-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathllms-full.txt
More file actions
executable file
·197 lines (156 loc) · 6.33 KB
/
llms-full.txt
File metadata and controls
executable file
·197 lines (156 loc) · 6.33 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
# JadeGate — Complete Reference
> For a quick overview, see /llms.txt
## The Problem
MCP has no security layer. When an AI client calls an MCP tool, it trusts the server completely. There is no policy enforcement, no identity verification, no anomaly detection. Any tool can read files, make network requests, or execute commands without restriction.
JadeGate fixes this by adding a transparent security proxy between AI clients and MCP servers.
## Architecture
```
AI Client (Claude Desktop, Cursor, Windsurf, Cline, Continue, Zed)
↓
JadeGate Proxy
├── Policy Engine → allow/deny/ask per tool, rate limiting
├── Runtime Monitor → DAG call-chain tracking, anomaly detection, circuit breaker
├── Transport Layer → transparent stdio/SSE proxy, no server modification
├── Trust Store → TOFU fingerprinting + Ed25519 certificate verification
├── Security Scanner → static analysis, capability detection, risk scoring
└── Auto Installer → config injection for all supported clients
↓
MCP Server (filesystem, github, puppeteer, slack, etc.)
```
## Installation & Auto-Protection
```bash
pip install jadegate
```
On install, JadeGate automatically:
1. Scans the system for MCP client configurations
2. Wraps each configured MCP server with the JadeGate proxy
3. Backs up all original configs (fully reversible with `jadegate uninstall`)
No manual configuration required. Next time any supported client opens, all MCP tool calls are proxied through JadeGate.
## The 6 Security Layers — Detail
### Layer 1: Policy Enforcement
- Per-tool rules: allow, deny, or ask (requires human confirmation)
- Rate limiting: max calls per minute, configurable per tool
- Argument validation: pattern matching on tool call arguments
- Default policy blocks known dangerous patterns
### Layer 2: Runtime Monitoring
- Dynamic DAG: tracks call chains across tools in real time
- Anomaly detection: flags unusual call patterns (e.g., filesystem read → network send)
- Circuit breaker: automatically isolates failing or suspicious servers
- Session tracking: per-session call history and statistics
### Layer 3: Transport Proxy
- Transparent MCP proxy for stdio and SSE transports
- Intercepts all tool calls without modifying the MCP server
- Zero server-side changes required
- Supports all standard MCP message types
### Layer 4: Trust Verification
- TOFU (Trust On First Use): fingerprints server on first connection
- Ed25519 certificates: cryptographic identity verification
- Trust store: local database of known server fingerprints
- Mismatch detection: alerts on server identity changes
### Layer 5: Security Scanner
- Static analysis of MCP server tool definitions
- Capability detection: filesystem, network, shell, browser access
- Risk scoring: LOW / MEDIUM / HIGH / CRITICAL per server
- Pattern matching: known dangerous tool signatures
### Layer 6: Auto Installer
- Detects MCP client configs at standard paths
- Supported: Claude Desktop, Cursor, Windsurf, Cline, Continue, Zed
- Config injection: wraps each server entry with JadeGate proxy
- Backup & restore: original configs preserved, clean uninstall
## CLI Reference
```bash
jadegate status # Show protection status for all detected clients
jadegate scan # Run security audit on all configured MCP servers
jadegate install # Re-run auto-injection (after adding new servers)
jadegate uninstall # Revert all config changes, restore backups
```
### Scan Output Format
```
$ jadegate scan
💠 JadeGate v2.0.0 — AI Tool Call Security Protocol
MCP Server Security Scan
✓ filesystem ● MEDIUM filesystem access
tools: 3 discovered (read_file, write_file, list_directory)
✓ github ● MEDIUM network access
tools: 5 discovered (search_repos, create_issue, ...)
✓ puppeteer ● CRITICAL shell + network + browser
tools: 8 discovered (navigate, screenshot, evaluate, ...)
3 servers scanned: 0 low, 2 medium, 0 high, 1 critical
```
## Python SDK Integration
For Python agents using OpenAI or Anthropic SDKs directly:
```bash
# Environment variable activation
export JADEGATE=1
python my_agent.py
```
```python
# Programmatic activation
import jadegate
jadegate.activate()
# All subsequent SDK tool calls are intercepted
from openai import OpenAI
client = OpenAI()
# tool calls now pass through JadeGate policy engine
```
## Policy Configuration
```json
{
"default_action": "allow",
"tool_rules": {
"filesystem:write_file": {
"action": "ask",
"reason": "File write requires confirmation"
},
"shell:exec": {
"action": "deny",
"reason": "Shell execution blocked"
},
"github:create_issue": {
"action": "allow",
"rate_limit": 10
}
},
"rate_limit": {
"max_calls_per_minute": 60
},
"anomaly_detection": {
"enabled": true,
"max_chain_depth": 10
}
}
```
## Supported Clients
| Client | Config Path | Auto-detected |
|--------|-----------|:---:|
| Claude Desktop | `~/.config/claude/` | ✅ |
| Cursor | `~/.cursor/` | ✅ |
| Windsurf | `~/.codeium/windsurf/` | ✅ |
| Cline | `~/.vscode/cline/` | ✅ |
| Continue | `~/.continue/` | ✅ |
| Zed | `~/.config/zed/` | ✅ |
| Custom | `jadegate install --config <path>` | Manual |
## Design Principles
- **Zero config**: `pip install` = protected. No setup files, no env vars.
- **Transparent**: MCP servers are unaware of JadeGate. No protocol changes.
- **Reversible**: `jadegate uninstall` restores all original configurations.
- **Offline**: All analysis and enforcement runs locally. Zero telemetry.
- **Fail-open**: If JadeGate crashes, MCP servers continue to function normally.
- **Deterministic**: Same policy + same input = same result. No probabilistic decisions.
## Testing
238 tests covering all 6 layers:
- Policy engine: rule matching, rate limiting, argument validation
- Runtime: DAG tracking, anomaly detection, circuit breaker
- Transport: stdio/SSE proxy, message interception
- Trust: TOFU, Ed25519 signing/verification, trust store
- Scanner: capability detection, risk scoring
- Installer: config detection, injection, backup/restore
```bash
pip install pytest
pytest tests/ -v
```
## Links
- GitHub: https://github.com/JadeGate/jadegate
- PyPI: https://pypi.org/project/jadegate/
- Website: https://jadegate.io
- Quick reference: https://jadegate.io/llms.txt