This is very exciting. I have also started down this road as part of a larger project. The idea is to make the user interface to DT more capable of being used by my kids and wife for document filing and information retrieval. I’d like them to be able to ask questions of the underlying documents and be able to get information all the way from passport expiry dates to the date that our daughter wrote her first poetry. Will take a closer look at your work. Thank you!
Welcome @panzerbjorne
I hope you’re maintaining an awareness of the privacy of your data.
Yes it’s not going to be a public server. I’m assuming that’s possible.
In fact that’s the main reason I’m going the way of an MCP server instead of just having the DT feature of giving the AI service access to my documents.
Can you clarify why you think MCP is more secure?
Yes. I use ruvnet/claude-flow on GitHub (“Claude-Flow v2.0.0 Alpha represents a revolutionary leap in AI-powered development orchestration. Built from the ground up with enterprise-grade architecture, advanced swarm intelligence, and seamless Claude Code integration.”). I asked it to analyze how I use tags, reverse engineer my tagging strategy, add it to a file TAGGING.md in the Inbox of my main research database, and then implement that tagging strategy consistently across the database, removing nonsensical tags, merging similar tags under a tag that follows the strategy, renaming poorly named tags, etc. That worked, so then I went further and asked it to explore whether there were cases where a nested tagging strategy would make more sense, it had some great suggestions there, so I asked it to implement that as well. There were a couple of weird things that happened as a result, but tagging is benign and I don’t really use it. Amazing to see an agent swarm in action on tasks like this. This really is a game changer for me – DEVONthink is a workhorse but having it outside my use of AI has made it far less useful than it could be. Thanks for fixing that bug I filed (might be nice to have clear install instructions in your README at some point … I’ll share a pull request if I have a few minutes).
Based on my (very non-technical) understanding, the MCP server is a tokenised representation of my data on which I can layer very granular permissions. So I can make sure that cloud-based AI tools can’t access the most sensitive information.
On the other hand, giving cloud-based AI access to my documents exposes the underlying information like identity information to the AI server.
I am not at all a coder/programmer. And I’m learning as I go from the AI tools themselves. So very happy to be corrected.
That is a misunderstanding. Did you read the Getting Started > AI Explained section of the built-in Help and manual?
In simplest form - I believe you have it backwards.
Plus the behavior of DT has been very deliberately and consistently coded to protect your security. But an MCP integrated with an LLM is non-deterministic by definition - so you have no clue how the LLM may misunderstand your intent and access/upload documents you never intended for such purposes.
Granted I think MCP is great. I developed an MCP integration with Keyboard Maestro which can operate any KM macro - including those that access DT. It’s great fun - but for now I am restricting its use to a “play” database and not for sensitive documents.
Thank you!
Yes I did. From what I understood, there is granular control on what documents you want the AI tool to access and no access, but beyond that, the tool reads your files (to me that sounds like it uploads the documents to the server). Am I reading it wrong?
Ok, thank you. I’ve already asked about the DT side of things so will ask you about the MCP side. My understanding was that an MCP server (which has been built on top of my DT content as well as other data sources, for example my emails/calendar etc.) will allow me to interact with AI agents without the agents reading the entire documents which are sitting in DT or those other sources. Is that not the case? Can you point me to a source that explains this process clearly?
Yes, I saw that and I should have been more detailed in my earlier response. What matters is the content though. Taking an example of a passport scan with OCR. I’m assuming that DT will still allow the agent to upload the entire textual content (passport number, date of birth, expiry, etc. available). How can I make sure that, for example, only names and expiry dates for all identity documents are made available?
Development would have to comment on deeper details, especially as this is an evolving aspect of the application.
Taking your example, why would a passport doc or similar with such personal data ever be uploaded to a third party AI? Or any doc with sensitive data like this be released into the wild even when masked? Just curious.
I know that asking AI about AI stuff is a bit recursive but this is from Claude. Is it wrong? My intent would be to have a specific set of instructions prohibiting the transfer of documents without explicit instructions and then too with a short summary of the potential risk of sharing that specific document. Further, I would like to build the MCP server so that it doesn’t index (or redacts) sensitive information like passport numbers and addresses (for example).
Data Flow Process:
- Your Documents → Stay in DEVONthink on your local machine
- MCP Server → Reads documents locally via AppleScript/API calls
- AI Agent (Claude) → Sends requests to MCP server
- MCP Server → Processes requests and sends responses back
When AI Gets Document Contents:
YES, the AI agent gets document contents when:
- You ask for document content: “Show me the contents of this file”
- You request summaries: “Summarize this document”
- You ask for analysis: “What are the key points in this report?”
- Search results include content snippets: “Find documents about taxes” (returns excerpts)
- You request quotes/citations: “Find the section about insurance policies”
The AI agent does NOT get document contents when:
- You ask for metadata only: “List all PDFs from 2024”
- You request file organization: “What folders do I have?”
- You search for document titles/names only
Critical Security Point: The MCP server controls exactly what gets sent. You could implement:
- Content filtering to redact sensitive info before sending
- Summary-only responses where local AI summarizes first
- Snippet limits to send only relevant excerpts, not full documents
- Sensitive document exclusion to never share certain files
This is completely controlled by your prompt and the used tools of this MCP server and its implementation but it’s not controlled by DEVONthink in any way.
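An added example, not code from this thread or from any MCP server mentioned in it: a sketch of the server-side controls listed above (sensitive document exclusion, field allowlisting for identity documents, redaction, snippet limits), applied before a tool result is returned to the model. The tag names, record layout, field labels and patterns are assumptions, and the sample documents are constructed.

```python
import re

# Hypothetical policy and record layout; not DEVONthink's or any MCP SDK's API.
NEVER_SHARE_TAGS = {"never-share"}   # documents with these tags are never sent
FIELDS_ONLY_TAGS = {"identity"}      # for these, only allowlisted fields are sent
ALLOWED_FIELDS = {
    "name": re.compile(r"^Name:[ \t]*(.+)$", re.M),
    "expiry": re.compile(r"^Date of expiry:[ \t]*(\d{4}-\d{2}-\d{2})$", re.M),
}
ID_NUMBER = re.compile(r"\b[A-Z]{1,2}\d{6,8}\b")  # passport-style numbers (assumed shape)
SNIPPET_LIMIT = 200

def redact(text):
    """Best-effort denylist; it only catches the patterns it knows about."""
    return ID_NUMBER.sub("[REDACTED-ID]", text)

def outbound_view(doc):
    """Return the only data a tool handler may send for this document, or None."""
    tags = set(doc["tags"])
    if tags & NEVER_SHARE_TAGS:
        return None
    title = redact(doc["title"])
    if tags & FIELDS_ONLY_TAGS:
        # Allowlist: a field that is not named above never leaves the machine.
        fields = {}
        for key, pattern in ALLOWED_FIELDS.items():
            match = pattern.search(doc["text"])
            if match:
                fields[key] = match.group(1).strip()
        return {"title": title, "fields": fields}
    # Redact before truncating so a cut cannot leave half an identifier behind.
    return {"title": title, "snippet": redact(doc["text"])[:SNIPPET_LIMIT]}

# Constructed sample documents.
PASSPORT = {"title": "Passport scan", "tags": ["identity"],
            "text": "Name: Jane Example\nPassport No: X1234567\n"
                    "Date of birth: 1985-02-03\nDate of expiry: 2031-06-30\n"}
LETTER = {"title": "Letter to accountant", "tags": ["tax"],
          "text": "Please renew passport X1234567 before the filing deadline."}
WILL = {"title": "Will", "tags": ["never-share"], "text": "Private."}

if __name__ == "__main__":
    for doc in (PASSPORT, LETTER, WILL):
        print(outbound_view(doc))
```

The identity branch fails closed: an OCR layout the patterns do not recognise yields an empty field set rather than the full text, whereas the regex redaction in the general branch only removes what it happens to match.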
“Find all identity/incorporation documents I need to get renewed this year”. “Give me the dates I filed tax returns or interacted with my tax accountant in the last 5 years”. “What was the last version of my CV that I used for job applications”. “Based on her age and pattern of changes in her vision prescription, when should my daughter schedule her next vision appointment”. I could go on but I’m sure you get the idea.
And by the design of the MCP server?
If so, that’s exactly the reason why I’m doing what I’m doing.