VellaVeto is a fail-closed gateway between an AI agent and its MCP tools. Every tool call is evaluated before execution; if evaluation fails for any reason, the call is denied.
Concrete example: under shield mode, a filesystem server trying to read ~/.ssh/id_rsa is denied by default. A list_files /tmp call from the same server is allowed.
What it does not solve: prompt injection, model-level jailbreaks, or supply-chain attacks in server packages. It only controls what crosses the tool-call boundary.
Since March, I added three zero-config protection levels, topology discovery, tamper-evident audit, Consumer Shield, and MCPSEC, an open benchmark for MCP gateways.
The feedback I’d most like:
Is the tool-call boundary the right place to enforce MCP security? Are the MCPSEC attack classes sensible? What important attack classes am I still missing?
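A minimal sketch of the fail-closed evaluation the post describes, added here as an illustration and not VellaVeto's own code: a policy function decides per tool call, any rule that does not explicitly return True denies, and an exception during evaluation (a missing argument, a malformed call) is also a denial rather than a pass-through. The deny list, tool names and `ToolCall` shape are assumptions for the example.

```python
"""Toy fail-closed tool-call gateway (added example, not VellaVeto's implementation)."""
import os
from dataclasses import dataclass
from typing import Callable

# Constructed sample deny list for "shield mode": credential and key directories.
DENY_PATHS = ("~/.ssh", "~/.aws", "~/.gnupg")


@dataclass(frozen=True)
class ToolCall:
    server: str   # hypothetical MCP server name
    tool: str     # hypothetical tool name, e.g. read_file / list_files
    args: dict    # tool arguments as supplied by the agent


def _normalize(path: str) -> str:
    # Expand ~ and collapse ".." so "~/.ssh/../.ssh/id_rsa" still hits the deny rule.
    return os.path.normpath(os.path.expanduser(path))


def shield_policy(call: ToolCall) -> bool:
    """Return True only for calls a shield rule explicitly allows."""
    if call.tool in ("read_file", "list_files"):
        path = call.args.get("path")
        if path is None:
            # Evaluation cannot complete; raising makes the wrapper deny.
            raise ValueError("path argument missing")
        p = _normalize(path)
        for d in DENY_PATHS:
            dn = _normalize(d)
            if p == dn or p.startswith(dn + os.sep):
                return False   # explicit deny rule matched
        return True            # filesystem call outside the deny list
    return False               # no rule for this tool: deny by default


def evaluate(call: ToolCall,
             policy: Callable[[ToolCall], bool] = shield_policy) -> bool:
    """Fail-closed wrapper: only a policy result of exactly True allows the call."""
    try:
        return policy(call) is True
    except Exception:
        # Any evaluation failure (bad input, policy bug, missing rule data) denies.
        return False


if __name__ == "__main__":
    fs = "filesystem"
    print(evaluate(ToolCall(fs, "read_file", {"path": "~/.ssh/id_rsa"})))   # False
    print(evaluate(ToolCall(fs, "list_files", {"path": "/tmp"})))           # True
    print(evaluate(ToolCall(fs, "read_file", {})))                          # False
```

The important design point is the `is True` check plus the blanket `except`: a policy that returns `None`, a truthy non-boolean, or raises is treated the same as an explicit deny, so a bug in rule evaluation cannot become an allow.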
We solved a similar boundary problem by signing all outputs with HMAC-SHA256 so downstream consumers can verify the response wasn't modified after the tool-call boundary. Not a replacement for your approach but complementary — input validation + output signing covers both ends.
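The output-signing pattern this comment describes, written out as an added example (not the commenter's code): the gateway signs a canonical serialization of each tool response with HMAC-SHA256, and a downstream consumer holding the same key verifies the tag with a constant-time comparison before trusting the payload. The envelope layout and the inclusion of a call id in the signed payload are assumptions of the example.

```python
"""HMAC-SHA256 signing and verification of tool-call responses (added example)."""
import hashlib
import hmac
import json


def canonical(payload: dict) -> bytes:
    # Deterministic encoding: key order and whitespace must not change the tag.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_response(key: bytes, payload: dict) -> dict:
    """Wrap a tool response in an envelope carrying its HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": tag}


def verify_response(key: bytes, envelope: dict) -> bool:
    """Return True only if the envelope's tag matches its payload under this key."""
    try:
        expected = hmac.new(key, canonical(envelope["payload"]),
                            hashlib.sha256).hexdigest()
        # compare_digest avoids leaking where the mismatch occurs via timing.
        return hmac.compare_digest(expected, envelope.get("sig", ""))
    except (KeyError, TypeError, ValueError):
        # Missing fields or unserializable payload: treat as unverified.
        return False


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"   # constructed sample key
    # Constructed sample response; call_id binds the tag to a specific request.
    resp = {"call_id": "c-0001", "tool": "list_files", "result": ["a.txt", "b.txt"]}
    env = sign_response(key, resp)
    print(verify_response(key, env))                     # True
    env["payload"]["result"].append("injected.txt")      # tamper after signing
    print(verify_response(key, env))                     # False
```

Signing over a canonical form matters because a consumer that re-serializes the payload differently would otherwise fail verification on honest responses; binding a per-call identifier into the signed payload is what lets the consumer reject a valid signature replayed from a different call.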
Is the MCPSEC benchmark public yet?