Security middleware for Model Context Protocol (MCP) that detects and blocks malicious tool calls

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for shivamnamdeo0101 from gravatar.com shivamnamdeo0101

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Shivam Namdeo
  • Tags mcp , security , middleware , detection
  • Requires: Python >=3.7
Classifiers
Report project as malware

Project description

Kavach - MCP Security Middleware

Security middleware for Model Context Protocol (MCP) that detects and blocks malicious tool calls using pattern-based rule scanning.

Built by Shivam Namdeo | PyPI Package | Use Cases

Quick Start

# Create and activate virtual environment
python3 -m venv venv
source venv/bin/activate

# Run the example
cd example
python3 app.py

Architecture

Core Components:

  • middleware.py - KavachMiddleware: Main entry point. Processes tool calls and returns allow/block decisions.
  • engine.py - DetectionEngine: Scans text against rules and collects violations.
  • rules.py - KAVACH_RULES: Rule definitions for detecting prompt injection, PII, API keys, etc.
  • types.py - Rule: Data class defining rule structure (id, name, severity, patterns).

How It Works

Sync: Content-based Blocking

from kavach import KavachMiddleware

middleware = KavachMiddleware()

# Process any tool call
result = middleware.process({
    "tool": "aws.s3",
    "access_key": "AKIAIOSFODNN7EXAMPLE"
})

# Returns: {"allowed": False, "violations": [...]}

Async: FastMCP Middleware Integration

from fastmcp import FastMCP
from kavach import KavachMiddleware

mcp = FastMCP("my-server")
mcp.add_middleware(
    KavachMiddleware(
        sensitive_tools=[
            "filesystem.delete",
            "aws.*",           # wildcard patterns
            "database.execute"
        ]
    )
)

Flow:

  1. Tool call intercepted by on_call_tool() middleware hook
  2. Tool name matched against sensitive_tools patterns
  3. If matched, DetectionEngine scans arguments against rules
  4. If violations found and strict mode enabled → raises SecurityException
  5. Otherwise → chain to next middleware

Rules

Detects:

Current Default Rule

  • Prompt Injection - "ignore previous instructions", "override instructions"
  • Secret Leakage - AWS keys (AKIA...), OpenAI keys (sk-...)
  • PII - 10/16 digit sequences

Add custom rules in rules.py:

Rule(
    id="custom-rule",
    name="Rule Name",
    severity="high",
    patterns=[re.compile(r"pattern")]
)

Usage

Option 1: Default Rules Only

middleware = KavachMiddleware()

Option 2: Extend Defaults with Custom Rules

from kavach.types import Rule
import re

custom_rules = [
    Rule(
        id="custom-ban",
        name="Custom Ban",
        severity="high",
        description="Ban specific phrases",
        patterns=[re.compile(r"dangerous\s+action", re.I)]
    )
]

middleware = KavachMiddleware(
    rules=custom_rules,
    extend_rules=True  # Merge with KAVACH_RULES (default)
)

Option 3: Replace Defaults with Custom Rules

middleware = KavachMiddleware(
    rules=custom_rules,
    extend_rules=False  # Use ONLY custom rules
)

Option 4: Control Tool Access

# Allow violations in non-sensitive tools
middleware = KavachMiddleware(strict=False)

# Protect specific tools
middleware = KavachMiddleware(
    sensitive_tools=["filesystem.delete", "aws.s3.delete_bucket"]
)

Project Structure

kavach-mcp-middleware/
├── kavach/
│   ├── __init__.py       # Package exports
│   ├── middleware.py     # Main middleware class
│   ├── engine.py         # Detection logic
│   ├── rules.py          # Security rules
│   └── types.py          # Data classes
└── example/
    └── app.py            # Example usage

API Reference

KavachMiddleware.__init__()

Parameter Type Default Description
rules List[Rule] KAVACH_RULES Custom detection rules
strict bool True Raise exception (True) or return blocked result (False)
sensitive_tools List[str] [] Tools to protect (exact match or wildcard patterns)
extend_rules bool True Merge custom rules with defaults (True) or replace (False)

Methods

  • process(tool_call: dict) - Sync content scanning. Returns {"allowed": bool, ...}
  • async on_call_tool(context, call_next) - FastMCP async middleware hook
  • register_tool(tool_name: str) - Add tool to sensitive_tools at runtime

Contributing

We'd love to get more features and improvements! Please feel free to:

  • Add new detection rules in kavach/rules.py
  • Improve the detection engine in kavach/engine.py
  • Submit bug fixes and enhancements via pull requests
  • Suggest new security patterns to detect

All contributions are welcome! 🚀

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for shivamnamdeo0101 from gravatar.com shivamnamdeo0101

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Shivam Namdeo
  • Tags mcp , security , middleware , detection
  • Requires: Python >=3.7
Classifiers

Release history Release notifications | RSS feed

This version

0.1.9

0.1.8

0.1.7

0.1.6

0.1.5

0.1.4

0.1.3

0.1.2

0.1.1

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

kavach_mcp-0.1.9.tar.gz (6.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

kavach_mcp-0.1.9-py3-none-any.whl (7.0 kB view details)

Uploaded Python 3

File details

Details for the file kavach_mcp-0.1.9.tar.gz.

File metadata

  • Download URL: kavach_mcp-0.1.9.tar.gz
  • Upload date:
  • Size: 6.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for kavach_mcp-0.1.9.tar.gz
Algorithm Hash digest
SHA256 abccae80e07c914c13adad5ca491c1d024033f443e2bf6916d176a22d8dbabf4
MD5 c5c3e12474f04ecc1b7b2e0a7aa32020
BLAKE2b-256 44c2516ed91fba12069d27214bc966b64afe9e58231fbf7dad54b58bb7fd10c3

See more details on using hashes here.

Provenance

The following attestation bundles were made for kavach_mcp-0.1.9.tar.gz:

Publisher: python-publish.yml on shivamnamdeo0101/kavach-mcp-middleware

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file kavach_mcp-0.1.9-py3-none-any.whl.

File metadata

  • Download URL: kavach_mcp-0.1.9-py3-none-any.whl
  • Upload date:
  • Size: 7.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for kavach_mcp-0.1.9-py3-none-any.whl
Algorithm Hash digest
SHA256 144136a7ca8d02636eef73c8e597c8c32fa2eab640ee4de619b5874e316c2c66
MD5 b83251b98ac642dbc6ccecca6e7f461e
BLAKE2b-256 d9d122afa092a672afd35ea827e740a864d894d5603c5bebb3873fee6f259c96

See more details on using hashes here.

Provenance

The following attestation bundles were made for kavach_mcp-0.1.9-py3-none-any.whl:

Publisher: python-publish.yml on shivamnamdeo0101/kavach-mcp-middleware

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page