Assay
The firewall for MCP tool calls. Block unsafe calls, audit every decision, replay anything. Deterministic policy enforcement with replayable evidence bundles.
Assay
The firewall for MCP tool calls — with a replayable audit trail.
See It Work · Quick Start · CI Guide · Discussions
Your MCP agent calls read_file, exec, web_search — but should it?
Assay sits between your agent and its tools. It intercepts every MCP tool call, checks it against your policy, and blocks what shouldn't happen. Every decision produces an evidence trail you can audit, diff, and replay.
Agent ──► Assay ──► MCP Server
│
├─ ✅ ALLOW (policy match)
├─ ❌ DENY (blocked, logged)
└─ 📋 Evidence bundle
No hosted backend. No API keys. Deterministic — same input, same decision, every time.
The average MCP server scores 34/100 on security. Assay gives you the policy gate and audit trail to fix that. Covers 7 of 10 OWASP MCP Top 10 risks.
See It Work
cargo install assay-cli
mkdir -p /tmp/assay-demo && echo "safe content" > /tmp/assay-demo/safe.txt
assay mcp wrap --policy examples/mcp-quickstart/policy.yaml \
-- npx @modelcontextprotocol/server-filesystem /tmp/assay-demo
✅ ALLOW read_file path=/tmp/assay-demo/safe.txt reason=policy_allow
✅ ALLOW list_dir path=/tmp/assay-demo/ reason=policy_allow
❌ DENY read_file path=/etc/passwd reason=path_constraint_violation
❌ DENY exec cmd=ls reason=tool_denied
Is This For Me?
Yes, if you:
- Build with Claude Desktop, Cursor, Windsurf, or any MCP client
- Ship agents that call tools and you need to control which ones
- Want a CI gate that catches tool-call regressions before production
- Need a deterministic audit trail, not sampled observability
Not yet, if you:
- Don't use MCP (Assay is MCP-native; other protocols are on the roadmap)
- Need a hosted dashboard (Assay is CLI-first and offline)
Policy Is Simple
version: "1.0"
name: "my-policy"
allow: ["read_file", "list_dir"]
deny: ["exec", "shell", "write_file"]
constraints:
- tool: "read_file"
params:
path:
matches: "^/app/.*"
Or don't write one — generate it from what your agent actually does:
assay init --from-trace trace.jsonl
Add to CI
# .github/workflows/assay.yml
name: Assay Gate
on: [push, pull_request]
permissions:
contents: read
security-events: write
jobs:
assay:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: Rul1an/assay-action@v2
PRs that violate policy get blocked. SARIF results show up in the Security tab.
Beyond MCP: Protocol Adapters
Assay already ships adapters for emerging agent protocols:
| Protocol | Adapter | What it maps |
|---|---|---|
| ACP (OpenAI/Stripe) | assay-adapter-acp | Checkout events, payment intents, tool calls |
| A2A (Google) | assay-adapter-a2a | Agent capabilities, task delegation, artifacts |
| UCP (Google/Shopify) | assay-adapter-ucp | Discover/buy/post-purchase state transitions |
Each adapter translates protocol-specific events into Assay's canonical evidence format. Same policy engine, same evidence trail — regardless of which protocol your agent speaks.
The agent protocol landscape is fragmenting (ACP, A2A, UCP, AP2, x402). Assay's bet: governance is protocol-agnostic. The evidence and policy layer stays the same even as protocols come and go.
Why Assay
| Deterministic | Same input, same decision, every time. Not probabilistic. |
| MCP-native | Built for MCP tool calls. Adapters for ACP, A2A, UCP. |
| Evidence trail | Every decision is auditable, diffable, replayable. |
| Offline-first | No backend, no API keys. Runs on your machine. |
| Fast | < 5ms per tool call. |
| Tested | 3 security experiments, 12 attack vectors, 0 false positives. |
Install
cargo install assay-cli
In CI: use the GitHub Action directly.
Python SDK: pip install assay-it
Learn More
- MCP Quickstart — full walkthrough with a filesystem server
- CI Guide — GitHub Action setup
- OWASP MCP Top 10 Mapping — how Assay addresses each risk
- Evidence Store — push bundles to S3, B2, or MinIO
- Security Experiments — 12 vectors, 0 false positives
Contributing
cargo test --workspace
cargo clippy --workspace --all-targets -- -D warnings
See CONTRIBUTING.md. Join the discussion.
License
Похожие серверы
Scout Monitoring MCP
спонсорPut performance and error data directly in the hands of your AI assistant.
Alpha Vantage MCP Server
спонсорAccess financial market data: realtime & historical stock, ETF, options, forex, crypto, commodities, fundamentals, technical indicators, & more
Tox Testing
Executes tox commands to run Python tests with pytest. Requires the TOX_APP_DIR environment variable to be set.
Remote MCP Server (Authless)
A template for deploying a remote, auth-less MCP server on Cloudflare Workers.
PyPI MCP Server
Search and access Python package metadata, version history, and download statistics from the PyPI repository.
Ansible & OpenShift Automation
Provides tools to interact with the Ansible Automation Platform API for automation tasks.
Blockchain MCP Server
A server for blockchain interactions, offering Ethereum vanity address generation, 4byte lookup, ABI encoding, and multi-chain RPC calls.
Lingo.dev
Make your AI agent speak every language on the planet, using Lingo.dev Localization Engine.
Tether MCP
Prevents AI coding agents from drifting off your architecture — blocks wrong dependencies, enforces file structure, and gives agents persistent memory of your project's rules.
my-mcp-server
A template for building Model Context Protocol (MCP) servers using the mcp-framework for Node.js.
MCP RAG Server
A Python server providing Retrieval-Augmented Generation (RAG) functionality. It indexes various document formats and requires a PostgreSQL database with pgvector.
Ant Design
Access comprehensive documentation for Ant Design components, including examples, API references, and best practices.