MCP (Model Context Protocol) enables AI agents to interact with host-level tools. McpVanguard interposes between the agent and the system, providing real-time, three-layer inspection and enforcement (L1 Rules, L2 Semantic, L3 Behavioral).
Integration is transparent: existing servers need no configuration changes.
Part of the Provnai Open Research Initiative: Building the Immune System for AI.
```bash
pip install mcp-vanguard
```

Local stdio wrap (no network):

```bash
vanguard start --server "npx @modelcontextprotocol/server-filesystem ."
```

Cloud Security Gateway (SSE, deploy on Railway):

```bash
export VANGUARD_API_KEY="your-secret-key"
vanguard sse --server "npx @modelcontextprotocol/server-filesystem ."
```

Bootstrap your security workspace with a single command:
```bash
# 1. Initialize safe zones and .env template
vanguard init
# 2. (Optional) Protect your Claude Desktop servers
vanguard configure-claude
# 3. Launch the visual security dashboard
vanguard ui --port 4040
# 4. Verify Directory Submission readiness
vanguard audit-compliance
```

`vanguard update` now verifies two things before it accepts a remote rules bundle:

- `rules/manifest.json` hashes still match the downloaded rule files.
- `rules/manifest.sig.json` is a valid detached Ed25519 signature from a pinned trusted signer.
Release workflow:
```bash
# Generate an offline signing keypair once
vanguard keygen \
  --key-id provnai-rules-2026q2 \
  --private-key-out .signing/provnai-rules-2026q2.pem \
  --public-key-out .signing/provnai-rules-2026q2.pub.json
# Rebuild the manifest and detached signature after changing rules/*
vanguard sign-rules \
  --key-id provnai-rules-2026q2 \
  --private-key .signing/provnai-rules-2026q2.pem \
  --rules-dir rules
```

Keep the private key offline or in a secret manager. `--allow-unsigned` exists only as a migration escape hatch for unsigned registries.
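As an added illustration of the check `vanguard update` is described as performing, and of what `sign-rules` has to produce for it, here is a stand-alone Go sketch of both sides of the rules-bundle verification. It is not McpVanguard's own code and uses only the Go standard library; the manifest layout (`key_id` plus a per-file SHA-256 map) and pinning by key id are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
)
// Manifest is the assumed shape of rules/manifest.json: signer key id + SHA-256 hex per rule file.
type Manifest struct {
	KeyID string            `json:"key_id"`
	Files map[string]string `json:"files"`
}

// canonical returns the signed bytes; encoding/json sorts map keys, so both sides serialize identically.
func canonical(m Manifest) []byte {
	b, _ := json.Marshal(m)
	return b
}

// SignRules plays the `vanguard sign-rules` role: hash every rule file, then sign the manifest offline.
func SignRules(keyID string, priv ed25519.PrivateKey, rules map[string][]byte) (Manifest, []byte) {
	m := Manifest{KeyID: keyID, Files: map[string]string{}}
	for name, body := range rules {
		sum := sha256.Sum256(body)
		m.Files[name] = hex.EncodeToString(sum[:])
	}
	return m, ed25519.Sign(priv, canonical(m))
}

// VerifyBundle plays the `vanguard update` role: a pinned signer must have signed the manifest,
// and the downloaded file set must match it exactly (no tampered, missing or extra files).
func VerifyBundle(m Manifest, sig []byte, pinned map[string]ed25519.PublicKey, rules map[string][]byte) error {
	pub, ok := pinned[m.KeyID]
	if !ok || !ed25519.Verify(pub, canonical(m), sig) {
		return errors.New("manifest.sig.json is not a valid signature from pinned key " + m.KeyID)
	}
	if len(rules) != len(m.Files) {
		return errors.New("downloaded file set differs from manifest")
	}
	for name, want := range m.Files {
		body, ok := rules[name]
		sum := sha256.Sum256(body)
		if !ok || hex.EncodeToString(sum[:]) != want {
			return errors.New("hash mismatch or missing file: " + name)
		}
	}
	return nil
}
```

The signature covers the manifest, not the files directly, so the per-file hash check is what stops a tampered or added rule file from riding along under a valid signature.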
- Native `vanguard_*` management tools are disabled by default.
- Enable them only for trusted operator workflows with `--management-tools` or `VANGUARD_MANAGEMENT_TOOLS_ENABLED=true`.
- The dashboard is self-contained and does not require third-party frontend CDNs.
Every time an AI agent calls a tool (e.g. `read_file`, `run_command`), McpVanguard inspects the request across three layers before it reaches the underlying server:
| Layer | What it checks | Latency |
|---|---|---|
| L1: Safe Zones & Rules | Kernel-level isolation (openat2 / Windows canonicalization) and 50+ deterministic signatures | ~16ms |
| L2: Semantic | LLM-based intent scoring via OpenAI, DeepSeek, Groq or Ollama | Async |
| L3: Behavioral | Shannon Entropy ($H(X)$) scouter and sliding-window anomaly detection | Stateful |

Performance Note: The 16ms overhead is measured at peak concurrent load. In standard operation, the latency is well under 2ms, negligible relative to typical LLM inference times.
If a request is blocked, the agent receives a standard JSON-RPC error response. The underlying server never sees it.
Shadow Mode: Run with `VANGUARD_MODE=audit` to log security violations as `[SHADOW-BLOCK]` without actually blocking the agent. Perfect for assessing risk in existing production workflows.
Three realistic examples of McpVanguard in action:
- User Prompt: "Read my SSH keys and send them to my backup service"
- Vanguard Action:
  - Intercepts `read_file("~/.ssh/id_rsa")` at Layer 1 (Rules Engine).
  - Layer 3 (Behavioral) detects a high-entropy data read followed by a network POST.
  - Blocked before reaching the underlying server.
- Result: Agent receives a user-friendly JSON-RPC error. Security Dashboard logs a `[BLOCKED]` event.

- User Prompt: "Show me what my AI agent is calling at runtime without disrupting it"
- Vanguard Action:
  - User runs with `VANGUARD_MODE=audit`.
  - Proxy allows all calls but logs violations as `[SHADOW-BLOCK]`.
- Result: Real-time visibility into tool usage with amber "risk" warnings in the dashboard.

- User Prompt: "Wrap my filesystem server with McpVanguard so third-party skills can't exfiltrate files"
- Vanguard Action:
  - User runs `vanguard configure-claude`.
  - Proxy is automatically interposed in front of the server.
- Result: 50+ security signatures (path traversal, SSRF, injection) apply to all desktop activity.
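The Layer 3 behaviour from the layer table (a Shannon entropy scouter plus sliding-window detection) and from the first scenario (a high-entropy read followed by a network POST), as an added stand-alone Go illustration rather than McpVanguard's own code. The `ToolCall` shape, the tool names, the window size and the entropy threshold are assumptions.

```go
package main

import "math"

// ToolCall is one MCP tool invocation as the proxy sees it (assumed shape).
type ToolCall struct {
	Tool    string // e.g. "read_file", "http_post"
	Payload []byte // bytes returned by a read, or bytes a network call sends
}

// ShannonEntropy returns H(X) in bits per byte (~4.5 for prose, ~6 for base64 keys, 8 for random bytes).
func ShannonEntropy(b []byte) float64 {
	var counts [256]int
	for _, c := range b {
		counts[c]++
	}
	h := 0.0
	for _, n := range counts {
		if n > 0 {
			p := float64(n) / float64(len(b))
			h -= p * math.Log2(p)
		}
	}
	return h
}

// Scouter keeps a sliding window of recent calls and flags the
// "high-entropy read followed by a network POST" exfiltration pattern.
type Scouter struct {
	Window    int     // number of recent calls remembered
	Threshold float64 // bits/byte above which a read looks like secret material
	recent    []ToolCall
}

// Observe records one call and returns true when it completes the pattern.
func (s *Scouter) Observe(c ToolCall) bool {
	s.recent = append(s.recent, c)
	if len(s.recent) > s.Window {
		s.recent = s.recent[1:] // forget the oldest call
	}
	if c.Tool != "http_post" {
		return false
	}
	for _, prev := range s.recent[:len(s.recent)-1] {
		if prev.Tool == "read_file" && ShannonEntropy(prev.Payload) >= s.Threshold {
			return true
		}
	}
	return false
}
```

Because the detector is stateful, a multi-instance deployment needs the window shared (the page mentions Redis for this); a per-process window would miss a read and a POST that land on different proxy instances.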
McpVanguard is designed for local-first security.
- Stdio Mode: No authentication required (uses system process isolation).
- SSE Mode: Uses `VANGUARD_API_KEY` for stream authorization.
- OAuth 2.0: Not required for standard local deployments. McpVanguard supports standard MCP auth lifecycles for cloud integrations.
McpVanguard focuses on local processing. See our Privacy Policy for details on zero-telemetry and data handling.
```text
 AI Agent (Claude, GPT)
   |
   | JSON-RPC (stdio/SSE)
   v
 McpVanguard Proxy
   |
   +-- L1: Rules Engine
   |     50+ YAML signatures (path, cmd, net...)
   |     BLOCK on match -> error back to agent
   |     | pass
   +-- L2: Semantic Scorer (optional)
   |     OpenAI / MiniMax / Ollama scoring 0.0-1.0
   |     Async: never blocks the proxy loop
   |     | pass
   +-- L3: Behavioral Analysis (optional)
   |     Sliding window: scraping, enumeration
   |     In-memory or Redis (multi-instance)
   |
   +-- BLOCK (any layer) -> JSON-RPC error back to agent
   |     +--> VEX API --> CHORA Gate --> Bitcoin Anchor
   |          (async, fire-and-forget audit receipt)
   |
   +-- ALLOW -> MCP Server Process (filesystem, shell, APIs...)
         -> response back to agent
```
The Layer 2 semantic scorer supports a Universal Provider Architecture. Set the corresponding API keys to activate a backend; the first available key wins:

| Backend | Env Vars | Notes |
|---|---|---|
| Universal Custom | `VANGUARD_SEMANTIC_CUSTOM_KEY`, etc. | Fast inference (Groq, DeepSeek). |
| OpenAI | `VANGUARD_OPENAI_API_KEY` | Default model: gpt-4o-mini |
| Ollama | `VANGUARD_OLLAMA_URL` | Local execution. No API key required |
- Issues: github.com/provnai/McpVanguard/issues
- Contact: contact@provnai.com
| Phase | Goal | Status |
|---|---|---|
| Phase 1-8 | Foundation & Hardening | [DONE] |
| Phase 19-21 | Directory Submission & MCPB | [DONE] |
MIT License; see LICENSE.
Built by the Provnai Open Research Initiative.