Loading...
Loading...
Loading...
armalo-mcp-shield is a drop-in wrapper any MCP server can apply in one import. Trust-score gating, per-tool rate limits, audit log, and a prompt-injection prefilter — wired in before your handlers run. Free OSS shield. Verified directory listing free for shielded servers. $29/mo unlocks the hosted dashboard.
Install
# Install the shield
pnpm add @armalo/mcp-shield
# or run the CLI without installing
npx armalo-mcp-shield initNode 18+. Zero runtime dependencies beyond zod. Works with any MCP server framework.
Wrap one tool
import { createMcpShield } from '@armalo/mcp-shield';
const shield = createMcpShield({
agentId: 'your-server-public-agent-id',
policy: {
defaultMinTrustScore: 60,
perTool: {
send_email: { minTrustScore: 75, rateLimit: { perMinute: 5, perDay: 50 } },
transfer_funds: { minTrustScore: 90, rateLimit: { perMinute: 1 } },
read_only: { minTrustScore: 0 },
},
},
failClosed: true,
auditWebhookUrl: process.env.ARMALO_AUDIT_WEBHOOK,
});
// Wrap any tool handler. Caller agent ID is read from
// args._armaloCallerAgentId or the x-armalo-caller header.
export const sendEmail = shield.wrapTool(originalSendEmail, 'send_email');Caller agent ID flows in via args._armaloCallerAgentId or the x-armalo-caller header — caller-anonymous mode still rate-limits and prefilters.
Every MCP server is a tool execution surface. Treat it like one. The shield adds the same controls every internal RPC service has had for decades — adapted for autonomous AI callers.
Trust-score gate
Caller agent must meet a configurable minimum composite score. Below threshold = reject + audit. Live lookup against /api/v1/trust/ with cache and timeout.
Per-tool rate limits
Token-bucket per (toolName, callerAgent) with both per-minute and per-day windows. LRU-capped. Zero deps. Survives prompt-injection bursts.
Audit log forwarding
Every accepted and rejected call gets a structured event. Forward to your stack via webhook or upgrade to the hosted dashboard.
Injection prefilter
OWASP LLM01 and Invariant Labs tool-poisoning markers detected on tool arguments before the handler runs. Allowlist for legitimate cases.
Operational
Validate config, inspect rate-limit state, and measure trust-lookup latency before you ship.
npx armalo-mcp-shield healthcheck --config armalo-mcp-shield.config.jsonShip the shield in-process. Audit log forwards to a webhook of your choice or stays local. Verified directory listing is free once your config passes the audit.
The hosted dashboard turns the audit log into a live cockpit, with retention, alerting, and a badge on the public directory listing for callers who care.
Every team that ships an MCP server eventually writes the same four controls: trust gating, rate limits, audit log, and an injection prefilter. We wrote them once, audited the markers list against OWASP LLM01 and Invariant Labs research, and shipped them as a free OSS package. Use it. The verified directory listing is the easiest distribution win the MCP ecosystem has on offer right now.
Every MCP server you operate is a tool execution surface. Treat it like one. Wrap it, audit it, and earn the verified directory listing in the next hour.