devsafe mcp
Proxy MCP servers through DevSafe. Control which tools your AI can call, inject secrets from your vault, and log every tool invocation. Free, no account needed.
What it does
MCP (Model Context Protocol) lets AI coding tools call external servers. Your GitHub MCP server can create repos, delete branches, read private code. Your database MCP server can run arbitrary SQL. These are powerful tools, and right now nothing sits between your AI and those servers.
devsafe mcp is a local proxy. It sits between your AI coding tool and any MCP server, giving you three things:
- Permission control. Block dangerous tools. Allow read operations but deny writes. Decide what your AI can and cannot do, per server.
- Secret injection. Pull API tokens and credentials from your vault or lockbox instead of storing them in plaintext config files.
- Audit logging. See exactly which tools were called, what arguments were passed, and what data came back. Every invocation is logged locally.
Usage
$ devsafe mcp <subcommand>
Subcommands
- devsafe mcp proxy <server>: Start the proxy for a configured MCP server
- devsafe mcp list: List all configured MCP servers and their proxy status
- devsafe mcp status: Show which proxies are currently running
devsafe mcp proxy
The proxy subcommand starts a local proxy for a specific MCP server. Your AI tool connects to the proxy instead of the real server. The proxy forwards allowed calls and blocks everything else.
$ devsafe mcp proxy github --vault
✓ loaded vault credentials for github (GITHUB_TOKEN)
✓ proxy listening on stdio
✓ 2 tools blocked: delete_repo, transfer_repo
  38 tools allowed
  audit log: ~/.devsafe/logs/mcp-github.log
Flags
- --vault: Inject credentials from the DevSafe vault. The proxy reads the token from your vault and passes it to the MCP server at startup. The token never appears in your MCP config file.
- --block <tool>: Block a specific tool by name. Can be repeated. Example: --block delete_repo --block transfer_repo
- --allow-only <tool>: Only allow specific tools (deny everything else). Can be repeated.
- --log <path>: Write the audit log to a custom path instead of the default.
Example: GitHub MCP with vault credentials
This is the most common setup. You want your AI to use the GitHub MCP server, but you do not want it to delete repositories. You also do not want your GitHub token sitting in a plaintext JSON config file.
Step 1: Store your token in the vault
$ devsafe vault set GITHUB_TOKEN --from-env
✓ stored GITHUB_TOKEN in vault (encrypted with AES-256-GCM)
Step 2: Configure the proxy rules
Add a block to your ~/.devsafe/mcp.json config:
{
  "servers": {
    "github": {
      "command": "npx @modelcontextprotocol/server-github",
      "vault_keys": ["GITHUB_TOKEN"],
      "blocked_tools": ["delete_repo", "transfer_repo"]
    }
  }
}
Step 3: Start the proxy
$ devsafe mcp proxy github --vault
✓ loaded vault credentials for github (GITHUB_TOKEN)
✓ proxy listening on stdio
✓ 2 tools blocked: delete_repo, transfer_repo
What happens when a blocked tool is called
If your AI tries to call delete_repo, the proxy intercepts the call and returns an error. The call never reaches the GitHub MCP server.
14:23:08 ALLOW list_repos args: {owner: "acme"}
14:23:09 ALLOW get_file_contents args: {repo: "api", path: "main.go"}
14:23:11 BLOCK delete_repo args: {repo: "api"}
         ^ blocked by rule: delete_repo in blocked_tools
14:23:11 ALLOW create_issue args: {repo: "api", title: "..."}
The AI receives an error message explaining that the tool is blocked by policy. It can continue using other allowed tools normally.
devsafe mcp list and status
List configured servers
$ devsafe mcp list
server    command                                    blocked  vault
────────────────────────────────────────────────────────────────────────
github    npx @modelcontextprotocol/server-github    2 tools  yes
postgres  npx @modelcontextprotocol/server-postgres  0 tools  yes
slack     npx @modelcontextprotocol/server-slack     1 tool   no
Check proxy status
$ devsafe mcp status
server    status   pid    uptime  calls
──────────────────────────────────────────────────────
github    running  41302  2h 14m  128
postgres  stopped  -      -       -
slack     running  41305  1h 03m  34
Automatic config rewriting with lockbox
If you already have MCP config files with plaintext tokens in them (many tools store tokens directly in JSON config), you can use devsafe lockbox wrap-mcp to rewrite those files automatically.
$ devsafe lockbox wrap-mcp ~/.cursor/mcp.json
✓ found 3 secrets in mcp.json
✓ stored GITHUB_TOKEN in lockbox
✓ stored POSTGRES_URL in lockbox
✓ stored SLACK_TOKEN in lockbox
✓ rewrote mcp.json to use lockbox references
✓ backup saved to ~/.cursor/mcp.json.bak
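This command scans your MCP config file for anything that looks like an API token or credential. It moves each secret into the lockbox (encrypted locally on your machine) and replaces the plaintext value with a lockbox reference. A backup of the original file is saved automatically. That backup is a copy of the original file, so it still holds the plaintext values; remove it once you have confirmed the rewritten config works.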
After wrapping, your config file contains references like ${lockbox:GITHUB_TOKEN} instead of raw tokens. When the MCP server starts through the DevSafe proxy, the lockbox resolves these references and injects the real values at runtime.
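A check you can run after wrapping, plus a fail-closed resolver for the ${lockbox:NAME} syntax above. This is an added example, not DevSafe's code: the "mcpServers"/"env" config layout, the allowed characters in a reference name, and every value in the sample are assumptions or constructed.

```python
import re

# Reference syntax as shown on the page; the allowed name characters are an assumption.
REF = re.compile(r"\$\{lockbox:([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed config: the "mcpServers"/"env" layout is assumed, all values are fake.
SAMPLE = {"mcpServers": {
    "github": {"command": "npx", "env": {"GITHUB_TOKEN": "${lockbox:GITHUB_TOKEN}"}},
    "slack": {"command": "npx", "env": {"SLACK_TOKEN": "constructed-plaintext-value"}},
}}

def audit_env(config):
    """Split env entries into lockbox references and literal values left in the file."""
    refs, literals = [], []
    for server, spec in config.get("mcpServers", {}).items():
        for key, value in spec.get("env", {}).items():
            bucket = refs if REF.fullmatch(str(value)) else literals
            bucket.append((server, key))
    return refs, literals

def resolve_env(env, lockbox):
    """Build the child-process environment in memory; fail closed on an unknown name."""
    def lookup(match):
        name = match.group(1)
        if name not in lockbox:
            raise KeyError(f"no lockbox entry named {name}")
        return lockbox[name]
    return {key: REF.sub(lookup, str(value)) for key, value in env.items()}

if __name__ == "__main__":
    refs, literals = audit_env(SAMPLE)
    print("references:", refs)
    print("literals to review:", literals)
    fake_lockbox = {"GITHUB_TOKEN": "constructed-secret"}  # stand-in for the real lockbox
    # Print only the variable names, never the resolved values.
    print(sorted(resolve_env(SAMPLE["mcpServers"]["github"]["env"], fake_lockbox)))
```

Entries reported as literals are not necessarily secrets, but each one is a value that still sits in the file in plaintext and deserves a look.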
Both the vault and the lockbox store credentials locally, encrypted with nonce-unique AEAD (AES-256-GCM). Secrets never leave your machine, and they never appear in plaintext config files where other tools or processes could read them.
With blocked_tools or --block, the proxy only blocks tools you explicitly list. If an MCP server adds new tools in an update, those new tools will be allowed by default. Run devsafe mcp-scan periodically to check for new tools that may need to be blocked, or use --allow-only so that any tool not on the list is denied. See devsafe mcp-scan for details.
How it works
The proxy runs as a local process on your machine. It speaks the MCP protocol on both sides: your AI tool talks to the proxy as if it were the real MCP server, and the proxy talks to the real MCP server on your behalf.
When a tool call comes in, the proxy checks it against your rules:
- If the tool is in blocked_tools, the call is rejected immediately. The real server never sees it.
- If you used --allow-only, any tool not in that list is rejected.
- If the call is allowed, the proxy forwards it to the real server, logs the invocation, and returns the result to your AI tool.
All of this happens locally. No data is sent to DevSafe servers. The proxy is just a local process that enforces your rules.
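The rule check above, and the earlier note that a blocklist lets newly added tools through, shown as an added example (not DevSafe's code). It filters MCP tools/call JSON-RPC requests; the error code, the stand-in server and the tool name purge_org (a hypothetical tool added by a server update) are assumptions.

```python
import json

def decide(tool, blocked_tools=(), allow_only=None):
    """Return (verdict, reason) for one tool name, applying the rules in the listed order."""
    if tool in blocked_tools:
        return "BLOCK", f"{tool} in blocked_tools"
    if allow_only is not None and tool not in allow_only:
        return "BLOCK", f"{tool} not in allow-only list"
    return "ALLOW", ""

def handle(message, forward, audit, **policy):
    """Filter one client-to-server JSON-RPC message; only tools/call is subject to policy."""
    if message.get("method") != "tools/call":
        return forward(message)
    params = message.get("params") or {}
    tool = params.get("name", "")
    verdict, reason = decide(tool, **policy)
    audit.append({"verdict": verdict, "tool": tool,
                  "args": params.get("arguments", {}), "reason": reason})
    if verdict == "BLOCK":
        # Assumed error shape: a JSON-RPC 2.0 error object; the code is a placeholder.
        return {"jsonrpc": "2.0", "id": message.get("id"),
                "error": {"code": -32000, "message": f"tool blocked by policy: {reason}"}}
    return forward(message)

def demo():
    # Constructed stand-in for the real MCP server: records which calls reached it.
    reached = []
    def forward(msg):
        reached.append(msg["params"]["name"])
        return {"jsonrpc": "2.0", "id": msg["id"], "result": {"content": []}}
    # Constructed calls; purge_org stands for a tool added by a server update.
    calls = [{"jsonrpc": "2.0", "id": i, "method": "tools/call",
              "params": {"name": name, "arguments": {"repo": "api"}}}
             for i, name in enumerate(["list_repos", "delete_repo", "purge_org"])]
    results = {}
    for label, policy in [("blocklist", {"blocked_tools": ["delete_repo", "transfer_repo"]}),
                          ("allow_only", {"allow_only": ["list_repos"]})]:
        reached.clear()
        audit = []
        for call in calls:
            handle(call, forward, audit, **policy)
        results[label] = (list(reached), [e["verdict"] for e in audit])
    return results

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Under the blocklist the unknown tool reaches the server; under allow-only it is rejected along with delete_repo.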