Runtime governance proxy for MCP servers. Risk scoring, hash-chained audit, per-tenant policy.
Config is the same across clients — only the file and path differ.
{
"mcpServers": {
"io-github-vaaraio-vaara": {
"args": [
"-y",
"@github/mcp-server"
],
"command": "npx"
}
}
}Are you the author?
Add this badge to your README to show your security score and help users find safe servers.
Vaara is the open-source runtime evidence layer for AI agents under the EU AI Act. It sits in front of an agent's tool calls, gates each one against your policy, and writes a tamper-evident record an outside party can verify. When a regulator, an auditor, or a public-sector buyer needs proof of what your agent actually did and why, that record is the answer. Runs entirely in your own environment. No SaaS, no telemetry.
Run this in your terminal to verify the server starts. Then let us know if it worked — your result helps other developers.
npx -y '@github/mcp-server' 2>&1 | head -1 && echo "✓ Server started successfully"
After testing, let us know if it worked:
Five weighted categories — click any category to see the underlying evidence.
No known CVEs.
Checked @github/mcp-server against OSV.dev.
Click any tool to inspect its schema.
Be the first to review
Have you used this server?
Share your experience — it helps other developers decide.
Sign in to write a review.
Others in other
Pi Coding Agent extension (CLI-first) — routes bash/read/grep/find/ls through lean-ctx CLI for strong token savings. Optional MCP bridge can register advanced tools.
Compress tool outputs, logs, files, and RAG chunks before they reach the LLM. 60-95% fewer tokens, same answers. Library, proxy, MCP server.
97% token reduction for AI coding sessions — zero deps, 21 languages, MCP server
Autonomous spec-to-product coding-agent CLI with an MCP server exposing 34 tools over stdio.
MCP Security Weekly
Get CVE alerts and security updates for io.github.vaaraio/vaara and similar servers.
Start a conversation
Ask a question, share a tip, or report an issue.
Sign in to join the discussion.
Your AI agent transferred the funds, wrote the file, called the tool. Later, someone who does not trust you asks you to prove exactly what it did and why: a regulator, an auditor, a customer after an incident. Your own logs will not settle it, because you could have edited them.
Vaara checks every agent tool call against your policy and writes the call and its outcome into a signed, hash-chained record an outside party can verify offline, with no access to your system and none of your software. It needs no special hardware, and binds to your machine's TPM 2.0 or confidential-VM root when you have one. It runs entirely in your own environment. No SaaS, no telemetry. EU AI Act Article 12 is what it was built for; it answers any "show me what the agent actually did" just as well.
pip install vaara
import vaara
@vaara.govern
def transfer_funds(to: str, amount: float) -> str:
...
That is the whole thing. Every call to a governed function is risk-scored and decided against your policy before the body runs. A blocked call raises vaara.Blocked; an allowed call runs, and the decision, the call, and the outcome land in a signed record anyone can verify offline. Python 3.10+, zero runtime dependencies.
The decorator drives the same engine you can call directly when you want the decision object in hand.
from vaara.pipeline import InterceptionPipeline
pipeline = InterceptionPipeline()
result = pipeline.intercept(
agent_id="agent-007",
tool_name="fs.write_file",
parameters={"path": "/etc/service.yaml", "content": "..."},
agent_confidence=0.8,
)
if result.allowed:
pipeline.report_outcome(result.action_id, outcome_severity=0.0)
else:
print(result.reason)
Every call gets a risk score and an allow / block / escalate decision against your policy, then the call, the decision, and the real outcome are written to the audit trail. report_outcome closes the loop: the scorer reweights based on which signals actually predicted the outcome. Releases ship SLSA Build Level 3 provenance, verifiable with slsa-verifier verify-artifact. Optional ML classifier: pip install 'vaara[ml]'.
Writing a trail is the easy half. The half that matters is letting someone who does not trust you check it, with no key, no access, and none of your code. Every Vaara record is content-addressed and fail-closed on authenticity, and ships with public conformance vectors plus a standalone checker that imports no Vaara code, so an independent party reproduces every verdict offline.
vaara verif
... [View full README on GitHub](https://github.com/vaaraio/vaara#readme)