ContextLock
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@ContextLockscan the current repo for secrets and blocked files"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
ContextLock
A local-first MCP safety layer for AI coding agents.
Block sensitive files and redact common secrets before repository context reaches an AI client.
ContextLock1.x is the stable CLI and MCP contract line. Pin a specific
version in shared automation if you need repeatable behavior.
The npm package is intentionally CLI-only; importing contextlock as a library
is not a supported API. See Stability Policy for the stable
contracts, limitations, SemVer policy, and release checklist.
Why ContextLock?
AI coding agents are more useful with repository context, but real projects can
contain .env files, private keys, database URLs, credentials, webhooks, and
client data. ContextLock provides a controlled local boundary between an
MCP-compatible AI client and a project:
AI coding client
|
| local stdio MCP
v
ContextLock
|
| block files + redact values + report risks
v
Local repositoryLocal-first: repository content is processed on your machine.
Blocked by policy: sensitive files never appear in safe file listings or reads.
Redacted before return: supported secret patterns are replaced with clear placeholders.
Inspectable: scan and report commands show what the active policy finds.
Configurable: each project can maintain its own policy file.
Related MCP server: safe-code-mcp
Quick Start
ContextLock requires Node.js 22.13+. The stable npm line is contextlock@1;
pin an exact version, such as contextlock@1.1.0, when automation must be
fully repeatable.
Run it without installing:
npx --yes contextlock@1 --helpInitialize a policy in the repository you want to protect, then scan it:
cd /path/to/your/project
npx --yes contextlock@1 init
npx --yes contextlock@1 scan
npx --yes contextlock@1 report
npx --yes contextlock@1 doctorStart the MCP server from the project being protected:
npx --yes contextlock@1 mcpOr install it globally:
npm install -g contextlock@1
contextlock scanUse a stronger starter policy for common project types:
contextlock init --android
contextlock init --node
contextlock init --python
contextlock init --mobile-aiMCP Client Setup
Configure your coding agent to launch ContextLock from the repository you want
to protect. The examples below use npx --yes contextlock@1 so the published
stable npm package is used.
Coding agent | Setup method | Scope |
Codex |
| User configuration |
Claude Code |
| Current project by default |
Cursor |
| Current workspace |
VS Code with GitHub Copilot |
| Current workspace |
Codex
From the repository you want ContextLock to protect:
codex mcp add contextlock -- \
npx --yes contextlock@1 mcp
codex mcp listRestart Codex or begin a new session in that repository, then ask it to use
repo.scan_risks. See the official Codex MCP documentation
for configuration details.
Claude Code
From the repository you want to protect, add ContextLock with local scope:
claude mcp add --scope local --transport stdio contextlock -- \
npx --yes contextlock@1 mcp
claude mcp get contextlockStart Claude Code in the same repository and run /mcp to check the server.
Use --scope project instead if you intentionally want to share a .mcp.json
configuration with collaborators. See the official Claude Code MCP documentation.
Cursor
Create .cursor/mcp.json in the repository you want to protect:
{
"mcpServers": {
"contextlock": {
"command": "npx",
"args": ["--yes", "contextlock@1", "mcp"]
}
}
}Open that repository in Cursor, then open Settings > Tools & MCP and enable
contextlock. Cursor should discover the five tools after the server starts.
See the official Cursor MCP documentation.
VS Code with GitHub Copilot
Create .vscode/mcp.json in the repository you want to protect. VS Code uses a
top-level servers key rather than mcpServers:
{
"servers": {
"contextlock": {
"type": "stdio",
"command": "npx",
"args": ["--yes", "contextlock@1", "mcp"],
"cwd": "${workspaceFolder}"
}
}
}Run MCP: List Servers from the Command Palette, start contextlock, and
accept the workspace trust prompt after reviewing the command. See the official
VS Code MCP configuration reference.
Verify the Connection
After setup, confirm that the agent discovers these five tools:
repo.list_files
repo.read_file_safe
repo.search_safe
repo.scan_risks
policy.explainAsk the agent to run policy.explain, then repo.scan_risks. If the server
does not start:
Confirm
node --versionis 22.13 or newer.Confirm
npx --yes contextlock@1 --helpworks in a terminal.Confirm the agent was opened in the repository you intend to protect.
Check the agent's MCP server logs for process startup errors.
contextlock mcp-config prints a generic configuration snippet.
Trust Checks
ContextLock includes small diagnostics you can run before trusting an AI agent with a repository:
contextlock doctor
contextlock why .env
contextlock why build/generated/source.ts
contextlock test-policydoctorshows the activecwd, config status, package version, Node version, configured MCP transport, redactors, and a sample blocked-path check. It is a local configuration diagnostic, not a live MCP client handshake.why <path>explains whether a project-relative path is blocked and which pattern matched.test-policyverifies required baseline protections against the active policy, including generated build output,.env,.git, and mobile release artifacts.
Example Workflows
Use ContextLock when you want an AI coding agent to inspect a repository without handing it raw access to sensitive paths or likely secrets. The agent still gets useful context, but through safe MCP tools that block risky files and redact supported secret patterns before returning content.
Start a Safe Repo Inspection
Ask the agent to begin with policy and risk discovery before reading files:
Use ContextLock before inspecting this repository.
First run policy.explain, then repo.scan_risks.
After that, list files with repo.list_files and only read files through
repo.read_file_safe.Typical tool flow:
policy.explainshows which paths and redactors are active.repo.scan_riskssummarizes blocked files and detected secret patterns.repo.list_filesreturns files the active policy allows.repo.read_file_safereads allowed files with supported secrets redacted.
Review a Feature Without Opening Secrets
Use this when you want help understanding a code path, but the repository may
contain .env files, private keys, local databases, or service credentials:
Use ContextLock to inspect the authentication flow.
Search for auth-related code safely, then read only the allowed files needed to
explain the flow.The agent can use repo.search_safe for terms such as auth, token,
session, webhook, or DATABASE_URL. Search results and file reads come back
redacted, and blocked files are denied instead of returned.
Check Before Sharing Context
Run a local scan before asking an agent to work deeply in a project:
npx --yes contextlock@1 scan
npx --yes contextlock@1 report --fail-on highThis gives you a quick view of sensitive paths and detected secret patterns.
For team projects, commit a reviewed contextlock.config.json so contributors
and agents use the same baseline policy.
Handle Denied Access
If the agent asks for a blocked file, keep the boundary intact:
That file is blocked by ContextLock. Use policy.explain and repo.search_safe to
find a safe alternative, or explain what specific non-sensitive detail is needed.Denied access is expected behavior. It means ContextLock is preserving the project policy instead of leaking raw context.
Agent Skill
ContextLock includes an optional Agent Skills
workflow in skills/contextlock. The MCP server enforces
blocking and redaction; the skill teaches an agent when to use the five safe
tools, how to handle denied access, and not to bypass the active policy.
Install the skill in the repository you want to protect. Choose the directory for your coding agent:
Coding agent | Project skill directory |
Codex |
|
Claude Code |
|
Cursor |
|
VS Code with GitHub Copilot |
|
For example, install it for Codex from the protected repository:
mkdir -p .agents/skills/contextlock
cp /absolute/path/to/contextlock/skills/contextlock/SKILL.md \
.agents/skills/contextlock/SKILL.mdUse the corresponding directory from the table for another agent. Restart the
agent or begin a new session after installation, then ask it to "inspect this
repository safely with ContextLock." The agent should start with
policy.explain and repo.scan_risks before reading project files.
The skill complements the MCP setup above; it does not install or start the ContextLock server by itself.
MCP Tools
Tool | Purpose |
| List text files allowed by the active policy. |
| Read an allowed file with supported secrets redacted. |
| Search allowed text content and return redacted snippets. |
| Summarize blocked files and detected secret patterns. |
| Show the active blocking and redaction policy. |
Default Protection
Running contextlock init creates contextlock.config.json. The default policy
blocks common sensitive or generated paths, including:
.envfiles, private keys, credentials, service-account files, and database filesdependency and build output such as
node_modules,dist,.next, and.turboAndroid/mobile local artifacts such as
.gradle,.idea,.kotlin, APK/AAB, keystore/JKS files, screenshots/captures, and common local model filesGit internals under
.git
Path protection is case-insensitive, so case variants such as .ENV, BUILD,
and uppercase protected extensions receive the same treatment. Allowed text
files are scanned for supported API keys, structured secret assignments such as
OPENAI_API_KEY=... and TOKEN=..., JWTs, database URLs, private keys, and
Slack or Discord webhook URLs. Email redaction is available but disabled by
default.
Example configuration:
{
"schemaVersion": 1,
"blockedPatterns": [
".env",
".env.*",
"**/*.pem",
"**/*.key",
"**/credentials.json",
"**/node_modules/**",
"**/.git/**",
"**/dist/**",
"**/build/**",
"**/.gradle/**",
"**/*.apk",
"**/*.aab",
"**/*.keystore",
"**/*.tflite"
],
"redact": {
"apiKeys": true,
"jwt": true,
"databaseUrls": true,
"privateKeys": true,
"webhooks": true,
"emails": false
}
}ContextLock reads contextlock.config.json from the process working directory
(cwd), which is also the root for relative paths and policy matching. It does
not automatically move to the nearest Git root. Set the MCP process cwd to
the repository you intend to protect.
Configuration is additive. blockedPatterns adds unique patterns to the
baseline list, and redact can enable additional redactors; config cannot turn
off baseline protections. schemaVersion: 1 is required when a config file is
present. Unknown fields, unsupported schema versions, invalid values, and
symlinked config files are rejected with an error.
Use contextlock init --preset <name> or the shortcut flags above to bootstrap
project-specific defaults. Available presets are default, android, node,
python, and mobile-ai.
ContextLock reduces accidental exposure; it is not a secret manager, malware scanner, sandbox, or guarantee that every sensitive value will be detected. Keep credentials out of source control and review your project policy before granting an AI client access.
Development
Clone the repository when you want to contribute or test local changes:
git clone git@github.com:LutaElbert/contextlock.git
cd contextlockpnpm install --frozen-lockfile
pnpm testThe aggregate test command covers scanner and policy behavior, CLI and MCP smokes, the bundled skill, type checking, and installation from the generated npm tarball. CI runs it on the minimum Node.js 22.13 release and Node.js 24.
For development against this repository:
pnpm dev -- scan
pnpm dev -- mcp
pnpm dev -- mcp-config --localRoadmap
Expand secret detection and policy test coverage.
Improve audit reports and machine-readable findings.
Add richer project-type policy packs.
Add premium team policy sync, database sanitization, and enterprise audit exports without weakening the local-first core.
Core promise: No cloud required. Your code stays local.
Releases
npm packages and GitHub releases are published through the
Release workflow
after the package version is updated on main.
Update
package.jsonto the next version in a pull request.Merge the pull request into
main.Open the Release workflow and choose Run workflow.
Enter the matching tag, such as
v1.1.0orv1.1.0-rc.1, set the prerelease input consistently, and run it.
The main-only workflow validates the tag and prerelease state before installing
dependencies, runs the complete suite, publishes with provenance, and creates a
GitHub release. Prereleases use npm's next tag. Retrying is safe when the npm
version or GitHub release already exists. The workflow requires an NPM_TOKEN
repository secret with npm package publishing permissions.
Contributing
Contributions are welcome. Read CONTRIBUTING.md before opening a pull request, follow the Code of Conduct, and use only synthetic or redacted test data.
Report vulnerabilities privately according to SECURITY.md.
License
ContextLock is licensed under the Apache License 2.0.
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/LutaElbert/contextlock'
If you have feedback or need assistance with the MCP directory API, please join our Discord server