
devsafe mcp

Proxy MCP servers through DevSafe. Control which tools your AI can call, inject secrets from your vault, and log every tool invocation. Free, no account needed.

What it does

MCP (Model Context Protocol) lets AI coding tools call external servers. Your GitHub MCP server can create repos, delete branches, read private code. Your database MCP server can run arbitrary SQL. These are powerful tools, and right now nothing sits between your AI and those servers.

devsafe mcp is a local proxy. It sits between your AI coding tool and any MCP server, giving you three things: control over which tools the AI can call (a per-server blocked_tools list), secrets injected from your vault at runtime instead of stored in config files, and an audit log of every tool invocation.

Usage

terminal
$ devsafe mcp <subcommand>

Subcommands

devsafe mcp proxy

The proxy subcommand starts a local proxy for a specific MCP server. Your AI tool connects to the proxy instead of the real server. The proxy forwards allowed calls and blocks everything else.

terminal
$ devsafe mcp proxy github --vault
 loaded vault credentials for github (GITHUB_TOKEN)
 proxy listening on stdio
 2 tools blocked: delete_repo, transfer_repo
  38 tools allowed
  audit log: ~/.devsafe/logs/mcp-github.log

Flags

Example: GitHub MCP with vault credentials

This is the most common setup. You want your AI to use the GitHub MCP server, but you do not want it to delete repositories. You also do not want your GitHub token sitting in a plaintext JSON config file.

Step 1: Store your token in the vault

terminal
$ devsafe vault set GITHUB_TOKEN --from-env
 stored GITHUB_TOKEN in vault (encrypted with AES-256-GCM)

Step 2: Configure the proxy rules

Add a block to your ~/.devsafe/mcp.json config:

~/.devsafe/mcp.json
{
  "servers": {
    "github": {
      "command": "npx @modelcontextprotocol/server-github",
      "vault_keys": ["GITHUB_TOKEN"],
      "blocked_tools": ["delete_repo", "transfer_repo"]
    }
  }
}

Step 3: Start the proxy

terminal
$ devsafe mcp proxy github --vault
 loaded vault credentials for github (GITHUB_TOKEN)
 proxy listening on stdio
 2 tools blocked: delete_repo, transfer_repo

What happens when a blocked tool is called

If your AI tries to call delete_repo, the proxy intercepts the call and returns an error. The call never reaches the GitHub MCP server.

audit log output
14:23:08 ALLOW  list_repos          args: {owner: "acme"}
14:23:09 ALLOW  get_file_contents    args: {repo: "api", path: "main.go"}
14:23:11 BLOCK  delete_repo          args: {repo: "api"}
         ^ blocked by rule: delete_repo in blocked_tools
14:23:11 ALLOW  create_issue         args: {repo: "api", title: "..."}

The AI receives an error message explaining that the tool is blocked by policy. It can continue using other allowed tools normally.

devsafe mcp list and status

List configured servers

terminal
$ devsafe mcp list
server     command                                    blocked    vault
────────────────────────────────────────────────────────────────────────
github     npx @modelcontextprotocol/server-github    2 tools    yes
postgres   npx @modelcontextprotocol/server-postgres  0 tools    yes
slack      npx @modelcontextprotocol/server-slack     1 tool     no

Check proxy status

terminal
$ devsafe mcp status
server     status     pid      uptime       calls
──────────────────────────────────────────────────────
github     running    41302    2h 14m       128
postgres   stopped    -        -            -
slack      running    41305    1h 03m       34

Automatic config rewriting with lockbox

If you already have MCP config files with plaintext tokens in them (many tools store tokens directly in JSON config), you can use devsafe lockbox wrap-mcp to rewrite those files automatically.

terminal
$ devsafe lockbox wrap-mcp ~/.cursor/mcp.json
 found 3 secrets in mcp.json
 stored GITHUB_TOKEN in lockbox
 stored POSTGRES_URL in lockbox
 stored SLACK_TOKEN in lockbox
 rewrote mcp.json to use lockbox references
 backup saved to ~/.cursor/mcp.json.bak

This command scans your MCP config file for anything that looks like an API token or credential. It moves each secret into the lockbox (encrypted locally on your machine) and replaces the plaintext value with a lockbox reference. A backup of the original file is saved automatically. Two things to check afterwards: the detection is heuristic, so review the rewritten file for values it missed or wrongly moved, and the backup still holds the plaintext tokens, so delete it or move it somewhere protected once the rewritten config works.

After wrapping, your config file contains references like ${lockbox:GITHUB_TOKEN} instead of raw tokens. When the MCP server starts through the DevSafe proxy, the lockbox resolves these references and injects the real values at runtime.
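The following is an added example, not DevSafe's code, that models the two halves of what the section above describes: a scanner that moves credential-looking values out of an MCP client config into a store and replaces them with ${lockbox:NAME} references, and a resolver that substitutes the real values back at launch time. The config is constructed for the example (in the mcpServers shape several MCP clients use), the detection rules and the POSTGRES_URL naming are my assumptions, and the "lockbox" is a plain dict standing in for encrypted storage.

```python
"""Wrap plaintext credentials in an MCP client config into references,
then resolve them at launch time. Added example; the lockbox here is an
in-memory dict, not an encrypted store, and the config is constructed."""
import copy
import re
from typing import Any, Dict, Tuple

# Assumed heuristics: env keys whose names suggest a secret, and URLs whose
# authority section carries user:password@ credentials.
SECRET_KEY_RE = re.compile(r"(TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE_KEY)", re.I)
URL_CRED_RE = re.compile(r"^[a-z][a-z0-9+.-]*://[^/\s:@]+:[^/\s@]+@", re.I)
REF_RE = re.compile(r"^\$\{lockbox:([A-Z0-9_]+)\}$")

# Constructed sample config with three plaintext secrets and one non-secret
# (SLACK_TEAM_ID) that must be left alone.
SAMPLE_CONFIG: Dict[str, Any] = {
    "mcpServers": {
        "github": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-github"],
            "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_exampleexampleexample0000000000000000"},
        },
        "postgres": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-postgres",
                     "postgresql://app:s3cret@db.internal:5432/prod"],
        },
        "slack": {
            "command": "npx",
            "args": ["-y", "@modelcontextprotocol/server-slack"],
            "env": {"SLACK_BOT_TOKEN": "xoxb-0000-example", "SLACK_TEAM_ID": "T0000"},
        },
    }
}


def wrap_config(config: Dict[str, Any]) -> Tuple[Dict[str, Any], Dict[str, str]]:
    """Return (rewritten config, lockbox). Secrets are replaced by references;
    values that are already references are left untouched."""
    out = copy.deepcopy(config)
    lockbox: Dict[str, str] = {}
    for server_name, server in out.get("mcpServers", {}).items():
        env = server.get("env", {})
        for key, value in list(env.items()):
            if isinstance(value, str) and SECRET_KEY_RE.search(key) and not REF_RE.match(value):
                lockbox[key] = value
                env[key] = f"${{lockbox:{key}}}"
        args = server.get("args", [])
        for i, arg in enumerate(args):
            if isinstance(arg, str) and URL_CRED_RE.match(arg):
                name = f"{server_name.upper()}_URL"  # assumed naming for connection strings
                lockbox[name] = arg
                args[i] = f"${{lockbox:{name}}}"
    return out, lockbox


def resolve_config(config: Dict[str, Any], lockbox: Dict[str, str]) -> Dict[str, Any]:
    """Substitute every ${lockbox:NAME} reference. A reference with no lockbox
    entry raises instead of silently passing the placeholder to the server."""
    def sub(node: Any) -> Any:
        if isinstance(node, dict):
            return {k: sub(v) for k, v in node.items()}
        if isinstance(node, list):
            return [sub(v) for v in node]
        if isinstance(node, str):
            m = REF_RE.match(node)
            if m:
                name = m.group(1)
                if name not in lockbox:
                    raise KeyError(f"lockbox has no entry for {name}")
                return lockbox[name]
        return node
    return sub(config)


if __name__ == "__main__":
    wrapped, box = wrap_config(SAMPLE_CONFIG)
    print("stored:", ", ".join(sorted(box)))
    print(wrapped["mcpServers"]["postgres"]["args"])
    assert resolve_config(wrapped, box) == SAMPLE_CONFIG
```

The resolver deliberately fails closed on an unknown reference: passing the literal string ${lockbox:NAME} through to a server would produce confusing auth errors rather than a clear failure at startup.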

Your secrets stay on your machine.

Both the vault and the lockbox store credentials locally, encrypted with AES-256-GCM (an authenticated-encryption mode, with a unique nonce per entry). Secrets never leave your machine, and they never appear in plaintext config files where other tools or processes could read them. They are decrypted only when the proxy launches the MCP server, which receives the real values at runtime, so the server process itself still has to be one you trust.

Review your blocked tools carefully.

The proxy only blocks tools you explicitly list. If an MCP server adds new tools in an update, those new tools will be allowed by default. Run devsafe mcp-scan periodically to check for new tools that may need to be blocked. See devsafe mcp-scan for details.

How it works

The proxy runs as a local process on your machine. It speaks the MCP protocol on both sides: your AI tool talks to the proxy as if it were the real MCP server, and the proxy talks to the real MCP server on your behalf.

When a tool call comes in, the proxy checks it against your rules: if the tool name is in that server's blocked_tools list, the proxy writes a BLOCK entry to the audit log and returns a policy error to the AI tool without contacting the server; otherwise it writes an ALLOW entry and forwards the call to the real server, passing the server's response back to the AI tool.

All of this happens locally. No data is sent to DevSafe servers. The proxy is just a local process that enforces your rules.
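To make the check concrete, here is an added example (not DevSafe's code) of the policy step for one direction of the proxy: JSON-RPC tools/call requests from the AI client are matched against a blocked_tools set, blocked calls get a JSON-RPC error and a BLOCK audit line, and everything else is forwarded. The session, the upstream stand-in, the error code and the exact log format are constructed for the example; real MCP traffic also carries initialize and tools/list messages, which this filter forwards untouched.

```python
"""Policy filter for MCP tools/call requests, in the style of a local proxy.
Added example, not DevSafe's code: rules, session and upstream are constructed."""
import json
import time
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed rule set mirroring the ~/.devsafe/mcp.json example above.
BLOCKED_TOOLS: Set[str] = {"delete_repo", "transfer_repo"}

# Error code chosen for this example from the implementation-defined JSON-RPC range.
POLICY_BLOCKED = -32001


def audit_line(decision: str, tool: str, args: Dict, ts: Optional[float] = None) -> str:
    """Render one audit line in the ALLOW/BLOCK layout shown earlier on this page."""
    stamp = time.strftime("%H:%M:%S", time.localtime(ts if ts is not None else time.time()))
    return f"{stamp} {decision:<6} {tool:<20} args: {json.dumps(args, separators=(',', ':'))}"


def filter_request(request: Dict, blocked: Set[str],
                   forward: Callable[[Dict], Dict], log: List[str]) -> Dict:
    """Apply policy to one JSON-RPC request.

    Only tools/call is subject to the block list; other methods are forwarded
    as-is. A blocked call never reaches `forward`, and the client gets an error
    object on the original request id so it can continue with other tools.
    """
    if request.get("method") != "tools/call":
        return forward(request)
    params = request.get("params", {})
    tool = params.get("name", "")
    args = params.get("arguments", {})
    if tool in blocked:
        log.append(audit_line("BLOCK", tool, args))
        log.append(f"         ^ blocked by rule: {tool} in blocked_tools")
        return {
            "jsonrpc": "2.0",
            "id": request.get("id"),
            "error": {"code": POLICY_BLOCKED,
                      "message": f"tool '{tool}' is blocked by policy"},
        }
    log.append(audit_line("ALLOW", tool, args))
    return forward(request)


def fake_upstream(request: Dict) -> Dict:
    """Stand-in for the real MCP server: reports which tool it executed."""
    tool = request.get("params", {}).get("name")
    return {"jsonrpc": "2.0", "id": request.get("id"),
            "result": {"content": [{"type": "text", "text": f"executed {tool}"}]}}


def run_demo() -> Tuple[List[Dict], List[str]]:
    """Replay a constructed session resembling the audit log shown above."""
    session = [
        {"jsonrpc": "2.0", "id": 1, "method": "tools/call",
         "params": {"name": "list_repos", "arguments": {"owner": "acme"}}},
        {"jsonrpc": "2.0", "id": 2, "method": "tools/call",
         "params": {"name": "delete_repo", "arguments": {"repo": "api"}}},
        {"jsonrpc": "2.0", "id": 3, "method": "tools/call",
         "params": {"name": "create_issue", "arguments": {"repo": "api", "title": "..."}}},
    ]
    log: List[str] = []
    responses = [filter_request(r, BLOCKED_TOOLS, fake_upstream, log) for r in session]
    return responses, log


if __name__ == "__main__":
    responses, log = run_demo()
    print("\n".join(log))
    print(json.dumps(responses[1], indent=2))
```

Note that the match is on the exact tool name the client sends, which is why a server update that adds a differently named destructive tool slips through a block list like this one.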