Sudo for AI Agents — A Python implementation of the Agent Identity Protocol proxy. Sits between an AI agent and an MCP server, enforcing policy rules on every tool call.
```text
Agent → [Upstream]   → AIP Proxy → [Policy Engine] → MCP Server
                                   [Rate Limit]
                                   [Human Ask]
                                   [Audit Log]
Agent ← [Downstream] ← AIP Proxy ← [DLP Scan]      ← MCP Server
                                   [Redaction]
                                   [Audit Log]
```
- Tool allowlisting/denylisting — explicitly permit or block tool invocations
- Argument validation — regex-based parameter constraints per tool
- Human-in-the-loop — native OS dialogs for user approval on sensitive actions
- DLP scanning — redact secrets, tokens, and PII from responses
- Audit logging — JSONL audit trail for every decision
- Rate limiting — per-tool rate limits to prevent abuse
- Monitor mode — dry-run enforcement for policy testing
- Identity tokens — cryptographic session tokens with auto-rotation (v1alpha2)
- HTTP validation server — distributed policy validation endpoint (v1alpha2)
TODO
TODO
```shell
aip-proxy --target "npx @modelcontextprotocol/server-filesystem ." \
  --policy examples/agent.yaml \
  --audit aip-audit.jsonl
```

| Flag | Description | Default |
|---|---|---|
| `--target` | Command to wrap (required) | — |
| `--policy` | YAML policy file path (required) | — |
| `--audit` | Audit log output path | `aip-audit.jsonl` |
| `--verbose` | Enable verbose stderr logging | `false` |
| `--generate-cursor-config` | Print Cursor `mcp.json` snippet | — |
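The two enforcement stages from the diagram, as an added example that is not part of aip-proxy: a small policy engine that mirrors the policy schema shown in the next section (denylist, `protected_paths`, per-tool rules with `allow_args` regexes, allowlist, `monitor` mode, one JSONL audit line per decision) and a DLP scanner that redacts the configured patterns and, when `detect_encoding` is set, decodes base64 runs before matching. The class names `PolicyEngine` and `DlpScanner`, the rule precedence, and the base64 handling are assumptions rather than documented project behaviour; the tool calls and the upstream response are constructed.

```python
"""Added example, not the aip-proxy project's own code: a minimal policy engine, audit trail
and DLP redactor shaped like this README's policy schema; names and precedence are assumptions."""
import base64
import binascii
import json
import os
import re
import time
from pathlib import Path

# Constructed policy: the 'spec' block of the README's example policy as a dict.
SPEC = {
    "mode": "enforce",
    "allowed_tools": ["read_file", "list_directory"],
    "denied_tools": ["exec_command", "delete_file"],
    "protected_paths": ["~/.ssh", "~/.aws/credentials", ".env"],
    "tool_rules": [{"tool": "write_file", "action": "ask"},
                   {"tool": "postgres_query", "action": "allow", "allow_args": {"query": r"^SELECT\s+.*"}}],
    "dlp": {"detect_encoding": True, "patterns": [
        {"name": "AWS Key", "regex": r"(AKIA)[A-Z0-9]{16}"},
        {"name": "Generic Secret", "regex": r"(?i)(api_key|secret)\s*[:=]\s*['\"]?([a-zA-Z0-9-_]+)['\"]?"}]},
}

class PolicyEngine:
    """Assumed precedence: denylist > protected paths > tool_rules > allowlist > default deny."""

    def __init__(self, spec, ask=lambda tool, args: False):
        self.spec, self.ask, self.audit = spec, ask, []  # ask() stands in for the native OS dialog
        self.rules = {r["tool"]: r for r in spec.get("tool_rules", [])}
        self.protected = [Path(os.path.expanduser(p)) for p in spec.get("protected_paths", [])]

    def _touches_protected(self, value):
        p = Path(os.path.expanduser(value))  # a relative entry such as ".env" also matches by file name
        return any(p == q or q in p.parents or (not q.is_absolute() and p.name == q.name) for q in self.protected)

    def _decide(self, tool, args):
        if tool in self.spec.get("denied_tools", []):
            return "deny", "tool is denylisted"
        if any(isinstance(v, str) and self._touches_protected(v) for v in args.values()):
            return "deny", "argument touches a protected path"
        rule = self.rules.get(tool)
        if rule:
            for key, pattern in rule.get("allow_args", {}).items():
                if not re.search(pattern, str(args.get(key, ""))):
                    return "deny", f"argument {key!r} does not match allow_args"
            if rule["action"] == "ask":
                return ("allow", "approved by user") if self.ask(tool, args) else ("deny", "rejected by user")
            return rule["action"], "tool rule"
        if tool in self.spec.get("allowed_tools", []):
            return "allow", "tool is allowlisted"
        return "deny", "tool not allowlisted"

    def evaluate(self, tool, args):
        """Returns (action, enforced); in monitor mode enforced is False and the verdict is only logged."""
        action, reason = self._decide(tool, args)
        enforced = self.spec.get("mode", "enforce") == "enforce"
        self.audit.append(json.dumps({"ts": time.time(), "tool": tool, "action": action,
                                      "reason": reason, "enforced": enforced}))  # one JSONL line per call
        return action, enforced

class DlpScanner:
    """Redacts pattern matches; with detect_encoding, base64 runs (assumed 20+ chars) are decoded and checked too."""
    B64 = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

    def __init__(self, dlp):
        self.patterns = [(p["name"], re.compile(p["regex"])) for p in dlp.get("patterns", [])]
        self.detect_encoding = dlp.get("detect_encoding", False)

    def redact(self, text):
        found = []
        for name, rx in self.patterns:
            text, n = rx.subn(f"[REDACTED:{name}]", text)
            found += [name] * n

        def check_blob(m):  # decode a base64 run; redact the whole blob if its plaintext matches a pattern
            try:
                plain = base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace")
            except (binascii.Error, ValueError):
                return m.group(0)
            hits = [name for name, rx in self.patterns if rx.search(plain)]
            found.extend(f"{h} (base64)" for h in hits)
            return "[REDACTED:encoded-secret]" if hits else m.group(0)

        return (self.B64.sub(check_blob, text) if self.detect_encoding else text), found

def demo(mode="enforce"):
    """Runs constructed tool calls and a constructed upstream response through both stages."""
    engine = PolicyEngine(dict(SPEC, mode=mode), ask=lambda tool, args: True)  # auto-approve for the demo
    calls = [("read_file", {"path": "README.md"}), ("read_file", {"path": "~/.ssh/id_rsa"}),
             ("exec_command", {"cmd": "ls"}), ("write_file", {"path": "notes.txt", "content": "hi"}),
             ("postgres_query", {"query": "SELECT * FROM users"}),
             ("postgres_query", {"query": "DROP TABLE users"}), ("read_file", {"path": "config/.env"})]
    results = [engine.evaluate(tool, args) for tool, args in calls]
    response = ("aws_access_key_id = AKIAIOSFODNN7EXAMPLE\nblob: "
                + base64.b64encode(b"api_key=abc123def456").decode())
    redacted, found = DlpScanner(SPEC["dlp"]).redact(response)
    return {"actions": [a for a, _ in results], "enforced": [e for _, e in results],
            "audit_lines": len(engine.audit), "redacted": redacted, "found": found}

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the seven verdicts, the redacted response and the names of the patterns that fired; `engine.audit` holds the JSONL lines the real proxy would append to the `--audit` file. The second DLP pass is what gives `detect_encoding` its value: a response that carries a credential base64-encoded would otherwise pass plain regex matching untouched, so the scanner decodes candidate runs and redacts the whole blob when the plaintext matches.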
```yaml
apiVersion: aip.io/v1alpha1
kind: AgentPolicy
metadata:
  name: my-agent
  version: "1.0.0"
spec:
  mode: enforce  # or "monitor"
  allowed_tools:
    - read_file
    - list_directory
  denied_tools:
    - exec_command
    - delete_file
  protected_paths:
    - ~/.ssh
    - ~/.aws/credentials
    - .env
  tool_rules:
    - tool: write_file
      action: ask
    - tool: postgres_query
      action: allow
      allow_args:
        query: "^SELECT\\s+.*"
  dlp:
    detect_encoding: true
    patterns:
      - name: "AWS Key"
        regex: "(AKIA)[A-Z0-9]{16}"
      - name: "Generic Secret"
        regex: "(?i)(api_key|secret)\\s*[:=]\\s*['\"]?([a-zA-Z0-9-_]+)['\"]?"
```

License: Apache 2.0