An open-source security proxy and active firewall for the Model Context Protocol (MCP)
McpVanguard 🛡️
Titan-Grade AI Firewall for MCP Agents (v1.7.0)
MCP (Model Context Protocol) enables AI agents to interact with host-level tools. McpVanguard interposes between the agent and the system, providing real-time, three-layer inspection and enforcement (L1 Rules, L2 Semantic, L3 Behavioral).
Transparent integration. Zero-configuration requirements for existing servers.
Badges: Tests | PyPI version | License: Apache 2.0 | Python 3.11+
Part of the Provnai Open Research Initiative: Building the Immune System for AI.
⚡ Quickstart
pip install mcp-vanguard
Local stdio wrap (no network):
vanguard start --server "npx @modelcontextprotocol/server-filesystem ."
Cloud Security Gateway (SSE, deploy on Railway):
export VANGUARD_API_KEY="your-secret-key"
vanguard sse --server "npx @modelcontextprotocol/server-filesystem ."
Deploy on Railway
Full Railway Deployment Guide
🛡️ Getting Started (New Users)
Bootstrap your security workspace with a single command:
# 1. Initialize safe zones and .env template
vanguard init
# 2. (Optional) Protect your Claude Desktop servers
vanguard configure-claude
# 3. Launch the visual security dashboard
vanguard ui --port 4040
How it works
Every time an AI agent calls a tool (e.g. read_file, run_command), McpVanguard inspects the request across three layers before it reaches the underlying server:
| Layer | What it checks | Latency |
|---|---|---|
| L1: Safe Zones & Rules | Kernel-level isolation (openat2 / Windows canonicalization) and 50+ deterministic signatures | ~16ms |
| L2: Semantic | LLM-based intent scoring via OpenAI, DeepSeek, Groq or Ollama | Async |
| L3: Behavioral | Shannon Entropy ($H(X)$) scouter and sliding-window anomaly detection | Stateful |
Performance note: the 16ms overhead is measured at peak concurrent load. In standard operation the added latency is well under 2ms, negligible relative to typical LLM inference times.
If a request is blocked, the agent receives a standard JSON-RPC error response. The underlying server never sees it.
Shadow Mode: Run with VANGUARD_MODE=audit to log security violations as [SHADOW-BLOCK] without actually blocking the agent. Perfect for assessing risk in existing production workflows.
🛡️ What gets blocked
Sandbox Escapes: TOCTOU symlink attacks, Windows 8.3 shortnames (PROGRA~1), DOS device namespaces
Data Exfiltration: High-entropy payloads (H > 7.5 cryptographic keys) and velocity-based secret scraping
Filesystem attacks: Path traversal (../../etc/passwd), null bytes, restricted paths (~/.ssh), Unicode homograph evasion
Command injection: Pipe-to-shell, reverse shells, command chaining via ; && \n, expansion bypasses
SSRF & Metadata Protection: Blocks access to cloud metadata endpoints (AWS/GCP/Azure) and hex/octal encoded IPs.
Jailbreak Detection: Actively identifies prompt injection patterns and instruction-ignore sequences.
Continuous Monitoring: Visualize all of the above in real-time with the built-in Security Dashboard.
Security Dashboard
Launch the visual monitor to see your agent's activity and security status in real-time.
vanguard ui --port 4040
The dashboard provides a low-latency, HTMX-powered feed of:
Real-time Blocks: Instantly see which rule or layer triggered a rejection.
Entropy Scores: Pulse-check the $H(X)$ levels of your agent's data streams.
Audit History: Contextual log fragments for rapid incident response.
VEX Protocol: Deterministic Audit Log
When McpVanguard blocks an attack, it creates an OPA/Cerbos-compatible Secure Tool Manifest detailing the Principal, Action, Resource, and environmental snapshot.
This manifest is then sent as a cryptographically-signed report to the VEX Protocol. VEX anchors that report to the Bitcoin blockchain via the CHORA Gate.
This means an auditor can independently verify exactly what was blocked, the entropy score, and why, without relying on your local logs.
export VANGUARD_VEX_URL="https://api.vexprotocol.com"
export VANGUARD_VEX_KEY="your-agent-jwt"
export VANGUARD_AUDIT_FORMAT="json" # Optional: Route JSON logs directly into SIEM (ELK, Splunk)
vanguard sse --server "..." --behavioral
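As an added illustration of the audit record described above, and not McpVanguard's or VEX Protocol's code: build a manifest with the Principal, Action, Resource and environment-snapshot fields the page names, encode it canonically, and produce a report that an auditor can verify without the proxy's local logs. HMAC-SHA256 from the standard library stands in for the real signature scheme (a public-key signature would let the auditor hold only a verifying key); the field names, the canonical encoding, the key and the sample values are assumptions or constructed, since the page does not describe VEX's wire format.

```python
import hashlib
import hmac
import json

# Added example (not McpVanguard's or VEX Protocol's code): the shape of a
# Principal / Action / Resource manifest with an environment snapshot, a
# canonical encoding, and a detached report an auditor can verify independently.
# HMAC-SHA256 stands in for the real signature scheme; field names, the
# encoding and the key are assumptions.

def build_manifest(principal: str, action: str, resource: str, rule: str,
                   entropy: float, environment: dict) -> dict:
    """Cerbos/OPA-style decision record: who asked, what, on which resource, and why it was denied."""
    return {
        "principal": {"id": principal},
        "action": action,
        "resource": {"kind": "file", "id": resource},
        "decision": {"effect": "DENY", "rule": rule, "entropy": round(entropy, 3)},
        "environment": environment,  # host, mode, timestamp... captured at block time
    }

def canonical_bytes(manifest: dict) -> bytes:
    """Sorted keys and no whitespace, so signer and auditor hash identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=True).encode("utf-8")

def sign_manifest(manifest: dict, key: bytes) -> dict:
    """Produce the report that would be sent on: manifest + digest + MAC over the digest."""
    digest = hashlib.sha256(canonical_bytes(manifest)).hexdigest()
    mac = hmac.new(key, digest.encode("ascii"), hashlib.sha256).hexdigest()
    return {"manifest": manifest, "sha256": digest, "sig": mac}

def verify_report(report: dict, key: bytes) -> bool:
    """Auditor side: recompute the digest from the manifest body, then check the MAC in constant time."""
    digest = hashlib.sha256(canonical_bytes(report["manifest"])).hexdigest()
    if not hmac.compare_digest(digest, report["sha256"]):
        return False  # manifest body was altered after it was signed
    mac = hmac.new(key, digest.encode("ascii"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, report["sig"])

def tampered_copy(report: dict, rule: str) -> dict:
    """Deep copy with the decision rule rewritten; shows that post-hoc edits are detected."""
    copy = json.loads(json.dumps(report))
    copy["manifest"]["decision"]["rule"] = rule
    return copy

# Constructed sample, as the proxy might emit it when L3 blocks a high-entropy write.
DEMO_KEY = b"constructed-demo-key-not-for-production"
DEMO_REPORT = sign_manifest(
    build_manifest("agent:claude-desktop", "tools/call:write_file", "/workspace/out.bin",
                   "l3.high_entropy", 7.98,
                   {"host": "demo-host", "mode": "enforce", "ts": 1700000000}),
    DEMO_KEY,
)

if __name__ == "__main__":
    print(json.dumps(DEMO_REPORT, indent=2))
    print("verifies:", verify_report(DEMO_REPORT, DEMO_KEY))
    print("tampered verifies:", verify_report(tampered_copy(DEMO_REPORT, "none"), DEMO_KEY))
```

The canonical encoding is the part most often got wrong in audit pipelines: if the sender and the auditor serialize the same manifest with different key order or whitespace, the digest changes and every report looks tampered.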
Architecture
AI Agent (Claude, GPT)
    |
    |  JSON-RPC request (stdio/SSE)
    v
McpVanguard Proxy
    |
    v
  [L1] Rules Engine
       50+ YAML signatures (path, cmd, net...)
       BLOCK on match -> error back to agent
    |  pass
    v
  [L2] Semantic Scorer (optional)
       OpenAI / MiniMax / Ollama scoring 0.0-1.0
       Async: never blocks the proxy loop
    |  pass
    v
  [L3] Behavioral Analysis (optional)
       Sliding window: scraping, enumeration
       In-memory or Redis (multi-instance)
    |
    +-- BLOCK (any layer) -> JSON-RPC error returned to the agent
    |                     -> VEX API -> CHORA Gate -> Bitcoin Anchor
    |                        (async, fire-and-forget audit receipt)
    |
    +-- ALLOW -> MCP Server Process (filesystem, shell, APIs...)
                    |
                    +-- response -> back to the agent
L2 Semantic Backend Options
The Layer 2 semantic scorer supports a Universal Provider Architecture. Set the corresponding API keys to activate a backend; the first available key wins (priority: Custom > OpenAI > MiniMax > Ollama):
| Backend | Env Vars | Notes |
|---|---|---|
| Universal Custom (DeepSeek, Groq, Mistral, vLLM) | VANGUARD_SEMANTIC_CUSTOM_KEY, VANGUARD_SEMANTIC_CUSTOM_MODEL, VANGUARD_SEMANTIC_CUSTOM_URL | Fast, cheap inference. Example URLs: Groq https://api.groq.com/openai/v1; DeepSeek https://api.deepseek.com/v1 |
| OpenAI | VANGUARD_OPENAI_API_KEY, VANGUARD_OPENAI_MODEL | Default model: gpt-4o-mini |
| MiniMax | VANGUARD_MINIMAX_API_KEY, VANGUARD_MINIMAX_MODEL, VANGUARD_MINIMAX_BASE_URL | Default model: MiniMax-M2.5 |
| Ollama (local) | VANGUARD_OLLAMA_URL, VANGUARD_OLLAMA_MODEL | Default model: phi4-mini. No API key required |
# Example: Use Groq for ultra-fast L2 scoring
export VANGUARD_SEMANTIC_ENABLED=true
export VANGUARD_SEMANTIC_CUSTOM_KEY="your-groq-key"
export VANGUARD_SEMANTIC_CUSTOM_MODEL="llama3-8b-8192"
export VANGUARD_SEMANTIC_CUSTOM_URL="https://api.groq.com/openai/v1"
vanguard start --server "npx @modelcontextprotocol/server-filesystem ."
Overview
An open-source security proxy and active firewall for the Model Context Protocol (MCP). It acts as a real-time "Reflex System" between AI agents and their tools, protecting the host system from malicious intent, prompt injection, and data exfiltration.
Server Config
{
"mcpServers": {
"mcpvanguard": {
"command": "vanguard",
"args": [
"start",
"--server",
"npx @modelcontextprotocol/server-filesystem ."
],
"env": {
"VANGUARD_MODE": "enforce"
}
}
}
}