dvārapāla — gatekeeper
Dvarapala sits between your LLM client and any third-party MCP server. It parses every JSON-RPC message, enforces a YAML policy, and denies, redacts, or logs anything that violates the rules — with zero changes to the underlying MCP.
$ brew tap tharvid/dvarapala
$ brew install dvarapala
$ dvarapala install --client claude-code --wrap-all
# Done. Restart Claude Code; dvarapala logs -f to watch traffic.
> scoop bucket add dvarapala https://github.com/TharVid/scoop-dvarapala
> scoop install dvarapala
> dvarapala install --client claude-desktop --wrap-all
# Restart the desktop app; dvarapala logs -f to watch traffic.
$ docker pull ghcr.io/tharvid/dvarapala:latest $ docker run --rm -i \ -v ~/.dvarapala:/root/.dvarapala \ ghcr.io/tharvid/dvarapala:latest \ wrap --policy /root/.dvarapala/policy.yaml -- \ npx -y @modelcontextprotocol/server-filesystem /workspace # Multi-arch image (amd64 + arm64). Hub mode + sidecars: see docs/deployment/docker.md.
Dvarapala doesn't reinvent detection — it composes battle-tested OSS (gitleaks, Microsoft Presidio, ProtectAI llm-guard) into an MCP-aware enforcement layer, plus two novel detectors only the gateway can do.
Malicious instructions hidden in tool descriptions are flagged before the LLM ever reads them. Regex on prompt-injection patterns, always on.
Cross-restart SHA-256 fingerprints catch tool definitions silently changing between sessions — the supply-chain attack unique to MCP.
AWS keys, GitHub tokens, GCP creds, JWTs, private keys — 150+ rules from gitleaks, embedded as a Go library. JSON-aware redaction preserves message validity.
50+ recognizers via Microsoft Presidio sidecar. HIPAA, GDPR, PCI-aware. Opt-in via DVARAPALA_PRESIDIO_URL.
ML model + heuristics catch injection in tool outputs that would otherwise hijack the LLM. Via ProtectAI llm-guard sidecar.
rm -rf, DROP TABLE, dd if=…of=/dev/sd*, mkfs — denied at the gateway before ever reaching the shell.
One static binary. Three deployment shapes — all sharing the same engine, detectors, audit log, and policy YAML.
All three ship in one binary, all three reuse the same policy + detector pipeline.
Every JSON-RPC message in either direction is parsed, evaluated, audited. dvarapala logs renders the audit stream as a per-MCP, per-tool, per-action timeline.
$ dvarapala logs -f 14:03:01 deepwiki → allow tools/list 14:03:02 deepwiki ← allow tools/list → 3 tools 14:03:02 filesystem → allow tools/list 14:03:02 filesystem ← allow tools/list → 14 tools 14:03:59 deepwiki → allow ask_question(repoName="facebook/react", question="What is React?") 14:04:04 deepwiki ← allow ask_question → React is a JavaScript library for building UIs… 14:05:11 filesystem ← redact read_file → key=[REDACTED:aws-access-token] // Secret in tool output redacted (gitleaks) [redact-secrets-in-tool-output] 14:06:30 shell → deny exec(command="rm -rf /") // Destructive shell command blocked [deny-destructive-actions]
Detection of well-defined classes is delegated to existing OSS — Dvarapala is the MCP-aware layer that glues them together.
150+ secret-detection rules, embedded as a Go library. No subprocess, no network call.
PII / PHI / PCI recognition, 50+ entity types. Sidecar HTTP service.
Prompt-injection detection (ML + heuristics). Sidecar HTTP service.
Adversarial test scenarios, curated into the attack-corpus fixture format.
Typed MCP message structs where useful; raw JSON-RPC where transparency matters.
Cross-platform binaries, signed checksums, SBOMs, multi-arch container images, all in one config.