Guardian Agent provides governance and compliance monitoring for MCP (Model Context Protocol) communications between AI agents. When deployed as a sidecar, Guardian Agent can:
- Monitor all MCP protocol messages (tool calls, resource access, prompts)
- Validate tool calls and resource access against policies
- Block unauthorized operations (optional)
- Audit all MCP interactions with immutable logs
- Detect PII in tool arguments and resource contents
- Enforce compliance policies on MCP traffic
```
┌─────────────────────────────────────┐
│          MCP Client Agent           │
│  ┌──────────────────────────────┐   │
│  │          MCP Client          │   │
│  │                              │   │
│  │         MCP Protocol         │   │
│  │       ──────────────→        │   │
│  └──────────┬───────────────────┘   │
│             │                       │
│  ┌──────────▼───────────────────┐   │
│  │    Guardian Agent Sidecar    │   │
│  │    • Parse MCP messages      │   │
│  │    • Validate tool calls     │   │
│  │    • Validate resources      │   │
│  │    • Apply policies          │   │
│  │    • Audit all traffic       │   │
│  └──────────┬───────────────────┘   │
│             │                       │
│  ┌──────────▼───────────────────┐   │
│  │          MCP Server          │   │
│  └──────────────────────────────┘   │
└─────────────────────────────────────┘
```
Guardian Agent monitors the following MCP methods:
- Tool calls (tools/call):
  - Validates tool name against allowed/blocked patterns
  - Extracts and validates tool arguments
  - Can block unauthorized tool executions
  - Logs all tool calls for audit
- Resource access (resources/read):
  - Validates resource URI against allowed/blocked patterns
  - Checks resource types (file://, https://, etc.)
  - Can block access to sensitive resources
  - Logs all resource access for compliance
- Prompt access (prompts/get):
  - Monitors prompt access (for audit)
  - Can validate prompt names against policies
MCP monitoring is enabled in the Guardian Agent configuration. Basic monitoring (observe only):

```yaml
mcp:
  enabled: true
  monitor_tool_calls: true
  monitor_resources: true
  monitor_prompts: true
```

Validation with blocklists:

```yaml
mcp:
  enabled: true
  validate_tool_calls: true
  validate_resources: true

  # Block dangerous tools
  blocked_tool_patterns:
    - "^.*delete.*$"
    - "^.*exec.*$"
    - "^.*eval.*$"
    - "^.*system.*$"

  # Block sensitive resources
  blocked_resource_patterns:
    - "^file:///etc/.*$"
    - "^file:///root/.*$"
    - "^file://.*/\\.(env|key|pem|secret)$"
```

Note the doubled backslash: inside a double-quoted YAML scalar `\.` is not a valid escape, so the regex must be written as `\\.` for the pattern to receive a literal `\.`.

Strict allowlist (block everything that is not explicitly permitted):

```yaml
mcp:
  enabled: true
  block_unauthorized_tools: true
  block_unauthorized_resources: true

  # Only allow specific tools
  allowed_tool_patterns:
    - "^read_file$"
    - "^search_web$"
    - "^calculate$"

  # Only allow specific resources
  allowed_resource_patterns:
    - "^file:///tmp/.*$"
    - "^file:///var/data/.*$"
    - "^https://public-api\\.example\\.com/.*$"
```

Guardian Agent exposes the following HTTP endpoints for MCP monitoring.

Monitor a single MCP message:

```http
POST /mcp/monitor
Content-Type: application/json

{
  "message": "{\"jsonrpc\":\"2.0\",\"id\":1,\"method\":\"tools/call\",\"params\":{\"name\":\"read_file\",\"arguments\":{\"path\":\"/tmp/test.txt\"}}}",
  "direction": "client_to_server"
}
```

Response:

```json
{
  "allowed": true,
  "reason": "Tool 'read_file' is allowed",
  "should_block": false,
  "metadata": {
    "tool_name": "read_file",
    "tool_arguments": {"path": "/tmp/test.txt"}
  }
}
```

Read the current MCP configuration:

```http
GET /mcp/config
```

Update the MCP configuration:

```http
POST /mcp/config
Content-Type: application/json

{
  "blocked_tool_patterns": ["^.*delete.*$"],
  "block_unauthorized_tools": true
}
```

Retrieve monitoring statistics:

```http
GET /mcp/stats
```

Response:

```json
{
  "messages_monitored": 1523,
  "tool_calls_validated": 892,
  "resources_validated": 631,
  "blocked_messages": 12
}
```

Guardian Agent runs as a sidecar container alongside your MCP agent:
```yaml
containers:
  - name: mcp-agent
    image: your-mcp-agent:latest
    env:
      - name: MCP_SERVER_URL
        value: "http://localhost:8081"  # Guardian proxy
  - name: guardian
    image: guardian:latest
    ports:
      - containerPort: 8081  # MCP proxy port
    env:
      - name: MCP_MODE
        value: "proxy"
```

In proxy mode, Guardian Agent acts as an MCP proxy between client and server:

```bash
# Client connects to Guardian instead of the server
MCP_SERVER_URL=http://guardian:8081
# Guardian forwards to the actual MCP server
GUARDIAN_MCP_TARGET=http://mcp-server:8000
```

With service mesh integration, Guardian Agent can instead intercept MCP messages at the network level.
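To make the validation semantics of the `mcp:` configuration keys and the `/mcp/monitor` response concrete, here is an added Python example; it is not Guardian Agent's own code (the project is written in Rust and its internals are not shown on this page). It assumes that blocked patterns take precedence over allowed ones, that an allowlist, once present, denies anything it does not match, that `allowed` is the policy verdict while `should_block` is raised only when the matching `block_unauthorized_*` flag is set, and that resource reads arrive as the MCP `resources/read` method with a `uri` parameter (standard MCP, but not shown on this page). The parsed `mcp:` mapping and the sample JSON-RPC messages are constructed for the example.

```python
import json
import re
from dataclasses import dataclass, field


@dataclass
class MCPPolicy:
    """Subset of the `mcp:` configuration keys shown above (constructed reimplementation)."""
    validate_tool_calls: bool = True
    validate_resources: bool = True
    block_unauthorized_tools: bool = False
    block_unauthorized_resources: bool = False
    allowed_tool_patterns: list = field(default_factory=list)
    blocked_tool_patterns: list = field(default_factory=list)
    allowed_resource_patterns: list = field(default_factory=list)
    blocked_resource_patterns: list = field(default_factory=list)

    @classmethod
    def from_dict(cls, mcp_section: dict) -> "MCPPolicy":
        # Accepts the parsed `mcp:` mapping; keys this example does not model (enabled, monitor_*) are ignored.
        known = {k: v for k, v in mcp_section.items() if k in cls.__dataclass_fields__}
        return cls(**known)


def _matches_any(value: str, patterns: list) -> bool:
    # The page's patterns carry their own ^...$ anchors, so re.search is sufficient.
    return any(re.search(p, value) for p in patterns)


def _decide(kind: str, value: str, allowed: list, blocked: list):
    """Policy verdict: an explicit block always wins; otherwise an allowlist, if present, must match."""
    if _matches_any(value, blocked):
        return False, f"{kind} '{value}' matches a blocked pattern"
    if allowed and not _matches_any(value, allowed):
        return False, f"{kind} '{value}' is not in the allowed list"
    return True, f"{kind} '{value}' is allowed"


def monitor_message(raw: str, direction: str, policy: MCPPolicy) -> dict:
    """Evaluate one JSON-RPC message and return a decision shaped like the /mcp/monitor response."""
    msg = json.loads(raw)
    if msg.get("jsonrpc") != "2.0":
        raise ValueError("not a JSON-RPC 2.0 message")
    method = msg.get("method")
    params = msg.get("params") or {}
    metadata = {"method": method, "direction": direction}
    allowed, reason, enforce = True, "No validation rule applies", False

    if direction != "client_to_server":
        # Server replies carry results rather than method calls; they are audited, not validated.
        reason = "Server response (audit only)"
    elif method == "tools/call" and policy.validate_tool_calls:
        name = params.get("name", "")
        metadata["tool_name"] = name
        metadata["tool_arguments"] = params.get("arguments", {})
        allowed, reason = _decide("Tool", name, policy.allowed_tool_patterns, policy.blocked_tool_patterns)
        enforce = policy.block_unauthorized_tools
    elif method == "resources/read" and policy.validate_resources:
        uri = params.get("uri", "")
        metadata["resource_uri"] = uri
        metadata["resource_scheme"] = uri.split(":", 1)[0] if ":" in uri else ""
        allowed, reason = _decide("Resource", uri, policy.allowed_resource_patterns,
                                  policy.blocked_resource_patterns)
        enforce = policy.block_unauthorized_resources

    # `allowed` is the verdict; enforcement only happens when the operator opted in.
    return {"allowed": allowed, "reason": reason, "should_block": (not allowed) and enforce,
            "metadata": metadata}


# Constructed sample: the "validation with blocklists" configuration above, as a parsed YAML mapping.
BLOCKLIST_POLICY = MCPPolicy.from_dict({
    "enabled": True, "validate_tool_calls": True, "validate_resources": True,
    "blocked_tool_patterns": [r"^.*delete.*$", r"^.*exec.*$", r"^.*eval.*$", r"^.*system.*$"],
    "blocked_resource_patterns": [r"^file:///etc/.*$", r"^file:///root/.*$",
                                  r"^file://.*/\.(env|key|pem|secret)$"],
})
# The same blocklist with enforcement switched on.
ENFORCING_POLICY = MCPPolicy.from_dict({**BLOCKLIST_POLICY.__dict__, "block_unauthorized_tools": True,
                                        "block_unauthorized_resources": True})

# Constructed sample messages.
READ_FILE_CALL = json.dumps({"jsonrpc": "2.0", "id": 1, "method": "tools/call",
                             "params": {"name": "read_file", "arguments": {"path": "/tmp/test.txt"}}})
DELETE_FILE_CALL = json.dumps({"jsonrpc": "2.0", "id": 2, "method": "tools/call",
                               "params": {"name": "delete_file", "arguments": {"path": "/tmp/test.txt"}}})
ENV_READ = json.dumps({"jsonrpc": "2.0", "id": 3, "method": "resources/read",
                       "params": {"uri": "file:///srv/app/.env"}})
SERVER_RESULT = json.dumps({"jsonrpc": "2.0", "id": 1, "result": {"content": []}})

if __name__ == "__main__":
    for raw in (READ_FILE_CALL, DELETE_FILE_CALL, ENV_READ, SERVER_RESULT):
        direction = "server_to_client" if raw is SERVER_RESULT else "client_to_server"
        print(json.dumps(monitor_message(raw, direction, ENFORCING_POLICY)))
```

Running the module prints one decision per sample message; with `BLOCKLIST_POLICY` the `delete_file` call is reported as not allowed but `should_block` stays false, which is the monitor-only behaviour the overview describes as optional blocking.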
All MCP messages are logged with:
- Timestamp
- Direction (client→server or server→client)
- Method name
- Tool/resource information
- Validation result
- Policy decisions
Guardian Agent can detect PII in:
- Tool call arguments
- Resource contents (when accessed)
- Prompt responses
MCP audit logs are subject to retention policies:
- GDPR: 90 days (default)
- HIPAA: 6 years (configurable)
- SOC 2: 1 year (configurable)
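An added Python example, not Guardian Agent's own code, showing how the three items above combine into one audit record: PII detection and redaction over tool arguments, a retention deadline derived from the framework in force, and an append-only, hash-chained log as one way to give the trail the immutability the overview mentions. The hash chaining, the two PII patterns, the record field names, the fixed timestamp and the sample tool call are all assumptions of this example rather than Guardian Agent's actual format, and the HIPAA and SOC 2 periods are approximated as multiples of 365 days.

```python
import hashlib
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed detectors for two common PII types; a real deployment carries a fuller set.
PII_PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Retention periods from the list above; years approximated as 365 days (assumption of this example).
RETENTION = {
    "gdpr": timedelta(days=90),
    "hipaa": timedelta(days=6 * 365),
    "soc2": timedelta(days=365),
}


def _strings(value, path=""):
    """Yield (json_path, text) for every string nested in a tool/resource payload."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _strings(v, f"{path}.{k}" if path else k)
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _strings(v, f"{path}[{i}]")
    elif isinstance(value, str):
        yield path, value


def detect_pii(value) -> list:
    """Report where PII occurs (path and type) without copying the matched text into the log."""
    return [{"path": path, "type": kind}
            for path, text in _strings(value)
            for kind, pattern in PII_PATTERNS.items() if pattern.search(text)]


def redact_pii(value):
    """Return a copy of the payload with each PII match replaced by a typed placeholder."""
    if isinstance(value, dict):
        return {k: redact_pii(v) for k, v in value.items()}
    if isinstance(value, list):
        return [redact_pii(v) for v in value]
    if isinstance(value, str):
        for kind, pattern in PII_PATTERNS.items():
            value = pattern.sub(f"[REDACTED:{kind}]", value)
    return value


def _digest(record: dict) -> str:
    # Canonical JSON so the hash does not depend on key order.
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only MCP audit trail; each record commits to its predecessor's hash."""
    GENESIS = "0" * 64

    def __init__(self, framework="gdpr"):
        self.records = []
        self.retention = RETENTION[framework]
        self._prev_hash = self.GENESIS

    def append(self, direction, method, info, validation_result, policy_decision, now=None):
        now = now or datetime.now(timezone.utc)
        record = {
            "timestamp": now.isoformat(),
            "direction": direction,
            "method": method,
            "info": redact_pii(info),          # tool/resource details with PII already redacted
            "pii_findings": detect_pii(info),  # where PII was seen, by type
            "validation_result": validation_result,
            "policy_decision": policy_decision,
            "retain_until": (now + self.retention).isoformat(),
            "prev_hash": self._prev_hash,
        }
        record["hash"] = _digest(record)
        self._prev_hash = record["hash"]
        self.records.append(record)
        return record

    def verify(self) -> bool:
        """Recompute the chain; False if any record was altered, reordered or dropped from within it."""
        prev = self.GENESIS
        for record in self.records:
            body = {k: v for k, v in record.items() if k != "hash"}
            if record["prev_hash"] != prev or _digest(body) != record["hash"]:
                return False
            prev = record["hash"]
        return True


# Constructed sample: a tool call whose arguments carry PII, and a fixed time for reproducible output.
SAMPLE_INFO = {"tool_name": "send_email",
               "tool_arguments": {"to": "alice@example.com", "body": "Customer SSN 123-45-6789 attached"}}
SAMPLE_TIME = datetime(2024, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    log = AuditLog("gdpr")
    rec = log.append("client_to_server", "tools/call", SAMPLE_INFO, "allowed", "allow", now=SAMPLE_TIME)
    print(json.dumps(rec, indent=2))
    print("chain intact:", log.verify())
```

The findings list records only the JSON path and PII type, so the audit trail itself never becomes a second copy of the sensitive data; the chain check detects edits to stored records but not truncation of the newest entry, which needs the latest hash to be anchored elsewhere.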
Block dangerous operations:

```yaml
mcp:
  blocked_tool_patterns:
    - "^.*delete.*$"
    - "^.*write_file$"  # Block writes to sensitive locations
  blocked_resource_patterns:
    - "^file:///etc/.*$"
    - "^file:///home/.*$"
```

Allow only a fixed set of tools:

```yaml
mcp:
  block_unauthorized_tools: true
  allowed_tool_patterns:
    - "^read_file$"
    - "^search_web$"
    - "^calculate.*$"
```

Block internal and admin endpoints:

```yaml
mcp:
  monitor_resources: true
  blocked_resource_patterns:
    - "^https://.*internal.*$"  # Block internal APIs
    - "^https://.*admin.*$"     # Block admin endpoints
```

Using the monitor from Rust (the `?` operators need a function that returns a `Result`, so the snippet is wrapped in one):

```rust
use guardian::{MCPDirection, MCPMonitor, MCPMonitorConfig};

async fn check_message() -> Result<(), Box<dyn std::error::Error>> {
    // Create MCP monitor
    let config = MCPMonitorConfig {
        enabled: true,
        monitor_tool_calls: true,
        validate_tool_calls: true,
        blocked_tool_patterns: vec![r"^.*delete.*$".to_string()],
        ..Default::default()
    };
    let monitor = MCPMonitor::new(config);

    // Parse and monitor an MCP message
    let mcp_json = r#"{
        "jsonrpc": "2.0",
        "id": 1,
        "method": "tools/call",
        "params": {
            "name": "delete_file",
            "arguments": {"path": "/tmp/test.txt"}
        }
    }"#;
    let parsed = monitor.parse_message(mcp_json, MCPDirection::ClientToServer)?;
    let result = monitor.monitor_message(&parsed).await?;

    if result.should_block {
        // Block the MCP message
        return Err("Tool call blocked by policy".into());
    }

    // Allow the message to proceed
    // Forward to MCP server...
    Ok(())
}
```

Benefits:
- Governance: Enforce policies on all MCP interactions
- Compliance: Complete audit trail for MCP communications
- Security: Block unauthorized tool calls and resource access
- Observability: Monitor all MCP traffic in one place
- PII Protection: Detect and redact sensitive data in MCP messages
- Compliance Reporting: Include MCP audit logs in compliance reports
Planned enhancements:
- Implement MCP proxy mode (forward messages to server)
- Add MCP server emulation for testing
- Integrate with OPA for advanced policy validation
- Add MCP-specific compliance framework mappings
- Support MCP streaming responses
- Add MCP session tracking
MCP monitoring enables governance and compliance for AI agent communications. Monitor, validate, and audit all MCP interactions with Guardian Agent.