tomjwxf/scopeblind-gateway

Overview

A security gateway for MCP servers that enforces per-tool policies using the Cedar engine and produces Ed25519-signed receipts for accountability. Also documented as an IETF Internet-Draft with four patents pending. Available via npx protect-mcp.

Best for

Best for
Developers needing to secure MCP server deployments with policy-driven access control and auditable receipts

Use cases

• Restrict which tools an MCP client can invoke based on policy rules
• Audit every MCP tool invocation with tamper-evident receipts
• Enforce granular permissions per MCP server tool endpoint

Notes

A security gateway for MCP servers that enforces per-tool policies using the Cedar engine and produces Ed25519-signed receipts for accountability. Also documented as an IETF Internet-Draft with four patents pending. Available via npx protect-mcp.

8 stars on GitHub. Last updated 2026-04-11. Licensed MIT.

Use cases

• Restrict which tools an MCP client can invoke based on policy rules
• Audit every MCP tool invocation with tamper-evident receipts
• Enforce granular permissions per MCP server tool endpoint

Pros

• Leverages Cedar, a well-known policy engine for fine-grained access control
• Ed25519-signed receipts provide strong non-repudiation for audit logs
• Per-tool enforcement allows precise security boundaries

Cons

• Very early stage with only 8 GitHub stars and minimal community adoption
• Patents pending may limit licensing or community contributions
• Requires integration into existing MCP server workflows

Indexed from awesome-mcp-servers-punkpeye and enriched against its public facts.