Skip to main content

Runtime security proxy for MCP (Model Context Protocol) and A2A (Agent-to-Agent)

Project description

MCPGuard ๐Ÿ›ก๏ธ

CI Coverage Python PyPI License

Runtime security proxy for the Model Context Protocol (MCP) and Agent-to-Agent (A2A) protocols.

MCPGuard sits between MCP clients and servers, inspecting every JSON-RPC message in real time to detect and block security threats. Supports HTTP SSE, stdio, and WebSocket transport modes.


What makes MCPGuard unique

Capability MCPGuard Raw proxy Custom middleware
Prompt injection detection โœ… 14 regex patterns โŒ Manual
Tool poisoning detection โœ… flags suspicious tools/list โŒ โŒ
SSRF protection โœ… redirect blocking + scheme validation โŒ Manual
Rate limiting โœ… per-method + per-IP โŒ โŒ
Live dashboard โœ… HTMX at /_mcpguard/ โŒ โŒ
Prometheus metrics โœ… /metrics โŒ โŒ
All 3 transports โœ… HTTP SSE + stdio + WebSocket Partial Manual
Hot-reload config โœ… โŒ โŒ
Circuit breaker โœ… auto-recovers โŒ โŒ

Features

Category Feature Description
Detection Prompt Injection Scans tools/call arguments for instruction override patterns (14 regexes)
Tool Poisoning Flags suspicious tool definitions in tools/list responses
Resource Scanning Detects sensitive URI access (/etc/passwd, file:///, metadata endpoints)
Suspicious Prompts Flags prompt names like debug, admin, shell
Anomaly Detection Burst, volume, and dominance-based anomaly alerts
Control Rate Limiting Per-method + per-IP rate limits with configurable windows
Allow/Deny Lists Control which tools and methods are permitted
Auth Middleware API key auth with timing-attack resistant comparison (hmac.compare_digest)
Circuit Breaker Auto-opens after 5 upstream failures, recovers after 30s
Body Size Limit Rejects requests >10MB (413) to prevent DoS
Transport HTTP SSE Proxies MCP Streamable HTTP (rewrites endpoint URLs)
Stdio Wraps local MCP server subprocesses with command validation
WebSocket WebSocket transport support for MCP servers
Observability Live Dashboard HTMX-powered dashboard at /_mcpguard/ with JS event filtering
Prometheus Metrics /metrics with counters, gauges (uptime, active SSE)
Audit Logging All events logged to daily JSONL files
Security SSRF Protection follow_redirects=False, target URL scheme validation
Subprocess Validation Command existence + executable check before spawn
Rate Limit Headers Retry-After, X-RateLimit-* on 429 responses
Platform TLS HTTPS support via --tls-cert / --tls-key
Config Validation 10 validation rules on startup (port range, TLS paths, conflicts)
Config File YAML/JSON configuration via --config with auto-split for string commands
Hot-Reload Async config watcher (no blocking threads)
Tool Cache tools/list caching with configurable TTL
Graceful Shutdown 10s timeout for clean connection drain

Installation

pip install mcpguard-proxy

From source:

git clone https://github.com/Carlos-Projects/mcpguard.git
cd mcpguard
pip install -e ".[dev]"

Quick Start

# HTTP mode (intercept an upstream MCP server)
mcpguard proxy --target http://localhost:8000 --port 8080

# Stdio mode (wrap a local MCP server process)
mcpguard proxy --mode stdio --cmd python3 --cmd /path/to/server.py --port 8080

# With auth, TLS, and circuit breaker
mcpguard proxy --target http://localhost:8000 --port 8443 \
  --api-key my-secret --tls-cert cert.pem --tls-key key.pem

# With config file (YAML/JSON)
mcpguard proxy --config mcpguard.yaml --hot-reload

Clients connect to http://localhost:8080 instead of the server directly. Dashboard at /_mcpguard/.

CLI Reference

mcpguard proxy [OPTIONS]
Option Default Description
--target, -t http://localhost:8000 Upstream MCP server URL
--host, -h 127.0.0.1 Proxy listen address
--port, -p 8080 Proxy listen port
--mode, -m http Transport: http or stdio
--cmd, -c [] Stdio command (repeatable)
--sse-path /sse SSE endpoint path
--messages-path /messages/ Messages endpoint path
--log-dir, -l ./mcpguard_logs Log directory
--config, -C โ€” Config file (YAML/JSON)
--allow, -a [] Allowlisted tools (repeatable)
--deny, -d [] Denylisted tools (repeatable)
--rate-limit, -r 100 Max requests per time window
--rate-window, -w 60 Rate limit window in seconds
--api-key, -k โ€” API key for proxy auth
--tls-cert โ€” TLS certificate file
--tls-key โ€” TLS key file
--hot-reload โ€” Watch config file for changes
--request-timeout 30.0 Upstream request timeout in seconds
mcpguard analyze [LOG_DIR]

Analyze logged events with optional --severity, --type, --limit filters.

Architecture

                           โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
                      โ”Œโ”€โ”€โ”€โ–ถโ”‚   MCPGuard Proxy  โ”‚โ”€โ”€โ”€โ–ถ  MCP Server (HTTP/SSE)
                      โ”‚    โ”‚  (port 8080)      โ”‚
   MCP Client (Host)โ”€โ”€โ”ค    โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜      โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
                      โ”‚           โ”‚                   โ”‚  MCP Server      โ”‚
                      โ”‚           โ”œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ–ถโ”‚  (stdio process) โ”‚
                      โ”‚           โ”‚                   โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                      โ”‚    โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
                      โ””โ”€โ”€โ”€โ–ถโ”‚  /_mcpguard/      โ”‚
                           โ”‚  Dashboard        โ”‚
                           โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜
                                      โ”‚
                           โ”Œโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”ดโ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”
                           โ”‚   /metrics           โ”‚
                           โ”‚   /health            โ”‚
                           โ”‚   /health/ready      โ”‚
                           โ””โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”˜

Detection Plugins

Plugin Trigger Action
Prompt Injection tools/call with instruction override keywords Block (403)
Tool Poisoning tools/list with suspicious tool names Block if block_on_poisoning: true
Resource Scanner resources/read with sensitive URIs Log
Suspicious Prompts prompts/get with admin-like names Log
Rate Limiter Per-method + per-IP threshold exceeded Block (429) with Retry-After
Anomaly Detector Burst, dominant-method, high-volume patterns Log
Circuit Breaker 5 consecutive upstream failures Block (503) for 30s recovery

Config File Example

mode: http
target_url: http://localhost:8000
listen_host: 127.0.0.1
listen_port: 8080
rate_limit: 100
rate_window: 60
block_on_injection: true
block_on_poisoning: true
max_sse_connections: 50
request_timeout: 30.0
api_key: your-secret-key
allowlisted_tools:
  - get_weather
  - search
denylisted_tools:
  - execute_bash
  - delete_files
tls_cert_path: /path/to/cert.pem
tls_key_path: /path/to/key.pem

Testing

pip install -e ".[dev]"
python -m pytest tests/ -v --cov=mcpguard --cov-report=term-missing

Ecosystem

MCPGuard is a runtime guard โ€” it complements:

Changelog

v0.4.0 (2025-05-25)

  • Security: Timing-attack resistant auth, body size limit (10MB), subprocess command validation, SSRF protection
  • Reliability: Circuit breaker (5 failures/30s recovery), async config watcher, graceful shutdown (10s)
  • Features: /health/ready endpoint, rate limit headers, configurable timeout, WebSocket transport
  • Dashboard: JS event filtering, CDN fallback, uptime/active connections metrics
  • Config: Validation on startup, auto-split string commands, request_timeout option
  • Tests: 52 โ†’ 104 tests, coverage ~85%, 7 new test files, CI coverage reporting
  • Infra: .dockerignore, stdio integration tests in CI, codecov integration

v0.3.0 (2025-05-24)

  • HTTP SSE + stdio transport modes
  • Prompt injection, tool poisoning, resource scanning, anomaly detection
  • Live HTMX dashboard, Prometheus metrics, JSONL audit logging
  • Auth middleware, TLS support, rate limiting, allow/deny lists
  • Docker support, CI/CD, PyPI publishing

License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

mcpguard_proxy-0.4.1.tar.gz (50.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

mcpguard_proxy-0.4.1-py3-none-any.whl (46.7 kB view details)

Uploaded Python 3

File details

Details for the file mcpguard_proxy-0.4.1.tar.gz.

File metadata

  • Download URL: mcpguard_proxy-0.4.1.tar.gz
  • Upload date:
  • Size: 50.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for mcpguard_proxy-0.4.1.tar.gz
Algorithm Hash digest
SHA256 003abda57ade76809e930f7cbfa01006060d3ff4da1dd21166da48f928b469c7
MD5 b788239929a9fd4fb557894c342ec178
BLAKE2b-256 acbd8e8b8f8ef2b9a4d8e020215703d6c918d30b0ca05344244e5c1ae384bd66

See more details on using hashes here.

File details

Details for the file mcpguard_proxy-0.4.1-py3-none-any.whl.

File metadata

  • Download URL: mcpguard_proxy-0.4.1-py3-none-any.whl
  • Upload date:
  • Size: 46.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for mcpguard_proxy-0.4.1-py3-none-any.whl
Algorithm Hash digest
SHA256 c43a94b253b2c548ee56edf5703be345e126e6efa30b468af8a71303923b541a
MD5 8519fc9b7b6b8cc351207abc84e28c79
BLAKE2b-256 3db2c84d39757fd988d89f0d386106a29fe585a644dd06f5dcae4ad2e2d4f4ee

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page