ORA Warden sits between your AI agent and your machine and enforces a hard floor: destructive commands, secret files, and network exfiltration are blocked by default, risky work waits for your approval, and every action lands on a tamper-evident audit log. It works with any MCP client — Claude, Codex, Cursor, Cline.
How it works
Warden is a thin bridge. The real enforcement is a local broker that gates every call — nothing reaches your shell or files without passing the floor.
1 · MCP client
Claude Desktop, Codex, Cursor, Cline, or Claude Code — it calls Warden's tools instead of raw shell.
2 · ora-warden
A loopback-only stdio MCP server. Presents the governed tools and forwards each call to the broker.
3 · broker
Blocks destruction + secrets + exfiltration, routes risky work to your approval queue, signs the audit chain.
The surface
shellRun a command through the audited broker — destructive + exfil blocked.
read_file / write_fileLocal files, approved-path enforced, secrets blocked, logged.
shell_destructiveA deliberately destructive command — operator-token gated, fails closed.
proposeQueue an impactful action for your approval instead of doing it.
queue / proposals_list / proposal_getInspect what's waiting.
proposal_approve / reject / executeDispose of a proposal — operator-token gated.
audit_verify / audit_sthProve the hash-chained log is intact (signed tree head).
audit_recentShow the trail of what actually ran.
healthConfirm the governance layer is up.
Connect it
Install the broker once (cargo install ora-warden-broker), then point your client at Warden.
claude mcp add ora-warden -- uvx ora-warden
{
"mcpServers": {
"ora-warden": { "command": "uvx", "args": ["ora-warden"] }
}
}[mcp_servers.ora-warden] command = "uvx" args = ["ora-warden"]
Where it fits
The gateways govern many users and servers from the cloud. Warden is the opposite: one developer, one machine, no control plane. Both are useful — this is the small one.
| ORA Warden | Enterprise gateways | |
|---|---|---|
| Primary user | Individual developer / operator | Teams and organizations |
| Deployment | Local stdio bridge + loopback broker | Hosted gateway or control plane |
| Policy model | Fail-closed local floors | Central policy, RBAC, identity, federation |
| Setup | uvx ora-warden + local broker | Admin-managed deployment |
| Data path | Your machine, loopback only | Often cloud- or gateway-mediated |
| Best fit | Guarding one agent on one workstation | Governing many users and servers |
The destructive-command block, secret-file protection, human approval queue, and tamper-evident audit work on all three.
One honest caveat: the kernel-level network egress lock (a hijacked command physically can't reach the internet) uses a Linux kernel feature and is Linux-only for now. On macOS and Windows you get every other floor; the kernel egress lock is on the roadmap. We'll never claim identical protection where it isn't true.
Free, open-source, and local-first. Get it, or step up to the full ORA operator with the plain-English control room.