Human Approval for MCP Tool Calls No Code

AI agents hit tools like drunk drivers. Sidclaw-mcp-guard slams on the brakes with human approval—no code changes needed.

Leashes for Rogue AI Agents: MCP Guardrails Done Right — The AI Catchup

Key Takeaways

  • Sidclaw-mcp-guard proxies MCP servers with YAML policies: allow reads, hold writes, block destroys.
  • Local dashboard and JSONL audits—no SaaS lock-in, Apache 2.0 free.
  • Like iptables for AI agents: essential production layer before breaches hit.

AI agents need leashes.

I’ve chased Silicon Valley hype for two decades, from dot-com bubbles to crypto winters, and here’s the pattern: flashy tech ships without brakes, chaos ensues, then someone slaps on a fix. Enter sidclaw-mcp-guard, a no-nonsense CLI that wraps your MCP servers with policy checks and human approval. It’s for folks running these in production, where an agent’s “quick query” could wipe your data.

MCP servers? They’re the plumbing for AI agents—think Claude Desktop or Cursor firing off SQL to Postgres or shell commands to your filesystem. No guardrails by default. Agent says “DROP TABLE users,” and poof—it’s gone. No questions asked.

But.

This tool changes that. Fire up npx sidclaw-mcp-guard@latest demo, and watch:

ALLOW SELECT * FROM users
Allowed: read query on users. Read-only queries are safe.
HOLD DELETE FROM users WHERE id = 42
Held for approval: delete from users. Data changes need approval.
BLOCK DROP TABLE users
Blocked: drop users. Schema changes are never allowed.

Three calls, three smart decisions. Reads zip through. Writes? They chill in a dashboard at localhost:9091 until you nod. Destructive stuff? Dead on arrival.

Why No One Saw This Coming in MCP Land?

MCP’s hot—Model Context Protocol, the new darling for agent tools. Everyone’s building servers for databases, files, shells. But production? Crickets on safety. Anthropic pushes it hard, yet their docs gloss over the “agent gone wild” nightmare. Sidclaw (some stealthy outfit, GitHub: sidclawhq) steps in with Apache 2.0 open source. No signup. No API keys. Just npx and YAML.

It’s a proxy. Your client (VS Code extension, whatever) talks to guard first, guard pokes upstream server second. Policies in YAML—semantic patterns, not brittle regex. sql-read catches SELECTs. sql-write grabs DELETEs. shell-destructive flags rm -rf. Mix ‘em for multi-server setups.

Quickstart? npx sidclaw-mcp-guard@latest quickstart. Boom—policy.yaml, client config, dashboard live.

And the audit trail? JSONL logs in .sidclaw/audit.jsonl. Grep it. Pipe to Splunk. Every decision timestamped:

{"timestamp":"…","tool":"query","args":{"sql":"DELETE FROM users WHERE id=42"},"decision":"approve","rule":"approve-writes","status":"approved"}

No black box. You own the logs.

Here’s the cynical bit—I’ve seen this movie. Remember early AWS days? Everyone spun up EC2 with god-mode IAM. Then Heartbleed, breaches, boom—everyone needed proxies like HAProxy or iptables rules. Sidclaw-mcp-guard is the iptables for AI agents. Local. Scriptable. No vendor breathing down your neck with $0.01 per approval fees. (Yeah, I’m eyeing those SaaS “agent governance” startups already fundraising on YC. Who profits? Not you.)

Is Sidclaw-mcp-guard Bulletproof for Production?

Short answer: Mostly. Long one—it’s action-layer only. Catches tool calls post-agent-decision. Won’t sniff prompt injections (that’s Lakera’s turf) or LLM hallucinations. Compound statements? “SELECT 1; DROP TABLE users”—flags the DROP, smart.

Filesystem? Shell? Yep. ls allows, curl holds (risky outbound), chmod 777 blocks.

But fix your upstream perms first. If the Postgres user can DROP, the guard's just a speed bump. Layered defense, not a silver bullet.

Unique angle nobody’s saying: This revives the devops ethos we lost to SaaS bloat. 2010 me would’ve npm-installed this for Jenkins pipelines. Today? It’s a breath of fresh air amid agent hype. Prediction: By Q2 2025, every serious MCP deploy will proxy through something like this—or regret it when the first “oops” tweetstorm hits.

Policies look like this:

rules:
  - name: allow-reads
    description: Read-only queries are safe
    match:
      pattern: sql-read
    action: allow
  - name: approve-writes
    description: Data changes need human review
    match:
      pattern: sql-write
    action: approve
  - name: deny-destructive
    description: Schema changes are never allowed
    match:
      pattern: sql-destructive
    action: deny
default: deny

Tweak. Reload. Done. No restarts.
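To make the allow/approve/deny flow concrete, here is an added Python example. It is not sidclaw-mcp-guard's own code (the page does not show its classifier); it mirrors the policy above, splits compound statements so a trailing DROP is caught the way the article describes, ignores keywords inside string literals and comments, falls through to default: deny for anything it cannot classify, and emits audit records in the JSONL shape shown earlier. The keyword sets behind each pattern name, the "pending" status for held calls, and the function names are assumptions made for this example.

```python
import json
import re
from datetime import datetime, timezone

# Policy mirroring the policy.yaml in the article. A real deployment would load the
# YAML file (e.g. with PyYAML); it is inlined here so the example runs offline.
POLICY = {
    "rules": [
        {"name": "allow-reads", "description": "Read-only queries are safe",
         "match": {"pattern": "sql-read"}, "action": "allow"},
        {"name": "approve-writes", "description": "Data changes need human review",
         "match": {"pattern": "sql-write"}, "action": "approve"},
        {"name": "deny-destructive", "description": "Schema changes are never allowed",
         "match": {"pattern": "sql-destructive"}, "action": "deny"},
    ],
    "default": "deny",
}

# Keyword sets behind each semantic pattern name, least to most severe. Assumption:
# the tool's real classifier is not documented on the page; this token-based
# stand-in is used for illustration.
PATTERNS = [
    ("sql-read", {"SELECT", "WITH", "EXPLAIN", "SHOW"}),
    ("sql-write", {"INSERT", "UPDATE", "DELETE", "MERGE"}),
    ("sql-destructive", {"DROP", "TRUNCATE", "ALTER"}),
]

# Ordering of actions so the most restrictive one wins for compound statements.
SEVERITY = {"allow": 0, "approve": 1, "deny": 2}
# Assumed audit status per action; a held call starts as pending until a human decides.
STATUS = {"allow": "allowed", "approve": "pending", "deny": "blocked"}

_LITERAL_RE = re.compile(
    r"'(?:[^']|'')*'"      # single-quoted string literal ('' escapes a quote)
    r'|"(?:[^"]|"")*"'     # double-quoted identifier
    r"|--[^\n]*"           # line comment
    r"|/\*.*?\*/",         # block comment
    re.DOTALL,
)


def strip_literals(sql):
    """Blank out strings, quoted identifiers and comments so a keyword inside a
    string ('DROP' in a value) is not mistaken for a statement and a ';' inside a
    string does not split the query."""
    return _LITERAL_RE.sub(" ", sql)


def split_statements(sql):
    """Split a possibly compound query into individual statements."""
    return [s.strip() for s in strip_literals(sql).split(";") if s.strip()]


def classify(statement):
    """Return the most severe pattern whose keywords appear anywhere in the statement.
    Scanning every token, not just the first, catches a write hidden in a CTE such as
    WITH x AS (DELETE ... RETURNING *) SELECT * FROM x."""
    tokens = {t.upper() for t in re.findall(r"[A-Za-z_]+", statement)}
    matched = None
    for name, keywords in PATTERNS:
        if tokens & keywords:
            matched = name
    return matched


def evaluate_rule(policy, statement):
    """First rule whose pattern matches wins; otherwise the policy default applies."""
    pattern = classify(statement)
    for rule in policy["rules"]:
        if pattern is not None and rule["match"]["pattern"] == pattern:
            return rule["action"], rule["name"]
    return policy["default"], "default"


def decide(policy, sql):
    """Decision for the whole tool call: the most restrictive per-statement action."""
    results = [evaluate_rule(policy, s) for s in split_statements(sql)]
    if not results:  # an empty call still gets the default, never a silent allow
        return policy["default"], "default"
    return max(results, key=lambda r: SEVERITY[r[0]])


def audit_record(sql, action, rule, tool="query"):
    """One JSONL audit line in the shape shown in the article."""
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "tool": tool,
        "args": {"sql": sql},
        "decision": action,
        "rule": rule,
        "status": STATUS[action],
    }


def guard(sql, policy=POLICY):
    """Evaluate one tool call and return its audit record (the caller appends it to the log)."""
    action, rule = decide(policy, sql)
    return audit_record(sql, action, rule)


if __name__ == "__main__":
    # Constructed sample calls; the first three mirror the article's demo output.
    for sql in [
        "SELECT * FROM users",
        "DELETE FROM users WHERE id = 42",
        "DROP TABLE users",
        "SELECT 1; DROP TABLE users",
        "SELECT 'DROP TABLE users' AS note",
        "WITH gone AS (DELETE FROM users RETURNING *) SELECT count(*) FROM gone",
        "VACUUM users",
    ]:
        print(json.dumps(guard(sql)))
```

Run it as a script to get one JSON line per sample call, the same shape you would grep out of .sidclaw/audit.jsonl. The token scan errs toward the restrictive side (a column literally named update is held rather than allowed), which is the right direction for a guard, but it is a stand-in for a real SQL parser: test your own policy against the statements your agents actually produce, as the article advises.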

Repo’s fresh—v0.1.2—but demo’s slick. npx sidclaw-mcp-guard --upstream "npx -y @modelcontextprotocol/server-postgres postgresql://localhost/mydb" --ui. Plug in your server, go.

Skeptical vet take: Love the no-SaaS vibe, but watch for edge cases. Agents evolve fast—what if they semantic-trick the parser? Test your YAML hard. Still, for $0 and local control, it’s a steal.

Who wins? You, the operator tired of PR-spun “safe agents.” Sidclaw? Probably hooks consulting gigs. Valley as usual.

Why Does This Matter for AI Devs Right Now?

Agents aren’t toys. Production MCP means real stakes—customer data, infra. Without this, you’re rolling dice. With it? Sanity. A dashboard for on-call heroics. Audit logs for compliance (SOC2, anyone?).

I’ve grilled execs on worse: “Our agents are fine-tuned!” Famous last words. This tool asks the money question: Who’s paying for the downtime?

Deploy it. Sleep better.



Frequently Asked Questions

What is sidclaw-mcp-guard?

CLI proxy for MCP servers adding YAML policies, human approval dashboard, and JSONL audits. Open source, no code changes.

How to add human approval to MCP tool calls?

npx sidclaw-mcp-guard@latest quickstart—generates policy.yaml and .mcp.json, starts localhost:9091 UI.

Does mcp-guard work with Postgres and shell servers?

Yes, semantic patterns for SQL (read/write/destructive) and shell (safe/risky/destructive). Mix rules in one YAML.

Written by Elena Vasquez

Senior editor and generalist covering the biggest stories with a sharp, skeptical eye.



Originally reported by dev.to
