mastyf-ai
Official
Provides security enforcement and policy control for GitHub API actions, blocking malicious operations such as unauthorized git pushes, secret exfiltration, and path traversal attempts.
The problem
AI agents can read your files, push code, query databases, execute shell commands, and call external APIs. They do it autonomously, at machine speed.
Traditional security controls weren't built for that.
Mastyf.ai acts as a perimeter security layer for AI. It intercepts every tool call, evaluates it against your security policies using multi-agent swarm analysis, and blocks malicious or unauthorized actions before they execute.
Every decision is enforced, logged, and auditable.
Related MCP server: ZugaShield
What it stops
| Threat | What it looks like |
| --- | --- |
| Prompt injection | Malicious instructions embedded in tool arguments to hijack agent behavior |
| Path traversal | Attempts to access |
| Secret exfiltration | API keys and tokens leaking through tool arguments |
| Shell injection | Reverse shells, |
| Data exfiltration | Bulk SQL dumps, |
| SSRF | Calls to metadata endpoints, localhost, and private IP ranges |
| Encoding evasion | Base64 blobs and Unicode homoglyphs used to bypass pattern detection |
| Cost abuse | Runaway agent loops burning through token budgets |
| Rug-pull attacks | Tool definitions that silently change mid-session |
Quick start
Build from source
Clone the repository and run the setup script.
Requirements:
- Git
- Linux (the setup script installs Nix automatically if needed)
git clone https://github.com/mastyf-ai/mastyf.ai.git
cd mastyf.ai
chmod +x setup.sh
./setup.sh

The setup script automatically:
- Installs Nix (if required)
- Enables Nix flakes
- Creates the development environment
- Installs all project dependencies
- Rebuilds native packages
- Builds the entire project
- Adds a convenient mastyf shell alias
Once installation completes, start the proxy and dashboard:
node dist/cli.js start

Or simply use the alias after opening a new terminal:

mastyf

The dashboard will be available at http://localhost:4000.
Test the installation
If the dashboard is running, verify the HTTP bridge:
curl -X POST http://localhost:4000/mcp -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","id":"1","method":"tools/list","params":{}}'

Dashboard
Full visibility into every action your AI takes.
| Section | What you see |
| --- | --- |
| Protection | Block rate, top triggered rules, live threat feed |
| Activity | Every tool call with full arguments, allow or block status, timestamp |
| Policy | Live rule editor with hot-reload from YAML |
| Threat Lab | AI-suggested attack tests, reviewed and approved before anything applies |
| Cost | Token usage and cost estimates broken down per tool call |
Do not expose port 4000 publicly without enabling dashboard auth. The default local dev config has DASHBOARD_AUTH_DISABLED=true.
How enforcement works
Every tool call passes through three layers before it reaches your infrastructure.
Layer 1 - Pattern detection: regex-based scanning for injection, dangerous paths, leaked secrets, shell commands, and encoding tricks. Runs in microseconds with no external dependencies.
Layer 2 - Schema validation: rejects malformed payloads, oversized arguments, and JSON-RPC violations before they reach policy evaluation.
Layer 3 - Semantic review: an optional local LLM (Ollama) or cloud model evaluates borderline calls that pass pattern checks. Falls back to heuristics if no model is configured.
Anything that fails is blocked. The tool never runs. Everything is logged.
Policy
Your rules live in default-policy.yaml. You own them. mastyf.ai enforces them.
policy:
  mode: block
  default_action: pass
  unicode_strict: true
  rules:
    - name: block-sensitive-paths
      action: block
      argPatterns:
        - field: path
          patterns: ['^/etc/', '/\.ssh', '/\.aws/credentials']
    - name: rate-limit-tool-calls
      action: block
      maxCallsPerMinute: 120
    - name: block-shell-injection
      action: block
      patterns: ['rm\s+-rf', 'curl\s', 'wget\s', '`[^`]+`']

Roll out safely with three enforcement modes:

| Mode | Behavior | When to use |
| --- | --- | --- |
|  | Log everything, block nothing | First week, understand what your AI does |
|  | Log and flag, still forwards | Tuning phase before enforcement |
|  | Stops violations before execution | Production |
Pre-built templates for HIPAA, PCI-DSS, GxP, and data residency are in policy-templates/.
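As an added illustration (not mastyf.ai's own code), the evaluator below implements the rule shapes shown in the policy above: argPatterns scoped to one argument field, free patterns matched against every argument, maxCallsPerMinute, and the block-versus-log mode distinction described under "How enforcement works". The tool-call shape, the NFKC reading of unicode_strict, and a single global rate-limit window are assumptions made for the example.

```python
import re
import time
import unicodedata

# Constructed policy mirroring default-policy.yaml above, as a dict so no YAML dependency is needed.
POLICY = {
    "mode": "block",
    "default_action": "pass",
    "unicode_strict": True,
    "rules": [
        {"name": "block-sensitive-paths", "action": "block",
         "argPatterns": [{"field": "path",
                          "patterns": [r"^/etc/", r"/\.ssh", r"/\.aws/credentials"]}]},
        {"name": "rate-limit-tool-calls", "action": "block", "maxCallsPerMinute": 120},
        {"name": "block-shell-injection", "action": "block",
         "patterns": [r"rm\s+-rf", r"curl\s", r"wget\s", r"`[^`]+`"]},
    ],
}


def _fold(value, strict):
    # Assumed meaning of unicode_strict: NFKC-fold arguments before the regex pass
    # so fullwidth or other compatibility homoglyphs cannot dodge ASCII patterns.
    text = str(value)
    return unicodedata.normalize("NFKC", text) if strict else text


def evaluate(call, history, policy=POLICY, now=None):
    """Return (decision, rule_name); decision is 'allow' or 'block'.
    call: {"name": tool, "arguments": {...}} (assumed shape).
    history: shared list of call timestamps (global limit, an assumption)."""
    now = time.time() if now is None else now
    strict = policy.get("unicode_strict", False)
    args = {k: _fold(v, strict) for k, v in call.get("arguments", {}).items()}
    history.append(now)
    history[:] = [t for t in history if now - t <= 60]  # keep the last minute only
    for rule in policy["rules"]:
        hit = False
        for ap in rule.get("argPatterns", []):          # field-scoped patterns
            val = args.get(ap["field"], "")
            hit |= any(re.search(p, val) for p in ap["patterns"])
        for p in rule.get("patterns", []):              # patterns over every argument
            hit |= any(re.search(p, v) for v in args.values())
        if "maxCallsPerMinute" in rule:
            hit |= len(history) > rule["maxCallsPerMinute"]
        if hit and rule["action"] == "block":
            # Only mode: block stops the call; the other modes log and still forward.
            return ("block" if policy["mode"] == "block" else "allow", rule["name"])
    return ("allow" if policy["default_action"] == "pass" else "block", None)
```

A homoglyph path such as a fullwidth "／ｅｔｃ/passwd" is folded to "/etc/passwd" before matching, which is why the block-sensitive-paths rule still fires on it.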
Architecture
mastyf.ai runs two coordinated swarms. The CI Swarm attacks your policy before code ships. The Runtime Swarm enforces and learns from every live tool call in production. Four feedback loops connect them so the system gets harder to bypass over time.
flowchart TB
    AI["AI Clients\nCursor · Claude Desktop · Cline"]
    subgraph CI["CI Swarm (PR + Nightly)"]
        direction LR
        Scout["Scout Agent\nSAST, deps, config scan"]
        Corpus["Corpus Agent\n228 fixtures eval"]
        Evasion["Evasion Agent\n120+ probes + generate new"]
        Parity["Parity Agent\nNode vs Python"]
        ProxyA["Proxy Agent\nLive stdio MCP tests"]
        Report["Report Agent\nsecurity-swarm/latest.json"]
        Scout --> Corpus --> Evasion --> Parity --> ProxyA --> Report
    end
    subgraph Runtime["Runtime Swarm (Production Proxy)"]
        direction LR
        BG["BlockGuard\nsync policy"]
        IL["InstantLearner\nper-block stats + suggestions"]
        SA["SemanticAuditor\nasync LLM, optional"]
        PS["PatternSynthesizer\nbatch suggestions"]
        Cal["Calibrator\nlabels + thresholds"]
        BG --> IL --> PS --> Cal
        BG --> SA --> PS
    end
    Tools["MCP Tools\nfilesystem · GitHub · databases · APIs"]
    AI -->|"every tool call"| BG
    BG -->|"allowed"| Tools
    Report -->|"Loop A: bypasses to corpus"| Corpus
    Cal -->|"Loop B: blocks to rules"| BG
    Cal -->|"Loop C: labels to LLM"| SA
    Report -->|"Loop D: CI metrics weekly"| Cal
    style CI fill:#EFF6FF,stroke:#3B82F6,stroke-width:2px,color:#1E3A5F
    style Runtime fill:#F0FDF4,stroke:#22C55E,stroke-width:2px,color:#14532D
    style Scout fill:#DBEAFE,stroke:#3B82F6,color:#1E40AF
    style Corpus fill:#DBEAFE,stroke:#3B82F6,color:#1E40AF
    style Evasion fill:#DBEAFE,stroke:#3B82F6,color:#1E40AF
    style Parity fill:#DBEAFE,stroke:#3B82F6,color:#1E40AF
    style ProxyA fill:#DBEAFE,stroke:#3B82F6,color:#1E40AF
    style Report fill:#DBEAFE,stroke:#3B82F6,color:#1E40AF
    style BG fill:#BBF7D0,stroke:#16A34A,color:#14532D
    style IL fill:#BBF7D0,stroke:#16A34A,color:#14532D
    style SA fill:#BBF7D0,stroke:#16A34A,color:#14532D
    style PS fill:#BBF7D0,stroke:#16A34A,color:#14532D
    style Cal fill:#BBF7D0,stroke:#16A34A,color:#14532D
    style AI fill:#FEF3C7,stroke:#F59E0B,stroke-width:2px,color:#78350F
    style Tools fill:#FEF3C7,stroke:#F59E0B,stroke-width:2px,color:#78350F

Canonical gates: 228/228 corpus, 0 bypasses, 100% parity
CI Swarm
Runs on every PR and nightly. Six agents work in sequence, each one hardening what the previous found.
| Agent | What it does |
| --- | --- |
| Scout | SAST scan, dependency audit, config review |
| Corpus | Evaluates all 228 attack fixtures against current policy |
| Evasion | Runs 120+ bypass probes and generates novel ones using an LLM |
| Parity | Verifies Node and Python implementations produce identical decisions |
| Proxy | Live stdio MCP session tests against a running proxy instance |
| Report | Writes |
Runtime Swarm
Runs inside the production proxy on every tool call.
| Component | What it does |
| --- | --- |
| BlockGuard | Enforces the active policy synchronously on every call. Fail-closed. |
| InstantLearner | Tracks per-block statistics and surfaces rule suggestions in real time |
| SemanticAuditor | Optional async LLM review for calls that clear pattern checks but look suspicious |
| PatternSynthesizer | Batches suggestions from InstantLearner and SemanticAuditor into candidate rules |
| Calibrator | Labels candidates, tunes thresholds, and promotes approved rules back into BlockGuard |
Feedback loops
| Loop | Signal | Effect |
| --- | --- | --- |
| A | CI bypass found | Added to corpus; CI now guards against it permanently |
| B | Runtime block pattern | Synthesized into a new rule, promoted to BlockGuard |
| C | Calibrator label | Used to fine-tune SemanticAuditor thresholds |
| D | CI metrics (weekly) | Updates runtime config, keeping CI and production in sync |
The proxy supports five transports: stdio, HTTP, SSE, streamable HTTP, and WebSocket.
For enterprise deployments with Redis, Postgres, and Kubernetes see docs/ENTERPRISE_DEPLOYMENT.md.
Threat Lab
Threat Lab watches live traffic and uses a local LLM to propose new attack test cases when it detects suspicious patterns. Nothing is applied automatically. You review and approve every suggestion in the dashboard before it becomes a rule.
Approved discoveries feed back into the CI attack corpus for ongoing regression testing.
ollama serve
ollama pull qwen3:8b
export OLLAMA_BASE_URL=http://127.0.0.1:11434
export MASTYF_AI_LLM_PROVIDER=ollama
export MASTYF_AI_LLM_MODEL=qwen3:8b
pnpm dashboard:proxy

MCP package trust scores
Before installing any MCP server from npm, check its trust score at https://www.mastyf.ai/certified. Scores cover CVE exposure, typo-squat risk, maintainer signals, and known attack patterns. Free, no account required.
Common commands
| Command | What it does |
| --- | --- |
|  | Start proxy and dashboard on port 4000 |
|  | Wrap your MCP config to route through the proxy |
|  | Health check for DB, policy, and environment |
|  | Scan MCP configs for CVEs and injection risks |
|  | Run the full test suite |
|  | Quick security regression, 5 to 15 minutes |
|  | Full adversarial analysis |
Troubleshooting
| Problem | Fix |
| --- | --- |
| Dashboard shows no data | Proxy and dashboard must share the same |
|  | Run |
| AI still hitting tools directly | Run |
| Ollama warnings at startup | Run |
| npm install fails | npm publish is not live yet. Use |