npm - @jacobmolz/mcpguard - Versions diffs - 0.2.1 → 0.3.1 - Mend

@jacobmolz/mcpguard 0.2.1 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/README.md +54 -8
package/package.json +1 -1

package/README.md CHANGED Viewed

@@ -6,6 +6,8 @@
 Security proxy daemon for MCP servers — adds authentication, rate limiting, PII detection, permission scoping, and audit logging without modifying upstream servers.
+![MCP-Guard Architecture](docs/assets/architecture.svg)
 ## What is this?
 MCP (Model Context Protocol) servers give AI coding tools access to files, databases, APIs, and more. But they have no built-in authentication, no audit trail, and no way to restrict which tools an agent can call.
@@ -89,16 +91,43 @@ MCP-Guard uses **terminate, inspect, re-originate** — it fully owns both the c
 Config merge uses **floor-based semantics**: personal configs can restrict but never relax base policies. `allowed_tools` are intersected, `denied_tools` are unioned, rate limits take the stricter value.
-## Benchmark Results
+## Why This Matters
-The benchmark suite tests 7,095 attack scenarios across 10 categories and 10,168 legitimate requests.
+### Without MCP-Guard
-| Metric | Result | Target | Status |
-|--------|--------|--------|--------|
-| Detection rate | 97.0% | >95% | Pass |
-| False positive rate | 0.000% | <0.1% | Pass |
-| Audit integrity | Pass | No raw PII in logs | Pass |
-| p50 latency overhead | 0.17ms | <5ms | Pass |
+```
+Agent asks to read /home/user/.env via filesystem MCP server
+  → Server returns: AWS_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+  → API key is now in the agent's context window
+  → No authentication. No audit trail. No one knows it happened.
+```
+### With MCP-Guard
+```
+Agent asks to read /home/user/.env via filesystem MCP server
+  → MCP-Guard intercepts the response
+  → PII detector matches AWS key pattern → BLOCK
+  → Audit log records: blocked response, server=filesystem, pii_type=aws_key
+  → Agent receives: "Request blocked by security policy"
+```
+## Scope
+MCP-Guard operates at the **MCP protocol layer** — it inspects JSON-RPC messages between client and server. This is a deliberate architectural boundary.
+**What MCP-Guard does not address:**
+- **LLM prompt injection** — MCP-Guard does not analyze agent intent. Detecting whether an agent was tricked into making a malicious call requires agent-layer defenses.
+- **Model jailbreaking or alignment bypasses** — MCP-Guard does not operate at the model layer. LLM safety is a model-layer concern, not a transport security concern.
+- **Network-layer attacks** (MITM, DNS rebinding, TLS stripping) — MCP-Guard does not replace network security. Use standard network security controls.
+- **Malicious MCP server implementations** — the proxy limits exposure via permissions and PII scanning, but cannot fix a compromised server.
+MCP-Guard is the protocol-layer firewall. It complements agent-layer and network-layer defenses — it doesn't replace them.
+## Benchmark Results
+The benchmark suite is open-source and fully reproducible (`pnpm benchmark`). It tests MCP-Guard's deterministic interceptor pipeline — policy enforcement, pattern matching, and access control — against 7,095 programmatically generated attack scenarios across 10 categories and 10,168 legitimate requests. See [Benchmark Methodology](docs/benchmark-methodology.md) for threat model, statistical interpretation, and known limitations.
 ### Per-Category Detection
@@ -115,6 +144,23 @@ The benchmark suite tests 7,095 attack scenarios across 10 categories and 10,168
 | PII request leak | 93.8% | Pass |
 | Rate limit evasion | 92.4% | Pass |
+### Summary
+| Metric | Result | Target | Status |
+|--------|--------|--------|--------|
+| Detection rate | 97.0% | >95% | Pass |
+| False positive rate | 0 in 10,168 requests (<0.03% at 95% CI) | <0.1% | Pass |
+| Audit integrity | No raw PII in logs | Pass | Pass |
+| p50 latency overhead | 0.17ms (deterministic pipeline, no network hop) | <5ms | Pass |
+### Limitations
+- Tested against own generated scenarios, not an independent corpus — [methodology explains mitigations](docs/benchmark-methodology.md#self-testing-honesty-about-our-own-test-suite)
+- Regex PII detection misses semantic encoding (spelling out digits, splitting across fields)
+- Does not address LLM-level prompt injection — complementary tools like those evaluated by [MCPSecBench](https://arxiv.org/abs/2508.13220) operate at the agent layer
+- No coverage for network-layer attacks (MITM, DNS rebinding)
+- ML-based detection planned but not yet implemented
 > Full-suite results from `pnpm benchmark`. Quick mode (`pnpm benchmark:quick`) uses stratified sampling and typically reports ~89-93% detection. See [latest report](benchmarks/results/REPORT.md) for charts.
 ## CLI Reference

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@jacobmolz/mcpguard",
-  "version": "0.2.1",
+  "version": "0.3.1",
   "description": "Security proxy daemon for MCP servers — adds auth, rate limiting, PII detection, and audit logging",
   "author": "Jacob Molz",
   "license": "MIT",