Security proxy and verification layer for the Model Context Protocol (MCP)
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
๐ก๏ธ McpVanguard
The Interception & Verification Layer for MCP Agents
McpVanguard is an open-source security proxy and active firewall for the Model Context Protocol (MCP). It acts as a real-time "Reflex System" between AI agents and their tools, protecting the host system from malicious intent, prompt injection, and data exfiltration.
Part of the Provnai Open Research Initiative โ Building the Immune System for AI.
No changes to your agent. No changes to your server. Just wrap it.
โก Quickstart
# 1. Install
pip install mcp-vanguard
# 2. Start as a Cloud Security Gateway (SSE)
# Set an API key to protect your endpoint
export VANGUARD_API_KEY="your-secret-key"
vanguard sse --server "npx @modelcontextprotocol/server-filesystem ."
# 3. Traditional Stdio Wrap (no network, no auth needed)
vanguard start --server "npx @modelcontextprotocol/server-filesystem ."
# 4. Enable VEX Flight Recorder (Immutable Audit)
export VANGUARD_VEX_URL="https://api.vexprotocol.com"
export VANGUARD_VEX_KEY="your-agent-jwt"
vanguard sse --server "..." --behavioral
# 5. Sync latest threat signatures from GitHub
vanguard update
๐ง The Interception Layer
McpVanguard sits at the Interception Layer of the Provnai stack. It prevents the gap between Cognitive Intent (what the agent thinks) and Environmental Execution (what actually happens to your PC).
3-Layer Defense-in-Depth
| Layer | Component | Defense Mechanism | Performance |
|---|---|---|---|
| L0 | Cloud Gateway | SSE/Network Bridge with optional API key auth | <5ms |
| L1 | Static Rules | 80+ security signatures across 5 categories | <1ms |
| L2 | Semantic Intelligence | Local Ollama LLM intent classification | Async |
| L3 | Behavioral Analysis | Sliding-window anomaly detection (Scraping/Enum) | Stateful |
Rule Categories (Layer 1)
- Filesystem: Path traversal, null bytes, restricted roots (
/etc/,~/.ssh/), Cyrillic homograph detection. - Command: Pipe-to-shell, reverse shells, semicolon/
&&/newline command chaining, expansion bypasses. - Network: SSRF, cloud metadata endpoints (AWS/GCP/Azure), IPv6 and hex/octal encoded IPs.
- Jailbreak: Prompt extraction, instruction-ignore patterns, unicode hidden characters.
- Privilege: SUID binary creation,
LD_PRELOADinjection, crontab manipulation.
๐ก๏ธ VEX Protocol Integration (Flight Recorder)
McpVanguard integrates natively with the VEX Protocol. Whenever the proxy blocks a malicious action (L1/L2/L3), it instantly processes a "fire-and-forget" payload directly to the VEX API.
The VEX Server cryptographically hashes the blocked intent, runs it through the CHORA Gate, and anchors an immutable receipt (PoE) to the Bitcoin blockchain.
Enterprise auditors can mathematically prove exactly why an agent was blocked without relying entirely on local log trust.
๐๏ธ How It Works
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโ
AI Agent โ McpVanguard Proxy โ โ VEX API โ
(Claude, GPT) โ โโโAsyncโโถโ (CHORA Gate) โ
โ โ โโโโโโโโโโโโโโโโโโโโโโโโ โ โโโโโโโโโโโโโโโโ
โโโJSON-RPCโถโ โ L1: Rules Engine โ โ โ
โ โ โ L2: Semantic Scorer โ โ โผ
โ โ โ L3: Behavioral Logic โ โ [Bitcoin Anchor]
โ โ โโโโโโโโโโโโโโโโโโโโโโโโ โ
โโโ BLOCK โโโ or ALLOW โโโโโโโโโโโโถโ MCP Server
โ (Status โ โ (filesystem, shell...)
โ Code) โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
Traffic is inspected on every message, in both directions. Blocked messages return a standard JSON-RPC error response โ the server never sees the attack.
๐บ๏ธ Project Status
| Phase | Goal | Status |
|---|---|---|
| Phase 1 | Foundation (Proxy, CLI, Defensive Rules) | โ DONE |
| Phase 2 | Intelligence (L2 Semantic OpenAI, L3 Behavioral Redis Scaling) | โ DONE |
| Phase 3 | Flight Recorder (VEX & CHORA Integration) | โ DONE |
| Phase 4 | Distribution (v1.0.0 Stable, PyPI, WSL Verified) | โ DONE |
| Phase 5 | Enterprise Integration (Railway, 100% Finality) | โ DONE |
๐ Resources
๐ License
Apache License 2.0 โ see LICENSE.
Built by the Provnai Open Research Initiative. "Verifying the thoughts and actions of autonomous agents."
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mcp_vanguard-1.1.2.tar.gz.
File metadata
- Download URL: mcp_vanguard-1.1.2.tar.gz
- Upload date:
- Size: 1.1 MB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9612389376003e75c3faef6eebd883a420b072d13d656eb0eee1d2d60a9e0040
|
|
| MD5 |
969db9bcbaae306545199ed48a9b6b8f
|
|
| BLAKE2b-256 |
97128e43d45a13edfe36630421d4cb115f404b30eae42b21fbc87e184cddb3a6
|
Provenance
The following attestation bundles were made for mcp_vanguard-1.1.2.tar.gz:
Publisher:
publish.yml on provnai/McpVanguard
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
mcp_vanguard-1.1.2.tar.gz -
Subject digest:
9612389376003e75c3faef6eebd883a420b072d13d656eb0eee1d2d60a9e0040 - Sigstore transparency entry: 1070640011
- Sigstore integration time:
-
Permalink:
provnai/McpVanguard@0c3057516aca1b52d9c7a751426ca14f8ec0d3a9 -
Branch / Tag:
refs/tags/v1.1.2 - Owner: https://github.com/provnai
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@0c3057516aca1b52d9c7a751426ca14f8ec0d3a9 -
Trigger Event:
push
-
Statement type:
File details
Details for the file mcp_vanguard-1.1.2-py3-none-any.whl.
File metadata
- Download URL: mcp_vanguard-1.1.2-py3-none-any.whl
- Upload date:
- Size: 40.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
44951ccc0a2eebd237c57d2c7cd4bcf18eded12b4e5410c4c0d31cbf38ba2ea4
|
|
| MD5 |
abb69f831219d158bad5263fdc1a0467
|
|
| BLAKE2b-256 |
c22bbf02ddf2622e94800e85e57d1b88ab8ba14c2797883ab0cda4d6cdee8e65
|
Provenance
The following attestation bundles were made for mcp_vanguard-1.1.2-py3-none-any.whl:
Publisher:
publish.yml on provnai/McpVanguard
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
mcp_vanguard-1.1.2-py3-none-any.whl -
Subject digest:
44951ccc0a2eebd237c57d2c7cd4bcf18eded12b4e5410c4c0d31cbf38ba2ea4 - Sigstore transparency entry: 1070640031
- Sigstore integration time:
-
Permalink:
provnai/McpVanguard@0c3057516aca1b52d9c7a751426ca14f8ec0d3a9 -
Branch / Tag:
refs/tags/v1.1.2 - Owner: https://github.com/provnai
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@0c3057516aca1b52d9c7a751426ca14f8ec0d3a9 -
Trigger Event:
push
-
Statement type:
