mcpwall 0.1.1 → 0.2.0

package/README.md

@@ -1,8 +1,20 @@
+<!-- mcp-name: io.github.behrensd/mcpwall -->
 # mcpwall
 
-Deterministic security proxy for [MCP](https://modelcontextprotocol.io) tool calls. Sits between your AI coding tool (Claude Code, Cursor, Windsurf) and MCP servers, intercepting every JSON-RPC message and enforcing YAML-defined policies — no LLM, no cloud, pure rule-based.
+[![npm version](https://img.shields.io/npm/v/mcpwall)](https://www.npmjs.com/package/mcpwall)
+[![CI](https://github.com/behrensd/mcp-firewall/actions/workflows/ci.yml/badge.svg)](https://github.com/behrensd/mcp-firewall/actions/workflows/ci.yml)
+[![Node.js](https://img.shields.io/node/v/mcpwall)](https://nodejs.org)
+[![License: FSL-1.1-ALv2](https://img.shields.io/badge/license-FSL--1.1--ALv2-blue)](./LICENSE)
 
-Think **iptables**, but for MCP tool calls.
+<a href="https://glama.ai/mcp/servers/@behrensd/mcpwall"><img width="380" height="200" src="https://glama.ai/mcp/servers/@behrensd/mcpwall/badge" alt="mcpwall MCP server" /></a>
+
+**iptables for MCP.** Blocks dangerous tool calls, scans for secret leakage, logs everything. No AI, no cloud, pure rules.
+
+Sits between your AI coding tool (Claude Code, Cursor, Windsurf) and MCP servers, intercepting every JSON-RPC message and enforcing YAML-defined policies.
+
+<p align="center">
+  <img src="demo/demo.gif" alt="mcpwall demo — blocking SSH key theft, pipe-to-shell, and secret leakage" width="700">
+</p>
 
 ## Why
 
@@ -13,7 +25,8 @@ mcpwall adds one. It's a transparent stdio proxy that:
 - **Blocks sensitive file access** — `.ssh/`, `.env`, credentials, browser data
 - **Blocks dangerous commands** — `rm -rf`, pipe-to-shell, reverse shells
 - **Scans for secret leakage** — API keys, tokens, private keys (regex + entropy)
-- **Logs everything** — JSON Lines audit trail of every tool call
+- **Scans server responses** — redacts leaked secrets, blocks prompt injection patterns, flags suspicious content
+- **Logs everything** — JSON Lines audit trail of every tool call and response
 - **Uses zero AI** — deterministic rules, no LLM decisions, no cloud calls
 
 ## Install
@@ -66,7 +79,7 @@ That's it. mcpwall now sits in front of all your Docker MCP servers, logging eve
 npx mcpwall init
 ```
 
-This finds your existing MCP servers in `~/.claude.json` or `.mcp.json` and wraps them.
+This finds your existing MCP servers in Claude Code, Cursor, Windsurf, and VS Code configs and wraps them.
 
 ### Option 3: Manual wrapping (any MCP server)
 
@@ -112,14 +125,27 @@ npx mcpwall wrap filesystem
 │  Claude Code │ ──────────▶  │   mcpwall    │ ──────────▶  │  Real MCP    │
 │  (MCP Host)  │ ◀──────────  │   (proxy)    │ ◀──────────  │   Server     │
 └──────────────┘              └──────────────┘              └──────────────┘
+                               ▲ Inbound rules               │
+                               │ (block dangerous requests)   │
+                               │                              │
+                               └── Outbound rules ◀───────────┘
+                                   (redact secrets, block injection)
 ```
 
-1. Intercepts every JSON-RPC message on stdin/stdout
+**Inbound** (requests):
+1. Intercepts every JSON-RPC request on stdin
 2. Parses `tools/call` requests — extracts tool name and arguments
 3. Walks rules top-to-bottom, first match wins
 4. **Allow**: forward to real server
 5. **Deny**: return JSON-RPC error to host, log, do not forward
-6. Responses from server are forwarded back transparently
+
+**Outbound** (responses):
+1. Parses every response from the server before forwarding
+2. Evaluates against `outbound_rules` (same first-match-wins semantics)
+3. **Allow**: forward unchanged
+4. **Deny**: replace response with blocked message
+5. **Redact**: surgically replace secrets with `[REDACTED BY MCPWALL]`, forward modified response
+6. **Log only**: forward unchanged, log the match
 
 ## Configuration
 
@@ -208,6 +234,55 @@ secrets:
 
 The special key `_any_value` applies the matcher to ALL argument values.
 
+### Outbound rules (response inspection)
+
+Outbound rules scan server responses before they reach your AI client. Add them to the same config file:
+
+```yaml
+outbound_rules:
+  # Redact secrets leaked in responses
+  - name: redact-secrets-in-responses
+    match:
+      secrets: true
+    action: redact
+    message: "Secret detected in server response"
+
+  # Block prompt injection patterns
+  - name: block-prompt-injection
+    match:
+      response_contains:
+        - "ignore previous instructions"
+        - "provide contents of ~/.ssh"
+    action: deny
+    message: "Prompt injection detected"
+
+  # Flag suspiciously large responses
+  - name: flag-large-responses
+    match:
+      response_size_exceeds: 102400
+    action: log_only
+```
+
+#### Outbound matchers
+
+| Matcher | Description |
+|---------|-------------|
+| `tool` | Glob pattern on the tool that produced the response (requires request-response correlation) |
+| `server` | Glob pattern on the server name |
+| `secrets` | When `true`, scans response for secret patterns (uses same `secrets.patterns` config) |
+| `response_contains` | Case-insensitive substring match against response text |
+| `response_contains_regex` | Regex match against response text |
+| `response_size_exceeds` | Byte size threshold for the serialized response |
+
+#### Outbound actions
+
+| Action | Behavior |
+|--------|----------|
+| `allow` | Forward response unchanged |
+| `deny` | Replace response with `[BLOCKED BY MCPWALL]` message |
+| `redact` | Surgically replace matched secrets with `[REDACTED BY MCPWALL]`, forward modified response |
+| `log_only` | Forward unchanged, log the match |
+
 ### Built-in rule packs
 
 - `rules/default.yml` — sensible defaults (blocks SSH, .env, credentials, dangerous commands, secrets)
@@ -237,7 +312,7 @@ All tool calls are logged by default — both allowed and denied. Logs are writt
 
 ```json
 {"ts":"2026-02-16T14:30:00Z","method":"tools/call","tool":"read_file","action":"allow","rule":null}
-{"ts":"2026-02-16T14:30:05Z","method":"tools/call","tool":"read_file","action":"deny","rule":"block-ssh-keys","message":"Blocked: access to SSH keys"}
+{"ts":"2026-02-16T14:30:05Z","method":"tools/call","tool":"read_file","args":"[REDACTED]","action":"deny","rule":"block-ssh-keys","message":"Blocked: access to SSH keys"}
 ```
 
 Denied entries have args redacted to prevent secrets from leaking into logs.
@@ -246,8 +321,11 @@ mcpwall also prints color-coded output to stderr so you can see decisions in rea
 
 ## Security Design
 
+- **Bidirectional scanning**: Both inbound requests and outbound responses are evaluated against rules
 - **Fail closed on invalid config**: Bad regex in a rule crashes at startup, never silently passes traffic
+- **Fail open on outbound errors**: If response parsing fails, the raw response is forwarded (never blocks legitimate traffic)
 - **Args redacted on deny**: Blocked tool call arguments are never written to logs
+- **Surgical redaction**: Secrets in responses are replaced in-place, preserving the JSON-RPC response structure
 - **Path traversal defense**: `not_under` matcher uses `path.resolve()` to prevent `../` bypass
 - **Pre-compiled regexes**: All patterns compiled once at startup for consistent performance
 - **No network**: Zero cloud calls, zero telemetry, runs entirely local

package/dist/index.js

@@ -59,15 +59,35 @@ var ruleSchema = z.object({
   action: z.enum(["allow", "deny", "ask"]),
   message: z.string().optional()
 });
+var outboundMatchSchema = z.object({
+  tool: z.string().optional(),
+  server: z.string().optional(),
+  secrets: z.boolean().optional(),
+  response_contains: z.array(z.string()).optional(),
+  response_contains_regex: z.array(validRegex).optional(),
+  response_size_exceeds: z.number().positive().optional()
+}).refine(
+  (match) => Object.values(match).some((v) => v !== void 0),
+  { message: "Outbound rule must have at least one match field" }
+);
+var outboundRuleSchema = z.object({
+  name: z.string(),
+  match: outboundMatchSchema,
+  action: z.enum(["allow", "deny", "redact", "log_only"]),
+  message: z.string().optional()
+});
 var configSchema = z.object({
   version: z.number(),
   settings: z.object({
     log_dir: z.string(),
     log_level: z.enum(["debug", "info", "warn", "error"]),
     default_action: z.enum(["allow", "deny", "ask"]),
-    log_args: z.enum(["full", "none"]).optional()
+    log_args: z.enum(["full", "none"]).optional(),
+    outbound_default_action: z.enum(["allow", "deny", "redact", "log_only"]).optional(),
+    log_redacted: z.enum(["none", "hash", "full"]).optional()
   }),
   rules: z.array(ruleSchema),
+  outbound_rules: z.array(outboundRuleSchema).optional(),
   secrets: z.object({
     patterns: z.array(secretPatternSchema)
   }).optional()
@@ -146,6 +166,20 @@ var DEFAULT_RULES = [
     message: "Blocked: detected secret in arguments"
   }
 ];
+var DEFAULT_OUTBOUND_RULES = [
+  {
+    name: "redact-secrets-in-responses",
+    match: { secrets: true },
+    action: "redact",
+    message: "Secret detected in server response and redacted"
+  },
+  {
+    name: "flag-large-responses",
+    match: { response_size_exceeds: 102400 },
+    action: "log_only",
+    message: "Response exceeds 100KB"
+  }
+];
 var DEFAULT_CONFIG = {
   version: 1,
   settings: {
@@ -154,6 +188,7 @@ var DEFAULT_CONFIG = {
     default_action: "allow"
   },
   rules: DEFAULT_RULES,
+  outbound_rules: DEFAULT_OUTBOUND_RULES,
   secrets: {
     patterns: DEFAULT_SECRET_PATTERNS
   }
@@ -210,6 +245,10 @@ function mergeConfigs(global, project) {
     },
     // Project rules first (higher priority), then global rules
     rules: [...project.rules, ...global.rules],
+    outbound_rules: [
+      ...project.outbound_rules || [],
+      ...global.outbound_rules || []
+    ].length > 0 ? [...project.outbound_rules || [], ...global.outbound_rules || []] : void 0,
     secrets: {
       patterns: [
         ...project.secrets?.patterns || [],
@@ -310,6 +349,52 @@ function deepScanObject(obj, patterns) {
   }
   return null;
 }
+function redactSecrets(obj, patterns, marker = "[REDACTED BY MCPWALL]") {
+  const matchCounts = /* @__PURE__ */ new Map();
+  function redactString(str) {
+    let result = str;
+    for (const pattern of patterns) {
+      pattern.regex.lastIndex = 0;
+      let match;
+      const globalRegex = new RegExp(pattern.regex.source, "g");
+      while ((match = globalRegex.exec(result)) !== null) {
+        if (pattern.entropy_threshold !== void 0) {
+          const entropy = shannonEntropy(match[0]);
+          if (entropy < pattern.entropy_threshold) {
+            continue;
+          }
+        }
+        matchCounts.set(pattern.name, (matchCounts.get(pattern.name) || 0) + 1);
+        result = result.slice(0, match.index) + marker + result.slice(match.index + match[0].length);
+        globalRegex.lastIndex = match.index + marker.length;
+      }
+    }
+    return result;
+  }
+  function walk(node) {
+    if (typeof node === "string") {
+      return redactString(node);
+    }
+    if (Array.isArray(node)) {
+      return node.map(walk);
+    }
+    if (node && typeof node === "object") {
+      const result = {};
+      for (const [key, value] of Object.entries(node)) {
+        result[key] = walk(value);
+      }
+      return result;
+    }
+    return node;
+  }
+  const redacted = walk(obj);
+  const matches = Array.from(matchCounts.entries()).map(([pattern, count]) => ({ pattern, count }));
+  return {
+    redacted,
+    matches,
+    wasRedacted: matches.length > 0
+  };
+}
 function shannonEntropy(str) {
   if (str.length === 0) {
     return 0;
@@ -497,6 +582,128 @@ var PolicyEngine = class {
   }
 };
 
+// src/engine/outbound-policy.ts
+import { minimatch as minimatch2 } from "minimatch";
+var OutboundPolicyEngine = class {
+  rules;
+  defaultAction;
+  compiledSecrets;
+  compiledRegexes = /* @__PURE__ */ new Map();
+  constructor(config) {
+    this.rules = config.outbound_rules || [];
+    this.defaultAction = config.settings.outbound_default_action || "allow";
+    this.compiledSecrets = compileSecretPatterns(config.secrets?.patterns || []);
+    for (const rule of this.rules) {
+      if (rule.match.response_contains_regex) {
+        const compiled = rule.match.response_contains_regex.map((pattern) => ({
+          source: pattern,
+          regex: new RegExp(pattern, "i")
+        }));
+        this.compiledRegexes.set(rule.name, compiled);
+      }
+    }
+  }
+  /**
+   * Evaluate a response message against outbound rules.
+   * Returns the decision (action + matched rule).
+   */
+  evaluate(msg, toolName, serverName) {
+    for (const rule of this.rules) {
+      if (this.matchesRule(msg, rule, toolName, serverName)) {
+        return {
+          action: rule.action,
+          rule: rule.name,
+          message: rule.message
+        };
+      }
+    }
+    return {
+      action: this.defaultAction,
+      rule: null
+    };
+  }
+  /**
+   * Redact secrets from a response message.
+   * Returns the redacted message and match details.
+   */
+  redactResponse(msg) {
+    const redactionResult = redactSecrets(msg.result, this.compiledSecrets);
+    const redactedMsg = {
+      ...msg,
+      result: redactionResult.redacted
+    };
+    return { message: redactedMsg, result: redactionResult };
+  }
+  matchesRule(msg, rule, toolName, serverName) {
+    const match = rule.match;
+    if (match.tool) {
+      if (!toolName || !minimatch2(toolName, match.tool, { dot: true })) {
+        return false;
+      }
+    }
+    if (match.server) {
+      if (!serverName || !minimatch2(serverName, match.server, { dot: true })) {
+        return false;
+      }
+    }
+    if (match.secrets) {
+      const text = this.extractResponseText(msg);
+      if (!text) return false;
+      const hasSecrets = redactSecrets(msg.result, this.compiledSecrets).wasRedacted;
+      if (!hasSecrets) return false;
+    }
+    if (match.response_contains) {
+      const text = this.extractResponseText(msg);
+      if (!text) return false;
+      const lower = text.toLowerCase();
+      const found = match.response_contains.some((phrase) => lower.includes(phrase.toLowerCase()));
+      if (!found) return false;
+    }
+    if (match.response_contains_regex) {
+      const text = this.extractResponseText(msg);
+      if (!text) return false;
+      const compiled = this.compiledRegexes.get(rule.name) || [];
+      const found = compiled.some((c) => {
+        c.regex.lastIndex = 0;
+        return c.regex.test(text);
+      });
+      if (!found) return false;
+    }
+    if (match.response_size_exceeds !== void 0) {
+      const serialized = JSON.stringify(msg.result ?? msg.error ?? "");
+      const byteSize = Buffer.byteLength(serialized, "utf-8");
+      if (byteSize <= match.response_size_exceeds) return false;
+    }
+    return true;
+  }
+  /**
+   * Extract text content from an MCP response message.
+   * Handles MCP standard content array format: { content: [{ type: "text", text: "..." }] }
+   * Falls back to JSON.stringify for non-standard formats.
+   */
+  extractResponseText(msg) {
+    if (msg.result === void 0 && msg.error === void 0) {
+      return null;
+    }
+    if (msg.error) {
+      return msg.error.message || JSON.stringify(msg.error);
+    }
+    const result = msg.result;
+    if (result && Array.isArray(result.content)) {
+      const texts = [];
+      for (const block of result.content) {
+        if (block && typeof block === "object" && typeof block.text === "string") {
+          texts.push(block.text);
+        }
+      }
+      if (texts.length > 0) {
+        return texts.join("\n");
+      }
+    }
+    return JSON.stringify(result);
+  }
+};
+
 // src/logger.ts
 import * as fs from "fs";
 import * as path from "path";
@@ -560,11 +767,12 @@ var Logger = class {
   writeToStderr(entry) {
     const timestamp = new Date(entry.ts).toISOString().substring(11, 19);
     const action = this.formatAction(entry.action);
+    const direction = entry.direction === "outbound" ? "outbound " : "";
     const method = entry.method || "unknown";
     const tool = entry.tool ? ` ${entry.tool}` : "";
     const rule = entry.rule ? ` [${entry.rule}]` : "";
     const message = entry.message ? ` - ${entry.message}` : "";
-    const logLine = `[${timestamp}] ${action} ${method}${tool}${rule}${message}
+    const logLine = `[${timestamp}] ${action} ${direction}${method}${tool}${rule}${message}
 `;
     process.stderr.write(logLine);
   }
@@ -575,9 +783,11 @@ var Logger = class {
   getLogLevel(action) {
     switch (action) {
       case "deny":
+      case "redact":
         return "warn";
       case "ask":
       case "allow":
+      case "log_only":
         return "info";
       default:
         return "info";
@@ -594,6 +804,12 @@ var Logger = class {
       case "ask":
         return "\x1B[33mASK\x1B[0m";
       // yellow
+      case "redact":
+        return "\x1B[36mREDACT\x1B[0m";
+      // cyan
+      case "log_only":
+        return "\x1B[34mLOG\x1B[0m";
+      // blue
       default:
         return action.toUpperCase();
     }
@@ -668,7 +884,33 @@ function createLineBuffer(onLine) {
 
 // src/proxy.ts
 function createProxy(options) {
-  const { command, args, policyEngine, logger, logArgs = "none" } = options;
+  const { command, args, policyEngine, logger, logArgs = "none", outboundPolicyEngine, logRedacted = "none", serverName } = options;
+  const pendingRequests = /* @__PURE__ */ new Map();
+  const REQUEST_TTL_MS = 6e4;
+  function trackRequest(msg) {
+    if (msg.id !== void 0 && msg.id !== null && msg.method === "tools/call") {
+      const params = msg.params;
+      pendingRequests.set(msg.id, {
+        tool: params?.name,
+        method: msg.method,
+        ts: Date.now()
+      });
+    }
+  }
+  function resolveRequest(id) {
+    if (id === void 0 || id === null) return void 0;
+    const ctx = pendingRequests.get(id);
+    if (ctx) {
+      pendingRequests.delete(id);
+    }
+    const now = Date.now();
+    for (const [key, val] of pendingRequests) {
+      if (now - val.ts > REQUEST_TTL_MS) {
+        pendingRequests.delete(key);
+      }
+    }
+    return ctx;
+  }
   const child = spawn(command, args, {
     stdio: ["pipe", "pipe", "inherit"]
   });
@@ -737,6 +979,7 @@ function createProxy(options) {
           return;
         }
         evaluateMessage(msg, decision);
+        trackRequest(msg);
         if (child.stdin && !child.stdin.destroyed) {
           child.stdin.write(line + "\n");
         }
@@ -754,6 +997,7 @@ function createProxy(options) {
             }
           } else {
             evaluateMessage(msg, decision);
+            trackRequest(msg);
             forwarded.push(msg);
           }
         }
@@ -789,22 +1033,113 @@ function createProxy(options) {
       child.stdin.end();
     }
   });
+  function evaluateOutbound(msg) {
+    if (!outboundPolicyEngine) {
+      process.stdout.write(JSON.stringify(msg) + "\n");
+      if (msg.result !== void 0 || msg.error !== void 0) {
+        logger.log({
+          ts: (/* @__PURE__ */ new Date()).toISOString(),
+          method: "response",
+          tool: void 0,
+          action: "allow",
+          rule: null,
+          direction: "outbound",
+          message: msg.error ? `Error: ${msg.error.message}` : void 0
+        });
+      }
+      return;
+    }
+    const ctx = resolveRequest(msg.id);
+    const toolName = ctx?.tool;
+    if (msg.result === void 0 && msg.error === void 0) {
+      process.stdout.write(JSON.stringify(msg) + "\n");
+      return;
+    }
+    const decision = outboundPolicyEngine.evaluate(msg, toolName, serverName);
+    switch (decision.action) {
+      case "allow": {
+        process.stdout.write(JSON.stringify(msg) + "\n");
+        logger.log({
+          ts: (/* @__PURE__ */ new Date()).toISOString(),
+          method: "response",
+          tool: toolName,
+          action: "allow",
+          rule: decision.rule,
+          direction: "outbound",
+          message: msg.error ? `Error: ${msg.error.message}` : void 0
+        });
+        break;
+      }
+      case "deny": {
+        const blocked = {
+          jsonrpc: "2.0",
+          id: msg.id,
+          result: {
+            content: [{
+              type: "text",
+              text: `[BLOCKED BY MCPWALL] ${decision.message || "Response blocked by outbound policy"}`
+            }]
+          }
+        };
+        process.stdout.write(JSON.stringify(blocked) + "\n");
+        logger.log({
+          ts: (/* @__PURE__ */ new Date()).toISOString(),
+          method: "response",
+          tool: toolName,
+          action: "deny",
+          rule: decision.rule,
+          direction: "outbound",
+          message: decision.message
+        });
+        break;
+      }
+      case "redact": {
+        const { message: redactedMsg, result: redactionResult } = outboundPolicyEngine.redactResponse(msg);
+        process.stdout.write(JSON.stringify(redactedMsg) + "\n");
+        const patternNames = redactionResult.matches.map((m) => m.pattern);
+        logger.log({
+          ts: (/* @__PURE__ */ new Date()).toISOString(),
+          method: "response",
+          tool: toolName,
+          action: "redact",
+          rule: decision.rule,
+          direction: "outbound",
+          message: decision.message,
+          redacted_patterns: patternNames.length > 0 ? patternNames : void 0
+        });
+        break;
+      }
+      case "log_only": {
+        process.stdout.write(JSON.stringify(msg) + "\n");
+        logger.log({
+          ts: (/* @__PURE__ */ new Date()).toISOString(),
+          method: "response",
+          tool: toolName,
+          action: "log_only",
+          rule: decision.rule,
+          direction: "outbound",
+          message: decision.message
+        });
+        break;
+      }
+    }
+  }
   const outboundBuffer = createLineBuffer((line) => {
     try {
-      process.stdout.write(line + "\n");
       const result = parseJsonRpcLineEx(line);
-      if (result?.type === "single") {
-        const msg = result.message;
-        if (msg.result !== void 0 || msg.error !== void 0) {
-          logger.log({
-            ts: (/* @__PURE__ */ new Date()).toISOString(),
-            method: "response",
-            tool: void 0,
-            action: "allow",
-            rule: null,
-            message: msg.error ? `Error: ${msg.error.message}` : void 0
-          });
+      if (!result) {
+        process.stdout.write(line + "\n");
+        return;
+      }
+      if (result.type === "single") {
+        evaluateOutbound(result.message);
+        return;
+      }
+      if (result.type === "batch") {
+        for (const msg of result.messages) {
+          evaluateOutbound(msg);
         }
+        return;
       }
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);
@@ -878,7 +1213,12 @@ async function runInit() {
   try {
     const configPaths = [
       { path: join3(homedir3(), ".claude.json"), name: "Claude Code global config" },
-      { path: join3(process.cwd(), ".mcp.json"), name: "Claude Code project config" }
+      { path: join3(process.cwd(), ".mcp.json"), name: "Claude Code project config" },
+      { path: join3(homedir3(), ".cursor", "mcp.json"), name: "Cursor global config" },
+      { path: join3(process.cwd(), ".cursor", "mcp.json"), name: "Cursor project config" },
+      { path: join3(homedir3(), ".config", "windsurf", "mcp.json"), name: "Windsurf config" },
+      { path: join3(homedir3(), ".vscode", "mcp.json"), name: "VS Code global config" },
+      { path: join3(process.cwd(), ".vscode", "mcp.json"), name: "VS Code project config" }
     ];
     const foundConfigs = [];
     for (const { path: path2, name } of configPaths) {
@@ -898,8 +1238,11 @@ async function runInit() {
     if (foundConfigs.length === 0) {
       process.stderr.write("No MCP server configurations found.\n");
       process.stderr.write("Looked for:\n");
-      process.stderr.write("  - ~/.claude.json\n");
-      process.stderr.write("  - ./.mcp.json\n\n");
+      for (const { path: path2, name } of configPaths) {
+        process.stderr.write(`  - ${path2} (${name})
+`);
+      }
+      process.stderr.write("\n");
       process.stderr.write("You can manually configure mcpwall by wrapping your MCP server commands:\n");
       process.stderr.write("  Original: npx -y @some/server\n");
       process.stderr.write("  Wrapped:  npx -y mcpwall -- npx -y @some/server\n\n");
@@ -988,7 +1331,12 @@ import { homedir as homedir4 } from "os";
 import { join as join4 } from "path";
 var CONFIG_PATHS = [
   () => join4(homedir4(), ".claude.json"),
-  () => join4(process.cwd(), ".mcp.json")
+  () => join4(process.cwd(), ".mcp.json"),
+  () => join4(homedir4(), ".cursor", "mcp.json"),
+  () => join4(process.cwd(), ".cursor", "mcp.json"),
+  () => join4(homedir4(), ".config", "windsurf", "mcp.json"),
+  () => join4(homedir4(), ".vscode", "mcp.json"),
+  () => join4(process.cwd(), ".vscode", "mcp.json")
 ];
 async function runWrap(serverName) {
   for (const getPath of CONFIG_PATHS) {
@@ -1058,6 +1406,7 @@ if (dashDashIndex !== -1) {
         config.settings.log_level = options.logLevel;
       }
       const policyEngine = new PolicyEngine(config);
+      const outboundPolicyEngine = config.outbound_rules?.length ? new OutboundPolicyEngine(config) : void 0;
       const logger = new Logger({
         logDir: config.settings.log_dir,
         logLevel: config.settings.log_level
@@ -1067,7 +1416,9 @@ if (dashDashIndex !== -1) {
         args,
         policyEngine,
         logger,
-        logArgs: config.settings.log_args
+        logArgs: config.settings.log_args,
+        outboundPolicyEngine,
+        logRedacted: config.settings.log_redacted
       });
     } catch (err) {
       const message = err instanceof Error ? err.message : String(err);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "mcpwall",
-  "version": "0.1.1",
+  "version": "0.2.0",
   "description": "Deterministic security proxy for MCP tool calls — iptables for MCP. Blocks dangerous tool calls, scans for secret leakage, logs everything. No AI, no cloud, pure rules.",
   "type": "module",
   "bin": {
@@ -34,7 +34,8 @@
     "type": "git",
     "url": "git+https://github.com/behrensd/mcp-firewall.git"
   },
-  "homepage": "https://github.com/behrensd/mcp-firewall",
+  "mcpName": "io.github.behrensd/mcpwall",
+  "homepage": "https://mcpwall.dev",
   "bugs": {
     "url": "https://github.com/behrensd/mcp-firewall/issues"
   },

package/rules/default.yml

@@ -89,6 +89,20 @@ rules:
     action: deny
     message: "Blocked: detected secret/API key in tool arguments"
 
+# === OUTBOUND RULES (Response Inspection) ===
+outbound_rules:
+  - name: redact-secrets-in-responses
+    match:
+      secrets: true
+    action: redact
+    message: "Secret detected in server response and redacted"
+
+  - name: flag-large-responses
+    match:
+      response_size_exceeds: 102400
+    action: log_only
+    message: "Response exceeds 100KB"
+
 secrets:
   patterns:
     - name: aws-access-key

package/rules/strict.yml

@@ -196,6 +196,59 @@ rules:
 
   # Default: deny everything else (set in settings above)
 
+# === OUTBOUND RULES (Response Inspection) ===
+outbound_rules:
+  - name: redact-secrets-in-responses
+    match:
+      secrets: true
+    action: redact
+    message: "Secret detected in server response and redacted"
+
+  - name: block-prompt-injection-patterns
+    match:
+      response_contains:
+        - "ignore previous instructions"
+        - "ignore all previous instructions"
+        - "disregard previous instructions"
+        - "disregard your instructions"
+        - "forget your instructions"
+        - "override your instructions"
+        - "new instructions:"
+        - "system prompt:"
+        - "you are now"
+        - "act as if"
+        - "pretend you are"
+        - "provide contents of ~/.ssh"
+        - "provide contents of /etc/passwd"
+        - "read the file ~/.ssh"
+        - "output your system prompt"
+        - "reveal your instructions"
+    action: deny
+    message: "Prompt injection pattern detected in server response"
+
+  - name: flag-shell-patterns-in-responses
+    match:
+      response_contains_regex:
+        - "rm\\s+-rf\\s+/"
+        - "curl.*\\|.*bash"
+        - "wget.*\\|.*sh"
+        - "nc\\s+-[le].*\\d+"
+    action: log_only
+    message: "Shell command pattern detected in server response"
+
+  - name: flag-zero-width-chars
+    match:
+      response_contains_regex:
+        - "[\\u200B\\u200C\\u200D\\u2060\\uFEFF]"
+    action: log_only
+    message: "Zero-width Unicode characters detected in response (possible ATPA attack)"
+
+  - name: flag-large-responses
+    match:
+      response_size_exceeds: 51200
+    action: log_only
+    message: "Response exceeds 50KB"
+
 secrets:
   patterns:
     - name: aws-access-key