mcp-airlock
v0.10.1
Published
Deterministic trust layer for AI agents — a governance gateway for MCP tool calls (allow/block/review + tamper-evident hash-chained audit ledger). OWASP Agentic (ASI) Top 10 mapped coverage. No LLM, zero-dep.
Downloads
2,694
Maintainers
Readme
AI agents now act: MCP tools went from 5,000 → 177,000 in 15 months (97M monthly SDK downloads, backed by every major vendor), and they've shifted from reading data to executing code and transactions. But the safety hasn't kept up: 41% of MCP servers have no auth, 30+ CVEs landed in early 2026, 88% of agent deployments hit a security incident, and — in the words of Fortune — "there's no way to let an agent work freely and verify before accepting; the trust infrastructure simply doesn't exist."
airlock is that infrastructure. It sits between the agent and its tools and governs
every call (= every action) against a policy you set: allow / block / require-approval —
and logs every decision to an audit ledger. Governs both MCP (agent↔tools) and A2A
(agent↔agent — message/send, tasks/send), over stdio and HTTP. No LLM (you can't
catch hallucinations with hallucinations), deterministic, zero per-call cost, zero-dep.
agent ──tools/call──▶ airlock ──(allow)──▶ real MCP server
│
├─(block/review)─▶ ⛔ denied, agent gets an error
└──────────────────▶ audit ledger (every decision)Why this, why now
- judge ≠ player: the agent proposes an action; a deterministic governor disposes. The agent is built to complete tasks, not to question them — so the governor must be separate.
- Rides the MCP standard's distribution: install it wherever MCP is used.
- Compliance is a byproduct: the audit ledger is the EU AI Act Article 12 record (hard-gate/soft-gate interventions) — no extra work.
Verify, don't trust
The ledger is recomputable: every entry is hash-chained and the file carries the proof
needed to verify itself. mcp-airlock verify re-checks the whole chain without trusting the
issuer — a regulator, an auditor, or a counterparty agent can independently confirm what was
governed, offline, from the artifact alone.
That's the primitive the emerging agent-trust standards are converging on — recomputable
attestation of agent behavior (cf. NIST's AI Agent Standards Initiative,
which names agent identity & authorization as the priority gap; the recomputable trust
protocol line of work, arXiv:2605.06738). Most of that is
still spec and concept. airlock is a running, installable implementation of it today —
one line in front of any MCP server.
Quickstart
Put airlock -- in front of any MCP server in your client config. Example (Claude Desktop /
Claude Code mcpServers) — wrap the real filesystem server:
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": ["mcp-airlock", "--", "npx", "-y", "@modelcontextprotocol/server-filesystem", "/path"]
}
}
}The agent now talks to airlock; airlock spawns the real server and mediates every tool call.
Dangerous calls (rm -rf, curl | sh, reading ~/.ssh/id_rsa, DROP TABLE, hardcoded secrets,
git push --force, data exfil…) are blocked or held for approval; everything else passes;
all logged.
Verified end-to-end against real MCP servers (@modelcontextprotocol/server-everything and
server-filesystem). Example with the filesystem server — an agent reading a normal file passes
through and returns the real content, but reading .ssh/id_rsa is held for your approval:
read_text_file notes.txt → ✅ "hello from a normal file" (reaches the real server)
read_text_file .ssh/id_rsa → ⛔ airlock: Human approval required (secret-file-access)Commands
mcp-airlock demo 5-second live demo (no server of your own needed)
mcp-airlock -- <mcp-server-cmd> [args...] proxy a local (stdio) MCP server
mcp-airlock http --upstream <url> [--port] proxy a remote (HTTP) MCP server
mcp-airlock policy [--json] show the active policy (what gets blocked/held)
mcp-airlock pending list actions waiting for your approval
mcp-airlock approve <sig> approve one held action (approve-once)
mcp-airlock report [--json] EU AI Act Art.12 governance record from the ledger
mcp-airlock verify re-check the hash-chain (trust no issuer, offline)block = hard-forbidden (never approvable). review = held until you approve its signature.
Customize the policy
- Your rules:
AIRLOCK_POLICY=rules.json— a JSON array of{id, pattern, action, reason}(action:block|review). Your rules take priority. - Ecosystem sync: install
@portunus/kerneland airlock uses itsDANGERset as the single source for security patterns (no drift); otherwise the built-in policy stands alone (zero-dep). - Ledger path:
AIRLOCK_LEDGER(defaultairlock-ledger.jsonl), approvals:AIRLOCK_APPROVALS. - Accountability: set
AIRLOCK_PRINCIPAL=<your-name>to record which agent acted under whose authority in the ledger (the identity/audit trail required by emerging agent-governance rules).
Security posture (honest threat model)
airlock is defense-in-depth, not a sandbox. Be clear about what it does and doesn't do:
Catches — known/obvious dangerous patterns (destructive commands rm -rf/shred/find
-delete, curl|sh, secret files & literals, DROP TABLE, git push --force, exfil, path
traversal, command substitution), runaway agents (loops / rate — a $48k-in-14h class of
incident: throttles repeated & high-frequency calls), supply-chain attacks (pins tool
descriptions → flags rug-pulls & description-injection, then blocks calls to poisoned tools),
output injection (scans tool-call results and neutralizes hidden instructions —
"ignore previous…", "exfiltrate the key" — before they reach the agent's context, blunting
goal-hijack & context-poisoning), and rogue-agent detection (the ledger is a behavior
baseline; report grades each agent's intervention rate and flags elevated/possible-rogue).
Fail-closed on batches. Deterministic, no per-call cost, no hallucinations.
OWASP Agentic Top 10 (2026) — touches all ten to varying depth: active prevention for ASI02 tool-misuse, ASI03 identity, ASI04 supply-chain, ASI05 code-exec, ASI07 inter-agent (A2A), ASI08 cascading/resource; detection / defense-in-depth for ASI01 goal-hijack & ASI06 memory-poisoning (output scanning), ASI09 human-agent-trust (every held action shows the human exactly what the agent is about to do before they approve), ASI10 rogue-agents (risk report). Depth is honest — the last four raise the floor and surface signal, they don't claim full prevention.
Does NOT — it is pattern-based, so a determined adversary can craft evasions (encoding/obfuscation, novel commands, homoglyphs) in both requests and tool outputs. Output neutralization is best-effort text redaction, not a guarantee. It is not a substitute for OS-level sandboxing, least-privilege file/network permissions, or human review.
Use it as one layer: airlock (block known-bad + require approval) + OS sandbox/ least-privilege + review. It raises the floor and creates the audit trail; it doesn't claim to stop a sophisticated attacker. (This honesty is the point — overclaiming is how security tools lose trust.)
Open-core
- Free / OSS: the local gateway (this repo). Adoption = distribution.
- Team: hosted control plane — central policy, shared audit, team analytics, approvals.
- Enterprise: compliance evidence (EU AI Act Art.12 / AIBOM), SSO, RBAC, SOC2.
Built on the same deterministic-governance engine as the portunus stack (gates · shadow→graduate policy rollout · attest audit evidence) — airlock is that engine with an MCP transport.
