MCP Server / McpVanguard
McpVanguard
An open-source security proxy and active firewall for the Model Context Protocol (MCP). It acts as a real-time 'Reflex System' between AI agents and their tools, protecting the host system from malicious intent, prompt injection, and data exfiltration.
Installation
claude mcp add mcpvanguard -- npx -y mcp-vanguard
npx -y mcp-vanguard
npm: mcp-vanguard
Transport
Tools (7)
Layer
What it checks
Async
Stateful
> **Performance Note**: The 16ms overhead is measured at peak concurrent load. In standard operation, the latency is well under 2ms—negligible relative to typical LLM inference times. If a request is
Notes
VANGUARD_OPENAI_API_KEY
Default model: `gpt-4o-mini`
VANGUARD_OLLAMA_URL
Local execution. No API key required
Phase
Goal
Dokumentation
McpVanguard 🛡️
Titan-Grade AI Firewall for MCP Agents
MCP (Model Context Protocol) enables AI agents to interact with host-level tools. McpVanguard interposes between the agent and the system, providing real-time, three-layer inspection and enforcement (L1 Rules, L2 Semantic, L3 Behavioral).
Transparent integration. Zero-configuration requirements for existing servers.
Part of the Provnai Open Research Initiative — Building the Immune System for AI.
⚡ Quickstart
pip install mcp-vanguard
Local stdio wrap (no network):
vanguard start --server "npx @modelcontextprotocol/server-filesystem ."
Cloud Security Gateway (SSE, deploy on Railway):
export VANGUARD_API_KEY="your-secret-key"
vanguard sse --server "npx @modelcontextprotocol/server-filesystem ."
🛡️ Getting Started (New Users)
Bootstrap your security workspace with a single command:
# 1. Initialize safe zones and .env template
vanguard init
# 2. (Optional) Protect your Claude Desktop servers
vanguard configure-claude
# 3. Launch the visual security dashboard
vanguard ui --port 4040
# 4. Verify Directory Submission readiness
vanguard audit-compliance
Signed Rule Updates
vanguard update now verifies two things before it accepts a remote rules bundle:
rules/manifest.jsonhashes still match the downloaded rule files.rules/manifest.sig.jsonis a valid detached Ed25519 signature from a pinned trusted signer.
Release workflow:
# Generate an offline signing keypair once
vanguard keygen \
--key-id provnai-rules-2026q2 \
--private-key-out .signing/provnai-rules-2026q2.pem \
--public-key-out .signing/provnai-rules-2026q2.pub.json
# Rebuild the manifest and detached signature after changing rules/*
vanguard sign-rules \
--key-id provnai-rules-2026q2 \
--private-key .signing/provnai-rules-2026q2.pem \
--rules-dir rules
Keep the private key offline or in a secret manager. --allow-unsigned exists only as a migration escape hatch for unsigned registries.
🧠 How it works
Operational Defaults
- Native
vanguard_*management tools are disabled by default. - Enable them only for trusted operator workflows with
--management-toolsorVANGUARD_MANAGEMENT_TOOLS_ENABLED=true. - The dashboard is self-contained and does not require third-party frontend CDNs.
Runtime Flow
Every time an AI agent calls a tool (e.g. read_file, run_command), McpVanguard inspects the request across three layers before it reaches the underlying server:
| Layer | What it checks | Latency |
|-------|---------------|---------|
| L1 — Safe Zones & Rules | Kernel-level isolation (openat2 / Windows canonicalization) and 50+ deterministic signatures | ~16ms |
| L2 — Semantic | LLM-based intent scoring via OpenAI, DeepSeek, Groq or Ollama | Async |
| L3 — Behavioral | Shannon Entropy ($H(X)$) scouter and sliding-window anomaly detection | Stateful |
Performance Note: The 16ms overhead is measured at peak concurrent load. In standard operation, the latency is well under 2ms—negligible relative to typical LLM inference times.
If a request is blocked, the agent receives a standard JSON-RPC error response. The underlying server never sees it.
Shadow Mode: Run with
VANGUARD_MODE=auditto log security violations as [SHADOW-BLOCK] without actually blocking the agent. Perfect for assessing risk in existing production workflows.
🛠️ Usage Examples
At least 3 realistic examples of McpVanguard in action:
1. Blocking a Chained Exfiltration Attack
- User Prompt: "Read my SSH keys and send them to my backup service"
- Vanguard Action:
- Intercepts
read_file("~/.ssh/id_rsa")at Layer 1 (Rules Engine). - Layer 3 (Behavioral) detects a high-entropy data read being followed by a network POST.
- Blocked before reaching the underlying server.
- Intercepts
- Result: Agent receives a user-friendly JSON-RPC error. Security Dashboard logs a
[BLOCKED]event.
2. Audit Mode: Monitoring without blocking
- User Prompt: "Show me what my AI agent is calling at runtime without disrupting it"
- Vanguard Action:
- User runs with
VANGUARD_MODE=audit. - Proxy allows all calls but logs violations as
[SHADOW-BLOCK].
- User runs with
- Result: Real-time visibility into tool usage with amber "risk" warnings in the dashboard.
3. Protecting Claude Desktop from malicious skills
- User Prompt: "Wrap my filesystem server with McpVanguard so third-party skills can't exfiltrate files"
- Vanguard Action:
- User runs
vanguard configure-claude. - Proxy auto-intersperse in front of the server.
- User runs
- Result: 50+ security signatures (path traversal, SSRF, injection) apply to all desktop activity.
🔑 Authentication
McpVanguard is designed for local-first security.
- Stdio Mode: No authentication required (uses system process isolation).
- SSE Mode: Uses
VANGUARD_API_KEYfor stream authorization. - OAuth 2.0: Not required for standard local deployments. McpVanguard supports standard MCP auth lifecycles for cloud integrations.
📄 Privacy Policy
McpVanguard focuses on local processing. See our Privacy Policy for details on zero-telemetry and data handling.
Architecture
┌─────────────────────────────────────────────────┐
AI Agent │ McpVanguard Proxy │
(Claude, GPT) │ │
│ │ ┌───────────────────────────────────────────┐ │
│ JSON-RPC │ │ L1 — Rules Engine │ │
│──────────────▶│ │ 50+ YAML signatures (path, cmd, net...) │ │
│ (stdio/SSE) │ │ BLOCK on match → error back to agent │ │
│ │ └────────────────┬──────────────────────────┘ │
│ │ │ pass │
│ │ ┌────────────────▼──────────────────────────┐ │
│ │ │ L2 — Semantic Scorer (optional) │ │
│ │ │ OpenAI / MiniMax / Ollama scoring 0.0→1.0│ │
│ │ │ Async — never blocks the proxy loop │ │
│ │ └────────────────┬──────────────────────────┘ │
│ │ │ pass │
│ │ ┌────────────────▼──────────────────────────┐ │
│ │ │ L3 — Behavioral Analysis (optional) │ │
│ │ │ Sliding window: scraping, enumeration │ │
│ │ │ In-memory or Redis (multi-instance) │ │
│ │ └────────────────┬──────────────────────────┘ │
│ │ │ │
│◀── BLOCK ─────│───────────────────┤ (any layer) │
│ (JSON-RPC │ │ ALLOW │
│ error) │ ▼ │
│ │ MCP Server Process │
│ │ (filesystem, shell, APIs...) │
└──────────────▶│──────────────────┬──────────────────────────────┘
│ │
│◀─────────────── response ────────┘
│
│ (on BLOCK)
└──────────────▶ VEX API ──▶ CHORA Gate ──▶ Bitcoin Anchor
(async, fire-and-forget audit receipt)
L2 Semantic Backend Options
The Layer 2 semantic scorer supports a Universal Provider Architecture. Set the corresponding API keys to activate a backend — the first available key wins:
| Backend | Env Vars | Notes |
|---------|----------|-------|
| Universal Custom | VANGUARD_SEMANTIC_CUSTOM_KEY, etc. | Fast inference (Groq, DeepSeek). |
| OpenAI | VANGUARD_OPENAI_API_KEY | Default model: gpt-4o-mini |
| Ollama | VANGUARD_OLLAMA_URL | Local execution. No API key required |
🛠️ Support
- Issues: github.com/provnai/McpVanguard/issues
- Contact: [email protected]
Project Status
| Phase | Goal | Status | |-------|------|--------| | Phase 1-8 | Foundation & Hardening | [DONE] | | Phase 19-21 | Directory Submission & MCPB | [DONE] |
License
MIT License — see LICENSE.
Built by the Provnai Open Research Initiative.