canvas-week-plan` Evidence: `README.md` Claim: `clm_0006` supported 0.86
- `pip install -e .` Evidence: `README.md` Claim: `clm_0007` supported 0.86

## Continue-or-Stop Decision Card

- **Current recommendation**: Needs admin / security approval
- **Why**: Continuing may involve secrets, accounts, external services, or sensitive context; get admin or security approval first.

### 30-Second Read

- **What to do now**: Needs admin / security approval
- **Minimum safe next step**: Run Prompt Preview first; if credentials or an enterprise environment are involved, get approval before trialing
- **Do not trust yet**: Tool permission boundaries cannot be trusted before install.
- **Continuing will touch**: Command execution, Host AI configuration, Local environment or project files

### What You Can Trust Now

- **Target-audience signal: Developers already using host AIs such as Claude/Codex/Cursor/Gemini** (supported): Backed by a supported claim or project evidence, but that still is not the same as real install results. Evidence: `README.md` Claim: `clm_0003` supported 0.86
- **Target-audience signal: Users who want to bring professional workflows into a host AI** (supported): Backed by a supported claim or project evidence, but that still is not the same as real install results. Evidence: `skills/canvas-accessibility-auditor/SKILL.md`, `skills/canvas-bulk-grading/SKILL.md`, `skills/canvas-course-builder/SKILL.md`, `skills/canvas-course-qc/SKILL.md` et al. Claim: `clm_0004` supported 0.86
- **Capability exists: AI Skill / Agent Instruction Asset Library** (supported): You can trust that the project contains signals of this capability; whether it fits your specific task still needs trial or after-install verification. Evidence: `skills/canvas-accessibility-auditor/SKILL.md`, `skills/canvas-bulk-grading/SKILL.md`, `skills/canvas-course-builder/SKILL.md`, `skills/canvas-course-qc/SKILL.md` et al. Claim: `clm_0001` supported 0.86
- **Capability exists: Command-Line Startup or Install Flow** (supported): You can trust that the project contains signals of this capability; whether it fits your specific task still needs trial or after-install verification. Evidence: `README.md` Claim: `clm_0002` supported 0.86
- **There are Quick Start / install-command signals** (supported): You can trust that the docs mention a startup or install entrypoint; do not run it directly in your primary environment because of that. Evidence: `README.md` Claim: `clm_0005` supported 0.86, `clm_0006` supported 0.86

### What You Cannot Trust Yet

- **Tool permission boundaries cannot be trusted before install.** (unverified): MCP/tool projects usually touch files, the network, the browser, or external APIs, so permissions and logs must be checked for real.
- **Real output quality cannot be trusted before install.** (unverified): Prompt Preview can only show how it guides you; it cannot prove result quality in the real project.
- **Host AI version compatibility cannot be trusted before install.** (unverified): Host loading rules and version differences across Claude, Cursor, Codex, Gemini, and others must be verified in a real environment.
- **That it will not pollute your existing host AI's behavior cannot be trusted directly.** (inferred): Skill, plugin, and AGENTS/CLAUDE/GEMINI instructions may change the host AI's default behavior. Evidence: `AGENTS.md`, `CLAUDE.md`, `skills/canvas-accessibility-auditor/SKILL.md`, `skills/canvas-bulk-grading/SKILL.md` et al.
- **Safe rollback cannot be assumed by default.** (unverified): Unless the project clearly provides uninstall and recovery instructions, verify in an isolated environment first.
- **After a real install, is it compatible with the user's current host AI version?** (unverified): Compatibility can only be verified in the actual host environment.
- **Does the project's output quality meet the user's specific task?** (unverified): The pre-install preview can only show flow and boundaries; it cannot replace real evaluation.
- **Do the install commands require network access, permissions, or global writes?** (unverified): This affects install risk in both enterprise and personal environments. Evidence: `README.md`

### What Continuing Will Touch

- **Command execution**: Package managers, network downloads, the local plugin directory, project config, or the user's home directory. Why: Running the very first command can already change your environment; decide whether it is worth running first. Evidence: `README.md`
- **Host AI configuration**: The plugin, Skill, or rule-loading config of hosts like Claude/Codex/Cursor/Gemini/OpenCode. Why: Host configuration changes how the AI works afterward and may conflict with the user's existing rules. Evidence: `AGENTS.md`, `CLAUDE.md`, `skills/canvas-accessibility-auditor/SKILL.md`, `skills/canvas-bulk-grading/SKILL.md` et al.
- **Local environment or project files**: Install results, plugin caches, project config, or local dependency directories. Why: The write scope and rollback path cannot be proven before install and need isolated verification. Evidence: `README.md`
- **Environment variables / API keys**: Project entry docs explicitly showing API key, token, secret, or account credential configuration. Why: If a real install needs credentials, use test credentials first and go through a permission/compliance review. Evidence: `AGENTS.md`, `CLAUDE.md`, `README.md`, `deploy/setup.sh` et al.
- **Host AI context**: The AI Context Pack, Prompt Preview, Skill routing, risk rules, and project facts. Why: Importing context affects the host AI's later judgment, so avoid packaging unverified items as facts.

### Minimum Safe Next Steps

- **Run Prompt Preview first**: Use a pre-install interactive trial to judge whether the way of working fits; it needs no authorization or environment change. (applies when: Applies to any project, especially when output quality is unknown.)
- **Trial-install only in an isolated directory or a test account**: Avoid letting install commands pollute your primary host AI, real projects, or home directory. (applies when: When there are signals of command execution, plugin config, or local writes.)
- **Back up your host AI configuration first**: Skill, plugin, and rule files may change the default behavior of Claude/Cursor/Codex. (applies when: When there is a plugin manifest, a Skill, or a host rule entrypoint.)
- **Do not use real production credentials**: Once an environment variable / API key enters the host or toolchain, it can create account and compliance risk. (applies when: When environment signals like API, TOKEN, KEY, or SECRET appear.)
- **After install, verify just one minimal task**: Verify loading, compatibility, output quality, and rollback first, then decide whether to use it deeply. (applies when: When moving from a trial into a real workflow.)

### Exit Plan

- **Preserve the pre-install state**: Record the original host config and project state so you can later judge whether it is recoverable.
- **Be ready to remove the host plugin / Skill / rule entrypoint**: If behavior is off after the trial install, you can restore the host AI to its pre-trial state.
- **Record the install commands and written paths**: Without clear uninstall instructions, you at least need to know which directories or configs to clean up manually.
- **Be ready to revoke test API keys or tokens**: If test credentials leak or are misused, you can cut losses quickly.
- **If there is no rollback path, do not enter your primary environment**: No rollback is a blocker before continuing; do not proceed on trust or luck.

## What Can Only Be Previewed

- Explain who the project fits and what it can do
- Demonstrate a typical conversation flow based on project docs
- Help the user decide whether it is worth installing or researching further

## What Must Be Verified After Install

- Actually installing the Skill, plugin, or CLI
- Running scripts, modifying local files, or accessing external services
- Verifying real output quality, performance, and compatibility

## Boundary & Risk Decision Card

- **Mistaking the pre-install preview for a real run**: The user may overestimate how much configuration, permission, and compatibility verification the project has already done. Mitigation: Clearly separate prompt_preview_can_do from runtime_required. Claim: `clm_0008` inferred 0.45
- **Command execution will modify the local environment**: Install commands may write to the user's home directory, the host plugin directory, or project configuration. Mitigation: Run in an isolated environment or a test account first. Evidence: `README.md` Claim: `clm_0009` supported 0.86
- **To confirm**: After a real install, is it compatible with the user's current host AI version?. Why: Compatibility can only be verified in the actual host environment.
- **To confirm**: Does the project's output quality meet the user's specific task?. Why: The pre-install preview can only show flow and boundaries; it cannot replace real evaluation.
- **To confirm**: Do the install commands require network access, permissions, or global writes?. Why: This affects install risk in both enterprise and personal environments.

## Pre-Work Working Context

### Loading Order

- First read how_to_use.host_ai_instruction to establish the boundaries of this pre-install judgment asset.
- Read claim_graph_summary to confirm facts come from the Claim/Evidence Graph, not the Human Wiki narrative.
- Then read intended_users, capabilities, and quick_start_candidates to judge whether the user is a match.
- When you need to carry out a concrete task, check role_skill_index first, then evidence_index.
- For real install, file modification, network access, performance, or compatibility questions, turn to risk_card and boundaries.runtime_required.

### Task Routes

- **AI Skill / Agent Instruction Asset Library**: Use role_skill_index / evidence_index to help the user pick a usable role, Skill, or workflow first. Boundary: Can be experienced via a pre-install Prompt. Evidence: `skills/canvas-accessibility-auditor/SKILL.md`, `skills/canvas-bulk-grading/SKILL.md`, `skills/canvas-course-builder/SKILL.md`, `skills/canvas-course-qc/SKILL.md` et al. Claim: `clm_0001` supported 0.86
- **Command-Line Startup or Install Flow**: State that this is an after-install capability first, then give a pre-install checklist. Boundary: Must be verified after a real install or run. Evidence: `README.md` Claim: `clm_0002` supported 0.86

### Context Scale

- Total files: 134
- Important-file coverage: 40/134
- Evidence index entries: 77
- Role / Skill entries: 8

### Handling Insufficient Evidence

- **missing_evidence**: State that evidence is insufficient and ask the user for the target file, a README section, or after-install verification records; do not fill in facts.
- **out_of_scope_request**: State that the task is beyond the current AI Context Pack's evidence scope and suggest the user check the Human Manual or verify after a real install.
- **runtime_request**: Provide a pre-install checklist and command sources, but do not run commands for the user or claim they have been run.
- **source_conflict**: Show the conflicting sources side by side, mark them as unverified, and do not force a single version.

## Prompt Recipes

### Fit assessment

- Goal: Judge whether this project fits the user's current task.
- Expected output: A fit conclusion, key reasons, evidence citations, what can be previewed before install, what must be verified after install, and a next-step recommendation.

```text
Based on the AI Context Pack for canvas-mcp, ask me 3 necessary questions first, then judge whether it fits my task. The answer must cover: who it fits, what it can do, what it cannot do, whether it is worth installing, and where the evidence comes from. Every project fact must cite evidence_refs, source_paths, or a claim_id.
```

### Pre-install experience

- Goal: Let the user feel the core workflow before installing, while avoiding packaging the preview as real capability or a marketing promise.
- Expected output: An experience script with boundary labels, an after-install verification checklist, and a cautious recommendation; with no real-run promises or strong marketing language.

```text
Treat canvas-mcp as a pre-install experience asset, not an already-installed tool or a real runtime environment.

Output exactly four parts:
1. Ask me 3 necessary questions first.
2. Give an "experience script": use the three labels [Previewable before install], [Must verify after install], and [Insufficient evidence] to show how it might guide the workflow.
3. Give an after-install verification checklist: list which capabilities can only be confirmed after a real install, real host loading, and a real project run.
4. Give a cautious recommendation: only "worth researching/trialing further", "add information before deciding", or "not recommended to continue"; do not endorse the project.

Hard boundaries:
- Do not claim you have installed, run, executed tests, modified files, or produced real results.
- Do not write promise-like phrasing such as "auto-adapts", "guarantees passing", "perfect fit", or "strongly recommend installing".
- If you describe how it works after install, you must use a conditional such as "if installed successfully and the host loads the Skill correctly, it might...".
- The experience script may only be written as "example lines / hypothetical flow": use "might ask / might suggest / might show", not "has written, has generated, has passed, is running, is generating".
- Prompt Preview does not hand out install commands; if the user is ready to trial, only prompt them to read Quick Start and the Risk Card first and to verify in an isolated environment.
- Every project fact must come from a supported claim, evidence_refs, or source_paths; inferred/unverified items can only be risks or open questions.

```

### Role / Skill selection

- Goal: Pick the best-matching asset from the project's roles or Skills.
- Expected output: A list of candidate roles or Skills, each with an applicable scenario, evidence paths, risk boundary, and whether after-install verification is needed.

```text
Read role_skill_index and recommend 3-5 of the most relevant roles or Skills for my target task. For each recommendation, state the applicable scenario, likely output, risk boundary, and evidence_refs.
```

### Risk pre-check

- Goal: Identify environment, permission, rule-conflict, and quality risks before installing or adopting.
- Expected output: A checklist of environment, permission, dependency, license, host-conflict, quality risk, and unknown items.

```text
Based on risk_card, boundaries, and quick_start_candidates, give me a pre-install risk pre-check list. Do not run commands for me; only explain what I should check, why, and what impact a failure would have.
```

### Host AI kickoff instruction

- Goal: Turn the project context into a host AI instruction for the start of a conversation.
- Expected output: A pre-work instruction with clear boundaries and clear evidence citations, suitable to copy to a host AI.

```text
Based on the AI Context Pack for canvas-mcp, generate a pre-work instruction I can paste to my host AI. This instruction must obey not_runtime=true and must not claim the project has been installed, run, or produced real results.
```

## Role / Skill Index

- Indexed 8 role / Skill / project-doc entries.

- **canvas-accessibility-auditor** (skill): Accessibility audit and remediation for Canvas LMS courses. Scans content for WCAG violations, generates prioritized reports, guides fixes, and verifies remediation. Use when asked to "audit accessibility", "check WCAG compliance", "fix accessibility issues", or "run accessibility review". Activation hint: When the user's task is highly relevant to the workflow described by “canvas-accessibility-auditor”, use it for a pre-install experience first, then decide whether to install. Evidence: `skills/canvas-accessibility-auditor/SKILL.md`
- **canvas-bulk-grading** (skill): Bulk grading workflows for Canvas LMS assignments using rubrics. Covers single grading, batch grading, and code execution strategies with safety-first dry runs. Activation hint: When the user's task is highly relevant to the workflow described by “canvas-bulk-grading”, use it for a pre-install experience first, then decide whether to install. Evidence: `skills/canvas-bulk-grading/SKILL.md`
- **canvas-course-builder** (skill): Scaffold complete Canvas LMS course structures from specs, templates, or existing courses. Creates modules, pages, assignments, and discussions in bulk. Use when asked to "build a course", "scaffold modules", "create course structure", "set up a new course", or "copy course structure". Activation hint: When the user's task is highly relevant to the workflow described by “canvas-course-builder”, use it for a pre-install experience first, then decide whether to install. Evidence: `skills/canvas-course-builder/SKILL.md`
- **canvas-course-qc** (skill): Learning designer quality check for Canvas LMS courses. Audits module structure, content completeness, publishing state, date consistency, and rubric coverage. Use when asked to "QC a course", "is this course ready", "pre-semester check", or "quality review". Activation hint: When the user's task is highly relevant to the workflow described by “canvas-course-qc”, use it for a pre-install experience first, then decide whether to install. Evidence: `skills/canvas-course-qc/SKILL.md`
- **canvas-discussion-facilitator** (skill): Discussion forum facilitator for Canvas LMS. Helps students and educators browse, read, reply to, and create discussion posts. Trigger phrases include "discussion posts", "reply to students", "check discussions", "forum participation", "post a discussion", or any discussion-related Canvas task. Activation hint: When the user's task is highly relevant to the workflow described by “canvas-discussion-facilitator”, use it for a pre-install experience first, then decide whether to install. Evidence: `skills/canvas-discussion-facilitator/SKILL.md`
- **canvas-morning-check** (skill): Educator morning course health check for Canvas LMS. Shows submission rates, struggling students, grade distribution, and upcoming deadlines. Trigger phrases include "morning check", "course status", "how are my students", or any start-of-day teaching review. Activation hint: When the user's task is highly relevant to the workflow described by “canvas-morning-check”, use it for a pre-install experience first, then decide whether to install. Evidence: `skills/canvas-morning-check/SKILL.md`
- **canvas-peer-review-manager** (skill): Educator peer review management for Canvas LMS. Tracks completion rates, analyzes comment quality, flags problematic reviews, sends targeted reminders, and generates instructor-ready reports. Trigger phrases include "peer review status", "how are peer reviews going", "who hasn't reviewed", "review quality", or any peer review follow-up task. Activation hint: When the user's task is highly relevant to the workflow described by “canvas-peer-review-manager”, use it for a pre-install experience first, then decide whether to install. Evidence: `skills/canvas-peer-review-manager/SKILL.md`
- **canvas-week-plan** (skill): Student weekly assignment planner for Canvas LMS. Shows all due dates, submission status, grades, and peer reviews across all courses. Use when a student says "what's due", "plan my week", "weekly check", or wants to organize their coursework. Activation hint: When the user's task is highly relevant to the workflow described by “canvas-week-plan”, use it for a pre-install experience first, then decide whether to install. Evidence: `skills/canvas-week-plan/SKILL.md`

## Evidence Index

- Indexed 77 evidence entries.

- **Canvas MCP Server** (documentation): ! License: MIT https://img.shields.io/badge/License-MIT-yellow.svg https://opensource.org/licenses/MIT ! skills.sh https://img.shields.io/badge/skills.sh-canvas--mcp-blue https://skills.sh Evidence: `README.md`
- **canvas-mcp** (documentation): Setup wizard for Canvas MCP https://github.com/vishalsachdev/canvas-mcp — configure any AI coding client to use Canvas LMS tools in one command. Evidence: `cli/README.md`
- **internal/ — non-published project docs** (documentation): internal/ — non-published project docs Evidence: `internal/README.md`
- **Canvas MCP Tools Documentation** (documentation): This document provides a comprehensive overview of all tools available in the Canvas MCP Server, organized by audience and functionality. Evidence: `tools/README.md`
- **Configuration Overlays Baseline, Public, Enterprise** (documentation): Configuration Overlays Baseline, Public, Enterprise Evidence: `config/overlays/README.md`
- **Canvas Code Execution API** (documentation): This directory contains the TypeScript code execution API for token-efficient bulk operations with Canvas LMS. Evidence: `src/canvas_mcp/code_api/README.md`
- **Package** (package_manifest): { "name": "canvas-mcp", "version": "1.1.0", "description": "Setup wizard for Canvas MCP — configure any AI coding client in one command", "type": "module", "bin": { "canvas-mcp": "bin/cli.js" }, "files": "bin/", "lib/" , "keywords": "canvas", "lms", "mcp", "education", "claude", "codex", "cursor" , "author": "Vishal Sachdev ", "license": "MIT", "repository": { "type": "git", "url": "git+https://github.com/vishalsachdev/canvas-mcp.git", "directory": "cli" }, "dependencies": { "prompts": "^2.4.2", "@iarna/toml": "^2.2.5" }, "engines": { "node": " =18" } } Evidence: `cli/package.json`
- **Package** (package_manifest): { "name": "canvas-mcp-code-api", "version": "1.0.6", "description": "TypeScript code execution API for Canvas MCP", "type": "module", "scripts": { "build": "tsc", "exec": "node --loader ts-node/esm" }, "dependencies": { "node-fetch": "^3.3.2" }, "devDependencies": { "@types/node": "^20.10.0", "ts-node": "^10.9.2", "tsx": "^4.20.6", "typescript": "^5.3.3" } } Evidence: `package.json`
- **Canvas MCP - AI Agent Guide** (documentation): This guide helps AI agents Claude, Cursor, Zed, Windsurf, and other MCP clients effectively use the Canvas MCP server. Evidence: `AGENTS.md`
- **CLAUDE.md** (documentation): This file provides guidance to Claude Code claude.ai/code when working with code in this repository. Evidence: `CLAUDE.md`
- **Canvas Accessibility Auditor** (skill_instruction): Full accessibility audit cycle for Learning Designers: scan course content, generate prioritized report, guide remediation of fixable issues, re-scan to verify fixes, produce compliance summary. Evidence: `skills/canvas-accessibility-auditor/SKILL.md`
- **Canvas Bulk Grading** (skill_instruction): Grade Canvas LMS assignments efficiently using rubric-based workflows. This skill requires the Canvas MCP server to be running and authenticated with an instructor or TA token. Evidence: `skills/canvas-bulk-grading/SKILL.md`
- **Canvas Course Builder** (skill_instruction): Build complete Canvas course structures from a natural language description, a JSON template, or by cloning an existing course. Creates modules with pages, assignments, discussions, and proper organization in one workflow. Evidence: `skills/canvas-course-builder/SKILL.md`
- **Canvas Course QC** (skill_instruction): Automated quality checklist for Learning Designers to verify a Canvas course is ready for students. Runs structure, content, publishing, and completeness checks — then reports issues by priority. Evidence: `skills/canvas-course-qc/SKILL.md`
- **Canvas Discussion Facilitator** (skill_instruction): Facilitate discussion forum activity in Canvas LMS -- browse topics, read posts, reply to students, create new discussions, and monitor participation. Works for both students and educators. Evidence: `skills/canvas-discussion-facilitator/SKILL.md`
- **Canvas Morning Check** (skill_instruction): A comprehensive course health check for educators using Canvas LMS. Run it at the start of a teaching day or week to surface submission gaps, students who need support, and upcoming deadlines -- then take action directly from the results. Evidence: `skills/canvas-morning-check/SKILL.md`
- **Canvas Peer Review Manager** (skill_instruction): A complete peer review management workflow for educators using Canvas LMS. Monitor completion, analyze quality, identify students who need follow-up, send reminders, and export data -- all through MCP tool calls against the Canvas API. Evidence: `skills/canvas-peer-review-manager/SKILL.md`
- **Canvas Week Plan** (skill_instruction): Generate a comprehensive weekly plan for a student, showing all upcoming assignments, current grades, submission status, and pending peer reviews across all enrolled courses. Evidence: `skills/canvas-week-plan/SKILL.md`
- **License** (source_file): Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files the "Software" , to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: Evidence: `LICENSE`
- **Feasibility & Design: Interactive UI for Canvas results via MCP Apps** (documentation): Feasibility & Design: Interactive UI for Canvas results via MCP Apps Evidence: `docs/mcp-apps-feasibility.md`
- **Python files to ignore** (source_file): Python files to ignore Uncomment the following lines if you want to ignore specific Python files some specific file.py temp .py Evidence: `.gitignore`
- **cli/.gitignore** (source_file): node modules/ Evidence: `cli/.gitignore`
- **Pyproject** (source_file): build-system requires = "hatchling" build-backend = "hatchling.build" Evidence: `pyproject.toml`
- **Clients** (source_file): configPath: ⋮---- configPath: = Evidence: `cli/lib/clients.js`
- **Config Writer** (source_file): function backup filePath ⋮---- function ensureDir filePath ⋮---- function readJson filePath ⋮---- function readToml filePath ⋮---- function writeJson filePath, data ⋮---- function writeToml filePath, data ⋮---- function updateConfigFile client, mutate ⋮---- function configureClient client, token, canvasUrl Evidence: `cli/lib/config-writer.js`
- **Wizard** (source_file): async function runWizard ⋮---- validate: v ⋮---- validate: v = ⋮---- onCancel: = Evidence: `cli/lib/wizard.js`
- **Init** (source_file): version = "1.5.0" author = "Vishal Sachdev" email = "vsachde2@illinois.edu" description = "A Model Context Protocol server for Canvas LMS integration" ⋮---- all = "main", " version " Evidence: `src/canvas_mcp/__init__.py`
- **Init** (source_file): all = Evidence: `src/canvas_mcp/core/__init__.py`
- **Build the credential + client ONCE here not per send . Azure imports stay** (source_file): def feature ready config - bool ⋮---- def entity to row entity - dict ⋮---- """Convert an azure-data-tables entity to a plain row, surfacing the ETag. azure-data-tables exposes the ETag via entity.metadata 'etag' rather than as an item, so a bare dict entity silently drops it. The store's consume pending needs row 'etag' for the optimistic-concurrency single-use guard, so copy it onto the row. Pure — no azure import — so it is unit-testable without the optional hosted deps installed. """ row = dict entity meta = getattr entity, "metadata", None or {} etag = meta.get "etag" ⋮---- class AzureTableBackend ⋮---- def init self, table client - None ⋮---- def get self, pk, rk ⋮---- def upsert self… Evidence: `src/canvas_mcp/core/access/factory.py`
- **Notify** (source_file): def build request email req: Requester, approve url: str - dict ⋮---- subject = f"Canvas MCP access request — {req.display name or req.upn}" html = f"""\ plain = f"Canvas MCP access request\n\n{req.display name} \n" ⋮---- """Dedup, mint a token, build the email, and send it. Never raises.""" ⋮---- exp = now + ttl seconds should = store.note request ⋮---- token = mint token oid=requester.oid, jti=jti, exp=exp, secret=secret approve url = f"{approve base url}/admin/access/approve?token={token}" msg = build request email requester, approve url Evidence: `src/canvas_mcp/core/access/notify.py`
- **Validate the token against the live pending request WITHOUT consuming it** (source_file): WRAP = " " ⋮---- def render confirm page req: Requester, token: str - str ⋮---- def render success page req: Requester - str ⋮---- def render invalid page - str ⋮---- def render retry page - str ⋮---- async def send html send, html: str, status: int = 200 - None ⋮---- def requester from pending row: dict None, oid: str - Requester ⋮---- row = row or {} ⋮---- token = parse qs query string.decode .get "token" or "" 0 claims = verify token token, secret=secret, now=now ⋮---- pending = store.get pending claims.oid ⋮---- token = parse qs body.decode .get "token" or "" 0 ⋮---- Validate the token against the live pending request WITHOUT consuming it yet, so a downstream write failure leaves the to… Evidence: `src/canvas_mcp/core/access/routes.py`
- **--- request/dedup + single-use consume ---** (source_file): GRANT PK = "grant" PENDING PK = "pending" ⋮---- class ConcurrencyConflict Exception ⋮---- @dataclass frozen=True class Requester ⋮---- oid: str upn: str display name: str ⋮---- @dataclass frozen=True class Grant ⋮---- granted utc: str ⋮---- class InMemoryBackend ⋮---- def init self - None ⋮---- def bump self - str ⋮---- def get self, pk: str, rk: str - dict None ⋮---- row = self. rows.get pk, rk ⋮---- def upsert self, entity: dict - None ⋮---- entity = dict entity ⋮---- def replace if unmodified self, entity: dict, etag: str - None ⋮---- key = entity "PartitionKey" , entity "RowKey" current = self. rows.get key ⋮---- def query self, pk: str - list dict ⋮---- def delete self, pk: str, rk: st… Evidence: `src/canvas_mcp/core/access/store.py`
- **Without a scheme, urlparse puts the host in path and leaves** (source_file): INVALID INT ENV VARS: dict str, str = {} INVALID FLOAT ENV VARS: dict str, str = {} ⋮---- VALID SANDBOX MODES = frozenset {"auto", "local", "container"} ⋮---- def parse keys raw: str - frozenset str ⋮---- def normalize canvas url raw: str - str ⋮---- url = raw.strip ⋮---- parsed = urlparse url Without a scheme, urlparse puts the host in path and leaves netloc empty — we can't reliably rebuild it, so leave it for the validator to warn about. ⋮---- Preserve an existing /api/v version segment truncating any extra path after it , matching only at a segment boundary so a real version like /api/v2 is kept rather than rewritten. When the path carries no version segment, append the canonical /api/v… Evidence: `src/canvas_mcp/core/config.py`
- **Init** (source_file): all = 'register resources and prompts' Evidence: `src/canvas_mcp/resources/__init__.py`
- **--- Admin access-approval routes intercepted before any token gate ---** (source_file): async def send json error send: Any, status: int, message: str - None ⋮---- body = json.dumps {"error": message} .encode "utf-8" ⋮---- async def read body receive - bytes ⋮---- body = b"" ⋮---- msg = await receive ⋮---- def access key ok presented: str, allowed: frozenset str - bool ⋮---- def client principal id headers: dict bytes, bytes - str None ⋮---- pid = headers.get b"x-ms-client-principal-id", b"" .decode "utf-8", errors="ignore" .strip ⋮---- def client principal claims headers: dict bytes, bytes - dict str, str ⋮---- raw = headers.get b"x-ms-client-principal", b"" ⋮---- payload = json.loads base64.b64decode raw ⋮---- ADMIN APPROVE PATH = "/admin/access/approve" ADMIN CONFIRM PATH =… Evidence: `src/canvas_mcp/server.py`
- **Init** (source_file): all = Evidence: `src/canvas_mcp/tools/__init__.py`
- **Preprocess the string to handle common issues** (source_file): def preprocess criteria string criteria string: str - str ⋮---- cleaned = criteria string.strip ⋮---- cleaned = cleaned 1:-1 .replace '\\"', '"' .replace '\\\\', '\\' ⋮---- def validate rubric criteria criteria json: str - dict str, Any ⋮---- """Validate and parse rubric criteria JSON structure. Args: criteria json: JSON string containing rubric criteria Returns: Parsed criteria dictionary Raises: ValueError: If JSON is invalid or structure is incorrect """ Preprocess the string to handle common issues cleaned json = preprocess criteria string criteria json ⋮---- criteria = json.loads cleaned json ⋮---- Try alternative parsing methods if JSON fails ⋮---- Maybe it's a Python literal string r… Evidence: `src/canvas_mcp/tools/rubrics.py`
- **Changelog** (documentation): All notable changes to this project will be documented in this file. Evidence: `CHANGELOG.md`
- **Security Policy** (documentation): We take the security of Canvas MCP seriously. If you discover a security vulnerability, please follow these guidelines: Evidence: `SECURITY.md`
- **The Moment Your Side Project Stops Being Yours** (documentation): The Moment Your Side Project Stops Being Yours Evidence: `articles/2026-02-23-the-moment-your-side-project-stops-being-yours.md`
- **Example: Bulk Grading Jupyter Notebooks** (documentation): Example: Bulk Grading Jupyter Notebooks Evidence: `examples/bulk_grading_example.md`
- **Common Issues and Solutions** (documentation): Quick fixes for the most common problems with Canvas MCP. Evidence: `examples/common_issues.md`
- **Educator Quick Start Guide** (documentation): This guide shows the most common tasks educators use Canvas MCP for. Evidence: `examples/educator_quickstart.md`
- **Real-World Workflows** (documentation): Practical examples showing how to combine Canvas MCP features for common teaching and learning scenarios. Evidence: `examples/real_world_workflows.md`
- **Student Quick Start Guide** (documentation): This guide shows common tasks students can accomplish with Canvas MCP. Evidence: `examples/student_quickstart.md`
- **Canvas MCP — Architecture Review: MCP Server vs. Direct Canvas API Access** (documentation): Canvas MCP — Architecture Review: MCP Server vs. Direct Canvas API Access Evidence: `internal/architecture-review.md`
- **Architecture & Key Components** (documentation): Design reference extracted from CLAUDE.md. Evidence: `internal/architecture.md`
- **Claude Code Development Best Practices for Canvas MCP** (documentation): Claude Code Development Best Practices for Canvas MCP Evidence: `internal/best-practices.md`
- **Research spec handoff : Does Azure App Service native Entra auth validate the MCP bearer token for us?** (documentation): Research spec handoff : Does Azure App Service native Entra auth validate the MCP bearer token for us? Evidence: `internal/research-appservice-mcp-entra.md`
- **Session History** (documentation): Archived session log entries from canvas-mcp CLAUDE.md. Evidence: `internal/session-history.md`
- **Glama** (structured_config): { "$schema": "https://glama.ai/mcp/schemas/server.json", "maintainers": "vishalsachdev" } Evidence: `glama.json`
- **Manifest** (structured_config): { "manifest version": "0.2", "name": "canvas-mcp", "display name": "Canvas MCP", "version": "1.4.0", "description": "Work with your Canvas LMS courses through an AI assistant — assignments, grading with rubrics, discussions, peer-review analytics, messaging, and more.", "long description": "Canvas MCP gives an MCP client Claude Desktop, etc. ~90 tools for Canvas LMS: list/manage courses, assignments and submissions, grade with rubrics, facilitate discussions, run peer-review and student analytics, send messages, and audit course content for accessibility. It runs locally as a stdio server and calls Canvas with YOUR own Canvas API token — every action runs under your own Canvas role and audi… Evidence: `manifest.json`
- **Server** (structured_config): { "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json", "name": "io.github.vishalsachdev/canvas-mcp", "description": "Canvas LMS integration for students and educators with FERPA-compliant analytics and workflows", "version": "1.5.0", "websiteUrl": "https://canvas-mcp.illinihunt.org/", "repository": { "url": "https://github.com/vishalsachdev/canvas-mcp", "source": "github", "id": "940427833" }, "tags": "education", "lms", "canvas", "teaching", "learning", "api", "student-tools", "educator-tools", "peer-review", "rubrics", "analytics", "ferpa" , "license": "MIT", "transport": { "type": "stdio" }, "packages": { "registryType": "pypi", "identifier": "canvas… Evidence: `server.json`
- **Tool Manifest** (structured_config): { "$schema": "https://json-schema.org/draft/2020-12/schema", "name": "canvas-mcp", "version": "1.5.0", "description": "MCP server for Canvas Learning Management System API", "categories": { "id": "student", "name": "Student Tools", "description": "Personal academic tracking using Canvas 'self' endpoints" }, { "id": "educator", "name": "Educator Tools", "description": "Course management, grading, and analytics for instructors/TAs" }, { "id": "shared", "name": "Shared Tools", "description": "Content access tools for both students and educators" }, { "id": "developer", "name": "Developer Tools", "description": "Bulk operations, code execution, and tool discovery" } , "tools": { "name": "get my… Evidence: `tools/TOOL_MANIFEST.json`
- **Tsconfig** (structured_config): { "compilerOptions": { "target": "ES2022", "module": "ES2022", "lib": "ES2022" , "moduleResolution": "node", "esModuleInterop": true, "allowSyntheticDefaultImports": true, "strict": true, "skipLibCheck": true, "forceConsistentCasingInFileNames": true, "resolveJsonModule": true, "outDir": "./dist", "rootDir": "./src/canvas mcp/code api", "declaration": true, "declarationMap": true, "sourceMap": true }, "include": "src/canvas mcp/code api/ / " , "exclude": "node modules", "dist" , "ts-node": { "esm": true, "experimentalSpecifierResolution": "node" } } Evidence: `tsconfig.json`
- **Impact** (structured_config): { "collected at": "2026-06-29T14:05:01Z", "github": { "stars": 153, "forks": 45, "contributors": 13, "open issues": 5, "views 14d": 866, "views 14d unique": 378, "clones 14d": 1830, "clones 14d unique": 585, "referrers": { "referrer": "Google", "count": 335, "uniques": 194 }, { "referrer": "github.com", "count": 103, "uniques": 60 }, { "referrer": "reddit.com", "count": 26, "uniques": 20 }, { "referrer": "canvas-mcp.illinihunt.org", "count": 22, "uniques": 7 }, { "referrer": "Bing", "count": 17, "uniques": 11 }, { "referrer": "search.brave.com", "count": 17, "uniques": 6 }, { "referrer": "chatgpt.com", "count": 6, "uniques": 2 }, { "referrer": "DuckDuckGo", "count": 3, "uniques": 3 }, { "re… Evidence: `docs/data/impact.json`
- **Git files** (source_file): Python cache pycache .py cod $py.class .so .Python Evidence: `.dockerignore`
- **Allowlist: ignore everything at the repo root, then un-ignore ONLY what the** (source_file): Allowlist: ignore everything at the repo root, then un-ignore ONLY what the Python server needs at runtime. This keeps the bundle minimal and prevents shipping internal/ops files CLAUDE.md, deploy/, docs/, etc. to end users. / !/manifest.json !/pyproject.toml !/uv.lock !/LICENSE !/README.md !/env.template !/src Evidence: `.mcpbignore`
- **Cname** (source_file): canvas-mcp.illinihunt.org Evidence: `CNAME`
- **Use Python 3.12 slim image for smaller size** (source_file): Use Python 3.12 slim image for smaller size FROM python:3.12-slim Evidence: `Dockerfile`
- The remaining 17 evidence entries are in `AI_CONTEXT_PACK.json` or `EVIDENCE_INDEX.json`.

## Rules the Host AI Must Follow

- **Treat this asset as pre-work context, not a runtime environment.**: The AI Context Pack contains only an evidence-backed understanding of the project, not the project's executable state. Evidence: `README.md`, `cli/README.md`, `internal/README.md`
- **When answering the user, distinguish what can be previewed from what can only be verified after install.**: The consumer value of the pre-install experience comes from reducing bad installs and misjudgments, not from pretending to be a real run. Evidence: `README.md`, `cli/README.md`, `internal/README.md`

## Questions the User Should Answer First

- Which host AI or local environment do you plan to use it in?
- Do you just want to experience the workflow first, or are you ready to actually install?
- What matters most to you: install cost, output quality, or conflicts with your existing rules?

## Acceptance Checks

- Every capability claim can be traced back to a file path in evidence_refs.
- AI_CONTEXT_PACK.md does not package previews as a real run.
- The user can understand who it fits, what it can do, how to start, and the risk boundaries within 3 minutes.

---

## Doramagic Context Augmentation

The following sections strengthen the repository context for a host AI. Human Manual data is a reading route, and pitfall notes become operating constraints.

## Human Manual Outline

Usage rule: this is only a reading route and salience signal, not factual authority. Concrete claims must still return to repo evidence or Claim Graph.

Host AI hard rules:
- Do not treat page titles, section order, summaries, or importance values as factual project evidence.
- When explaining the Human Manual outline, state that it is only a reading route or salience signal.
- Capability, installation, compatibility, runtime state, and risk claims must cite repo evidence, source paths, or Claim Graph.

- **Overview**: importance `high`
  - source_paths: README.md, cli/README.md, cli/package.json, config/overlays/README.md, internal/README.md
- **Lib**: importance `high`
  - source_paths: cli/lib/clients.js, cli/lib/config-writer.js, cli/lib/wizard.js
- **Cli**: importance `high`
  - source_paths: cli/.gitignore, cli/README.md, cli/bin/cli.js, cli/lib/clients.js, cli/lib/config-writer.js
- **Core**: importance `high`
  - source_paths: src/canvas_mcp/core/__init__.py, src/canvas_mcp/core/access/__init__.py, src/canvas_mcp/core/access/factory.py, src/canvas_mcp/core/access/notify.py, src/canvas_mcp/core/access/routes.py

## Repo Inspection Evidence

- repo_clone_verified: true
- repo_inspection_verified: true
- repo_commit: `f86a7c30184a0614f707454453e0151a9d58704b`
- inspected_files: `Dockerfile`, `README.md`, `package.json`, `pyproject.toml`, `uv.lock`, `docs/data/impact.json`, `docs/mcp-apps-feasibility.md`, `examples/bulk_grading_example.md`, `examples/common_issues.md`, `examples/educator_quickstart.md`, `examples/real_world_workflows.md`, `examples/student_quickstart.md`, `src/canvas_mcp/__init__.py`, `src/canvas_mcp/code_api/README.md`, `src/canvas_mcp/code_api/canvas/assignments/index.ts`, `src/canvas_mcp/code_api/canvas/assignments/listSubmissions.ts`, `src/canvas_mcp/code_api/canvas/communications/index.ts`, `src/canvas_mcp/code_api/canvas/communications/sendMessage.ts`, `src/canvas_mcp/code_api/canvas/courses/getCourseDetails.ts`, `src/canvas_mcp/code_api/canvas/courses/index.ts`

Host AI hard rules:
- Without repo_clone_verified=true, do not claim that the source code has been read.
- Without repo_inspection_verified=true, do not write README, docs, or package-file conclusions as facts.
- Without quick_start_verified=true, do not claim that the Quick Start path has run successfully.

## Doramagic Pitfall Constraints

These rules come from Doramagic discovery, validation, or compilation findings. The host AI must treat them as operating constraints, not background notes.

### Constraint 1: Security or permission risk requires verification

- Trigger: Developers should check this security_permissions risk before relying on the project: mcp-remote clients re-login hourly — request `offline_access` scope for refresh token
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: mcp-remote clients re-login hourly — request `offline_access` scope for refresh token. Context: Source discussion did not expose a precise runtime context.
- Why it matters: Developers may expose sensitive permissions or credentials: mcp-remote clients re-login hourly — request `offline_access` scope for refresh token
- Evidence: failure_mode_cluster:github_issue | https://github.com/vishalsachdev/canvas-mcp/issues/146
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 2: Installation risk requires verification

- Trigger: Developers should check this installation risk before relying on the project: v1.0.8
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: v1.0.8. Context: Observed during installation or first-run setup.
- Why it matters: Upgrade or migration may change expected behavior: v1.0.8
- Evidence: failure_mode_cluster:github_release | https://github.com/vishalsachdev/canvas-mcp/releases/tag/v1.0.8
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 3: Installation risk requires verification

- Trigger: Developers should check this installation risk before relying on the project: v1.1.0 — Learning Designer & Token Optimization
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: v1.1.0 — Learning Designer & Token Optimization. Context: Observed when using python
- Why it matters: Upgrade or migration may change expected behavior: v1.1.0 — Learning Designer & Token Optimization
- Evidence: failure_mode_cluster:github_release | https://github.com/vishalsachdev/canvas-mcp/releases/tag/v1.1.0
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 4: Installation risk requires verification

- Trigger: Developers should check this installation risk before relying on the project: v1.2.0
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: v1.2.0. Context: Observed when using node, windows
- Why it matters: Upgrade or migration may change expected behavior: v1.2.0
- Evidence: failure_mode_cluster:github_release | https://github.com/vishalsachdev/canvas-mcp/releases/tag/v1.2.0
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 5: Installation risk requires verification

- Trigger: Developers should check this installation risk before relying on the project: v1.3.0
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: v1.3.0. Context: Observed during installation or first-run setup.
- Why it matters: Upgrade or migration may change expected behavior: v1.3.0
- Evidence: failure_mode_cluster:github_release | https://github.com/vishalsachdev/canvas-mcp/releases/tag/v1.3.0
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 6: Installation risk requires verification

- Trigger: Developers should check this installation risk before relying on the project: v1.4.0
- Host AI rule: Before packaging this project, run the relevant install/config/quickstart check for: v1.4.0. Context: Observed when using python
- Why it matters: Upgrade or migration may change expected behavior: v1.4.0
- Evidence: failure_mode_cluster:github_release | https://github.com/vishalsachdev/canvas-mcp/releases/tag/v1.4.0
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.
