Block dangerous MCP tool calls at the protocol layer. Scan, proxy, enforce.
Part of the MCP Security Platform. Scan before you trust with mcp-observatory (236★), then enforce at runtime with mcp-seatbelt. 📄 Read the technical whitepaper.
🌐 Website: kryptosai.github.io/mcp-seatbelt — demo, comparison, pricing
AI coding agents (Cursor, Claude, VS Code, ChatGPT, Windsurf, and others) connect to MCP servers that expose file systems, shell interpreters, network access, and environment variables. Static scanners tell you you're exposed — but they act after the fact. By the time a scanner flags a risky server, the agent may have already run a destructive command, exfiltrated credentials, or reached out to an untrusted endpoint.
MCP Seatbelt adds a runtime enforcement layer. It acts as a policy proxy between the agent and every MCP server, evaluating each JSON-RPC tool call against rules you control and denying dangerous requests before they reach the upstream. It does not operate at the TCP level — it inspects and gate-checks every call at L7 (the MCP protocol layer) before forwarding.
-
Detects MCP configs across 8 clients — Automatically discovers MCP server configurations from Cursor, Claude Desktop, VS Code (user + workspace), ChatGPT Desktop, Codex, JetBrains IDEs (IntelliJ, PyCharm, WebStorm, etc.), Windsurf, and project-local files (
.mcp.json,.mcp/config.json). No manual wiring required. -
Runtime proxy with policy enforcement — Starts a transparent JSON-RPC 2.0 proxy on port 9420. Every tool call, resource access, and prompt request is intercepted, evaluated against your policy, and allowed, denied, warned, or redacted. Three modes:
default-deny(zero-trust),allowlist(whitelist known-good), andaudit(log only, no blocking). -
13 built-in risk rules — Covers shell interpreters (
bash,sh,zsh,python,node), sandbox bypass (--no-sandbox,--disable-web-security), credential exposure in environment variables, Docker privileged containers, raw network tools (curl,nc,telnet), process spawning, destructive filesystem operations, remote URL access, risky package runners (npx,uvx), privilege escalation (sudo,chmod), and sensitive filesystem paths. -
Policy engine with time-windowed rules, learning mode, rule inheritance, and context awareness — Rules support regex pattern matching, exact-match, and substring containment. Restrict tool access by day of week and hour range (
timeWindow). Condition rules on client identity or request rate (contextCondition). Policies canextendparent templates. Theauditmode serves as a learning mode: run it to observe actual tool usage before switching toenforce. -
Live dashboard, SARIF reports, CI/CD integration, and observatory bridge — A real-time HTML dashboard shows request stats, block rates, connected clients, and recent blocked calls. Generate SARIF 2.1.0 reports for GitHub Code Scanning. Import security findings from mcp-observatory and automatically convert them to policy rules.
mcp-seatbelt checkexits non-zero in CI when critical risks are detected. -
Per-call timeouts — Hung tool calls are killed and return a clean JSON-RPC error instead of a raw 503. Configurable per-rule (10s for shell commands, 60s for safe tools).
- OWASP LLM Top 10 mapping — Every blocked call is tagged with OWASP categories (LLM01 Prompt Injection, LLM06 Excessive Agency, etc.)
- Compliance framework mapping — Policy rules carry SOC2, HIPAA, GDPR, ISO 27001, and PCI-DSS control tags
- Multi-step attack chain detection — XState-based state machine tracks call sequences: recon → execution → persistence → exfiltration
- Honeytoken injection & detection — Plants decoy credentials (AWS keys, GitHub tokens, DB URLs) in tool responses, alerts on access
- Forensic session capture — Records full request/response pairs as
.mcpcap.jsonfor incident analysis - Schema-aware argument validation — Validates tool arguments against declared JSON Schemas, detects path traversal and injection
- Threat intelligence integration — Queries ThreatFox IOC database for IP/domain reputation checks
- Input fuzzing — Generates edge-case payloads against policy rules to find bypasses
- Role-based access control — Per-agent permissions with casbin. Admin can execute all tools, agents get scoped access
- Response DLP — Scans upstream responses for secret patterns (API keys, tokens, private keys) and redacts them
npm install -g @kryptosai/mcp-seatbelt # or: brew install mcp-seatbelt
npx @kryptosai/mcp-seatbelt init # scan all clients, assess risk, generate policy
npx mcp-seatbelt proxy # start the enforcing proxy on port 9420
npx mcp-seatbelt dashboard # view live stats at http://localhost:9421On first run, init creates .mcp-seatbelt/policy.yml (your editable ruleset) and .mcp-seatbelt/risk-report.md (a summary of every server and its risk flags). The proxy starts in audit mode by default — observe actual tool usage, then switch to enforce when ready.
mcp-seatbelt fuzz --policy .mcp-seatbelt/policy.yml --iterations 200 # find policy bypasses
mcp-seatbelt record --output .mcp-seatbelt/sessions # forensic recording mode
mcp-seatbelt rbac-init -o .mcp-seatbelt # init RBAC model + policy filesImages are automatically built and published on every release via GitHub Actions.
docker run -p 9420:9420 -v $(pwd)/.mcp-seatbelt:/app/.mcp-seatbelt ghcr.io/kryptosai/mcp-seatbelt:latest proxy┌─────────┐ JSON-RPC 2.0 ┌────────────────────────────────────┐ JSON-RPC 2.0 ┌─────────────┐
│ Agent │ ────────────────────▶ │ MCP Seatbelt Proxy │ ────────────────────▶ │ MCP Server │
│ (Cursor) │ │ (localhost:9420) │ │ (filesystem)│
└─────────┘ │ │ └─────────────┘
│ ┌──────────────┐ ┌───────────┐ │
│ │ Policy Engine│──│Interceptor │ │
│ │ ┌───────┐ │ │ ┌──────┐ │ │
│ │ │ Rules │ │ │ │Allow?│ │ │
│ │ │Allowlist│ │ │ │Deny? │ │ │
│ │ │Templates│ │ │ │Redact│ │ │
│ │ │TimeWin │ │ │ │Warn? │ │ │
│ │ └───────┘ │ │ └──────┘ │ │
│ └──────────────┘ └─────┬─────┘ │
│ │ │
│ ┌─────▼─────┐ │
│ │ Transport │ │
│ │ Client │ │
│ └───────────┘ │
└────────────────────────────────────┘
- Proxy — Listens for inbound JSON-RPC 2.0 requests from the AI agent. Manages server registration, proxied URL routing, and connection lifecycle.
- Policy Engine — Evaluates each request against the loaded policy. Checks tool name, arguments, and description against rules. Returns
allow,deny,warn, orredactwith reasons. - Interceptor — Applies the engine's decision. Allowed calls are forwarded. Denied calls receive an MCP error response. Warned calls proceed but are logged.
redactreplaces argument values matching credential patterns with***. - Transport Client — Forwards allowed requests to the real upstream MCP server and streams responses back to the agent.
The proxy never returns a raw upstream error to the agent. If a call exceeds its timeout, the child process is killed and the agent receives a clean error message — no 503s, no hanging connections.
Every request flows through an 11-stage pipeline: RBAC → Schema Validation → Path Safety → Policy Engine → Threat Intel → Honeytokens → Attack Chains → Proxy → Response DLP → Forensics → Audit Log.
| Feature | mcp-seatbelt | mcp-firewall | mcp-guardian | Prismor | mcp-proxy | |---|---|---|---|---|---|---| | Runtime blocking | ✓ | ✓ | ✓ | ✓ | ✗ | | Pre-install scanning | ✓ | ✗ | ✗ | ✗ | ✗ | | 8+ client detection | ✓ | ✗ | ✗ | ✗ | ✗ | | Argument redaction | ✓ | ✗ | ✗ | ✗ | ✗ | | Learning mode | ✓ | ✗ | ✗ | ✗ | ✗ | | Live dashboard | ✓ | ✗ | ✓ | ✗ | ✗ | | SARIF / GitHub Code Scanning | ✓ | ✗ | ✗ | ✗ | ✗ | | mcp-observatory integration | ✓ | ✗ | ✗ | ✗ | ✗ | | Per-call timeouts | ✓ | ✗ | ✗ | ✗ | ✗ | | OWASP LLM Top 10 mapping | ✓ | ✗ | ✗ | ✗ | ✗ | | Compliance tagging (SOC2/HIPAA) | ✓ | ✗ | ✗ | ✗ | ✗ | | Attack chain detection | ✓ | ✗ | ✗ | ✗ | ✗ | | Honeytoken/injection detection | ✓ | ✗ | ✗ | ✗ | ✗ | | Schema-aware validation | ✓ | ✗ | ✗ | ✗ | ✗ | | Threat intel (IOC lookup) | ✓ | ✗ | ✗ | ✗ | ✗ | | RBAC (per-agent access) | ✓ | ✗ | ✗ | ✗ | ✗ |
Seatbelt is the only tool that combines pre-install scanning with runtime enforcement, covers all major AI agent clients, redacts credential arguments inline, and bridges static analysis results from mcp-observatory into live policy rules.
mcp-seatbelt includes a defense-in-depth security pipeline that evaluates every tool call through multiple layers:
| Layer | Feature | Description |
|---|---|---|
| 1 | RBAC | Casbin-based role-based access control for agents and tools. mcp-seatbelt rbac-init generates model and policy files. |
| 2 | Schema Validation | AJV-based JSON Schema validation of tool arguments against compiled schemas. |
| 3 | Path Safety | Detects path traversal, null-byte injection, and sensitive path access in arguments. |
| 4 | Policy Engine | Rule-based evaluation with regex/exact/contains matching, time windows, context conditions, and arg constraints. |
| 5 | Threat Intel | Async ThreatFox IOC lookup for IPs and domains in tool arguments. |
| 6 | Honeytokens | Plants decoy credentials in responses; detects exfiltration when honeytokens appear in subsequent calls. |
| 7 | Attack Chain Tracking | XState-based state machine tracking multi-step attack patterns (recon→execution→persistence→exfiltration). |
| 8 | Forensic Capture | Records all requests and responses in signed .mcpcap.json session files when enabled. |
| 9 | Response DLP | Scans upstream responses for secret patterns (API keys, tokens, private keys) and redacts them. |
| 10 | Input Fuzzing | Generates edge-case payloads from JSON schemas and tests policy bypass resilience. mcp-seatbelt fuzz --policy policy.yml |
mcp-seatbelt fuzz generates randomized tool call arguments using json-schema-faker, injects edge-case payloads (path traversal, command injection, SQL injection, Log4Shell), and evaluates each payload against your policy. Bypasses are reported with the specific payload and rule that should have blocked them.
mcp-seatbelt fuzz --policy .mcp-seatbelt/policy.yml --iterations 200 --jsonmcp-seatbelt init --policy enforce # generate an enforcing policy
mcp-seatbelt proxy --config my.yml # start proxy with custom policy
mcp-seatbelt report --sarif # SARIF 2.1.0 output for CI
mcp-seatbelt check # exit 1 if critical risks found
mcp-seatbelt diff old.yml new.yml # compare two policy files
mcp-seatbelt import-observatory # convert observatory findings to rules| Command | Description |
|---|---|
mcp-seatbelt fuzz |
Fuzz a policy against tool schemas to find bypasses |
mcp-seatbelt record |
Start proxy in forensic recording mode |
mcp-seatbelt rbac-init |
Initialize RBAC model and policy files |
mcp-seatbelt simulate |
Simulate a tool call against the policy and show evaluation trace |
mcp-seatbelt benchmark |
Run performance benchmarks against the proxy |
mcp-seatbelt test-policy |
Run policy tests from a test YAML file |
mcp-seatbelt baseline |
Generate a behavioral baseline from audit logs |
mcp-seatbelt verify-audit |
Verify signed audit log integrity |
| Rule | Target | Description |
|---|---|---|
block-shell-execution |
command | Blocks direct shell interpreter invocations (bash, sh, zsh, cmd, powershell) |
block-sensitive-paths |
file | Blocks filesystem writes to /etc, /root, ~/.ssh, ~/.aws, C:\Windows |
block-credential-access |
command | Blocks tools whose descriptions mention passwords, secrets, tokens, keys |
redact-credentials |
command | Redacts argument values whose key names match credential patterns |
block-private-network |
network | Blocks HTTP requests to private/loopback address ranges |
block-process-execution |
process | Blocks tools that spawn child processes or evaluate code |
allow-filesystem-writes-business-hours |
file | Allows filesystem writes only Mon-Fri, 09:00-17:00 |
| Template | Default Action | Use Case |
|---|---|---|
minimal-workstation |
allow | Blocks shell execution and credential access only; everything else permitted |
pci-compliance |
deny | Blocks shell, credentials, PAN/cardholder data paths, audit log tampering |
strict-production |
deny | Blocks all tool calls, network requests, and filesystem operations by default |
Templates can be extended via the extends field in your policy file:
version: '1'
mode: enforce
extends:
- pci-compliance
rules:
- id: custom-rule
target: network
match: pattern
values: ['.*']
action: denyrules:
- id: example-rule # unique identifier
description: What this blocks # human-readable explanation
target: command # command | file | network | env | process
match: pattern # exact | pattern | contains
values: # list of strings or regex patterns
- '^rm\s+-rf'
action: deny # allow | deny | warn | redact
timeWindow: # optional — restrict by day/hour
days: [Monday, Tuesday, Wednesday, Thursday, Friday]
startHour: 9
endHour: 17
contextCondition: # optional — restrict by client or rate
clientIn: [cursor, claude-desktop]
maxRequestsPerMinute: 60Entries in the allowlist bypass all deny rules. Use after running init to whitelist known-good tools, paths, hosts, and environment variables:
allowlist:
tools: [safe-tool, read-only-fs]
paths: [/home/user/projects/]
hosts: [api.github.com]
envVars: [NODE_ENV, PATH]After starting the proxy, update each client's MCP configuration to route through localhost:9420. The proxy prints a table of proxy URLs on startup — copy and paste them.
Cursor — ~/.cursor/mcp.json
{ "mcpServers": { "my-server": { "url": "http://localhost:9420/my-server" } } }Claude Desktop — ~/Library/Application Support/Claude/claude_desktop_config.json
{ "mcpServers": { "my-server": { "url": "http://localhost:9420/my-server" } } }VS Code — .vscode/mcp.json or User settings
{ "servers": { "my-server": { "url": "http://localhost:9420/my-server" } } }ChatGPT Desktop — App config
{ "mcpServers": { "my-server": { "url": "http://localhost:9420/my-server" } } }Codex / JetBrains / Windsurf — Same pattern: replace the command/args transport with "url": "http://localhost:9420/<server-name>".
mcp-observatory scans MCP servers at rest — auditing source code, supply chain posture, and manifest hygiene. Seatbelt provides the runtime counterpart.
Workflow:
- Scan first — Run mcp-observatory to audit every MCP server before installation. It produces a security findings artifact (JSON).
- Convert —
mcp-seatbelt import-observatory ./observatory-results.jsonconverts findings into policy rules. - Enforce at runtime — The proxy loads those rules and blocks any tool call that matches an observatory finding, closing the loop from static analysis to live enforcement.
The observatory bridge (mergeObservatoryPolicy) can merge findings into an existing seatbelt policy without overwriting your custom rules.
mcp-observatory Cloud provides hosted dashboards, private CI scanning, certification badges, and supply-chain compliance reports for teams and organizations. Seatbelt integrates as the runtime enforcement layer — observatory validates what you install; seatbelt controls what it can do at execution time.
- Observatory Cloud: hosted scanning, private registries, team dashboards
- Seatbelt: on-machine proxy with policy enforcement, redaction, and live monitoring
- Together: scan at rest + enforce at runtime = complete MCP security lifecycle
- Multi-client detection (8 clients)
- Runtime JSON-RPC 2.0 proxy with request interception
- Policy engine with regex/exact/contains matching, time windows, context conditions
- Risk assessment engine (13 rules)
- Live dashboard web UI with auto-refresh
- SARIF 2.1.0 and markdown report generation
- mcp-observatory integration bridge
- CI/CD check command (
mcp-seatbelt check) - OWASP LLM Top 10 mapping and compliance framework tagging
- Multi-step attack chain detection (XState state machine)
- Honeytoken injection and detection
- Forensic session capture (.mcpcap.json)
- Schema-aware argument validation
- Threat intelligence integration (ThreatFox IOC lookup)
- Input fuzzing against policy rules
- Role-based access control (casbin RBAC)
- Policy diff and migration tooling (#12)
- Prometheus
/metricsendpoint for observability stacks (#15) - OPA/Rego policy integration (#18)
- Per-tool granularity — allow tool A but deny tool B on the same server (#20)
- Persistent audit trail and request logging with SQLite (#22)
- Plugin system for custom risk rules (#25)
See CONTRIBUTING.md for development setup, testing instructions, and pull request guidelines. Security issues should follow the process in SECURITY.md.
- 485 tests across 18 test suites (CLI, detectors, policy engine, proxy server, proxy interception, reports, security modules, RBAC, threat intel, LLM judge, forensics, honeytokens, attack chains, schema validator, audit, notifications, baseline, integration)
npm testruns the full Vitest suite;npm run typecheckverifies TypeScript- PRs should include tests for new rules, detectors, or policy features
