ScopeBlind

Security gateway for MCP servers. Shadow-mode logs. Per-tool policies. Optional signed receipts.

Website · Docs · npm · Verify a Receipt

protect-mcp — MCP Server Security Gateway

Wrap any stdio MCP server in one line. Start in shadow mode to see every tool call. Add a policy file to enforce per-tool rules. Generate local keys with protect-mcp init if you want signed receipts.

# Shadow mode — log every tool call, enforce nothing
npx protect-mcp -- node your-mcp-server.js

# Generate local signing keys + config template
npx protect-mcp init

# Run with policy + local signing
npx protect-mcp --policy protect-mcp.json -- node your-mcp-server.js

# Try the built-in demo
npx protect-mcp demo

What ships today

  • Shadow mode (default) — logs every tool invocation with structured decision entries. Blocks nothing.
  • Enforce mode — applies per-tool policies: block, rate_limit, min_tier.
  • Optional local signing — when signing is configured, emits Ed25519-signed receipts alongside decision logs.
  • Demo command — npx protect-mcp demo runs a built-in 5-tool MCP server wrapped with the gateway.
  • Status command — npx protect-mcp status shows tool call stats from the local decision log.
  • Evidence store — file-based receipt history per agent for trust tier promotion.
  • Verification — receipts verify offline with npx @veritasacta/verify or at scopeblind.com/verify.
  • No account required — local process, local config, local keys.

Current capability boundaries

  • The bare npx protect-mcp -- ... path emits logs, not signed receipts. Run protect-mcp init for signing.
  • Tier-aware policy checks are live, but manifest admission is not wired into the default CLI path. CLI sessions default to unknown unless a host integration sets admission state programmatically.
  • Credential config validates env-backed references and records credential labels in logs/receipts. Generic per-call injection is adapter-specific.
  • External PDP adapters (OPA, Cerbos, generic) and audit bundle helpers are exported as programmatic hooks, not fully wired into the default CLI path.

Example policy

{
  "default_tier": "unknown",
  "tools": {
    "delete_database": { "block": true },
    "write_file": { "min_tier": "signed-known", "rate_limit": "10/minute" },
    "read_file": { "rate_limit": "50/minute" },
    "*": { "rate_limit": "100/hour" }
  },
  "signing": {
    "key_path": "./keys/gateway.json",
    "issuer": "protect-mcp",
    "enabled": true
  }
}

Claude Desktop / Cursor config

{
  "mcpServers": {
    "my-server": {
      "command": "npx",
      "args": ["protect-mcp", "--policy", "protect-mcp.json", "--enforce", "--", "node", "my-server.js"]
    }
  }
}

Works with Claude Desktop, Cursor, VS Code — any client that speaks MCP over stdio.

The Bigger Picture

ScopeBlind produces signed, portable receipts for machine access decisions. Each receipt contains the decision, policy digest, trust tier, and timestamp — signed with Ed25519 and verifiable by anyone without calling ScopeBlind.

protect-mcp is the free, open-source entry point for MCP servers. The ScopeBlind platform adds managed signing, a real-time dashboard, and edge enforcement.

Machines need receipts. Receipts shouldn't require surveillance.

Packages

Package — Purpose
protect-mcp — MCP server security gateway
@veritasacta/verify — Offline receipt/bundle verification CLI
@veritasacta/artifacts — Ed25519 signing + JCS canonicalization
@scopeblind/passport — Agent identity, signed manifests

Architecture

MCP Client (Claude, Cursor, VS Code)
  → protect-mcp (stdio proxy)
    → Intercept tools/call JSON-RPC
    → Evaluate policy (allow / block / rate_limit)
    → Log decision to stderr ([PROTECT_MCP] prefix)
    → Sign receipt if signing configured ([PROTECT_MCP_RECEIPT] prefix)
    → Forward allowed calls to wrapped MCP server
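The policy evaluation step of this flow, applied to the example policy shown earlier, as an added example that is not protect-mcp's own code: the tier ordering, the "*" wildcard fallback and the exact shadow-versus-enforce forwarding semantics are assumptions made for illustration.

```javascript
// Added example, not protect-mcp's own code: a minimal evaluator for the policy format
// shown above. Tier ordering, "*" fallback and forwarding semantics are assumptions.
const TIER_RANK = { unknown: 0, "signed-known": 1 }; // assumed: higher rank = more trusted
// "10/minute" -> { limit: 10, windowMs: 60000 }
function parseRate(spec) {
  const [count, unit] = spec.split("/");
  const windowMs = { second: 1e3, minute: 6e4, hour: 36e5 }[unit];
  if (!windowMs || !Number.isInteger(+count) || +count <= 0) throw new Error(`bad rate_limit: ${spec}`);
  return { limit: +count, windowMs };
}
function createGateway(policy, { enforce = false } = {}) {
  const windows = new Map(); // tool name -> timestamps counted against its rate limit
  // Evaluate one JSON-RPC request. `forward` is false only when enforce mode is
  // on and the verdict is not "allow"; shadow mode logs the verdict but forwards anyway.
  function evaluate(request, session = {}, now = Date.now()) {
    if (request.method !== "tools/call") return { decision: "allow", reason: "not a tool call", forward: true };
    const tool = request.params.name;
    const rule = policy.tools[tool] ?? policy.tools["*"] ?? {};
    const tier = session.tier ?? policy.default_tier ?? "unknown";
    let verdict = { decision: "allow", reason: "allowed by policy" };
    if (rule.block) {
      verdict = { decision: "block", reason: "tool blocked by policy" };
    } else if (rule.min_tier && (TIER_RANK[tier] ?? -1) < TIER_RANK[rule.min_tier]) {
      verdict = { decision: "block", reason: `tier ${tier} below min_tier ${rule.min_tier}` };
    } else if (rule.rate_limit) {
      const { limit, windowMs } = parseRate(rule.rate_limit);
      const recent = (windows.get(tool) ?? []).filter((t) => now - t < windowMs);
      if (recent.length >= limit) verdict = { decision: "rate_limit", reason: `over ${rule.rate_limit}` };
      else recent.push(now);
      windows.set(tool, recent);
    }
    const entry = { ts: new Date(now).toISOString(), tool, tier, mode: enforce ? "enforce" : "shadow", ...verdict };
    console.error(`[PROTECT_MCP] ${JSON.stringify(entry)}`); // structured decision log line
    return { ...entry, forward: !enforce || verdict.decision === "allow" };
  }
  return { evaluate };
}
// Constructed sample: the policy from this README, signing section omitted.
const samplePolicy = {
  default_tier: "unknown",
  tools: {
    delete_database: { block: true },
    write_file: { min_tier: "signed-known", rate_limit: "10/minute" },
    read_file: { rate_limit: "50/minute" },
    "*": { rate_limit: "100/hour" },
  },
};
```

Calling createGateway(samplePolicy).evaluate(request) on a tools/call request logs one [PROTECT_MCP] line per call; pass { enforce: true } to turn block and rate_limit verdicts into calls that are not forwarded.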

License

Source-available under the Functional Source License (FSL-1.1-MIT). You may use, modify, and self-host this freely for your own projects or internal company use. You may not offer ScopeBlind (or a substantially similar service) as a hosted/managed product to third parties. After 2 years, each version automatically converts to the MIT license.

Built by Tom Farley in Sydney, Australia.
