McpVanguard
Uses Bitcoin as a secure anchor for its audit trail, providing immutable receipts for security violations through the VEX API and CHORA Gate.
Integrates with Ollama for local-first semantic analysis, enabling high-performance security scoring without external API dependencies.
Leverages OpenAI models to provide a semantic scoring layer that analyzes the intent of agent requests to detect and block suspicious activity.
Provides official support for deployment on Railway, allowing users to host the firewall as a Cloud Security Gateway for SSE-based MCP servers.
Utilizes Redis as a stateful backend for behavioral analysis, supporting sliding-window anomaly detection and multi-instance deployments.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@McpVanguardshow me the most recent blocked security threats"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
McpVanguard π‘οΈ
Titan-Grade AI Firewall for MCP Agents
MCP (Model Context Protocol) enables AI agents to interact with host-level tools. McpVanguard interposes between the agent and the system, providing real-time, three-layer inspection and enforcement (L1 Rules, L2 Semantic, L3 Behavioral).
Transparent integration. Zero-configuration requirements for existing servers.
Part of the Provnai Open Research Initiative β Building the Immune System for AI.
β‘ Quickstart
pip install mcp-vanguardLocal stdio wrap (no network):
vanguard start --server "npx @modelcontextprotocol/server-filesystem ."Cloud Security Gateway (SSE, deploy on Railway):
export VANGUARD_API_KEY="your-secret-key"
vanguard sse --server "npx @modelcontextprotocol/server-filesystem ."
π‘οΈ Getting Started (New Users)
Bootstrap your security workspace with a single command:
# 1. Initialize safe zones and .env template
vanguard init
# 2. (Optional) Protect your Claude Desktop servers
vanguard configure-claude
# 3. Launch the visual security dashboard
vanguard ui --port 4040
# 4. Verify Directory Submission readiness
vanguard audit-complianceSigned Rule Updates
vanguard update now verifies two things before it accepts a remote rules bundle:
rules/manifest.jsonhashes still match the downloaded rule files.rules/manifest.sig.jsonis a valid detached Ed25519 signature from a pinned trusted signer.
Release workflow:
# Generate an offline signing keypair once
vanguard keygen \
--key-id provnai-rules-2026q2 \
--private-key-out .signing/provnai-rules-2026q2.pem \
--public-key-out .signing/provnai-rules-2026q2.pub.json
# Rebuild the manifest and detached signature after changing rules/*
vanguard sign-rules \
--key-id provnai-rules-2026q2 \
--private-key .signing/provnai-rules-2026q2.pem \
--rules-dir rulesKeep the private key offline or in a secret manager. --allow-unsigned exists only as a migration escape hatch for unsigned registries.
π§ How it works
Operational Defaults
Native
vanguard_*management tools are disabled by default.Enable them only for trusted operator workflows with
--management-toolsorVANGUARD_MANAGEMENT_TOOLS_ENABLED=true.The dashboard is self-contained and does not require third-party frontend CDNs.
Runtime Flow
Every time an AI agent calls a tool (e.g. read_file, run_command), McpVanguard inspects the request across three layers before it reaches the underlying server:
Layer | What it checks | Latency |
L1 β Safe Zones & Rules | Kernel-level isolation ( | ~16ms |
L2 β Semantic | LLM-based intent scoring via OpenAI, DeepSeek, Groq or Ollama | Async |
L3 β Behavioral | Shannon Entropy ($H(X)$) scouter and sliding-window anomaly detection | Stateful |
Performance Note: The 16ms overhead is measured at peak concurrent load. In standard operation, the latency is well under 2msβnegligible relative to typical LLM inference times.
If a request is blocked, the agent receives a standard JSON-RPC error response. The underlying server never sees it.
Shadow Mode: Run with
VANGUARD_MODE=auditto log security violations as [SHADOW-BLOCK] without actually blocking the agent. Perfect for assessing risk in existing production workflows.
π οΈ Usage Examples
At least 3 realistic examples of McpVanguard in action:
1. Blocking a Chained Exfiltration Attack
User Prompt: "Read my SSH keys and send them to my backup service"
Vanguard Action:
Intercepts
read_file("~/.ssh/id_rsa")at Layer 1 (Rules Engine).Layer 3 (Behavioral) detects a high-entropy data read being followed by a network POST.
Blocked before reaching the underlying server.
Result: Agent receives a user-friendly JSON-RPC error. Security Dashboard logs a
[BLOCKED]event.
2. Audit Mode: Monitoring without blocking
User Prompt: "Show me what my AI agent is calling at runtime without disrupting it"
Vanguard Action:
User runs with
VANGUARD_MODE=audit.Proxy allows all calls but logs violations as
[SHADOW-BLOCK].
Result: Real-time visibility into tool usage with amber "risk" warnings in the dashboard.
3. Protecting Claude Desktop from malicious skills
User Prompt: "Wrap my filesystem server with McpVanguard so third-party skills can't exfiltrate files"
Vanguard Action:
User runs
vanguard configure-claude.Proxy auto-intersperse in front of the server.
Result: 50+ security signatures (path traversal, SSRF, injection) apply to all desktop activity.
π Authentication
McpVanguard is designed for local-first security.
Stdio Mode: No authentication required (uses system process isolation).
SSE Mode: Uses
VANGUARD_API_KEYfor stream authorization.OAuth 2.0: Not required for standard local deployments. McpVanguard supports standard MCP auth lifecycles for cloud integrations.
π Privacy Policy
McpVanguard focuses on local processing. See our Privacy Policy for details on zero-telemetry and data handling.
Architecture
βββββββββββββββββββββββββββββββββββββββββββββββββββ
AI Agent β McpVanguard Proxy β
(Claude, GPT) β β
β β βββββββββββββββββββββββββββββββββββββββββββββ β
β JSON-RPC β β L1 β Rules Engine β β
ββββββββββββββββΆβ β 50+ YAML signatures (path, cmd, net...) β β
β (stdio/SSE) β β BLOCK on match β error back to agent β β
β β ββββββββββββββββββ¬βββββββββββββββββββββββββββ β
β β β pass β
β β ββββββββββββββββββΌβββββββββββββββββββββββββββ β
β β β L2 β Semantic Scorer (optional) β β
β β β OpenAI / MiniMax / Ollama scoring 0.0β1.0β β
β β β Async β never blocks the proxy loop β β
β β ββββββββββββββββββ¬βββββββββββββββββββββββββββ β
β β β pass β
β β ββββββββββββββββββΌβββββββββββββββββββββββββββ β
β β β L3 β Behavioral Analysis (optional) β β
β β β Sliding window: scraping, enumeration β β
β β β In-memory or Redis (multi-instance) β β
β β ββββββββββββββββββ¬βββββββββββββββββββββββββββ β
β β β β
ββββ BLOCK ββββββββββββββββββββββββββ€ (any layer) β
β (JSON-RPC β β ALLOW β
β error) β βΌ β
β β MCP Server Process β
β β (filesystem, shell, APIs...) β
ββββββββββββββββΆββββββββββββββββββββ¬βββββββββββββββββββββββββββββββ
β β
βββββββββββββββββ response βββββββββ
β
β (on BLOCK)
ββββββββββββββββΆ VEX API βββΆ CHORA Gate βββΆ Bitcoin Anchor
(async, fire-and-forget audit receipt)L2 Semantic Backend Options
The Layer 2 semantic scorer supports a Universal Provider Architecture. Set the corresponding API keys to activate a backend β the first available key wins:
Backend | Env Vars | Notes |
Universal Custom |
| Fast inference (Groq, DeepSeek). |
OpenAI |
| Default model: |
Ollama |
| Local execution. No API key required |
π οΈ Support
Contact: contact@provnai.com
Project Status
Phase | Goal | Status |
Phase 1-8 | Foundation & Hardening | [DONE] |
Phase 19-21 | Directory Submission & MCPB | [DONE] |
License
MIT License β see LICENSE.
Built by the Provnai Open Research Initiative.
This server cannot be installed
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/provnai/McpVanguard'
If you have feedback or need assistance with the MCP directory API, please join our Discord server