@jacobmolz/mcpguard 0.3.0 → 0.3.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +36 -0
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -6,6 +6,8 @@
|
|
|
6
6
|
|
|
7
7
|
Security proxy daemon for MCP servers — adds authentication, rate limiting, PII detection, permission scoping, and audit logging without modifying upstream servers.
|
|
8
8
|
|
|
9
|
+
|
|
10
|
+
|
|
9
11
|
## What is this?
|
|
10
12
|
|
|
11
13
|
MCP (Model Context Protocol) servers give AI coding tools access to files, databases, APIs, and more. But they have no built-in authentication, no audit trail, and no way to restrict which tools an agent can call.
|
|
@@ -89,6 +91,40 @@ MCP-Guard uses **terminate, inspect, re-originate** — it fully owns both the c
|
|
|
89
91
|
|
|
90
92
|
Config merge uses **floor-based semantics**: personal configs can restrict but never relax base policies. `allowed_tools` are intersected, `denied_tools` are unioned, rate limits take the stricter value.
|
|
91
93
|
|
|
94
|
+
## Why This Matters
|
|
95
|
+
|
|
96
|
+
### Without MCP-Guard
|
|
97
|
+
|
|
98
|
+
```
|
|
99
|
+
Agent asks to read /home/user/.env via filesystem MCP server
|
|
100
|
+
→ Server returns: AWS_SECRET_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
|
|
101
|
+
→ API key is now in the agent's context window
|
|
102
|
+
→ No authentication. No audit trail. No one knows it happened.
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
### With MCP-Guard
|
|
106
|
+
|
|
107
|
+
```
|
|
108
|
+
Agent asks to read /home/user/.env via filesystem MCP server
|
|
109
|
+
→ MCP-Guard intercepts the response
|
|
110
|
+
→ PII detector matches AWS key pattern → BLOCK
|
|
111
|
+
→ Audit log records: blocked response, server=filesystem, pii_type=aws_key
|
|
112
|
+
→ Agent receives: "Request blocked by security policy"
|
|
113
|
+
```
|
|
114
|
+
|
|
115
|
+
## Scope
|
|
116
|
+
|
|
117
|
+
MCP-Guard operates at the **MCP protocol layer** — it inspects JSON-RPC messages between client and server. This is a deliberate architectural boundary.
|
|
118
|
+
|
|
119
|
+
**What MCP-Guard does not address:**
|
|
120
|
+
|
|
121
|
+
- **LLM prompt injection** — MCP-Guard does not analyze agent intent. Detecting whether an agent was tricked into making a malicious call requires agent-layer defenses.
|
|
122
|
+
- **Model jailbreaking or alignment bypasses** — MCP-Guard does not operate at the model layer. LLM safety is a model-layer concern, not a transport security concern.
|
|
123
|
+
- **Network-layer attacks** (MITM, DNS rebinding, TLS stripping) — MCP-Guard does not replace network security. Use standard network security controls.
|
|
124
|
+
- **Malicious MCP server implementations** — the proxy limits exposure via permissions and PII scanning, but cannot fix a compromised server.
|
|
125
|
+
|
|
126
|
+
MCP-Guard is the protocol-layer firewall. It complements agent-layer and network-layer defenses — it doesn't replace them.
|
|
127
|
+
|
|
92
128
|
## Benchmark Results
|
|
93
129
|
|
|
94
130
|
The benchmark suite is open-source and fully reproducible (`pnpm benchmark`). It tests MCP-Guard's deterministic interceptor pipeline — policy enforcement, pattern matching, and access control — against 7,095 programmatically generated attack scenarios across 10 categories and 10,168 legitimate requests. See [Benchmark Methodology](docs/benchmark-methodology.md) for threat model, statistical interpretation, and known limitations.
|
package/package.json
CHANGED