MCPKernel MCP Server

Local setup required. This server has to be cloned and prepared on your machine before you register it in Claude Code.
Step 1: Set the server up locally

Run this once to clone and prepare the server before adding it to Claude Code.

Run in terminal:
pip install "mcpkernel[all]"
Step 2: Register it in Claude Code

After the local setup is done, run this command to point Claude Code at the built server.

Run in terminal:
claude mcp add mcpkernel -- node "<FULL_PATH_TO_MCPKERNEL>/dist/index.js"

Replace <FULL_PATH_TO_MCPKERNEL>/dist/index.js with the actual folder you prepared in step 1. Note that step 1 installs a Python package, and the README's own configuration further down launches the gateway with `mcpkernel serve` rather than with `node`; check which entry point the install you prepared actually provides before registering it.

README.md

Open-source MCP/A2A security gateway for AI agents

MCPKernel — The Security Kernel for AI Agents

Open-source MCP/A2A security gateway — policy enforcement, taint tracking, sandboxed execution, deterministic envelopes, and Sigstore audit for every AI agent tool call. OWASP ASI 2026 compliant.


Quick Start

pip install "mcpkernel[all]"
mcpkernel serve --host 127.0.0.1 --port 8000

Point your MCP client to http://localhost:8000/mcp instead of targeting tool servers directly. Every tool call is now policy-checked, taint-scanned, sandboxed, and audit-logged.


Why MCPKernel?

AI agents (LangChain, CrewAI, AutoGen, Copilot) call tools autonomously — reading files, executing code, making HTTP requests. Without a security layer, a single prompt injection can exfiltrate secrets, overwrite critical files, or run arbitrary code.

MCPKernel is the missing chokepoint. It sits between your agent and MCP tool servers, enforcing security policies on every single call:

┌──────────────┐     ┌──────────────────────────┐     ┌─────────────┐
│  AI Agent    │────▶│       MCPKernel          │────▶│  MCP Tool   │
│ (LangChain,  │◀────│    Security Gateway      │◀────│  Server     │
│ CrewAI, etc) │     └──────────────────────────┘     └─────────────┘
└──────────────┘       │ Policy │ Taint │ Sandbox │
                       │  DEE   │ Audit │ eBPF    │

What happens to every tool call:

  1. Policy Check: evaluates the call against YAML rules with OWASP ASI 2026 mappings, then blocks or allows it
  2. Taint Scan: detects secrets (AWS keys, JWTs), PII (SSN, credit cards), and user input in the arguments
  3. Sandbox Execution: runs code in Docker, Firecracker, WASM, or Microsandbox, never on bare metal
  4. Deterministic Envelope: hashes inputs and outputs and Sigstore-signs the trace so it is fully replayable
  5. Audit Log: writes to a tamper-proof append-only log with SIEM export (CEF, JSONL, CSV)
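The following is an added worked example, written for this page and not MCPKernel's own code, that shows what the pipeline above does to one tool call in miniature: an argument taint scan (step 2), a deny-first policy decision (step 1), a hash-based execution envelope (step 4), and a hash-chained append-only audit log with integrity verification (step 5). Sandboxing (step 3) is omitted because it needs a real backend. The detector regexes, the rule shape in POLICY, the envelope fields and the log format are all assumptions for illustration; the sample tool calls are constructed, and the access-key value is the placeholder AWS uses in its own documentation.

```python
import hashlib
import json
import re
from dataclasses import dataclass, field

# Illustrative detectors (assumptions for this example, not MCPKernel's rule set).
TAINT_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to confirm that a 13-19 digit run is a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_taint(args: dict) -> set[str]:
    """Step 2: return the taint labels found in the call's string arguments."""
    labels = set()
    for value in args.values():
        if not isinstance(value, str):
            continue
        for label, pat in TAINT_PATTERNS.items():
            if pat.search(value):
                labels.add(label)
        for run in re.findall(r"\b\d{13,19}\b", value):
            if luhn_ok(run):
                labels.add("credit_card")
    return labels


# Step 1: a tiny first-match policy. The rule shape is assumed for this example.
POLICY = [
    {"tool": "write_file", "effect": "deny"},                    # block every file write
    {"tool": "http_request", "taint": "credit_card", "effect": "deny"},  # no card numbers over HTTP
    {"tool": "*", "taint": "aws_access_key", "effect": "deny"},  # no AWS keys in any call
]


def policy_decision(tool: str, labels: set[str]) -> str:
    for rule in POLICY:
        if rule["tool"] not in ("*", tool):
            continue
        if "taint" in rule and rule["taint"] not in labels:
            continue
        return rule["effect"]
    return "allow"


def canonical_hash(obj) -> str:
    """Step 4: hash canonical JSON so a replay of the same data hashes identically."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


@dataclass
class AuditLog:
    """Step 5: append-only, hash-chained log; every entry commits to its predecessor."""
    entries: list = field(default_factory=list)

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else "0" * 64
        entry = {**record, "prev_hash": prev}
        entry["entry_hash"] = canonical_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; any edited or reordered entry breaks it."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if body["prev_hash"] != prev or canonical_hash(body) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def gateway_call(log: AuditLog, tool: str, args: dict, executor) -> dict:
    """Run one tool call through scan -> policy -> execute -> envelope -> audit."""
    labels = scan_taint(args)
    decision = policy_decision(tool, labels)
    output = executor(tool, args) if decision == "allow" else None
    envelope = {
        "tool": tool,
        "input_hash": canonical_hash(args),
        "output_hash": canonical_hash(output),
        "taint": sorted(labels),
        "decision": decision,
    }
    log.append(envelope)
    return envelope


def demo() -> tuple:
    """Constructed sample session against a stand-in tool server."""
    log = AuditLog()
    fake_exec = lambda tool, args: {"ok": True, "tool": tool}  # stand-in, not a real tool server
    calls = [
        ("read_file", {"path": "/etc/hostname"}),
        ("write_file", {"path": "/etc/passwd", "data": "x"}),
        ("http_request", {"url": "https://example.invalid", "body": "card 4111111111111111"}),
        ("read_file", {"path": "AKIAIOSFODNN7EXAMPLE"}),  # AWS documentation placeholder key
    ]
    results = [gateway_call(log, t, a, fake_exec) for t, a in calls]
    return log, results


if __name__ == "__main__":
    log, results = demo()
    for r in results:
        print(r["tool"], r["decision"], r["taint"])
    print("audit chain intact:", log.verify())
```

In the sample session the plain read is allowed, the file write is denied by the first rule, the HTTP call is denied because its body carries a Luhn-valid card number, and the read whose argument contains an access key is denied by the wildcard rule; `verify()` then returns True until any entry is edited, which is the property the README's tamper-proof audit log relies on. The real gateway signs the envelope with Sigstore on top of the hash; this example stops at the hash.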

Features

  • YAML Policy Engine — define allow/deny/audit/sandbox rules per tool, argument pattern, or taint label
  • Taint Tracking — automatic detection of secrets, PII, API keys, JWTs in tool call arguments
  • 4 Sandbox Backends — Docker, Firecracker microVMs, WASM, Microsandbox
  • Deterministic Execution Envelopes (DEE) — every execution is hashed and Sigstore-signed for replay
  • OWASP ASI 2026 Compliance — built-in policy sets mapping to ASI-01 through ASI-08
  • Append-Only Audit Logs — SQLite-backed, content-hashed, with CEF/JSONL/CSV SIEM export
  • Kong-Style Plugin Pipeline — pre_execution → execution → post_execution → log, with priorities
  • Rate Limiting — per-identity token bucket with LRU eviction
  • Prometheus Metrics + OpenTelemetry — full observability out of the box
  • Optional eBPF Probes — kernel-level syscall monitoring at MCP boundaries

Getting Started

# Install with all backends
pip install "mcpkernel[all]"

# Start the security gateway
mcpkernel serve --host 127.0.0.1 --port 8000

Point your MCP client to http://localhost:8000/mcp instead of targeting tool servers directly.


Use Cases

  • AI Coding Assistants: intercepts Copilot/Cursor tool calls, blocks dangerous file writes, prevents secret exfiltration
  • Autonomous Agents: policy-enforces LangChain/CrewAI/AutoGen tool usage, sandboxes code execution
  • Enterprise MCP Deployments: OWASP ASI compliance, tamper-proof audit trails, SIEM integration
  • Research Reproducibility: deterministic execution envelopes, so every result is signed and replayable
  • Multi-Agent Workflows: cross-tool taint tracking, so PII in one tool's output can't leak to another's HTTP call
  • Regulated Industries: append-only audit logs, integrity verification, CEF export for security teams

Architecture

src/mcpkernel/
├── proxy/          # FastAPI MCP/A2A gateway — auth, rate limiting, plugin pipeline
├── policy/         # YAML rule engine with OWASP ASI 2026 mappings
├── taint/          # Source/sink taint tracking — secrets, PII, user input detection
├── sandbox/        # Docker, Firecracker, WASM, Microsandbox execution backends
├── dee/            # Deterministic Execution Envelopes — hash, sign, replay, drift detect
├── audit/          # Append-only Sigstore-signed audit logs + SIEM export
├── context/        # Token-efficient context reduction via TF-IDF + AST pruning
├── ebpf/           # Optional kernel-level syscall monitoring (BCC probes)
├── observability/  # Prometheus metrics, OpenTelemetry trac

Configuration

claude_desktop_config.json
{"mcpServers": {"mcpkernel": {"command": "mcpkernel", "args": ["serve", "--host", "127.0.0.1", "--port", "8000"]}}}

Try it

Configure the policy engine to block all file system write operations for my current agent session.
Audit the last 10 tool calls for potential PII leaks or secret exfiltration.
Set up a sandboxed execution environment for the next code execution task using Docker.
Verify the integrity of the recent tool call trace using the deterministic execution envelope.

Frequently Asked Questions

What are the key features of MCPKernel?

YAML-based policy engine for defining allow/deny/audit rules. Automatic taint tracking for secrets, PII, and API keys. Support for 4 sandbox backends: Docker, Firecracker, WASM, and Microsandbox. Deterministic Execution Envelopes (DEE) for signed, replayable traces. OWASP ASI 2026 compliant security policy mapping.

What can I use MCPKernel for?

Protecting AI coding assistants from dangerous file writes and secret exfiltration. Enforcing security policies on autonomous agents like LangChain or CrewAI. Ensuring enterprise compliance with tamper-proof audit trails and SIEM integration. Enabling reproducible research through signed, deterministic execution envelopes. Preventing cross-tool data leakage in multi-agent workflows.

How do I install MCPKernel?

Install MCPKernel by running: pip install "mcpkernel[all]"

What MCP clients work with MCPKernel?

MCPKernel works with any MCP-compatible client including Claude Desktop, Claude Code, Cursor, and other editors with MCP support.
