mcpindex pre-flight drift gate — the in-path, zero-egress-by-default trust-to-act client for MCP tool calls (open core).
Project description
mcpindex-preflight
The in-path drift gate for agent tool calls — the open-core client of mcpindex.ai. It runs on your host with zero egress and checks every MCP tool definition against your own pinned baseline before a call goes out.
What it does
mcpindex-preflight produces a drift decision — PROCEED / HOLD /
INCONCLUSIVE — by diffing the live tool contract against the contract you pinned.
If a server silently changes a tool's schema, description, or surface, the gate can
HOLD the call and surface why.
from mcpindex_preflight import wrap, PreflightPin, PreflightHold
session = wrap(your_mcp_client_session, pin=PreflightPin(path="~/.mcpindex/pin.json"))
try:
result = await session.call_tool("transfer_funds", {...})
except PreflightHold as hold:
# The tool contract drifted from your pin — inspect `hold` and decide.
print(hold)
wrap() accepts any duck-typed client session; this package does not depend on
the mcp SDK.
What it is — and is not
- It is a contract diff, not a safety oracle. It detects that a tool changed; it does not judge whether the change is malicious.
- A
HOLDmeans "this drifted from your pin — look before you act." It is advisory. It does not block attacks, guarantee safety, or make a server tamper-proof. - It mints no clearance verdict. The offline client can detect drift and HOLD; it can never publish a "SAFE" verdict.
Install
uv tool install mcpindex-preflight
One-click host wiring + a resident auto-onboard watcher are available via the installer at https://mcpindex.ai/install.sh.
Drift telemetry (opt-in, OFF by default)
preflight can report that a tool's contract drifted — so mcpindex can track drift on servers it can't crawl itself (private / auth-gated). It is off by default and sends nothing unless you turn it on:
export MCPINDEX_DRIFT_TELEMETRY=detection # off (default) | detection | contribute
When enabled, each tool you pin and each contract drift sends one one-way signal:
- What it sends: salted (HMAC) fingerprints of the server/tool id, the contract hashes, the change type (a fixed vocabulary), a safety flag, an hour-rounded timestamp, and a random install id (links one machine's signals so distinct installs can be counted — not derived from you).
- What it NEVER sends: tool schemas, arguments, descriptions, URLs, server/tool names, or any of your data. The payload has no free-text field by construction, and the ingest rejects anything that isn't the closed shape.
- Fail-open: telemetry never blocks, slows, or changes a tool call.
detection enables the closed signal; contribute is reserved for a future, separately
opt-in richer tier (identical today). Unset the variable any time to stop.
License
MIT.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file mcpindex_preflight-0.4.0-py3-none-any.whl.
File metadata
- Download URL: mcpindex_preflight-0.4.0-py3-none-any.whl
- Upload date:
- Size: 381.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
4517b9b2b701e016cf8f76b8b7e300875904712b9decdeb31a9a46b83d818e0c
|
|
| MD5 |
706d65890dab8475baf91e9779923ddd
|
|
| BLAKE2b-256 |
167c4f6cbe25727501d9e2066fb44ae7ccb5ba13238e2ba56d866415a4d41069
|
