These packages give you a policy enforcement layer that sits between an AI agent and its MCP servers, intercepting every `tools/call` to validate, rate-limit, and audit tool invocations before they reach the upstream. You'd adopt them to prevent an agent from accidentally or maliciously executing destructive operations like `DROP TABLE` or `rm -rf /`, and to enforce budgets, approval workflows, and read-only modes across database, filesystem, or network MCP servers. The system is built as a pluggable middleware pipeline: the rate limiter, cost tracker, secret scanner, argument validator, policy engine, anomaly detector, and approval workflow each implement the same `Middleware` interface and run in strict order, with a stage registered only when it is enabled in the policy configuration.
A human-in-the-loop approval workflow engine for tool-use-firewall that provides an `ApprovalWorkflow` class for managing multi-level approval chains with timeouts, plus Express-based REST API, CLI prompts, and webhook/Slack/Discord notification approvers.
An audit logger for tool-use-firewall that records ALLOW, BLOCK, and APPROVAL_REQUIRED decisions with configurable verbosity levels, automatic sensitive data redaction, rotating file output, and optional HTTP forwarding to SIEM systems. Exports an `AuditLogger` class with a `log(event)` method and a `close()` flush method.
Zod-based policy schema definitions and YAML policy file loader for the tool-use-firewall proxy. Exports `loadPolicyConfig(path)` to read and validate a YAML policy file, `validatePolicyFile(path)` to lint policies (including ReDoS safety checks), and typed `z.infer` config types for rate limits, costs, approvals, audits, and more.
Core types, error classes, structured logger, sensitive data redactor, and ReDoS-safe regex utilities for the tool-use-firewall ecosystem. Exports TypeScript types (`RequestContext`, `Middleware`, `InterceptorResponse`), a typed error hierarchy (`FirewallError`, `RateLimitError`, `ValidationError`, `PolicyViolationError`, `BudgetExceededError`, `ApprovalRequiredError`), a JSON logger that writes to stderr, a `redact()` function with built-in patterns for API keys and tokens, and `safeRegExp()`/`isSafeRegex()` for ReDoS-safe regex compilation.
A collection of middleware components (policy engine, rate limiter, cost tracker, argument validators, SQL validator, secret scanner, anomaly detector, and read-only enforcement), each implementing the `Middleware` interface for pluggable use in a tool-use-firewall interceptor pipeline.
An MCP proxy server that spawns upstream MCP servers as child processes, intercepts JSON-RPC `tools/call` messages, runs them through a configurable policy pipeline (rate limiter, cost tracker, secret scanner, argument validator, schema validator, policy engine, read-only check, anomaly detector, approval workflow, audit logger), and forwards allowed requests. Exports the `MCPProxyServer` class and the `tool-use-firewall` CLI binary.
A CLI and programmatic proxy server that intercepts every tool call from an AI agent to an MCP server, validating each call against a policy file before forwarding it upstream. Exports an `MCPProxyServer` class for programmatic use and a `tool-use-firewall` binary that accepts `--config` and `--upstream` arguments.
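The ordered, config-gated middleware pipeline that the overview and the proxy-server description above outline, as an added TypeScript example; this is not the packages' own code, and the `Middleware`, `RequestContext`, `Decision` and `PolicyConfig` shapes, the stage names and the sample tool calls are assumptions for illustration.

```typescript
// Added illustration (not tool-use-firewall's own code): an ordered,
// config-gated middleware pipeline. Every type and stage below is an assumption.
type RequestContext = { tool: string; args: Record<string, unknown>; callsSoFar: number };
type Decision = { action: "ALLOW" | "BLOCK"; reason?: string; stage?: string };
// A stage returns a Decision to stop the pipeline, or null to pass to the next stage.
interface Middleware { name: string; handle(ctx: RequestContext): Decision | null; }
type PolicyConfig = { rateLimit?: { maxCalls: number }; sqlValidation?: boolean; readOnly?: boolean };

// Stage 1: block once the caller has used up its quota for the window.
const rateLimiter = (maxCalls: number): Middleware => ({
  name: "rateLimiter",
  handle: (ctx) =>
    ctx.callsSoFar >= maxCalls ? { action: "BLOCK", reason: `rate limit of ${maxCalls} calls exceeded` } : null,
});

// Stage 2: refuse destructive SQL in a `query` tool call. The anchored pattern has
// no nested quantifiers, so it cannot backtrack catastrophically on hostile input.
const sqlValidator: Middleware = {
  name: "sqlValidator",
  handle: (ctx) => {
    if (ctx.tool !== "query") return null;
    const sql = String(ctx.args.sql ?? "");
    return /^\s*(drop|truncate|alter)\b/i.test(sql) ? { action: "BLOCK", reason: "destructive SQL statement" } : null;
  },
};

// Stage 3: read-only mode rejects any tool whose name marks it as mutating.
const readOnly: Middleware = {
  name: "readOnly",
  handle: (ctx) => (/^(write|delete|update)_/.test(ctx.tool) ? { action: "BLOCK", reason: "read-only mode" } : null),
};

// Stages are registered in a fixed order, and only when enabled in the policy config.
export function buildPipeline(cfg: PolicyConfig): Middleware[] {
  const stages: Middleware[] = [];
  if (cfg.rateLimit) stages.push(rateLimiter(cfg.rateLimit.maxCalls));
  if (cfg.sqlValidation) stages.push(sqlValidator);
  if (cfg.readOnly) stages.push(readOnly);
  return stages;
}

// Run the stages in order; the first one that returns a Decision wins, otherwise ALLOW.
export function evaluate(pipeline: Middleware[], ctx: RequestContext): Decision {
  for (const stage of pipeline) {
    const decision = stage.handle(ctx);
    if (decision) return { ...decision, stage: stage.name };
  }
  return { action: "ALLOW" };
}
```

Because the rate limiter is registered ahead of the SQL check, an over-quota `DROP TABLE` is reported as a rate-limit block, which is what an audit log reader should expect from a strictly ordered pipeline.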