SafeGuard MCP server (@the-safeguard-ai/mcp)

A Model Context Protocol server that exposes SafeGuard AI's DLP engine, Secure AI Gateway, and Shadow AI discovery as tools any MCP client (Claude Desktop, Cursor, Windsurf, Claude Code, …) can call. Speaks MCP over stdio.

The point is to give an AI agent a governed way to handle and send data. Before an agent pastes a chunk of text into an external tool it can run dlp_scan on it; to sanitize the text it calls dlp_redact; to ask a model with org policy and audit logging enforced it calls secure_chat.

Tools

| Tool | Needs token? | What it does |
| --- | --- | --- |
| dlp_scan | no | Detect PII/secrets in text; returns findings, counts by type, and whether it would be blocked. Runs locally: no network, no token. |
| dlp_redact | no | Return a sanitized copy with [REDACTED:LABEL] placeholders. Local. |
| dlp_detectors | no | List the detector types SafeGuard recognizes (international by default). Local. |
| secure_chat | yes | Ask an LLM through the gateway: inbound redaction, org policy, routing (cloud/self-hosted), audit log. Returns the reply and the redaction count. |
| shadow_ai_report | yes | Summarize which AI tools the org uses and what data was caught on each. Read-only. |
| list_policies | yes | List the org's active DLP policies as enforced by the gateway. Read-only. |

The three local DLP tools mirror crates/dlp (the Rust source of truth) and run entirely in-process — no backend required.
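The scan, redact, send sequence described above, as an added illustration that is not code from the SafeGuard repo. It runs offline against two stand-in detectors so the flow can be followed end to end; the result field names (findings, countsByType, blocked), the detectors themselves, and the policy that a secret blocks the send while PII is redacted are this example's assumptions, not the schema of the real dlp_scan/dlp_redact tools (which are backed by crates/dlp).

```typescript
// Added example (not code from the SafeGuard repo): the scan -> redact -> send
// flow from the README, written against the tool results as the table describes
// them. Assumptions: the result field names (findings, countsByType, blocked),
// the two stand-in detectors, and the policy that secrets block while PII is
// redacted. The real tools are dlp_scan/dlp_redact backed by crates/dlp.

type Finding = { label: string; start: number; end: number };

type ScanResult = {
  findings: Finding[];
  countsByType: { [label: string]: number };
  blocked: boolean;
};

// Stand-in detectors (assumption): one PII type and one secret type. The real
// engine recognizes many more; see dlp_detectors.
const DETECTORS: { [label: string]: RegExp } = {
  EMAIL: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/,
  AWS_ACCESS_KEY: /\bAKIA[0-9A-Z]{16}\b/,
};

// Policy assumption for the example: a secret blocks the send outright,
// PII is allowed through once redacted.
const BLOCKING_LABELS: { [label: string]: boolean } = { AWS_ACCESS_KEY: true };

// Local stand-in for dlp_scan: every detector match becomes a finding with its
// offsets, counts are tallied per label, and `blocked` reflects the policy.
function localScan(text: string): ScanResult {
  const findings: Finding[] = [];
  const countsByType: { [label: string]: number } = {};
  for (const label in DETECTORS) {
    const re = new RegExp(DETECTORS[label].source, "g"); // fresh state per call
    let m: RegExpExecArray | null;
    while ((m = re.exec(text)) !== null) {
      findings.push({ label, start: m.index, end: m.index + m[0].length });
      countsByType[label] = (countsByType[label] || 0) + 1;
      if (m[0].length === 0) re.lastIndex++; // guard against zero-width loops
    }
  }
  findings.sort((a, b) => a.start - b.start);
  const blocked = findings.some((f) => BLOCKING_LABELS[f.label] === true);
  return { findings, countsByType, blocked };
}

// Local stand-in for dlp_redact: replace each span with [REDACTED:LABEL],
// working from the end of the text so earlier offsets stay valid.
function localRedact(text: string, findings: Finding[]): string {
  let out = text;
  const rightToLeft = findings.slice().sort((a, b) => b.start - a.start);
  for (const f of rightToLeft) {
    out = out.slice(0, f.start) + "[REDACTED:" + f.label + "]" + out.slice(f.end);
  }
  return out;
}

type SendOutcome = { action: "sent" | "sent_redacted" | "blocked"; payload?: string };

// The governed path an agent takes before handing text to an external tool:
// scan first, stop if policy would block, otherwise send only the sanitized copy.
function governedSend(text: string, send: (payload: string) => void): SendOutcome {
  const scan = localScan(text);
  if (scan.blocked) return { action: "blocked" };
  if (scan.findings.length === 0) {
    send(text);
    return { action: "sent", payload: text };
  }
  const sanitized = localRedact(text, scan.findings);
  send(sanitized);
  return { action: "sent_redacted", payload: sanitized };
}

// Constructed sample inputs. AKIAIOSFODNN7EXAMPLE is AWS's documented example key id.
const SAMPLE_PII = "Contact alice@example.com about the invoice.";
const SAMPLE_SECRET = "deploy with key AKIAIOSFODNN7EXAMPLE please";

// Logging goes to stderr, matching the convention the README sets for this server.
governedSend(SAMPLE_PII, (p) => console.error("would send:", p));
governedSend(SAMPLE_SECRET, (p) => console.error("would send:", p));
```

The important ordering is that the scan decides before anything leaves the process: a blocked result never reaches the send callback, and a redacted result is the only thing that does.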

Configuration (environment)

| Var | Default | Purpose |
| --- | --- | --- |
| SAFEGUARD_TOKEN | (unset) | Bearer token: a user JWT (sign in to SafeGuard) or an org API key (sg_…). Required by the gateway/governance tools. |
| SAFEGUARD_GATEWAY_URL | http://localhost:8080 | Secure AI Gateway base URL. |
| SAFEGUARD_CONTROL_PLANE_URL | http://localhost:8081 | Control-plane (governance API) base URL. |
| SAFEGUARD_MODEL | gpt-4o-mini | Default model id for secure_chat. |
| SAFEGUARD_DEFAULT_ACTION | redact | Default action for the local DLP tools. |

Run

# from the repo root
bun run mcp
# or directly
bun run services/mcp/src/index.ts

stdout is reserved for the MCP protocol; logs go to stderr.

Add to an MCP client

Claude Desktop / Cursor / Windsurf (mcpServers config):

{
  "mcpServers": {
    "safeguard": {
      "command": "bun",
      "args": ["run", "/absolute/path/to/safeguard-ai/services/mcp/src/index.ts"],
      "env": {
        "SAFEGUARD_TOKEN": "<your JWT or sg_… API key>",
        "SAFEGUARD_GATEWAY_URL": "http://localhost:8080",
        "SAFEGUARD_CONTROL_PLANE_URL": "http://localhost:8081"
      }
    }
  }
}

Claude Code:

claude mcp add safeguard --env SAFEGUARD_TOKEN=<token> \
  -- bun run /absolute/path/to/safeguard-ai/services/mcp/src/index.ts

Without SAFEGUARD_TOKEN the local DLP tools still work; the gateway and governance tools return a clear "set SAFEGUARD_TOKEN" message.
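A pre-flight check on the environment described in the configuration table and the client configs above, added here as an example and not part of the SafeGuard repo. It applies the documented defaults, flags a missing token with the same consequence the README states, and warns when the bearer token would be sent over plain http to a host that is not loopback. The token shape rules (an org key starts with sg_, a user JWT is three dot-separated base64url segments) and the loopback rule are this example's assumptions; the server does not enforce them.

```typescript
// Added example (not part of the SafeGuard repo): a pre-flight check on the
// environment variables from the README's configuration table, to run before
// the server is registered with a client. Assumptions: org API keys start with
// "sg_", a user JWT is three dot-separated base64url segments, and a bearer
// token must not travel over plain http to anything but a loopback host.

type ConfigReport = { ok: boolean; warnings: string[] };

const LOOPBACK_HOSTS: { [host: string]: boolean } = {
  localhost: true,
  "127.0.0.1": true,
  "[::1]": true,
};

function looksLikeJwt(token: string): boolean {
  const parts = token.split(".");
  return parts.length === 3 && parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p));
}

// Minimal URL parsing: scheme and host, with userinfo and port stripped and
// IPv6 brackets kept so the host can be matched against LOOPBACK_HOSTS.
function schemeAndHost(url: string): { scheme: string; host: string } | null {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^/?#]+)/i.exec(url);
  if (!m) return null;
  let host = m[2];
  const at = host.lastIndexOf("@");
  if (at >= 0) host = host.slice(at + 1);
  if (host.charAt(0) === "[") {
    const close = host.indexOf("]");
    if (close >= 0) host = host.slice(0, close + 1);
  } else {
    const colon = host.indexOf(":");
    if (colon >= 0) host = host.slice(0, colon);
  }
  return { scheme: m[1].toLowerCase(), host: host.toLowerCase() };
}

function checkEndpoint(name: string, value: string, warnings: string[]): void {
  const parsed = schemeAndHost(value);
  if (!parsed) {
    warnings.push(name + ": not a URL (" + value + ")");
    return;
  }
  if (parsed.scheme !== "http" && parsed.scheme !== "https") {
    warnings.push(name + ": unsupported scheme " + parsed.scheme);
    return;
  }
  if (parsed.scheme === "http" && !LOOPBACK_HOSTS[parsed.host]) {
    warnings.push(
      name + ": plain http to non-loopback host " + parsed.host +
      "; the bearer token would cross the network unencrypted, use https",
    );
  }
}

// Applies the README's defaults when a variable is unset, then reports anything
// a reviewer would want fixed before the token is used.
function checkSafeguardEnv(env: { [k: string]: string | undefined }): ConfigReport {
  const warnings: string[] = [];
  const token = env["SAFEGUARD_TOKEN"];
  const gateway = env["SAFEGUARD_GATEWAY_URL"] || "http://localhost:8080";
  const control = env["SAFEGUARD_CONTROL_PLANE_URL"] || "http://localhost:8081";

  if (!token) {
    warnings.push("SAFEGUARD_TOKEN unset: secure_chat, shadow_ai_report and list_policies will refuse to run; the local DLP tools still work");
  } else if (token.indexOf("sg_") !== 0 && !looksLikeJwt(token)) {
    warnings.push("SAFEGUARD_TOKEN is neither an sg_ org API key nor a JWT");
  }
  checkEndpoint("SAFEGUARD_GATEWAY_URL", gateway, warnings);
  checkEndpoint("SAFEGUARD_CONTROL_PLANE_URL", control, warnings);
  return { ok: warnings.length === 0, warnings };
}

// Constructed input: the README's defaults plus a placeholder org key.
const preflight = checkSafeguardEnv({ SAFEGUARD_TOKEN: "sg_placeholder" });
for (const w of preflight.warnings) console.error("config warning:", w);
```

The defaults pass unchanged because both URLs point at localhost; the check only complains once a gateway or control-plane URL is moved to another host without switching to https.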

Typecheck

bun run typecheck