npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

mcp-airlock

v0.10.1

Published

Deterministic trust layer for AI agents — a governance gateway for MCP tool calls (allow/block/review + tamper-evident hash-chained audit ledger). OWASP Agentic (ASI) Top 10 mapped coverage. No LLM, zero-dep.

Downloads

2,694

Readme

AI agents now act: MCP tools went from 5,000 → 177,000 in 15 months (97M monthly SDK downloads, backed by every major vendor), and they've shifted from reading data to executing code and transactions. But the safety hasn't kept up: 41% of MCP servers have no auth, 30+ CVEs landed in early 2026, 88% of agent deployments hit a security incident, and — in the words of Fortune — "there's no way to let an agent work freely and verify before accepting; the trust infrastructure simply doesn't exist."

airlock is that infrastructure. It sits between the agent and its tools and governs every call (= every action) against a policy you set: allow / block / require-approval — and logs every decision to an audit ledger. Governs both MCP (agent↔tools) and A2A (agent↔agent — message/send, tasks/send), over stdio and HTTP. No LLM (you can't catch hallucinations with hallucinations), deterministic, zero per-call cost, zero-dep.

agent ──tools/call──▶ airlock ──(allow)──▶ real MCP server
                         │
                         ├─(block/review)─▶ ⛔ denied, agent gets an error
                         └──────────────────▶ audit ledger (every decision)

Why this, why now

  • judge ≠ player: the agent proposes an action; a deterministic governor disposes. The agent is built to complete tasks, not to question them — so the governor must be separate.
  • Rides the MCP standard's distribution: install it wherever MCP is used.
  • Compliance is a byproduct: the audit ledger is the EU AI Act Article 12 record (hard-gate/soft-gate interventions) — no extra work.

Verify, don't trust

The ledger is recomputable: every entry is hash-chained and the file carries the proof needed to verify itself. mcp-airlock verify re-checks the whole chain without trusting the issuer — a regulator, an auditor, or a counterparty agent can independently confirm what was governed, offline, from the artifact alone.

That's the primitive the emerging agent-trust standards are converging on — recomputable attestation of agent behavior (cf. NIST's AI Agent Standards Initiative, which names agent identity & authorization as the priority gap; the recomputable trust protocol line of work, arXiv:2605.06738). Most of that is still spec and concept. airlock is a running, installable implementation of it today — one line in front of any MCP server.

Quickstart

Put airlock -- in front of any MCP server in your client config. Example (Claude Desktop / Claude Code mcpServers) — wrap the real filesystem server:

{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["mcp-airlock", "--", "npx", "-y", "@modelcontextprotocol/server-filesystem", "/path"]
    }
  }
}

The agent now talks to airlock; airlock spawns the real server and mediates every tool call. Dangerous calls (rm -rf, curl | sh, reading ~/.ssh/id_rsa, DROP TABLE, hardcoded secrets, git push --force, data exfil…) are blocked or held for approval; everything else passes; all logged.

Verified end-to-end against real MCP servers (@modelcontextprotocol/server-everything and server-filesystem). Example with the filesystem server — an agent reading a normal file passes through and returns the real content, but reading .ssh/id_rsa is held for your approval:

read_text_file  notes.txt        → ✅ "hello from a normal file"   (reaches the real server)
read_text_file  .ssh/id_rsa      → ⛔ airlock: Human approval required (secret-file-access)

Commands

mcp-airlock demo                            5-second live demo (no server of your own needed)
mcp-airlock -- <mcp-server-cmd> [args...]   proxy a local (stdio) MCP server
mcp-airlock http --upstream <url> [--port]  proxy a remote (HTTP) MCP server
mcp-airlock policy [--json]                 show the active policy (what gets blocked/held)
mcp-airlock pending                         list actions waiting for your approval
mcp-airlock approve <sig>                   approve one held action (approve-once)
mcp-airlock report [--json]                 EU AI Act Art.12 governance record from the ledger
mcp-airlock verify                          re-check the hash-chain (trust no issuer, offline)

block = hard-forbidden (never approvable). review = held until you approve its signature.

Customize the policy

  • Your rules: AIRLOCK_POLICY=rules.json — a JSON array of {id, pattern, action, reason} (action: block | review). Your rules take priority.
  • Ecosystem sync: install @portunus/kernel and airlock uses its DANGER set as the single source for security patterns (no drift); otherwise the built-in policy stands alone (zero-dep).
  • Ledger path: AIRLOCK_LEDGER (default airlock-ledger.jsonl), approvals: AIRLOCK_APPROVALS.
  • Accountability: set AIRLOCK_PRINCIPAL=<your-name> to record which agent acted under whose authority in the ledger (the identity/audit trail required by emerging agent-governance rules).

Security posture (honest threat model)

airlock is defense-in-depth, not a sandbox. Be clear about what it does and doesn't do:

Catches — known/obvious dangerous patterns (destructive commands rm -rf/shred/find -delete, curl|sh, secret files & literals, DROP TABLE, git push --force, exfil, path traversal, command substitution), runaway agents (loops / rate — a $48k-in-14h class of incident: throttles repeated & high-frequency calls), supply-chain attacks (pins tool descriptions → flags rug-pulls & description-injection, then blocks calls to poisoned tools), output injection (scans tool-call results and neutralizes hidden instructions — "ignore previous…", "exfiltrate the key" — before they reach the agent's context, blunting goal-hijack & context-poisoning), and rogue-agent detection (the ledger is a behavior baseline; report grades each agent's intervention rate and flags elevated/possible-rogue). Fail-closed on batches. Deterministic, no per-call cost, no hallucinations.

OWASP Agentic Top 10 (2026) — touches all ten to varying depth: active prevention for ASI02 tool-misuse, ASI03 identity, ASI04 supply-chain, ASI05 code-exec, ASI07 inter-agent (A2A), ASI08 cascading/resource; detection / defense-in-depth for ASI01 goal-hijack & ASI06 memory-poisoning (output scanning), ASI09 human-agent-trust (every held action shows the human exactly what the agent is about to do before they approve), ASI10 rogue-agents (risk report). Depth is honest — the last four raise the floor and surface signal, they don't claim full prevention.

Does NOT — it is pattern-based, so a determined adversary can craft evasions (encoding/obfuscation, novel commands, homoglyphs) in both requests and tool outputs. Output neutralization is best-effort text redaction, not a guarantee. It is not a substitute for OS-level sandboxing, least-privilege file/network permissions, or human review.

Use it as one layer: airlock (block known-bad + require approval) + OS sandbox/ least-privilege + review. It raises the floor and creates the audit trail; it doesn't claim to stop a sophisticated attacker. (This honesty is the point — overclaiming is how security tools lose trust.)

Open-core

  • Free / OSS: the local gateway (this repo). Adoption = distribution.
  • Team: hosted control plane — central policy, shared audit, team analytics, approvals.
  • Enterprise: compliance evidence (EU AI Act Art.12 / AIBOM), SSO, RBAC, SOC2.

Built on the same deterministic-governance engine as the portunus stack (gates · shadow→graduate policy rollout · attest audit evidence) — airlock is that engine with an MCP transport.