Why
Every existing OSS MCP firewall only inspects requests (tool call arguments). None inspect responses (data returned by the MCP server). This is an explicitly acknowledged gap — the mcpwall DEV article 'What mcpwall Does and Doesn't Protect Against' calls this out as a missing capability.
A compromised or malicious MCP server can leak secrets, PII, or encoded exfiltration payloads in its responses, and no guardrail catches it.
What
Inspect MCP server responses before forwarding back to the agent client.
Acceptance Criteria
- Scan responses for secret patterns (API keys, tokens)
- Scan responses for PII (configurable)
- Detect base64-encoded suspicious content in responses
- Policy YAML section:
response_rules with configurable patterns
- Action: block response, redact matches, or warn
- Tests: compromised server returning secrets in response
Competitive advantage
This would make IntentGuard the first OSS MCP guardrail with response-side inspection. Unique differentiator.
Why
Every existing OSS MCP firewall only inspects requests (tool call arguments). None inspect responses (data returned by the MCP server). This is an explicitly acknowledged gap — the mcpwall DEV article 'What mcpwall Does and Doesn't Protect Against' calls this out as a missing capability.
A compromised or malicious MCP server can leak secrets, PII, or encoded exfiltration payloads in its responses, and no guardrail catches it.
What
Inspect MCP server responses before forwarding back to the agent client.
Acceptance Criteria
response_ruleswith configurable patternsCompetitive advantage
This would make IntentGuard the first OSS MCP guardrail with response-side inspection. Unique differentiator.