MCP servers need trust boundaries. Most do not have them.
armalo-mcp-shield is a drop-in wrapper any MCP server can apply in one import. Trust-score gating, per-tool rate limits, audit log, and a prompt-injection prefilter — wired in before your handlers run. Free OSS shield. Verified directory listing free for shielded servers. $29/mo unlocks the hosted dashboard.
Install
# Install the shield
pnpm add @armalo/mcp-shield
# or run the CLI without installing
npx armalo-mcp-shield init
Node 18+. No runtime dependencies beyond zod. Works with any MCP server framework.
Wrap one tool
import { createMcpShield } from '@armalo/mcp-shield';

const shield = createMcpShield({
  agentId: 'your-server-public-agent-id',
  policy: {
    defaultMinTrustScore: 60,
    perTool: {
      send_email: { minTrustScore: 75, rateLimit: { perMinute: 5, perDay: 50 } },
      transfer_funds: { minTrustScore: 90, rateLimit: { perMinute: 1 } },
      read_only: { minTrustScore: 0 },
    },
  },
  // Reject the call when the trust lookup cannot complete, instead of letting it through.
  failClosed: true,
  auditWebhookUrl: process.env.ARMALO_AUDIT_WEBHOOK,
});

// Wrap any tool handler; `originalSendEmail` is your existing handler for this tool.
// Caller agent ID is read from args._armaloCallerAgentId or the x-armalo-caller header.
export const sendEmail = shield.wrapTool(originalSendEmail, 'send_email');
Caller agent ID flows in via args._armaloCallerAgentId or the x-armalo-caller header. Both are values the caller supplies, so the trust gate is only as strong as whatever authenticates that ID before it reaches the shield. Caller-anonymous mode still rate-limits and prefilters.
Four guardrails in one wrapper
Every MCP server is a tool execution surface. Treat it like one. The shield adds the same controls every internal RPC service has had for decades — adapted for autonomous AI callers.
Trust-score gate
The calling agent must meet a configurable minimum composite score; a call below the threshold is rejected and audited. Scores come from a live lookup against /api/v1/trust/, cached and bounded by a timeout; with failClosed set, a lookup that fails or times out counts as a rejection.
Per-tool rate limits
Token bucket per (toolName, callerAgent) with both a per-minute and a per-day window, kept in an LRU-capped map with zero dependencies. A prompt-injected caller that loops on a tool drains its own bucket instead of your backend.
Audit log forwarding
Every accepted and rejected call produces a structured event. Forward it to your stack via webhook, or upgrade to the hosted dashboard.
Injection prefilter
Tool arguments are scanned for OWASP LLM01 prompt-injection and Invariant Labs tool-poisoning markers before the handler runs; an allowlist exempts legitimate matches.
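The four guardrails above, composed into one in-process check, as an added example. This is not code from @armalo/mcp-shield: it keeps the page's policy shape (defaultMinTrustScore, perTool, minTrustScore, rateLimit, failClosed), but the TrustLookup stand-in, the TokenBucket, the INJECTION_MARKERS list, redact() and the cheapest-first check order are assumptions made here, and every input is constructed.

```typescript
// Added illustration of how the four guardrails compose: injection prefilter, per-tool
// token-bucket rate limit, trust-score gate with fail-closed, and redacted audit events.
// NOT @armalo/mcp-shield's code; lookup, bucket, marker list and check order are assumptions.

type RateLimit = { perMinute?: number; perDay?: number };
type ToolPolicy = { minTrustScore: number; rateLimit?: RateLimit };
type Policy = { defaultMinTrustScore: number; perTool: Record<string, ToolPolicy> };
type Args = Record<string, unknown>;
type Decision = { allowed: boolean; reason: string };
type AuditEvent = Decision & { ts: number; tool: string; caller: string; args: Args };
// Stand-in for the live trust lookup: a score, or undefined when it fails or times out.
type TrustLookup = (callerId: string) => number | undefined;

// Constructed marker list; a production list (OWASP LLM01, tool-poisoning research) is larger.
const INJECTION_MARKERS: RegExp[] = [
  /ignore (all |any )?(previous|prior) instructions/i,
  /<important>/i, // hidden-directive style seen in poisoned tool descriptions
  /\bsystem prompt\b/i,
];
const SENSITIVE_KEY = /(token|secret|password|api[_-]?key)/i;

// Token bucket holding `capacity` calls, refilled continuously over `windowMs`.
class TokenBucket {
  private tokens: number;
  private last: number;
  constructor(private capacity: number, private windowMs: number, now: number) {
    this.tokens = capacity;
    this.last = now;
  }
  has(now: number): boolean {
    this.tokens = Math.min(this.capacity, this.tokens + ((now - this.last) / this.windowMs) * this.capacity);
    this.last = now;
    return this.tokens >= 1;
  }
  take(): void {
    this.tokens -= 1;
  }
}

// Redacted argument capture: secret-looking keys are masked and long strings truncated,
// so the audit log never stores a full credential or document body.
function redact(args: Args): Args {
  const out: Args = {};
  for (const k of Object.keys(args)) {
    const v = args[k];
    if (SENSITIVE_KEY.test(k)) out[k] = '[redacted]';
    else if (typeof v === 'string' && v.length > 32) out[k] = v.slice(0, 32) + '...';
    else out[k] = v;
  }
  return out;
}

class MiniShield {
  readonly audit: AuditEvent[] = [];
  private buckets = new Map<string, TokenBucket[]>();
  constructor(private policy: Policy, private lookup: TrustLookup, private failClosed = true, private now: () => number = Date.now) {}

  // Gate one call; every outcome, accepted or rejected, is appended to the audit log.
  check(tool: string, callerId: string | undefined, args: Args): Decision {
    const caller = callerId ?? 'anonymous';
    const p = this.policy.perTool[tool] ?? { minTrustScore: this.policy.defaultMinTrustScore };
    const decision = this.evaluate(tool, caller, callerId !== undefined, p, args);
    this.audit.push({ ...decision, ts: this.now(), tool, caller, args: redact(args) });
    return decision;
  }

  private evaluate(tool: string, caller: string, identified: boolean, p: ToolPolicy, args: Args): Decision {
    // 1. Prefilter string arguments locally before anything remote is touched.
    for (const k of Object.keys(args)) {
      const v = args[k];
      if (typeof v === 'string' && INJECTION_MARKERS.some((m) => m.test(v))) {
        return { allowed: false, reason: `prefilter: injection marker in "${k}"` };
      }
    }
    // 2. Rate limit per (tool, caller). Both windows must hold a token before either is spent;
    //    attempts are charged even if the trust gate later rejects, so rejections cannot be
    //    used to hammer the trust lookup.
    const buckets = this.bucketsFor(tool, caller, p.rateLimit);
    const now = this.now();
    if (!buckets.every((b) => b.has(now))) return { allowed: false, reason: 'rate limit exceeded' };
    buckets.forEach((b) => b.take());
    // 3. Trust gate. Anonymous callers only pass tools whose minimum is 0; a failed lookup
    //    is a rejection under failClosed and a pass-through otherwise.
    if (p.minTrustScore > 0) {
      if (!identified) return { allowed: false, reason: 'anonymous caller below minimum trust' };
      const score = this.lookup(caller);
      if (score === undefined) {
        if (this.failClosed) return { allowed: false, reason: 'trust lookup failed (fail-closed)' };
      } else if (score < p.minTrustScore) {
        return { allowed: false, reason: `trust score ${score} < ${p.minTrustScore}` };
      }
    }
    return { allowed: true, reason: 'ok' };
  }

  private bucketsFor(tool: string, caller: string, rl?: RateLimit): TokenBucket[] {
    const key = `${tool}\u0000${caller}`;
    let b = this.buckets.get(key);
    if (!b) {
      const now = this.now();
      b = [];
      if (rl?.perMinute) b.push(new TokenBucket(rl.perMinute, 60_000, now));
      if (rl?.perDay) b.push(new TokenBucket(rl.perDay, 86_400_000, now));
      this.buckets.set(key, b); // a real implementation caps this map (LRU)
    }
    return b;
  }
}
```

Two design choices are worth copying whatever shield you use: rate-limit attempts are charged before the remote trust lookup, so a caller that is going to be rejected anyway cannot drive lookup volume, and the audit event stores redacted arguments rather than the raw call, so the log itself does not become a second copy of every credential that passed through a tool.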
Operational
One-command healthcheck
Validate config, inspect rate-limit state, and measure trust-lookup latency before you ship.
npx armalo-mcp-shield healthcheck --config armalo-mcp-shield.config.json
@armalo/mcp-shield
Ship the shield in-process. Audit log forwards to a webhook of your choice or stays local. Verified directory listing is free once your config passes the audit.
- Trust-gated tool execution — no agent can call a tool until it meets the score threshold
- Per-tool rate limit + cost budget that survives prompt-injection burst attempts
- Audit log on every call — accepted and rejected — with redacted argument capture
- Public verified-MCP listing once the shield is wired and your config passes the audit
Shield Cloud
The hosted dashboard turns the audit log into a live cockpit, with retention, alerting, and a badge on the public directory listing for callers who care.
- Persisted audit log with 90-day retention and query API
- Live trust-score lookups cached at the edge (lower P50 than self-hosted)
- Email + Slack alerts on rejection spikes and trust-score deltas for callers you depend on
- Public verified-MCP directory listing with shield-version badge
Why drop-in protection beats roll-your-own
Every team that ships an MCP server eventually writes the same four controls: trust gating, rate limits, audit log, and an injection prefilter. We wrote them once, audited the markers list against OWASP LLM01 and Invariant Labs research, and shipped them as a free OSS package. Use it. The verified directory listing is the easiest distribution win the MCP ecosystem has on offer right now.
Ship the shield. Earn the listing.
Every MCP server you operate is a tool execution surface. Treat it like one. Wrap it, audit it, and earn the verified directory listing in the next hour.