mcp-guardian

Implements a transparent proxy layer (mcp-guardian-proxy binary) that sits between LLM applications and MCP servers, intercepting all bidirectional JSON-RPC messages over stdio/WebSocket transports. The proxy maintains complete audit trails by logging every message to persistent storage before forwarding, enabling forensic analysis of LLM-to-tool interactions without modifying the LLM application itself.

Implements a guard profile system that intercepts MCP messages matching configurable rules and routes them to approval queues in the desktop UI or CLI, blocking execution until a human approves or rejects the request. The proxy suspends message forwarding at the JSON-RPC level, maintaining connection state while awaiting approval decisions that are persisted and can be replayed for audit purposes.

Maintains strict JSON-RPC 2.0 protocol compliance throughout the proxy pipeline, preserving message structure, method names, and parameter types without transformation or reinterpretation. The proxy operates as a transparent intermediary that logs and filters messages while maintaining protocol semantics, ensuring compatibility with any MCP server implementation that follows the specification.

Implements proxy support for both stdio-based (local process) and WebSocket-based (remote server) MCP transport mechanisms, enabling the proxy to intercept and manage connections to both local and remote MCP servers. The proxy abstracts transport differences at the JSON-RPC message level, allowing guard profiles and approval workflows to operate uniformly across transport types.

Defines a declarative rule system (stored as JSON in mcp-guardian-core) that matches incoming MCP messages against patterns (tool name, parameter values, server identity) and applies transformations or blocks. Profiles are evaluated by the proxy before message forwarding, enabling automated security policies like blocking dangerous tools, redacting sensitive parameters, or enforcing rate limits without human intervention.

Provides a centralized configuration system (mcp-guardian-core library) that manages multiple MCP server definitions, guard profiles, and server collections using a namespace-based hierarchy stored as JSON files. The system enables grouping related servers into collections, applying guard profiles to collections, and managing configurations via desktop UI, CLI, or programmatic API without manual file editing.

Implements a Tauri-based desktop application with React frontend that provides a graphical interface for viewing live MCP message streams, managing server configurations, and processing approval queues. The UI connects to the proxy via IPC or local API, displaying timestamped message logs with filtering/search, allowing users to approve/reject pending messages and edit guard profiles without CLI knowledge.

Implements a Rust-based CLI tool (mcp-guardian-cli) that enables programmatic management of MCP servers, guard profiles, and server collections via command-line arguments and stdin. The CLI directly uses mcp-guardian-core library, enabling automation workflows like CI/CD pipelines to provision MCP configurations, apply policies, and validate setups without GUI interaction.

Enables MCP Guardian to act as a proxy for Claude Desktop by configuring the LLM application to route MCP server connections through the guardian proxy. The integration is configured via Claude Desktop's config.json file, allowing users to transparently add message logging, approval workflows, and guard profiles to their existing Claude Desktop setup without modifying the LLM application itself.

Stores all approval/rejection decisions made by users in persistent JSON storage alongside the original messages, enabling audit trails that link decisions to specific messages and approvers. The system maintains immutable records of what was approved, when, and by whom, supporting compliance requirements and post-incident analysis without requiring external audit logging systems.

Enables organizing multiple MCP servers into named collections (e.g., 'data-access', 'external-apis') and applying guard profiles to entire collections at once. The system stores collection definitions in JSON and evaluates them at proxy runtime, enabling bulk policy updates without individually configuring each server and supporting environment-specific groupings (dev/staging/prod).

Uses Nix package manager to define reproducible development environments and build configurations that work consistently across Windows, macOS, and Linux. The build system manages Rust toolchain versions, Node.js dependencies, and system libraries, enabling developers to build mcp-guardian components without manual dependency installation and supporting automated CI/CD builds with guaranteed reproducibility.