
MCP Firewall

Think of it as a firewall for MCP tool calls.

Let AI agents use tools without giving them your whole machine.

A local policy gateway that sits between AI clients and MCP servers. Applies allow/warn/block rules, asks for approval on risky actions, and records every decision.

beta · MIT · local-only · no telemetry
quickstart · mcp-firewall

# install
npm install -g @agentopssec/mcp-firewall

# initialize and register your existing MCP servers
mcp-firewall init
mcp-firewall add ./mcp.json

# run an agent through the firewall
mcp-firewall run claude
mcp-firewall run codex

01 · Why this exists

MCP servers give agents access to filesystems, shells, browsers, GitHub, databases, cloud APIs, email, and calendars. That power needs a control point.

MCP Firewall is a local proxy between AI clients and MCP servers. It applies your policy, asks for approval on risky calls, and writes an audit log of every decision.

  • Which tool calls should be allowed automatically?
  • Which actions should require human approval?
  • Which paths should agents never read?
  • Which shell commands are safe for this project?
  • Which GitHub or database actions are too broad?
  • What happened the last time a tool call was blocked?

02 · Quickstart

One command. No account. No telemetry.

03 · Terminal approvals

When a risky call hits, the firewall pauses and asks you in the terminal.

Agent wants to run a shell command.
  command:  rm -rf ./dist
  risk:     medium
  reason:   The command deletes a build directory.

04 · Policy file

One JSON file per project. Rules match by tool, scope, and command.

mcp-firewall.policy.json

{
  "project": "my-nextjs-app",
  "defaultAction": "warn",
  "rules": [
    { "tool": "filesystem.read", "scope": "./", "action": "allow" },
    { "tool": "filesystem.read", "scope": "~/.ssh", "action": "block" },
    { "tool": "filesystem.read", "scope": ".env", "action": "block" },
    { "tool": "shell.exec", "command": "npm test", "action": "allow" },
    { "tool": "shell.exec", "action": "warn" }
  ]
}

05 · Audit log

Every decision is recorded as JSON, locally.

logs/2026-04-25.jsonl

{ "timestamp": "2026-04-25T15:30:00Z",
  "client": "codex", "server": "filesystem",
  "tool": "filesystem.read",
  "risk": "high", "action": "block",
  "policyMatched": "block-env-files",
  "input": { "path": ".env" } }

06 · CLI reference

init              Set up the firewall in this project.
add <mcp.json>    Register an existing MCP server config.
run <client>      Launch an agent client through the proxy.
policy init       Write a starter policy file.
logs              Show recent allow/block decisions.
approve latest    Approve the most recent pending action.