In-path trust gate for agent tool calls

The tool your agent trusted on Monday can change on Tuesday — silently.
mcpindex holds the call before your agent acts on the change.

It pins every MCP tool’s contract on first sight and HOLDs the call the instant that contract drifts, before your agent acts on it. It now also grades each call’s blast radius — what it would do (read, write, delete, send) and whether it can be undone — so an irreversible action never runs unseen. Zero credentials. One-click in Claude Desktop, Cursor, Cline, Zed.

In-path · deterministic · on your host

The gate makes a deterministic contract-diff in the call path and HOLDs before your agent acts — no model in the loop, nothing leaves your machine. Open-source, so you can audit exactly what runs.

Runs locally · works in Claude Desktop, Cursor, Cline, Zed · the default build egresses nothing
Bitcoin-anchored history · Deterministic diff · contract-diff, not a safety verdict
The concept, in ~70 seconds

Why the gate exists: a tool's contract can change silently after you trust it. Watch mcpindex hold the call before your agent acts on the change.

How the gate works

Pin the contract. HOLD the change.

Agents act on a tool’s description the way they act on a system prompt. MCP tools are remote and updatable with no version bump. The description your agent trusted can change underneath it. The gate is the in-path check that catches that change before the call goes through.

01. Install once, rides your agent

One config-wire in Claude Desktop, Cursor, Cline, or Zed. The gate sits in the MCP session your agent already opens. No credentials and no proxy account; the deterministic contract-diff runs locally and the default build egresses nothing (the optional cloud tier-1 lookup, held off by default, sends only a contract hash, never tokens or call data).

stdio interceptor + TS / Python SDK

02. Pins each tool on first sight

The first time a tool is offered, the gate records its contract (name, params, constraints, annotations, input and output schema) and persists it across restarts. Trust-on-first-use (TOFU): the baseline is what you actually saw, not a registry claim.

TOFU pin · cross-restart persistence

03. HOLDs the call when the contract changes

On every later call the gate diffs the live contract against your pin. If a tool silently added a required param, narrowed a constraint, flipped an annotation to destructive, or grew a new output field, the gate HOLDs the call before your agent acts and names exactly what changed: the ChangeKind, in plain words.

deterministic diff · Monitor / Guard / Strict

04. You review, re-pin, or validate

A held call is a decision, not a dead end: read the diff, accept the change and re-pin the new contract, or send it back. A benign added-optional param proceeds silently, no false alarm. The verdict is "this changed", never "this is unsafe".

review · re-pin · validate

Grade the move, not just the tool

See the blast radius of a call before your agent makes it.

A read and an irreversible delete leave your agent looking identical: both are just “a tool call.” The gate now labels each one in the call path — its action (read, write, delete, send, execute), what it touches, whether it can be undone, and whether it leaves your org. A call you can’t reverse never looks the same as one that only reads.

Deterministic and advisory. The grade describes what a call would do, derived from the tool’s own contract; it rides alongside the gate’s decision and never overrides it. It says “this is an irreversible delete,” not “this is safe.” On by default in the @mcp-index/sdk and mcpindex-preflight clients.

Watch it hold a drift

Pin a tool, apply a change, see the verdict.

The same deterministic gate that runs in your agent: a contract-diff, not a safety verdict. Pick a drift. A breaking or dangerous change is HELD with the exact ChangeKind; a benign added-optional proceeds silently.

Pinned contract · TOFU baseline

make_report(
  title:    string,
  count:    integer[0..1000],
  mode:     enum[fast, full],
)  // read-only

Apply a silent change to the tool and watch the verdict: a contract-diff, not a safety verdict, from the same deterministic gate that runs in your agent.


How to use it

One gate. Three ways to run it.

By persona: the MCP-client user, the SDK builder, the enterprise fleet. One install, one line, or one policy. The model never sees the gate; your host or your code does.

How to use it, by persona

One-click install, then the gate pins every tool and holds a silent change before your agent runs it. By persona: MCP-client user, SDK builder, enterprise.

Honest about the edges

What the gate claims — and what it doesn't.

A trust product earns trust by stating its edges. The gate’s verdict is “this contract changed”, never “this is safe”; the blast-radius grade is advisory and static — what a call would do, read from its contract, not a safety call. Read the methodology.

A contract-diff, not a safety verdict

The gate reports that a tool’s contract changed versus what you pinned. It does not judge whether the change is malicious or whether the tool is "safe". It tells you what changed and lets you decide.

Advisory in judgment, in-path so it can HOLD

The verdict is advice. But the gate runs inside the call path, so a HOLD actually stops your agent before it acts on the changed contract. It is not a notification after the fact.

Fails closed, never open

When the gate can’t verify a changed contract (an unparsed tool, a tier held off, a degraded check), it HOLDs the call rather than waving it through. Doubt resolves to REVIEW or a hold, never to a silent proceed.

Deterministic diff, not an LLM guess

The ChangeKind taxonomy (added-required-param, constraint-narrowed, annotation-flip-to-destructive, output-schema-changed, removed / type / enum drift) is computed structurally. Same pin, same contract, same verdict, every time.
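The pin-and-diff loop of steps 02-04 and the ChangeKind taxonomy above, as an added Python sketch that is not mcpindex's code: it pins the make_report contract from the demo, classifies each silent change into a ChangeKind, HOLDs on breaking kinds and on a contract it cannot parse (fail closed), and lets a benign added-optional param proceed. The dict layout and the "destructive" annotation key are assumptions; the ChangeKind names come from the page.

```python
# Added example, not mcpindex's code; the dict layout and "destructive" key are assumptions.
import copy

BREAKING = {"added-required-param", "constraint-narrowed", "removed-param",
            "annotation-flip-to-destructive", "output-schema-changed",
            "type-drift", "enum-drift", "unparsed-contract"}

PINNED = {  # constructed TOFU pin of the make_report tool shown above
    "params": {
        "title": {"type": "string", "required": True},
        "count": {"type": "integer", "range": (0, 1000), "required": True},
        "mode":  {"type": "string", "enum": ["fast", "full"], "required": True},
    },
    "annotations": {"destructive": False},
    "output_schema": {"report": "string"},
}

def change_kinds(pinned, live):
    """Structural diff of the live contract against the pin, as ChangeKind names."""
    if not all(k in live for k in ("params", "annotations", "output_schema")):
        return ["unparsed-contract"]  # fail closed: an unverifiable contract is a HOLD
    kinds = []
    for name, spec in live["params"].items():
        old = pinned["params"].get(name)
        if old is None:  # new param: required breaks callers, optional is benign
            kinds.append("added-required-param" if spec.get("required") else "added-optional-param")
            continue
        if old["type"] != spec.get("type"):
            kinds.append("type-drift")
        if "enum" in old and set(old["enum"]) != set(spec.get("enum", [])):
            kinds.append("enum-drift")
        if "range" in old and "range" in spec:  # accepted range shrank
            if spec["range"][0] > old["range"][0] or spec["range"][1] < old["range"][1]:
                kinds.append("constraint-narrowed")
    kinds += ["removed-param" for n in pinned["params"] if n not in live["params"]]
    if live["annotations"].get("destructive") and not pinned["annotations"].get("destructive"):
        kinds.append("annotation-flip-to-destructive")
    if live["output_schema"] != pinned["output_schema"]:
        kinds.append("output-schema-changed")
    return kinds

def gate(pinned, live):
    kinds = change_kinds(pinned, live)  # HELD on any breaking kind, else PROCEED
    return ("HELD" if any(k in BREAKING for k in kinds) else "PROCEED"), kinds

def drift(mutate):  # deep-copy the pin and apply one silent change, as the demo above does
    live = copy.deepcopy(PINNED)
    mutate(live)
    return live
```

The verdict names only what changed; deciding whether the change is acceptable and re-pinning stays with the reviewer, as step 04 describes.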

Zero credential custody

The gate never holds your API keys or tokens. It reads tool contracts in the session you already opened; nothing is sent to a server to make the call.

Tier-0 is live; tiers 1-3 are built but held off by default

What runs on Cursor today: the in-path stdio interceptor, the TOFU pin with cross-restart persistence, the deterministic ChangeKind diff, Monitor / Guard / Strict postures, and the marker scan for input and output schemas. Above tier-0 the ladder is built as in-path seams (a cloud tier-1 corpus lookup, a tier-2 LLM consult, a tier-3 behavioral verifier), but each is held off by default and requires explicit opt-in. The default build egresses nothing and stays fail-closed.

The behavioral tier clears or refutes — it never proves safe

When enabled, the tier-3 verifier exercises a changed tool to clear the change or refute it; it is not a proof of safety, and it is unavailable by default. Confidence is reported but not yet calibrated against a held-out corpus (calibrated=false at v1). We say "caught / held / cleared", never "guaranteed safe".

Trust, stated plainly

In-path, deterministic, and no custody of your credentials.

The gate diffs a tool’s live contract against what you pinned, fails closed to a HOLD on doubt, and never holds your keys. We state where it stops as plainly as what it catches.

The corpus the gate queries

One question, two moments.

Different verdict, same question. Before you wire a tool, the public directory screens it and says REVIEW or UNVERIFIED — a prior on whether a tool does what it claims. While you use it, the gate says HELD or PROCEED in the call path. Every screen verdict is semantic-only and advisory: a prior, not a guarantee, and never an ALLOW or DENY (those unlock with the behavioral corpus).

And the gate no longer works alone. mcpindex crawls the public MCP registry every day and records which tool contracts silently change. When you pin a tool, the gate asks the network one question: has the crawler already caught this contract drifting? If it has, you are warned on the first call — before a change you never saw burns you. Opt-in and crawler-corroborated: a contract-diff advisory that rides alongside the verdict and never moves the decision. Every drift the crawler catches is public in the live drift ledger.

Example screening verdict: Agentic News · REVIEW

Semantic screen found no manipulation pattern in the description. Conformance probe not yet run.

integrity · pass

322 tools screened so far · advisory, semantic-only
Install Now

One command. Claude Desktop, Cursor, Cline, or Zed.

The gate is what you install. It rides the MCP session your agent already opens, no key required. Prefer to read before you run? The auditable path is uv tool install plus a manual wire — both in the docs. The one command below is the convenience path.

Install the gate: one command (Claude Desktop / Cursor / Cline / Zed)

Wires the in-path gate into your host config: each MCP server launches behind the gate, which checks every tool's contract in-path and HOLDs on a silent change. Inspect it first with `curl -fsSL https://mcpindex.ai/install.sh | less` — it only rewrites your MCP host config; uninstall.sh restores it. Zero credentials change hands; the gate reuses the session you already authenticated. The auditable uv install, per-client manual wiring, and the SDK one-liner are in the docs.

curl -fsSL https://mcpindex.ai/install.sh | sh

Pinned, in-path, zero custody. The gate ships as the mcpindex-preflight package (via uv); it reads only public tool contracts, never your tokens. Full wiring — including the auditable uv tool install path — is in the docs.

Also available: the directory client

The directory client: discovery + advisory trust lookups (published)

A separate, published MCP client for the directory: recommend, search, and check_tool_trust. This is the advisory network the gate queries, not the in-path gate itself.

npm install -g mcp-server-mcpindex