@deepsweepai/mcp-firewall
v0.1.0
Enterprise-grade MCP firewall for conscious AI stewardship - Zero-trust security layer for Model Context Protocol servers
mcp-firewall
Open source infrastructure for conscious AI stewardship
The Movement
DeepSweep.ai is not a security product. It is the technical foundation of conscious AI stewardship.
Every AI agent you deploy operates in a trust vacuum—no verifiable memory integrity, no forensic accountability, no consensus validation. This is architecturally unacceptable.
We are building the infrastructure that makes aligned, accountable AI systems possible:
- Verifiable Integrity: Cryptographic proof that agent memory hasn't been tampered with
- Forensic Accountability: Complete audit trails showing every decision
- Distributed Consensus: Multi-agent validation before high-stakes actions
- Graceful Degradation: Flash-freeze compromised sessions, rollback to last-known-good state
Quick Start (60 seconds)
Option 1: Docker (Fastest)

```bash
docker run -d \
  -p 8080:8080 \
  -v $(pwd)/policy.yaml:/etc/deepsweep/policy.yaml \
  -e UPSTREAM_MCP_URL=http://your-mcp-server:3000 \
  deepsweep/mcp-firewall:latest
```

Option 2: npm

```bash
npm install -g @deepsweepai/mcp-firewall
mcp-firewall start --upstream http://localhost:3000 --policy ./my-policy.yaml
```

Option 3: Integrate into your code
```typescript
import { createFirewall, protectLangChain, protectCrew } from '@deepsweepai/mcp-firewall';
import { ChatOpenAI } from 'langchain/chat_models/openai';

// Standalone firewall in front of an MCP server
const firewall = createFirewall({
  upstream: { url: 'http://localhost:3000' },
});

// LangChain protection
const model = new ChatOpenAI();
const protectedModel = protectLangChain(model, { policy: 'no-pii' });

// CrewAI with consensus (`crew` is an existing CrewAI crew instance)
const protectedCrew = protectCrew(crew, { consensus: 0.67 });
```

That's it: calls made through these wrappers now pass through the firewall's policy checks.
Security Challenge: $500 Bounty
Break our firewall. Win $500.
| Severity | Bounty | Criteria |
|----------|--------|----------|
| Critical | $500 | RCE, complete firewall bypass, data exfiltration despite policies |
| High | $200 | Policy evasion, PII detection bypass, unauthorized tool access |
| Medium | $100 | Schema validation bypass, rate limit circumvention |
| Low | $50 | DoS vectors, edge case crashes, documentation issues |
See SECURITY_CHALLENGE.md for rules.
Features
Core Protection
- ✅ Zero-trust MCP request filtering
- ✅ Policy engine with YAML/JSON configuration
- ✅ Automatic PII detection & redaction
- ✅ Tool authorization (allowlist/blocklist)
- ✅ Rate limiting & DoS prevention
- ✅ Response sanitization
- ✅ Suspicious pattern detection (prototype pollution, injection attacks)
Stewardship
- ✅ Cryptographic memory checksums (SHA-256, SHA3-256)
- ✅ Forensic audit trails with retention policies
- ✅ Multi-agent consensus validation (CrewAI)
- ✅ Policy hot-reload (zero downtime)
- ✅ Constant-time comparison (timing attack prevention)
Integrations
- ✅ LangChain / LangGraph - One-line wrapper
- ✅ CrewAI - Consensus-based protection
- ✅ AutoGen - Group chat and conversation protection
- ✅ Raw MCP SDK - Direct protocol integration
- ✅ Any MCP-compliant server
Infrastructure
- ✅ Docker / Docker Compose
- ✅ Kubernetes-ready (health/readiness probes)
- ✅ Prometheus metrics endpoint
- ✅ WebSocket support
- ✅ Structured JSON logging
Architecture
```text
┌─────────────────────────────────────────────────────────────┐
│                        MCP FIREWALL                         │
├─────────────────────────────────────────────────────────────┤
│                                                             │
│  ┌─────────────┐    ┌──────────────┐    ┌─────────────────┐ │
│  │   Schema    │    │    Policy    │    │     Memory      │ │
│  │ Validation  │ ──▶│    Engine    │ ──▶│   Validation    │ │
│  └─────────────┘    └──────────────┘    └─────────────────┘ │
│         │                  │                    │           │
│         ▼                  ▼                    ▼           │
│  ┌─────────────┐    ┌──────────────┐    ┌─────────────────┐ │
│  │     PII     │    │     Rate     │    │      Audit      │ │
│  │  Detection  │    │   Limiter    │    │     Logger      │ │
│  └─────────────┘    └──────────────┘    └─────────────────┘ │
│                                                             │
└─────────────────────────────────────────────────────────────┘
                               │
                               ▼
                      ┌─────────────────┐
                      │  Upstream MCP   │
                      │     Server      │
                      └─────────────────┘
```

See docs/ARCHITECTURE.md for detailed design.
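To make the first and last stages of that pipeline concrete, here is an added example written for this page (not the project's code) of schema validation with the "suspicious pattern" check for prototype-pollution keys on the way in, and PII redaction on the way out. It assumes requests arrive as raw JSON-RPC 2.0 text (the MCP wire format); the forbidden-key list, the PII patterns and the Luhn filter on card numbers are illustrative choices, not the project's rule set, and all messages are constructed samples.

```javascript
// Added example (not @deepsweepai/mcp-firewall code): inbound schema
// validation with prototype-pollution detection, outbound PII redaction.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// JSON.parse creates an own property literally named "__proto__", so a later
// deep merge of params into a config object would pollute Object.prototype.
// Walk every object and reject such keys before anything merges them.
function findForbiddenKey(value, path) {
  if (value === null || typeof value !== 'object') return null;
  for (const key of Object.keys(value)) {
    if (FORBIDDEN_KEYS.has(key)) return `${path}.${key}`;
    const nested = findForbiddenKey(value[key], `${path}.${key}`);
    if (nested) return nested;
  }
  return null;
}

// Stage 1: schema validation of a JSON-RPC 2.0 request envelope.
function validateRequest(rawJson) {
  let msg;
  try { msg = JSON.parse(rawJson); } catch { return { ok: false, reason: 'malformed JSON' }; }
  if (msg === null || typeof msg !== 'object' || Array.isArray(msg)) return { ok: false, reason: 'not a JSON object' };
  if (msg.jsonrpc !== '2.0') return { ok: false, reason: 'jsonrpc must be "2.0"' };
  if (typeof msg.method !== 'string' || msg.method === '') return { ok: false, reason: 'method must be a non-empty string' };
  if (msg.id !== undefined && !['string', 'number'].includes(typeof msg.id)) return { ok: false, reason: 'id must be a string or number' };
  if (msg.params !== undefined && (msg.params === null || typeof msg.params !== 'object')) return { ok: false, reason: 'params must be an object or array' };
  const bad = findForbiddenKey(msg, '$');
  if (bad) return { ok: false, reason: `suspicious key ${bad}` };
  return { ok: true, message: msg };
}

// Luhn check so that order numbers and hashes that merely look like card
// numbers are not blanked out.
function luhnValid(s) {
  const digits = s.replace(/[ -]/g, '');
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Stage 3: response sanitisation. Patterns are illustrative.
const PII_PATTERNS = [
  { name: 'email', re: /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g, check: () => true },
  { name: 'ssn',   re: /\b\d{3}-\d{2}-\d{4}\b/g,                           check: () => true },
  { name: 'card',  re: /\b(?:\d[ -]?){13,19}\b/g,                           check: luhnValid },
];

function redactPii(text) {
  const findings = [];
  let out = text;
  for (const { name, re, check } of PII_PATTERNS) {
    out = out.replace(re, (m) => {
      if (!check(m)) return m;
      findings.push(name);
      return `[REDACTED:${name.toUpperCase()}]`;
    });
  }
  return { text: out, findings };
}

// Constructed messages: a clean tools/call, one smuggling a __proto__ key,
// a wrong protocol version, and truncated JSON.
const samples = {
  valid: '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"fs.read","arguments":{"path":"/tmp/a"}}}',
  polluted: '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"config.merge","arguments":{"__proto__":{"isAdmin":true}}}}',
  badVersion: '{"jsonrpc":"1.0","id":3,"method":"tools/list"}',
  garbage: '{"jsonrpc":"2.0",',
};
const toolOutput = 'Contact jane.doe@example.com, SSN 123-45-6789, card 4111 1111 1111 1111; order 1234567890123456 is fine.';

function demo() {
  return {
    validation: Object.fromEntries(Object.entries(samples).map(([k, v]) => [k, validateRequest(v)])),
    redaction: redactPii(toolOutput),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The order number in the sample survives redaction only because it fails Luhn; without that filter a pattern-only PII scanner both over-redacts tool output and gives a false sense that the remaining digits are safe.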
Configuration
Environment Variables
| Variable | Default | Description |
|----------|---------|-------------|
| UPSTREAM_MCP_URL | http://localhost:3000 | Upstream MCP server URL |
| PORT | 8080 | Proxy server port |
| METRICS_PORT | 9090 | Prometheus metrics port |
| POLICY_PATH | ./policy.yaml | Policy file path |
| LOG_LEVEL | info | Log level (trace/debug/info/warn/error) |
| ENABLE_PII_DETECTION | true | Enable PII scanning |
| ENABLE_MEMORY_CHECKSUM | true | Enable memory integrity checks |
| RATE_LIMIT_MAX | 100 | Max requests per window |
| RATE_LIMIT_WINDOW_MS | 60000 | Rate limit window (ms) |
Policy File Example
```yaml
version: "1.0"
name: production
description: Production security policy

rules:
  - id: block-sensitive-tools
    name: Block sensitive filesystem operations
    priority: 100
    conditions:
      - field: method
        operator: in
        value: ["fs.delete", "fs.write", "exec.shell"]
    action: DENY

  - id: require-auth
    name: Require authentication header
    priority: 90
    conditions:
      - field: context.clientId
        operator: equals
        value: "anonymous"
    action: DENY

  - id: log-all
    name: Log all requests
    priority: 10
    conditions:
      - field: type
        operator: equals
        value: "request"
    action: LOG

defaults:
  action: ALLOW
  enablePiiDetection: true
  enableMemoryChecksum: true
```

Two things to check before using this policy as-is. `defaults.action: ALLOW` makes it a blocklist: any method not named in `block-sensitive-tools` (for example `fs.chmod`) reaches the upstream server, so for a zero-trust deployment set the default to `DENY` and add explicit `ALLOW` rules for the tools the agent needs. And `require-auth` only matches a `context.clientId` that is literally `"anonymous"`; a request with no client ID at all does not satisfy an `equals` condition, so confirm how your deployment populates `context.clientId` for unauthenticated clients before relying on this rule.

API Reference
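Before the class reference, a small evaluator for the policy format shown above. It is an added example written for this page, not the project's policy engine, and it assumes semantics the page does not spell out: rules run in descending `priority`, the first `ALLOW` or `DENY` decides, `LOG` records a match and continues, and `defaults.action` applies when no rule decides. Field names are resolved as dotted paths against a constructed request envelope `{type, method, params, context}`. The requests at the bottom are constructed; two of them (`noClientId`, `unlisted`) show where a default of ALLOW and a literal `"anonymous"` match need care.

```javascript
// Added example (not @deepsweepai/mcp-firewall code): evaluating the
// production policy above against sample requests.

// The policy from the example, as the object a YAML loader would return.
const policy = {
  version: '1.0',
  name: 'production',
  rules: [
    { id: 'block-sensitive-tools', priority: 100, action: 'DENY',
      conditions: [{ field: 'method', operator: 'in',
                     value: ['fs.delete', 'fs.write', 'exec.shell'] }] },
    { id: 'require-auth', priority: 90, action: 'DENY',
      conditions: [{ field: 'context.clientId', operator: 'equals', value: 'anonymous' }] },
    { id: 'log-all', priority: 10, action: 'LOG',
      conditions: [{ field: 'type', operator: 'equals', value: 'request' }] },
  ],
  defaults: { action: 'ALLOW' },
};

// Resolve a dotted field path; undefined if any segment is missing. Own
// properties only, so a path like `context.constructor` cannot walk into the
// prototype chain and match something the request never carried.
function getField(obj, path) {
  return path.split('.').reduce(
    (cur, key) => (cur != null && Object.prototype.hasOwnProperty.call(cur, key) ? cur[key] : undefined),
    obj,
  );
}

const operators = {
  equals: (actual, expected) => actual === expected,
  in: (actual, expected) => Array.isArray(expected) && expected.includes(actual),
};

function conditionMatches(cond, request) {
  const op = operators[cond.operator];
  if (!op) throw new Error(`unknown operator: ${cond.operator}`);
  return op(getField(request, cond.field), cond.value);
}

// Returns the decision plus every rule that matched, so the audit log can
// record why a request was allowed or blocked, not just that it was.
function evaluate(policy, request) {
  const ordered = [...policy.rules].sort((a, b) => b.priority - a.priority);
  const matched = [];
  for (const rule of ordered) {
    if (!rule.conditions.every((c) => conditionMatches(c, request))) continue;
    matched.push(rule.id);
    if (rule.action === 'DENY' || rule.action === 'ALLOW') {
      return { action: rule.action, decidedBy: rule.id, matched };
    }
    // LOG: note the match and keep evaluating lower-priority rules.
  }
  return { action: policy.defaults.action, decidedBy: 'defaults', matched };
}

// Constructed requests.
const requests = {
  readFile:   { type: 'request', method: 'fs.read',    params: { path: '/tmp/report.txt' }, context: { clientId: 'agent-7' } },
  shell:      { type: 'request', method: 'exec.shell', params: { cmd: 'id' },               context: { clientId: 'agent-7' } },
  anonymous:  { type: 'request', method: 'fs.read',    params: {},                           context: { clientId: 'anonymous' } },
  noClientId: { type: 'request', method: 'fs.read',    params: {},                           context: {} },   // slips past require-auth
  unlisted:   { type: 'request', method: 'fs.chmod',   params: {},                           context: { clientId: 'agent-7' } }, // not in the blocklist
};

function demo() {
  const out = {};
  for (const [name, req] of Object.entries(requests)) out[name] = evaluate(policy, req);
  return out;
}

console.log(demo());
```

Run it and compare `noClientId` and `unlisted` with `anonymous` and `shell`: the first two are allowed by `defaults`, which is the behaviour the caveats above describe.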
Core Classes
```typescript
import { createFirewall } from '@deepsweepai/mcp-firewall';

// Create firewall
const firewall = createFirewall({
  upstream: { url: 'http://localhost:3000' },
  security: { enablePiiDetection: true },
});

// Process a request (`request` and `context` come from your MCP transport)
const response = await firewall.proxyRequest(request, context);

// Get metrics
const metrics = firewall.getMetrics();          // Prometheus format
const metricsObj = firewall.getMetricsObject(); // JSON

// Reload policy
await firewall.reloadPolicy();
```

LangChain Integration
```typescript
import { protectLangChain } from '@deepsweepai/mcp-firewall';

// `chain` is an existing LangChain runnable
const protectedChain = protectLangChain(chain, {
  piiDetection: true,
  auditLog: true,
  onViolation: (v) => console.log('Blocked:', v),
});

const result = await protectedChain.invoke(input);
```

CrewAI Integration
```typescript
import { protectCrew } from '@deepsweepai/mcp-firewall';

// `crew` is an existing CrewAI crew instance
const protectedCrew = protectCrew(crew, {
  consensus: 0.67, // Require 67% agent agreement
  memoryChecksum: true,
  piiDetection: true,
});

const result = await protectedCrew.kickoff({ task: 'analyze data' });
```

See docs/API.md for complete reference.
Development
```bash
# Clone repository
git clone https://github.com/deepsweep-ai/mcp-firewall.git
cd mcp-firewall

# Install dependencies
npm install

# Run in development mode
npm run dev

# Run tests
npm test

# Build
npm run build

# Run benchmarks
npm run benchmark
```

Community
- Discord: Join our community
- GitHub Discussions: Ask questions
- Security: [email protected]
Contributing
We welcome contributions from security researchers, AI engineers, and conscious stewards.
See CONTRIBUTING.md for guidelines.
Good First Issues: GitHub Issues
License
MIT © DeepSweep.ai
See LICENSE for details.
Built with consciousness. Deployed with confidence.
