Open-source security middleware for MCP

Put a real policy layer in front of local AI tools.

SecureMCP-Lite wraps any local stdio MCP server, enforces a YAML policy, returns proper JSON-RPC denials, and keeps logs readable for humans while stdout stays protocol-clean for agents.

Verified in this repo:
npm run demo:blocked
npm run demo:allowed
npm run demo:session

secure-mcp.yml:
tools:
  allow:
    - read_file
    - list_dir

  parameterRules:
    read_file:
      path:
        allow:
          - '^/workspace/src(?:/.*)?$'
        deny:
          - '\.\.'

stderr:
INFO    SecureMCP-Lite proxy started
ALLOWED Forwarding client request method="tools/call" id=2 tool="read_file"
BLOCKED Tool "delete_file" is not allowlisted by SecureMCP-Lite policy.
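Added example, not SecureMCP-Lite's own code: the secure-mcp.yml policy above expressed as a JavaScript object, with a check that turns a JSON-RPC tools/call request into either a pass or a JSON-RPC error response. The error code -32602 ("Invalid params") and the request layout (params.name, params.arguments, following the MCP tools/call shape) are assumptions.

```javascript
// Policy object mirroring the page's secure-mcp.yml (constructed for this example).
// Error code -32602 is an assumption; the page does not state which code the proxy uses.
const policy = {
  tools: {
    allow: ["read_file", "list_dir"],
    parameterRules: {
      read_file: {
        path: { allow: ["^/workspace/src(?:/.*)?$"], deny: ["\\.\\."] },
      },
    },
  },
};

// Returns null when the call is allowed, or a JSON-RPC error response when it is denied.
function evaluateToolCall(policy, request) {
  const deny = (message) => ({
    jsonrpc: "2.0",
    id: request.id ?? null,
    error: { code: -32602, message },
  });
  if (request.method !== "tools/call") return null; // only tool calls are policed here
  const tool = request.params?.name;
  if (!policy.tools.allow.includes(tool)) {
    return deny(`Tool "${tool}" is not allowlisted by policy.`);
  }
  const rules = policy.tools.parameterRules[tool] ?? {};
  const args = request.params?.arguments ?? {};
  for (const [param, rule] of Object.entries(rules)) {
    const value = String(args[param] ?? "");
    // Deny patterns are checked first, so a traversal inside an allowed prefix still fails.
    if ((rule.deny ?? []).some((re) => new RegExp(re).test(value))) {
      return deny(`Parameter "${param}" matches a denied pattern.`);
    }
    if (rule.allow && !rule.allow.some((re) => new RegExp(re).test(value))) {
      return deny(`Parameter "${param}" is outside the allowed set.`);
    }
  }
  return null;
}

// Constructed sample requests.
const allowed = { jsonrpc: "2.0", id: 2, method: "tools/call",
  params: { name: "read_file", arguments: { path: "/workspace/src/index.js" } } };
const traversal = { jsonrpc: "2.0", id: 3, method: "tools/call",
  params: { name: "read_file", arguments: { path: "/workspace/src/../.env" } } };
const notAllowlisted = { jsonrpc: "2.0", id: 4, method: "tools/call",
  params: { name: "delete_file", arguments: { path: "/workspace/src/a" } } };
```

The allow regex alone accepts /workspace/src/../.env, because `/.*` matches the traversal segment; the deny rule is what rejects it, which is why the policy carries both.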
Why teams use it

Useful on day one, narrow on purpose.

SecureMCP-Lite is not trying to be a platform. It is a local-first enforcement layer that is small enough to audit and practical enough to adopt without rebuilding your workflow.

Control

Allowlist tools, restrict parameters, block traversal, deny dangerous shell or SQL patterns, and rate-limit repeated calls.

Reliability

Reject malformed JSON-RPC locally, fail closed when the target dies, and keep stdout clean for MCP while logs stay on stderr.

Adoption

Run it with npx, install it into a repo, share one policy file, and wire the same wrapper command into multiple AI clients.

Use cases

Built for developers, maintainers, and security-minded AI users.

Read-only coding assistant

Let AI agents inspect a repo, search files, and explain code without granting silent write or shell access.

Guarded shell assistant

Keep shell access available, but block obvious high-risk commands like rm -rf, curl | sh, or sudo.

Safer SQL workflows

Allow analytics and schema exploration while denying destructive query families such as DROP, TRUNCATE, and ALTER.

Shared team policy

Check one YAML policy into the repo so contributors and reviewers inherit the same MCP guardrails instead of inventing their own local setup.

Developers

Who this project is built for.

SecureMCP-Lite is maintained as an open-source infrastructure tool for people who care about AI productivity and safety at the same time.

Solo maintainers

Need a policy layer that is small, legible, and does not demand platform-level maintenance.

Security reviewers

Need a place to express clear allowlists and denial rules instead of trusting vague prompt instructions.

AI tool builders

Need a practical local control layer to ship with demos, templates, or internal team workflows.