Config is the same across clients — only the file and path differ.
```json
{
  "mcpServers": {
    "ai-marchward-mcp-server": {
      "args": [
        "marchward"
      ],
      "command": "uvx"
    }
  }
}
```
Govern what your AI agents are allowed to do. Marchward sits in front of your agent's tool calls and decides, by policy, whether each one runs, pauses for a human, or is blocked, and writes a tamper-evident record of every decision. Self-hostable, Apache-2.0.
Run this in your terminal to verify the server starts:

```bash
uvx 'marchward' 2>&1 | head -1 && echo "✓ Server started successfully"
```
No known CVEs.
Checked marchward against OSV.dev.
Marchward · runtime authority for AI agents
Govern what your AI agents are allowed to do. Marchward is one open layer that sits in front of an agent's tool calls and enforces four controls before any action runs, then writes a tamper-evident record of every decision. Self-hostable, Apache-2.0, framework-agnostic.
Most tools in this space cover one of these. Marchward brings all four together in one place, open and self-hostable.
Output guardrails check what an agent says (toxicity, PII, topic). Marchward governs what an agent does (spend, delete, act). A check on the agent's output cannot stop an agent that still holds the keys and can make a different call. Marchward governs the action itself.
Built for teams already running agents in production (LangGraph, LangChain, raw SDKs, any MCP server, or one HTTP call from any runtime) who need an agent to be autonomous without being able to drain a budget, take an irreversible action unattended, or act without an audit trail.
`marchward-proxy` wraps any MCP server as a child process and evaluates every `tools/call` against your policy before it runs (block, allow, or pause for human approval), entirely on your machine, with your own credentials.
```bash
# Write a policy (escalate anything destructive, allow the rest)
cat > policy.json <<'EOF'
{ "rules": [
  { "match": { "toolPattern": "*delete*" }, "decision": "ESCALATE" },
  { "match": { "toolPattern": "*" }, "decision": "ALLOW" }
]}
EOF

# Put Marchward in front of your agent's MCP server, local mode, no API
npx -p @marchward/proxy marchward-proxy \
  --command "node my-mcp-server.js" \
  --policy-file ./policy.json \
  --local
```
Every tool call your agent makes now passes through policy first, and lands in a local tamper-evident (hash-chained) audit log you can verify offline. No account, no network call to us.
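To make the two mechanisms above concrete, here is an added illustration (not Marchward's own code) of ordered glob-pattern policy matching in the shape of the `policy.json` above, followed by a hash-chained audit log with an offline verifier. First-match-wins evaluation and fail-closed BLOCK when no rule matches are assumptions about the proxy's semantics; the tool names are constructed samples.

```python
import fnmatch
import hashlib
import json

# Same rule shape as the page's policy.json. Rules are evaluated in order and the
# first match wins (an assumption about the proxy, consistent with "*delete*" first).
POLICY = {"rules": [
    {"match": {"toolPattern": "*delete*"}, "decision": "ESCALATE"},
    {"match": {"toolPattern": "*"}, "decision": "ALLOW"},
]}

def decide(policy, tool_name, default="BLOCK"):
    """Return the decision for a tool name; no matching rule fails closed to BLOCK."""
    for rule in policy["rules"]:
        if fnmatch.fnmatchcase(tool_name, rule["match"]["toolPattern"]):
            return rule["decision"]
    return default

def append_record(log, tool_name, decision):
    """Append an audit record whose hash commits to the previous record's hash."""
    prev = log[-1]["hash"] if log else "0" * 64
    body = {"seq": len(log), "tool": tool_name, "decision": decision, "prev": prev}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    log.append({**body, "hash": digest})
    return digest

def verify_chain(log):
    """Offline check: recompute every hash and confirm each link points at its predecessor."""
    prev = "0" * 64
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["seq"] != i or rec["prev"] != prev:
            return False
        if hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() != rec["hash"]:
            return False
        prev = rec["hash"]
    return True

def govern(policy, calls):
    """Run constructed tools/call names through policy and log every decision."""
    log = []
    for name in calls:
        append_record(log, name, decide(policy, name))
    return log

if __name__ == "__main__":
    log = govern(POLICY, ["read_file", "delete_repo", "search"])
    print([r["decision"] for r in log], verify_chain(log))
    log[1]["decision"] = "ALLOW"  # editing a past record breaks the chain
    print(verify_chain(log))
```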
Prefer the SDK? `pip install marchward` and wrap calls with `marchward.execute()`. Point it at your own self-hosted setup, or at the managed plane (below).
The open packages in this repo are a fully functional self-host governor. Some operational features need shared state and run on the hosted plane (free tier, no card):
| Capability | Open (self-host, this repo) | Hosted plane (Marchward Cloud) |
|---|---|---|
| Execution control: allow / block / escalate tool calls by policy | yes | yes |
| Local governor (MCP/HTTP intercept, your own credentials) | yes | yes |
| Tamper-evident audit: hash-chain primitive + offline verify | yes | retained, queryable, monitored |
| Approval-gate decision | yes | + managed workflow (notify, approve, resume) |
| Inference cost cap | local accounting | enforced (rolling-window spend) |
| Credential mediation (agent holds one key, real cred injected, the agent never sees it) | yes, from your own local secret store | yes, managed vault |
| Managed credential vault, multi-tenancy, SSO/RBAC | no | yes |
So: self-host this for execution control, credential mediation from your own local store, a local cost cap, and a local audit log; add the free hosted tier for the managed credential vault (rotation, team sharing), approval workflows, retained audit-as-a-service, and cross-agent enforcement. Same engine underneath. The proxy's `--remote` mode just points at the plane.