The problem: AI agents using MCP can execute database queries, push code, send Slack messages, and run shell commands — with no security boundary. Claude Desktop has basic approve/deny, but it's per-call with no persistent rules, no automation, and no audit trail.
How it works: Kvlar runs as a stdio proxy between the agent and the MCP server. You define policies in YAML — allow, deny, or require human approval — and Kvlar enforces them deterministically. Fail-closed: if no rule matches, the action is denied.
kvlar init --template postgres # curated policy (11 rules) kvlar wrap # inject proxy into Claude Desktop kvlar test -f policy.test.yaml # verify your policy in CI
What it catches today:
Postgres: blocks DROP TABLE, gates INSERT/UPDATE, allows SELECT GitHub: blocks repo creation, gates force-push and merges, allows reads Slack: gates message sending, allows channel reads Shell: blocks rm -rf, sudo, curl|bash — gates installs, allows ls/cat/grep Technical details:
Written in Rust (4 crates), pure policy engine with zero I/O 100+ policy tests Policy composition via extends — build on top of curated templates (docker compose style) Works with Claude Desktop
Apache 2.0 Website: https://kvlar.io Install: cargo install kvlar-cli
I'd love feedback on the policy design and what MCP servers you'd want covered next.