File Operations MCP
Your AI can generate a perfect utility function, but if it cannot create the file and place it in the right directory, you are still copying and pasting. The gap between “AI suggests code” and “AI applies changes to your project” is bridged by filesystem access. Getting it right means balancing power with safety — the AI should modify only what you intend.
What You’ll Walk Away With
Section titled “What You’ll Walk Away With”- Configuration for the official Filesystem MCP server with proper directory scoping
- An understanding of when to use Desktop Commander versus the official server
- Security patterns for restricting write access in team environments
- Prompts that leverage filesystem access for real refactoring workflows
Official Filesystem MCP Server
Section titled “Official Filesystem MCP Server”The reference implementation provides structured file operations: read, write, create, delete, move, and search. It enforces an allowed_directories boundary — the AI cannot touch anything outside the paths you specify.
{ "mcpServers": { "filesystem": { "command": "npx", "args": [ "-y", "@modelcontextprotocol/server-filesystem", "/Users/you/projects/my-app" ] } }}Claude Code has native filesystem access built in. It can read, write, search, and list files without an MCP server. The built-in tools respect the project directory boundary automatically. You do not need this server unless you want to give Claude Code access to directories outside the current project.
[mcp.filesystem]transport = "stdio"command = "npx"args = ["-y", "@modelcontextprotocol/server-filesystem", "/Users/you/projects/my-app"]The server exposes these tools: read_file, write_file, create_directory, list_directory, move_file, search_files, get_file_info, and read_multiple_files. Each tool only operates within the allowed directories.
Desktop Commander: Full Terminal Access
Section titled “Desktop Commander: Full Terminal Access”When you need more than file operations — terminal commands, process management, ripgrep search — Desktop Commander is the power-user alternative. It runs arbitrary shell commands, manages background processes, and provides advanced text search.
{ "mcpServers": { "desktop-commander": { "command": "npx", "args": ["-y", "@wonderwhy-er/desktop-commander"] } }}Claude Code already has terminal access through its native Bash tool. Desktop Commander is redundant unless you need its specific process management features.
[mcp.desktop-commander]transport = "stdio"command = "npx"args = ["-y", "@wonderwhy-er/desktop-commander"]Security Patterns for Teams
Section titled “Security Patterns for Teams”When multiple developers share MCP configurations, enforce these boundaries:
- Scope to project directories only. Never allow home directories,
/tmp, or system paths. - Use read-only mode for shared servers. If you only need the AI to analyze code, restrict write operations.
- Commit
.cursor/mcp.jsonto the repo so the team shares the same scoped configuration. Keep API keys in environment variables, not in the config file. - Prefer Claude Code for filesystem work — its built-in tools already enforce project-level scoping and require explicit approval for destructive operations.
When This Breaks
Section titled “When This Breaks”“Permission denied” errors. The server runs as your user. If a file is owned by root or another user, the MCP server cannot read or write it. Fix file permissions or run in a container.
AI creates files in unexpected locations. This happens when the AI misinterprets a relative path. Always use absolute paths in your allowed_directories configuration.
Large file reads time out. The filesystem server reads entire files into memory. For files larger than a few megabytes, use read_multiple_files with specific line ranges or switch to a search-first approach with search_files.