Assay
The firewall for MCP tool calls. Block unsafe calls, audit every decision, replay anything. Deterministic policy enforcement with replayable evidence bundles.
Your MCP agent calls read_file, exec, web_search — but should it?
Assay sits between your agent and its tools. It intercepts every MCP tool call, checks it against your policy, and blocks what shouldn't happen. Every decision produces an evidence trail you can audit, diff, and replay.
Agent ──► Assay ──► MCP Server
│
├─ ✅ ALLOW (policy match)
├─ ❌ DENY (blocked, logged)
└─ 📋 Evidence bundle
No hosted backend. No API keys. Deterministic — same input, same decision, every time.
The average MCP server scores 34/100 on security. Assay gives you the policy gate and audit trail to fix that. Covers 7 of 10 OWASP MCP Top 10 risks.
See It Work
cargo install assay-cli
mkdir -p /tmp/assay-demo && echo "safe content" > /tmp/assay-demo/safe.txt
assay mcp wrap --policy examples/mcp-quickstart/policy.yaml \
-- npx @modelcontextprotocol/server-filesystem /tmp/assay-demo
✅ ALLOW read_file path=/tmp/assay-demo/safe.txt reason=policy_allow
✅ ALLOW list_dir path=/tmp/assay-demo/ reason=policy_allow
❌ DENY read_file path=/etc/passwd reason=path_constraint_violation
❌ DENY exec cmd=ls reason=tool_denied
Is This For Me?
Yes, if you:
- Build with Claude Desktop, Cursor, Windsurf, or any MCP client
- Ship agents that call tools and you need to control which ones
- Want a CI gate that catches tool-call regressions before production
- Need a deterministic audit trail, not sampled observability
Not yet, if you:
- Don't use MCP (Assay is MCP-native; other protocols are on the roadmap)
- Need a hosted dashboard (Assay is CLI-first and offline)
Policy Is Simple
version: "1.0"
name: "my-policy"
allow: ["read_file", "list_dir"]
deny: ["exec", "shell", "write_file"]
constraints:
- tool: "read_file"
params:
path:
matches: "^/app/.*"
Or don't write one — generate it from what your agent actually does:
assay init --from-trace trace.jsonl
Add to CI
# .github/workflows/assay.yml
name: Assay Gate
on: [push, pull_request]
permissions:
contents: read
security-events: write
jobs:
assay:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: Rul1an/assay-action@v2
PRs that violate policy get blocked. SARIF results show up in the Security tab.
Beyond MCP: Protocol Adapters
Assay already ships adapters for emerging agent protocols:
| Protocol | Adapter | What it maps |
|---|---|---|
| ACP (OpenAI/Stripe) | assay-adapter-acp | Checkout events, payment intents, tool calls |
| A2A (Google) | assay-adapter-a2a | Agent capabilities, task delegation, artifacts |
| UCP (Google/Shopify) | assay-adapter-ucp | Discover/buy/post-purchase state transitions |
Each adapter translates protocol-specific events into Assay's canonical evidence format. Same policy engine, same evidence trail — regardless of which protocol your agent speaks.
The agent protocol landscape is fragmenting (ACP, A2A, UCP, AP2, x402). Assay's bet: governance is protocol-agnostic. The evidence and policy layer stays the same even as protocols come and go.
Why Assay
| Deterministic | Same input, same decision, every time. Not probabilistic. |
| MCP-native | Built for MCP tool calls. Adapters for ACP, A2A, UCP. |
| Evidence trail | Every decision is auditable, diffable, replayable. |
| Offline-first | No backend, no API keys. Runs on your machine. |
| Fast | < 5ms per tool call. |
| Tested | 3 security experiments, 12 attack vectors, 0 false positives. |
Install
cargo install assay-cli
In CI: use the GitHub Action directly.
Python SDK: pip install assay-it
Learn More
- MCP Quickstart — full walkthrough with a filesystem server
- CI Guide — GitHub Action setup
- OWASP MCP Top 10 Mapping — how Assay addresses each risk
- Evidence Store — push bundles to S3, B2, or MinIO
- Security Experiments — 12 vectors, 0 false positives
Contributing
cargo test --workspace
cargo clippy --workspace --all-targets -- -D warnings
See CONTRIBUTING.md. Join the discussion.
License
Related Servers
Scout Monitoring MCP
sponsorPut performance and error data directly in the hands of your AI assistant.
Alpha Vantage MCP Server
sponsorAccess financial market data: realtime & historical stock, ETF, options, forex, crypto, commodities, fundamentals, technical indicators, & more
Klever VM
MCP server for [Klever](https://klever.org) blockchain smart contract development, on-chain data exploration, and VM interaction. Public remote server available at `https://mcp.klever.org/mcp`.
Ghibli Video
Generates AI images and videos using the GPT4O Image Generator API.
gNMIBuddy
Retrieves essential network information from devices using gNMI and OpenConfig models.
CURSOR25X
An interactive task loop server for Cursor IDE, designed to perform task-based operations for modern web application development.
FileForge
Transforms raw code into polished solutions with optimized performance and vector embeddings support.
mcp-of-mcps
MCP of MCPs is a meta-server that merges all your MCP servers into a single smart endpoint. It gives AI agents instant tool discovery, selective schema loading, and massively cheaper execution, so you stop wasting tokens and time. With persistent tool metadata, semantic search, and direct code execution between tools, it turns chaotic multi-server setups into a fast, efficient, hallucination-free workflow. It also automatically analyzes the tools output schemas if not exist and preserves them across sessions for consistent behavior.
SysPlant
Your Windows syscall hooking factory - feat Canterlot's Gate - All accessible over MCP
NmapMCP
Integrates the Nmap network scanning tool with MCP, enabling network scanning capabilities within MCP-compatible environments.
Remote MCP Server (Authless)
An authentication-free, remote MCP server deployable on Cloudflare Workers or locally via npm.
cli-mcp
A command-line interface (CLI) client for calling tools from local and remote MCP servers.