@keypost/wrapper
v0.1.0
Published
Lightweight wrapper for local stdio MCP servers with Keypost policy enforcement
Maintainers
kxbnbReadme
@keypost/wrapper
Lightweight Node.js wrapper for local stdio MCP servers with Keypost policy enforcement.
Overview
The Keypost Wrapper enables you to apply Keypost policies to local stdio MCP servers (like filesystem, local databases, system tools) while maintaining low latency and a simple user experience.
How It Works
AI Agent (Claude Desktop, etc.)
↓ (spawns keypost-wrapper)
Keypost Wrapper
↓ (HTTP) → Keypost Cloud (evaluates request policies)
↓ (stdio) → Local MCP Server
↓ (HTTP) → Keypost Cloud (evaluates response policies)
↓ (stdio) → AI AgentThe wrapper:
- Receives MCP requests from AI agents via stdin
- Evaluates request policies via Keypost cloud API
- Forwards allowed requests to local stdio servers
- Evaluates response policies via Keypost cloud API
- Returns modified/allowed responses via stdout
Installation
Using npx (Recommended)
No installation needed - just use npx:
npx @keypost/wrapper --keypost my-fs -- npx @modelcontextprotocol/server-filesystem /tmpGlobal Installation
npm install -g @keypost/wrapperThen use directly:
keypost-wrapper --keypost my-fs -- npx @modelcontextprotocol/server-filesystem /tmpUsage
Basic Usage
Replace your stdio server command with the wrapper:
Before:
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": ["@modelcontextprotocol/server-filesystem", "/Users/me/Documents"]
}
}
}After:
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": [
"@keypost/wrapper",
"--keypost", "my-fs",
"--",
"npx", "@modelcontextprotocol/server-filesystem", "/Users/me/Documents"
]
}
}
}CLI Arguments
npx @keypost/wrapper --keypost <SLUG_OR_URL> -- <SERVER_COMMAND>Options:
--keypost <SLUG_OR_URL>(or-k) - Keypost slug or full URL (required).- Slug:
my-fs(defaults tohttps://my-fs.keypost.ai) - Full URL:
http://localhost:5001/my-fs(for local development)
- Slug:
-- <COMMAND>- Local stdio server command and args (everything after--)
Environment Variables:
DEBUG=keypost:*- Enable debug logging
Examples
Filesystem Server (Production):
npx @keypost/wrapper --keypost my-fs -- npx @modelcontextprotocol/server-filesystem /tmpGitHub Server (Production):
npx @keypost/wrapper --keypost my-github -- npx @modelcontextprotocol/server-githubCustom Server (Local Development):
npx @keypost/wrapper --keypost http://localhost:5001/my-server -- python3 my_mcp_server.pyConfiguration
1. Create Keypost in Dashboard
- Go to https://app.keypost.ai
- Click "Add Keypost"
- Select type: Stdio
- Enter name and slug (e.g., "My Filesystem", "my-fs")
- Configure policies
2. Update AI Agent Config
Add the wrapper to your AI agent's MCP server configuration (see Usage above).
3. Use Normally
Your AI agent will now enforce Keypost policies on all tool calls to the local server.
Policy Examples
Block Write Operations
- tool: write_file
access: denyRestrict File Paths
- tool: read_file
param:
path:
must_match: "^/Users/me/Documents/public/"DLP on Responses
- tool: read_file
response:
dlp:
block_patterns:
ssn: "\\d{3}-\\d{2}-\\d{4}"
api_key: "sk-[a-zA-Z0-9]{32}"
action: redactRate Limiting
- tool: query_database
throttle:
max: 100
per: hourRust Alternative
If you prefer a compiled binary with faster startup time, we also provide a Rust version:
cargo install keypost-wrapperSee keypost-wrapper for details.
Troubleshooting
Debug Logging
Enable verbose logging to see what's happening:
DEBUG=keypost:* npx @keypost/wrapper --keypost my-fs -- npx @modelcontextprotocol/server-filesystem /tmpWrapper Not Starting
Check that the server command after -- is correct:
# Test the server command directly first
npx @modelcontextprotocol/server-filesystem /tmpAuthentication Errors
Ensure your Keypost is configured with type "stdio" in the dashboard.
Process Not Cleaning Up
The wrapper handles SIGTERM/SIGINT to ensure stdio servers are terminated when the wrapper exits.
Requirements
- Node.js 18+
- npm or npx
License
MIT