Which integrations are available for this server?

Provides a dedicated configuration pathway and security wrapper for the Docker MCP Toolkit, enabling users to intercept, log, and filter tool calls for containerized MCP servers.

mcpwall

npm version Node.js License: Apache-2.0

iptables for MCP. Blocks dangerous tool calls, scans for secret leakage, logs everything. No AI, no cloud, pure rules.

Sits between your AI coding tool (Claude Code, Cursor, Windsurf) and MCP servers, intercepting every JSON-RPC message and enforcing YAML-defined policies.

Why

MCP servers have full access to your filesystem, shell, databases, and APIs. When an AI agent calls tools/call, the server executes whatever the agent asks — reading SSH keys, running rm -rf, exfiltrating secrets. There's no built-in policy layer.

mcpwall adds one. It's a transparent stdio proxy that:

Blocks sensitive file access — .ssh/, .env, credentials, browser data
Blocks dangerous commands — rm -rf, pipe-to-shell, reverse shells
Scans for secret leakage — API keys, tokens, private keys (regex + entropy)
Scans server responses — redacts leaked secrets, blocks prompt injection patterns, flags suspicious content
Logs everything — JSON Lines audit trail of every tool call and response
Uses zero AI — deterministic rules, no LLM decisions, no cloud calls

Install

npm install -g mcpwall

Or use directly with npx:

npx mcpwall -- npx -y @modelcontextprotocol/server-filesystem /path/to/dir

Quick Start

Option 1: Docker MCP Toolkit

If you use Docker MCP Toolkit (the most common setup), change your MCP config from:

{ "mcpServers": { "MCP_DOCKER": { "command": "docker", "args": ["mcp", "gateway", "run"] } } }

To:

{ "mcpServers": { "MCP_DOCKER": { "command": "npx", "args": ["-y", "mcpwall", "--", "docker", "mcp", "gateway", "run"] } } }

That's it. mcpwall now sits in front of all your Docker MCP servers, logging every tool call and blocking dangerous ones. No config file needed — sensible defaults apply automatically.

Option 2: Interactive setup

npx mcpwall init

This finds your existing MCP servers in Claude Code, Cursor, Windsurf, and VS Code configs and wraps them.

Option 3: Manual wrapping (any MCP server)

Change your MCP config from:

{ "mcpServers": { "filesystem": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/me/projects"] } } }

To:

{ "mcpServers": { "filesystem": { "command": "npx", "args": [ "-y", "mcpwall", "--", "npx", "-y", "@modelcontextprotocol/server-filesystem", "/Users/me/projects" ] } } }

Option 4: Wrap a specific server

npx mcpwall wrap filesystem

How It Works

┌──────────────┐ stdio ┌──────────────┐ stdio ┌──────────────┐ │ Claude Code │ ──────────▶ │ mcpwall │ ──────────▶ │ Real MCP │ │ (MCP Host) │ ◀────────── │ (proxy) │ ◀────────── │ Server │ └──────────────┘ └──────────────┘ └──────────────┘ ▲ Inbound rules │ │ (block dangerous requests) │ │ │ └── Outbound rules ◀───────────┘ (redact secrets, block injection)

Inbound (requests):

Intercepts every JSON-RPC request on stdin
Parses tools/call requests — extracts tool name and arguments
Walks rules top-to-bottom, first match wins
Allow: forward to real server
Deny: return JSON-RPC error to host, log, do not forward

Outbound (responses):

Parses every response from the server before forwarding
Evaluates against outbound_rules (same first-match-wins semantics)
Allow: forward unchanged
Deny: replace response with blocked message
Redact: surgically replace secrets with [REDACTED BY MCPWALL], forward modified response
Log only: forward unchanged, log the match

Configuration

Config is YAML. mcpwall looks for:

~/.mcpwall/config.yml (global)
.mcpwall.yml (project, overrides global)

If neither exists, built-in default rules apply.

Example config

version: 1 settings: log_dir: ~/.mcpwall/logs log_level: info # debug | info | warn | error default_action: allow # allow | deny | ask rules: # Block reading SSH keys - name: block-ssh-keys match: method: tools/call tool: "*" arguments: _any_value: regex: "(\\.ssh/|id_rsa|id_ed25519)" action: deny message: "Blocked: access to SSH keys" # Block dangerous shell commands - name: block-dangerous-commands match: method: tools/call tool: "*" arguments: _any_value: regex: "(rm\\s+-rf|curl.*\\|.*bash)" action: deny message: "Blocked: dangerous command" # Block writes outside project directory - name: block-external-writes match: method: tools/call tool: write_file arguments: path: not_under: "${PROJECT_DIR}" action: deny # Scan all tool calls for leaked secrets - name: block-secret-leakage match: method: tools/call tool: "*" arguments: _any_value: secrets: true action: deny message: "Blocked: detected secret in arguments" secrets: patterns: - name: aws-access-key regex: "AKIA[0-9A-Z]{16}" - name: github-token regex: "(gh[ps]_[A-Za-z0-9_]{36,}|github_pat_[A-Za-z0-9_]{22,})" - name: private-key regex: "-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----" - name: generic-high-entropy regex: "[A-Za-z0-9/+=]{40}" entropy_threshold: 4.5

Rule matchers

Matcher	Description
`regex`	Regular expression test on the value
`pattern`	Glob pattern (uses minimatch)
`not_under`	Matches if path is NOT under the given directory. Supports `${HOME}`, `${PROJECT_DIR}`
`secrets`	When `true`, runs the secret scanner on the value

The special key _any_value applies the matcher to ALL argument values.

Outbound rules (response inspection)

Outbound rules scan server responses before they reach your AI client. Add them to the same config file:

outbound_rules: # Redact secrets leaked in responses - name: redact-secrets-in-responses match: secrets: true action: redact message: "Secret detected in server response" # Block prompt injection patterns - name: block-prompt-injection match: response_contains: - "ignore previous instructions" - "provide contents of ~/.ssh" action: deny message: "Prompt injection detected" # Flag suspiciously large responses - name: flag-large-responses match: response_size_exceeds: 102400 action: log_only

Outbound matchers

Matcher	Description
`tool`	Glob pattern on the tool that produced the response (requires request-response correlation)
`server`	Glob pattern on the server name
`secrets`	When `true`, scans response for secret patterns (uses same `secrets.patterns` config)
`response_contains`	Case-insensitive substring match against response text
`response_contains_regex`	Regex match against response text
`response_size_exceeds`	Byte size threshold for the serialized response

Outbound actions

Action	Behavior
`allow`	Forward response unchanged
`deny`	Replace response with `[BLOCKED BY MCPWALL]` message
`redact`	Surgically replace matched secrets with `[REDACTED BY MCPWALL]`, forward modified response
`log_only`	Forward unchanged, log the match

Built-in rule packs

rules/default.yml — sensible defaults (blocks SSH, .env, credentials, dangerous commands, secrets)
rules/strict.yml — deny-by-default paranoid mode (whitelist only project reads/writes)

Use strict mode:

mcpwall -c /path/to/strict.yml -- npx -y @some/server

CLI

mcpwall [options] -- <command> [args...] # Proxy mode mcpwall init # Interactive setup mcpwall wrap <server-name> # Wrap specific server

Options:

-c, --config <path> — path to config file
--log-level <level> — override log level (debug/info/warn/error)

Audit Logs

All tool calls are logged by default — both allowed and denied. Logs are written as JSON Lines to ~/.mcpwall/logs/YYYY-MM-DD.jsonl:

{"ts":"2026-02-16T14:30:00Z","method":"tools/call","tool":"read_file","action":"allow","rule":null} {"ts":"2026-02-16T14:30:05Z","method":"tools/call","tool":"read_file","args":"[REDACTED]","action":"deny","rule":"block-ssh-keys","message":"Blocked: access to SSH keys"}

Denied entries have args redacted to prevent secrets from leaking into logs.

mcpwall also prints color-coded output to stderr so you can see decisions in real time.

Security Design

Bidirectional scanning: Both inbound requests and outbound responses are evaluated against rules
Fail closed on invalid config: Bad regex in a rule crashes at startup, never silently passes traffic
Fail open on outbound errors: If response parsing fails, the raw response is forwarded (never blocks legitimate traffic)
Args redacted on deny: Blocked tool call arguments are never written to logs
Surgical redaction: Secrets in responses are replaced in-place, preserving the JSON-RPC response structure
Path traversal defense: not_under matcher uses path.resolve() to prevent ../ bypass
Pre-compiled regexes: All patterns compiled once at startup for consistent performance
No network: Zero cloud calls, zero telemetry, runs entirely local
Deterministic: Same input + same rules = same output, every time

License

Apache-2.0

mcpwall is not affiliated with or endorsed by Anthropic or the Model Context Protocol project. MCP is an open protocol maintained by the Agentic AI Foundation under the Linux Foundation.

mcpwall

mcpwall

Why

Install

Quick Start

Option 1: Docker MCP Toolkit

Option 2: Interactive setup

Option 3: Manual wrapping (any MCP server)

Option 4: Wrap a specific server

How It Works

Configuration

Example config

Rule matchers

Outbound rules (response inspection)

Outbound matchers

Outbound actions

Built-in rule packs

CLI

Audit Logs

Security Design

License

Resources

New MCP Servers

Latest Blog Posts

MCP directory API