Source-available MCP route for approval and local evidence on routed MCP tool calls

Project description

agentveil-mcp-proxy

agentveil-mcp-proxy is the public AgentVeil route for MCP tool calls today. It wraps a downstream MCP server and applies AgentVeil policy to calls that pass through the proxy: allow, approval-required, or block, with bounded local evidence.

This package is source-available under the Business Source License 1.1. See LICENSE.

Scope

MCP Proxy controls only MCP tool calls that are explicitly routed through agentveil-mcp-proxy.

  • It does not control host shell commands.
  • It does not control IDE-native file edits.
  • It does not control direct git, pip, deploy, or package-manager commands.
  • It does not create a Cursor, Codex, Claude, or desktop host lock.
  • Actions not routed through the proxy are not classified or logged.

Use credential custody, egress boundaries, or API gates when an action must be controlled below the agent process. Those boundary patterns are preview and design-partner work, not general public release paths in this package.

Install

pip install agentveil-mcp-proxy

This installs the agentveil-mcp-proxy console script. The core agentveil SDK is installed as a dependency.

Quick Start

Create a local proxy identity, config, and control grant:

agentveil-mcp-proxy init

By default init creates an encrypted identity. Provide a passphrase interactively, via --passphrase-file, or via the AVP_PROXY_PASSPHRASE environment variable. See Operations: Security trade-offs by passphrase source.

Validate the local setup:

agentveil-mcp-proxy doctor

For a local first run without installing another MCP server, configure the built-in sandboxed filesystem downstream:

agentveil-mcp-proxy init --quickstart-filesystem ./sandbox
agentveil-mcp-proxy doctor --full
agentveil-mcp-proxy smoke

Then run the proxy:

agentveil-mcp-proxy run

For a real downstream server, write downstream.command and downstream.args with the helper:

agentveil-mcp-proxy downstream set \
  --name filesystem \
  --command npx \
  --arg -y \
  --arg @modelcontextprotocol/server-filesystem \
  --arg /Users/me/work

Configure An MCP Client

Point your MCP client at agentveil-mcp-proxy run instead of directly at the downstream MCP server. The proxy reads downstream server config from ~/.avp/mcp-proxy/config.json.

If you installed into a virtual environment, point the client's "command" field at the full path of agentveil-mcp-proxy inside that environment, since the client will not have that environment activated.

To print copy-pasteable client config without editing application files:

agentveil-mcp-proxy client-config print
agentveil-mcp-proxy client-config print --client cursor --proxy-command "$(which agentveil-mcp-proxy)"
agentveil-mcp-proxy client-config print --json

This is dry-run only: it writes to stdout, not ~/.cursor, Claude Desktop, or other application config directories.

Generic stdio configuration

{
  "mcpServers": {
    "agentveil-mcp-proxy": {
      "command": "agentveil-mcp-proxy",
      "args": ["run"]
    }
  }
}

Local Evidence

Approval-gated routed tool calls write durable local records to the MCP Proxy evidence store under the configured AVP home directory. Export an evidence bundle for offline checks:

agentveil-mcp-proxy export-evidence ./bundle.json
agentveil-mcp-proxy verify ./bundle.json --trusted-signer-did did:key:...

Raw MCP arguments, prompts, outputs, tokens, source code, secrets, and private logs remain local by default. Runtime decisions should use bounded metadata and hashes. See Data Handling.
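The bounded-evidence idea above, as an added illustration that is not the project's own evidence format: each routed call is recorded as metadata plus a hash of its arguments, records are hash-chained, and an offline check detects edits or dropped records. Field names, the chaining scheme and the sample calls are assumptions constructed for this example; signing by the proxy identity (what verify checks via --trusted-signer-did) is not shown.

```python
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first record (constructed convention)


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def bounded_record(tool: str, arguments: dict, decision: str, prev_hash: str) -> dict:
    """Keep only metadata and hashes; raw argument values never enter the record."""
    canonical = json.dumps(arguments, sort_keys=True, separators=(",", ":")).encode()
    body = {
        "tool": tool,
        "decision": decision,
        "args_sha256": _sha256(canonical),
        "args_bytes": len(canonical),
        "arg_keys": sorted(arguments),  # key names only, never values
        "prev": prev_hash,
    }
    body["record_hash"] = _sha256(json.dumps(body, sort_keys=True).encode())
    return body


def export_bundle(calls: list) -> list:
    """Build a hash-chained list of records from (tool, arguments, decision) tuples."""
    records, prev = [], GENESIS
    for tool, args, decision in calls:
        rec = bounded_record(tool, args, decision, prev)
        records.append(rec)
        prev = rec["record_hash"]
    return records


def verify_bundle(records: list) -> bool:
    """Offline check: every record hashes to its record_hash and links to its predecessor.
    This catches modified or removed records; truncation at the tail is not detected
    without a signed head, which is what the proxy identity is for."""
    prev = GENESIS
    for rec in records:
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec["prev"] != prev or _sha256(json.dumps(body, sort_keys=True).encode()) != rec["record_hash"]:
            return False
        prev = rec["record_hash"]
    return True


def bundle_contains(records: list, needle: str) -> bool:
    """True if a literal value leaked into the exported bundle."""
    return needle in json.dumps(records)


# Constructed sample: a read and an approval-gated write whose arguments carry a secret.
SAMPLE_CALLS = [
    ("read_file", {"path": "/work/README.md"}, "allow"),
    ("write_file", {"path": "/work/.env", "content": "API_TOKEN=hunter2"}, "approval-required"),
]
```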

Built-In Policy Packs

init --policy-pack <name> selects a starter pack:

Pack         Default behavior
default      Tool calls are forwarded to the Runtime Gate path.
github       Reads allowed; writes forwarded to Runtime Gate; destructive verbs require approval.
filesystem   Reads allowed; writes require approval; destructive verbs are denied.
shell        Shell tool calls require approval when routed through the proxy.

Built-in packs are starter templates, not exhaustive policies. Review patterns for your specific downstream server.
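How a starter pack turns a routed tool call into one of the proxy's outcomes (allow, approval-required, block, or forward to Runtime Gate), as an added example that is not the project's own pack code. The verb patterns, outcome labels, and the approval fallback for unrecognised tool names are assumptions for this illustration; the per-pack semantics follow the table above.

```python
import re

ALLOW, APPROVAL, DENY, RUNTIME_GATE = "allow", "approval-required", "block", "runtime-gate"

# Verb classes matched against the routed tool name (constructed patterns; a real
# pack must be reviewed against the downstream server's actual tool names).
VERB_CLASSES = {
    "read": re.compile(r"^(read|list|get|search|stat)[_-]?", re.I),
    "write": re.compile(r"^(write|create|edit|move|update|push)[_-]?", re.I),
    "destructive": re.compile(r"^(delete|remove|rm|force[_-]?push|drop)[_-]?", re.I),
}

# Pack semantics as stated in the README table.
PACKS = {
    "default": {"read": RUNTIME_GATE, "write": RUNTIME_GATE, "destructive": RUNTIME_GATE},
    "github": {"read": ALLOW, "write": RUNTIME_GATE, "destructive": APPROVAL},
    "filesystem": {"read": ALLOW, "write": APPROVAL, "destructive": DENY},
    "shell": {"read": APPROVAL, "write": APPROVAL, "destructive": APPROVAL},
}


def classify_verb(tool_name: str) -> str:
    """Map a tool name to read / write / destructive, or 'unknown' if nothing matches."""
    for verb, pattern in VERB_CLASSES.items():
        if pattern.search(tool_name):
            return verb
    return "unknown"


def decide(pack: str, tool_name: str) -> str:
    """Outcome for one call routed through the proxy under the given pack.
    Assumed fail-safe: a tool the pack does not recognise needs approval rather
    than silently becoming allow."""
    verb = classify_verb(tool_name)
    if verb == "unknown":
        return APPROVAL
    return PACKS[pack][verb]
```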

CLI Commands

Command                               Purpose
init                                  Create encrypted identity, config, and control grant.
init --quickstart-filesystem <path>   Configure the built-in filesystem downstream for a local first run.
doctor                                Validate local files and control grant.
doctor --full                         Launch downstream and verify MCP initialize / tools/list.
downstream set                        Write downstream MCP server config without hand-editing JSON.
client-config print                   Print MCP client config snippets.
smoke                                 Launch downstream and run a local MCP smoke check.
run                                   Run stdio passthrough for MCP clients.
export-evidence <path>                Export a local evidence bundle.
verify <bundle.json>                  Verify a previously exported bundle.
events list --limit 20                Print recent privacy-bounded evidence records.
evidence-summary                      Print local evidence counts.

Relationship To AgentVeil

agentveil-mcp-proxy is one routed action path for AgentVeil. The root agentveil SDK contains identity, delegation, Runtime Gate client helpers, receipt helpers, and framework adapters. This package is the MCP route only.

Download files

Source Distribution: agentveil_mcp_proxy-0.7.22.tar.gz (408.2 kB)

Built Distribution: agentveil_mcp_proxy-0.7.22-py3-none-any.whl (249.1 kB, Python 3)

File details

agentveil_mcp_proxy-0.7.22.tar.gz

  • Size: 408.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.3
