sovr-mcp-proxy
Transparent MCP Proxy — The Execution Firewall for AI Agents.
sovr-mcp-proxy is a superset of sovr-mcp-server. It includes all MCP Server capabilities plus a transparent proxy layer that intercepts, evaluates, and audits every agent→tool call against configurable policy rules before forwarding to downstream MCP servers.
Architecture
┌─────────────┐ ┌──────────────────┐ ┌─────────────────┐
│ AI Agent │────▶│ sovr-mcp-proxy │────▶│ Downstream MCP │
│ (Claude etc) │ │ Gate-Check Layer│ │ (Stripe/GitHub) │
└─────────────┘ └──────────────────┘ └─────────────────┘
│
Policy Rules
Permit/Receipt
Audit Trail
Key Differences: Proxy vs Server
| Feature | sovr-mcp-proxy | sovr-mcp-server |
|---|---|---|
| 286 Native Tools | ✅ | ✅ |
| 1630 SDK Routes | ✅ | ✅ |
| Transparent Proxy Mode | ✅ | ❌ |
| Downstream Server Interception | ✅ | ❌ |
| Spawn/Discover/Intercept/Forward | ✅ | ❌ |
| Multi-server Routing | ✅ | ❌ |
| Anti-loop Protection | ✅ | N/A |
| Hop Counter | ✅ | N/A |
Quick Start
Install
npm install -g sovr-mcp-proxy
Claude Desktop Configuration
{
"mcpServers": {
"sovr-proxy": {
"command": "npx",
"args": ["sovr-mcp-proxy"],
"env": {
"SOVR_API_KEY": "sovr_sk_...",
"SOVR_PROXY_CONFIG": "/path/to/proxy.json"
}
}
}
}
Proxy Configuration (proxy.json)
{
"downstream": {
"stripe": {
"command": "npx",
"args": ["@stripe/agent-toolkit"],
"env": { "STRIPE_SECRET_KEY": "sk_test_..." }
},
"github": {
"command": "npx",
"args": ["@modelcontextprotocol/server-github"],
"env": { "GITHUB_TOKEN": "ghp_..." }
}
}
}
Every tool call to stripe or github is intercepted by SOVR's gate-check layer before forwarding.
How It Works
- Spawn — On startup, sovr-mcp-proxy spawns all downstream MCP servers as child processes
- Discover — Enumerates tools from each downstream server via
tools/list - Intercept — When the AI agent calls any tool, the proxy evaluates it against policy rules
- Gate-Check — Applies permit/deny/escalate verdict based on rules
- Forward — Approved calls are forwarded to the downstream server; denied calls return an error
Security Features
HTTPS Enforcement
All non-localhost connections are validated for HTTPS. HTTP connections to external hosts are rejected.
Fail-Close / Fail-Local Degradation
- Default (fail-close): If SOVR Cloud is unreachable, all gated operations are denied
- Configurable (fail-local): Set
SOVR_FAIL_MODE=fail-localto fall back to 20 built-in local rules
Three-State Degradation
| Mode | Behavior | Use Case |
|---|---|---|
strict (default) | Enforce all deny/escalate verdicts | Production |
record-only | Log violations but allow execution | Emergency availability rescue |
propose-only | Return verdict without executing | Dry-run / testing |
Anti-Loop Protection
- Hop counter prevents infinite proxy chains (default max: 3 hops)
- Re-entry guard detects circular tool call patterns
Data Redaction
Sensitive fields (password, secret, token, key, authorization, cookie, ssn, credit_card) are automatically redacted in all logs and audit entries.
Unified Alert Dispatcher
Configurable alert routing to Webhook, Slack, PagerDuty, or OpsGenie (replaces hardcoded Telegram).
Built-in Rules (Free Tier)
| Rule | Effect | Description |
|---|---|---|
| Destructive Commands | DENY | Blocks rm -rf, mkfs, dd, shred |
| DDL Operations | DENY | Blocks DROP, TRUNCATE, ALTER |
| Privilege Escalation | ESCALATE | Flags sudo, chmod, chown for approval |
| Payment APIs | ESCALATE | Flags Stripe, PayPal calls for approval |
| Deployment Ops | ESCALATE | Flags deploy/publish/release for approval |
Environment Variables
| Variable | Required | Description |
|---|---|---|
SOVR_API_KEY | No | Connect to SOVR Cloud for expanded tools and persistent audit |
SOVR_PROXY_CONFIG | No | Path to proxy configuration JSON |
SOVR_RULES_FILE | No | Path to custom rules JSON file |
SOVR_PROXY_MODE | No | strict / record-only / propose-only (default: strict) |
SOVR_FAIL_MODE | No | fail-close / fail-local (default: fail-close) |
SOVR_MAX_HOPS | No | Max proxy hop count before loop detection (default: 3) |
SOVR_TENANT_ID | No | Tenant identifier for multi-tenant deployments |
SOVR_ACTOR_ID | No | Actor identifier for audit trail |
SOVR_SESSION_ID | No | Session identifier for trace correlation |
SOVR_ENDPOINT | No | Custom Cloud endpoint (advanced) |
Tier Comparison
| Free | Personal | Starter | Pro | Enterprise | |
|---|---|---|---|---|---|
| Tools | 8 | 23 | 48 | 98 | 274 |
| Built-in Rules | 5 | 15+ | 15+ | 15+ | 15+ |
| Custom Rules | 3 | Unlimited | Unlimited | Unlimited | Unlimited |
| Proxy Downstream | 1 server | Unlimited | Unlimited | Unlimited | Unlimited |
| Permit/Receipt | Local only | Cloud | Cloud | Cloud | Cloud |
| Audit Trail | In-memory | Persistent | Persistent | Persistent | Persistent |
| Approval Workflow | — | Basic | Full | Full | Full + SLA |
Free tier works offline with zero configuration. Upgrade at sovr.inc/pricing.
Related Packages
sovr-mcp-server— MCP Server mode only (no proxy capabilities)
License
BSL-1.1 — Code is source-available. Free for non-commercial use. Commercial use requires a license from SOVR AI.
After the Change Date (February 18, 2030), this software converts to Apache-2.0.
SOVR — Eyes on AI. sovr.inc