marmory 0.1.0

Secure local file access gateway for MCP-enabled AI assistants.

Marmory

Real local context for AI. Smaller prompts. Safer file access.

Documentation: local file access | production gates

Setup guides: local daemon | desktop MCP clients | hosted connectors | custom clients | tool plugins | portable MCP routing

Source Code: https://github.com/antonio-amore-akiki/marmory

Marmory is a local-first MCP filesystem gateway. It turns approved folders into scoped trees and targeted file reads.

Works with MCP-capable AI systems across ChatGPT connectors, Claude, custom agents, agent pipelines, and automation workflows.

The key benefits are:

• Context-efficient: up to 62% fewer context-window tokens in the measured workflow.*
• Live: read current files from approved roots, not stale uploads.
• Scoped: expose file trees and targeted reads instead of raw folder dumps.
• Local-first: keep files local; send only requested context.
• Auditable: record read, write, shell, and git operations.
• Controlled: keep writes, shell, and git push behind separate gates.
• Composable: connect one local layer to MCP clients and automation stacks.

Built from 10+ months of real agent-workflow development.

Quick start

git clone https://github.com/antonio-amore-akiki/marmory.git
cd marmory
python -m pip install -e .
marmory init
marmory roots add <project>
marmory doctor --offline
marmory daemon start

The problem

AI tools are powerful. Local context is still broken.

Uploads go stale. Folder dumps flood the context window. Broad filesystem access creates unnecessary exposure. Copy-paste workflows hide what was read, when it was read, and whether the answer came from the current file or an old snapshot.

This is not only a coding problem. It appears in research, operations, documentation, support, automation, data review, and any workflow where local files contain the truth but the AI layer cannot reach them cleanly.

The Marmory fix

Marmory makes local context callable.

MCP client -> Marmory -> approved local roots

The MCP client asks for context. Marmory checks the configured root. It returns only the requested tree or file. Writes, shell, and git stay locked behind separate gates. Every local operation can be audited.

The result is a cleaner AI context pipeline: less dumping, less guessing, less prompt waste, and more control over what enters the model.

What Marmory unlocks

• Live local context without turning every task into a file-upload ritual.
• Smaller prompts by sending scoped trees and exact reads instead of raw folders.
• Safer AI file access because approved roots define the boundary.
• Repeatable pipelines through a stable MCP surface, not throwaway glue.
• Stronger review because read, write, shell, and git operations are auditable.
• One local layer for MCP-capable clients, custom agents, RAG, LLMOps, desktop apps, internal tools, and automation stacks.

Verified implementation surface

• 3 scoped context controls: configured roots, file tree, file read
• 4 denied-by-default safety gates: no roots, writes off, shell off, explicit git push
• 4 audited operation families: read, write, shell, git push
• 13 built-in MCP tools for local access, control, probe proof, and dispatcher routing
• Automatic upstream MCP routing from enabled operator registries
• 40 passing tests covering config, paths, CLI, plugins, upstream MCPs, and HTTP MCP behavior
• 0 uploads needed for approved-root local context

*Measured by the project owner on the current workflow, comparing scoped trees and targeted reads with raw folder dumps.

Keyword map

MCP: Model Context Protocol, MCP, MCP server, MCP client, MCP tools, MCP filesystem, MCP connector, MCP gateway, MCP bridge, MCP registry, MCP dispatcher, FastMCP, stdio transport, streamable HTTP, JSON-RPC, tool calling, resources, prompts.

Agent tooling: AI agents, coding agents, autonomous agents, multi-agent systems, agentic workflows, agentic AI, agentic framework, agent orchestration, workflow orchestration, task orchestration, agent runtime, tool use, tool execution, function calling, context engineering, context assembly, context validation, context window, context bloat, token budget.

Developer workflows: local repository, repository context, codebase context, source code, project docs, implementation notes, log inspection, code review, debugging workflow, developer tools, devtools, IDE workflow, automation pipelines, AI pipelines, workflow automation, LLMOps, observability, audit logging, token optimization.

Search keywords: OpenAI, ChatGPT, GPT-5.5, Anthropic, Claude, Claude Desktop, Claude Code, Claude Opus, Claude Opus 4.6, Windsurf, Cline, Aider, Gemini, Gemini CLI, VS Code, GitHub Copilot.

Frameworks: LangChain, LangGraph, LlamaIndex, CrewAI, AutoGen, OpenAI Agents SDK, Google ADK, Pydantic AI, Agno, smolagents, AG2, DeepAgents, Semantic Kernel, AutoGPT, BabyAGI, n8n, Composio.

RAG and data: LLM, large language models, GenAI, RAG, retrieval augmented generation, agentic RAG, GraphRAG, vector search, embeddings, knowledge base, local files, filesystem access, file tree, file read, local daemon, local-first, secure local context, context retrieval, context pack.

Security: secure file access, scoped access, allowlist, path validation, path traversal protection, symlink escape protection, least privilege, read-only mode, opt-in writes, shell disabled by default, explicit git push, secure gateway, audit trail, private repository safety.

Documentation

• Local file access guide
• Tool plugin guide
• Portable MCP routing guide
• Production readiness gates
• Read-only example
• Read/write example
• Security policy

License

MIT. See LICENSE.