The reference implementation of the Agent Identity Protocol — a policy enforcement proxy for MCP (Model Context Protocol).
"Sudo for AI Agents"
- Tool allowlist enforcement — Only permitted tools can be called
- Argument validation — Regex patterns for tool parameters
- Human-in-the-Loop — Native OS dialogs for sensitive operations
- DLP scanning — Redact secrets from tool responses
- Audit logging — Immutable JSONL trail of all decisions
- Monitor mode — Test policies without enforcement
- Identity tokens — Cryptographic session identity with automatic rotation
- Server-side validation — HTTP endpoints for distributed policy enforcement
- Policy signatures — Ed25519 signatures for policy integrity
- Prometheus metrics — `/metrics` endpoint for observability
```sh
# Quick install with Go
go install github.com/openagentidentityprotocol/agentidentityprotocol/cmd/aip-proxy@latest

# Or from source
git clone https://github.com/openagentidentityprotocol/aip-go.git
make build
./bin/aip --help
```

```yaml
# policy.yaml
apiVersion: aip.io/v1alpha1
kind: AgentPolicy
metadata:
  name: my-policy
spec:
  mode: enforce
  allowed_tools:
    - read_file
    - list_directory
  tool_rules:
    - tool: write_file
      action: ask # Require approval
    - tool: exec_command
      action: block # Never allow
```

```yaml
# policy-v1alpha2.yaml
apiVersion: aip.io/v1alpha2
kind: AgentPolicy
metadata:
  name: enterprise-agent
spec:
  allowed_tools:
    - read_file
    - write_file
  identity:
    enabled: true
    token_ttl: "10m"
    rotation_interval: "8m"
    require_token: true
    session_binding: "strict"
  server:
    enabled: true
    listen: "127.0.0.1:9443"
    # tls:
    #   cert: "/etc/aip/cert.pem"
    #   key: "/etc/aip/key.pem"
```

```sh
# Wrap any MCP server with policy enforcement
./bin/aip --policy policy.yaml --target "npx @modelcontextprotocol/server-filesystem /tmp"

# Verbose mode for debugging
./bin/aip --policy policy.yaml --target "python mcp_server.py" --verbose
```

```sh
# Generate Cursor config
./bin/aip --generate-cursor-config \
  --policy /path/to/policy.yaml \
  --target "your-mcp-server-command"
```

Add the output to `~/.cursor/mcp.json`.
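The policies above are easier to reason about once the evaluation order is visible in code. The following Go program is an added example, not code from aip-go: it models the `spec` section of the first `policy.yaml` as a struct (YAML parsing is skipped so only the standard library is needed), evaluates incoming JSON-RPC `tools/call` messages against `allowed_tools` and `tool_rules`, checks a regex on the `path` argument of `write_file`, and shows how `mode: monitor` records a would-be block or ask without enforcing it. The `Args` map on a tool rule, the `^/tmp/` pattern, and the rule-before-allowlist precedence are this example's assumptions, not the project's documented schema.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
)

// Policy mirrors the spec section of the page's first policy.yaml. YAML parsing is left out
// so only the standard library is needed; SamplePolicy fills the struct in directly.
type Policy struct {
	Mode         string     // "enforce" or "monitor"
	AllowedTools []string   // allowed_tools: default-deny allowlist
	ToolRules    []ToolRule // tool_rules: per-tool overrides
}

// ToolRule is one tool_rules entry. Args (parameter name -> regex the value must match)
// is this example's assumed shape for argument validation, not aip-go's documented schema.
type ToolRule struct {
	Tool   string
	Action string // "allow", "ask" or "block"
	Args   map[string]string
}

// Decision is the proxy's verdict. WouldBe is set only in monitor mode, where a block or
// ask is recorded but the call still goes through.
type Decision struct {
	Tool    string `json:"tool,omitempty"`
	Action  string `json:"action"`
	WouldBe string `json:"would_be,omitempty"`
	Reason  string `json:"reason"`
}

// rpcRequest is the subset of a JSON-RPC 2.0 request the evaluator needs.
type rpcRequest struct {
	Method string `json:"method"`
	Params struct {
		Name      string                     `json:"name"`
		Arguments map[string]json.RawMessage `json:"arguments"`
	} `json:"params"`
}

// SamplePolicy is the page's policy.yaml plus one constructed argument rule.
func SamplePolicy() Policy {
	return Policy{
		Mode:         "enforce",
		AllowedTools: []string{"read_file", "list_directory"},
		ToolRules: []ToolRule{
			{Tool: "write_file", Action: "ask", Args: map[string]string{"path": `^/tmp/`}}, // constructed pattern
			{Tool: "exec_command", Action: "block"},
		},
	}
}

// Evaluate decides how to handle one raw JSON-RPC message under policy p.
func Evaluate(p Policy, raw []byte) (Decision, error) {
	var req rpcRequest
	if err := json.Unmarshal(raw, &req); err != nil {
		return Decision{}, fmt.Errorf("malformed JSON-RPC message: %w", err)
	}
	if req.Method != "tools/call" {
		return Decision{Action: "allow", Reason: "not a tools/call"}, nil // initialize, tools/list etc. pass through
	}
	d := Decision{Tool: req.Params.Name}
	// 1. An explicit tool_rules entry decides first; every argument pattern it carries must match.
	for _, r := range p.ToolRules {
		if r.Tool != d.Tool {
			continue
		}
		for arg, pattern := range r.Args {
			re, err := regexp.Compile(pattern)
			var val string // only string arguments are matched; a bad pattern, missing or non-string value fails closed
			if v, ok := req.Params.Arguments[arg]; err != nil || !ok || json.Unmarshal(v, &val) != nil || !re.MatchString(val) {
				return applyMode(p, d, "block", "argument "+arg+" failed validation"), nil
			}
		}
		return applyMode(p, d, r.Action, "tool_rules"), nil
	}
	// 2. Otherwise the allowlist applies and anything unlisted is denied.
	for _, t := range p.AllowedTools {
		if t == d.Tool {
			return applyMode(p, d, "allow", "allowed_tools"), nil
		}
	}
	return applyMode(p, d, "block", "not in allowed_tools"), nil
}

// applyMode turns a verdict into the final decision; monitor mode only records it.
func applyMode(p Policy, d Decision, action, reason string) Decision {
	d.Action, d.Reason = action, reason
	if p.Mode == "monitor" && action != "allow" {
		d.WouldBe, d.Action = action, "allow"
	}
	return d
}

func main() { // constructed request; the write_file path pattern rejects it
	d, _ := Evaluate(SamplePolicy(), []byte(`{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"write_file","arguments":{"path":"/etc/hosts"}}}`))
	out, _ := json.Marshal(d)
	fmt.Println(string(out))
}
```

Two design points carry over to any policy engine of this shape: unknown tools and malformed arguments fail closed rather than open, and monitor mode changes only what is enforced, not what is recorded, so the audit trail produced during a dry run is the same one you would get under `mode: enforce`.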
| Flag | Description | Default |
|---|---|---|
| `--target` | MCP server command to wrap (required) | — |
| `--policy` | Path to policy YAML file | `agent.yaml` |
| `--audit` | Path to audit log file | `aip-audit.jsonl` |
| `--verbose` | Enable detailed logging to stderr | `false` |
| `--generate-cursor-config` | Output Cursor IDE config JSON | `false` |
| Document | Description |
|---|---|
| Quickstart | Step-by-step tutorial with echo server |
| Architecture | Deep dive into proxy design |
| Integration Guide | Cursor, VS Code, Claude Desktop setup |
| Policy Reference | Complete YAML schema |
| AIP v1alpha1 Spec | Original protocol spec |
| AIP v1alpha2 Spec | Identity & server-side validation |
See `examples/` for ready-to-use policies:

- `agent.yaml` — Full-featured example with all options
- `read-only.yaml` — Block all write operations
- `gpu-policy.yaml` — GPU/ML workload controls
- `gemini-jack-defense.yaml` — Prompt injection mitigation
- `monitor-mode.yaml` — Dry-run testing
- `identity-server.yaml` — v1alpha2 identity tokens + HTTP server
```text
┌─────────────┐     ┌──────────────────┐     ┌─────────────────┐
│ MCP Client  │────▶│    AIP Proxy     │────▶│   MCP Server    │
│  (Agent)    │◀────│  Policy Engine   │◀────│  (Subprocess)   │
└─────────────┘     └──────────────────┘     └─────────────────┘
                             │
                             ▼
                      ┌─────────────┐
                      │  Audit Log  │
                      │   (JSONL)   │
                      └─────────────┘
```
The proxy:
- Intercepts JSON-RPC messages on stdin/stdout
- Evaluates `tools/call` requests against the policy
- Blocks, allows, or prompts for approval
- Logs all decisions to the audit file
- Applies DLP redaction to responses
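To make the proxy's place in that diagram concrete, here is an added Go example (not aip-go's own code) of the stdio interception path: one newline-delimited JSON-RPC message from the agent is inspected, a `tools/call` for a tool that the supplied `allowed` function rejects is answered with a JSON-RPC error and never reaches the server, a response from the server has `result.content[].text` passed through DLP regexes before it is forwarded, and every decision is appended as one JSON object per line to the audit writer. The audit field names, the `-32000` error code and the three secret patterns are constructed for this example; `allowed` stands in for the policy evaluator.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"regexp"
	"time"
)

// rpcMessage holds the parts of a JSON-RPC 2.0 message the proxy looks at.
type rpcMessage struct {
	JSONRPC string          `json:"jsonrpc"`
	ID      json.RawMessage `json:"id,omitempty"`
	Method  string          `json:"method,omitempty"`
	Params  json.RawMessage `json:"params,omitempty"`
	Result  json.RawMessage `json:"result,omitempty"`
}

// auditEntry is one line of the JSONL trail; the field names are this example's own.
type auditEntry struct {
	Time     string          `json:"time"`
	Dir      string          `json:"direction"`
	ID       json.RawMessage `json:"id,omitempty"`
	Method   string          `json:"method,omitempty"`
	Tool     string          `json:"tool,omitempty"`
	Decision string          `json:"decision"`
	Redacted int             `json:"redacted,omitempty"`
}

// writeAudit appends one JSON object per line; the trail is only ever appended to.
func writeAudit(w io.Writer, e auditEntry) {
	e.Time = time.Now().UTC().Format(time.RFC3339)
	b, _ := json.Marshal(e)
	w.Write(append(b, '\n'))
}

// secretPatterns is a constructed DLP rule set for this example, not the project's.
var secretPatterns = []*regexp.Regexp{
	regexp.MustCompile(`AKIA[0-9A-Z]{16}`),                                 // AWS access key ID shape
	regexp.MustCompile(`(?i)\b(api[_-]?key|secret|password)\s*[:=]\s*\S+`), // key=value style secrets
	regexp.MustCompile(`(?s)-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----`),
}

// Redact replaces every DLP match in s and reports how many were replaced.
func Redact(s string) (string, int) {
	n := 0
	for _, re := range secretPatterns {
		s = re.ReplaceAllStringFunc(s, func(string) string { n++; return "[REDACTED]" })
	}
	return s, n
}

// HandleClientLine inspects one message from the agent: it returns the bytes to forward to the
// server (nil when blocked) and a JSON-RPC error to send back (nil when allowed); caller adds "\n".
func HandleClientLine(line []byte, allowed func(tool string) bool, audit io.Writer) (forward, reply []byte, err error) {
	var msg rpcMessage
	if err := json.Unmarshal(line, &msg); err != nil {
		return nil, nil, fmt.Errorf("malformed client message: %w", err)
	}
	e := auditEntry{Dir: "client->server", ID: msg.ID, Method: msg.Method, Decision: "allow"}
	if msg.Method == "tools/call" {
		var p struct{ Name string `json:"name"` }
		json.Unmarshal(msg.Params, &p) // a missing name stays "" and is never allowed
		e.Tool = p.Name
		if p.Name == "" || !allowed(p.Name) {
			e.Decision = "block"
			writeAudit(audit, e)
			reply, _ = json.Marshal(map[string]any{"jsonrpc": "2.0", "id": msg.ID, "error": map[string]any{
				"code": -32000, "message": "blocked by policy: " + p.Name}}) // code is this example's choice
			return nil, reply, nil // the server never sees the request
		}
	}
	writeAudit(audit, e)
	return line, nil, nil
}

// HandleServerLine runs DLP over result.content[i].text, the field MCP tool results carry text in.
func HandleServerLine(line []byte, audit io.Writer) ([]byte, error) {
	var msg rpcMessage
	if err := json.Unmarshal(line, &msg); err != nil {
		return nil, fmt.Errorf("malformed server message: %w", err)
	}
	e := auditEntry{Dir: "server->client", ID: msg.ID, Decision: "allow"}
	var result map[string]any
	json.Unmarshal(msg.Result, &result) // no result (error reply, notification) leaves it nil
	items, _ := result["content"].([]any)
	for _, it := range items {
		if item, ok := it.(map[string]any); ok {
			if text, ok := item["text"].(string); ok {
				clean, n := Redact(text)
				item["text"], e.Redacted = clean, e.Redacted+n
			}
		}
	}
	writeAudit(audit, e)
	if e.Redacted == 0 {
		return line, nil // nothing sensitive: forward the original bytes untouched
	}
	msg.Result, _ = json.Marshal(result)
	return json.Marshal(msg)
}
```

In a stdio deployment the two handlers sit in two loops: a `bufio.Scanner` over `os.Stdin` feeds `HandleClientLine` and writes the forwarded bytes to the subprocess's stdin pipe, while a second scanner over the subprocess's stdout feeds `HandleServerLine` and writes to `os.Stdout`; because blocked-call errors and forwarded results share the agent's output stream, those writes need a mutex so two JSON lines never interleave. Raise the scanner buffer limit for large tool results, since the default token size is 64 KiB.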
```sh
# Build
make build

# Test
make test

# Lint
make lint

# All checks
make all
```

Apache 2.0 — See LICENSE