Free & open · Apache-2.0Loopback onlyThe open core of ORA

A fail-closed leash for your AI agent.

ORA Warden sits between your AI agent and your machine and enforces a hard floor: destructive commands, secret files, and network exfiltration are blocked by default, risky work waits for your approval, and every action lands on a tamper-evident audit log. It works with any MCP client — Claude, Codex, Cursor, Cline.

$uvx ora-warden

How it works

Your agent asks. The broker decides.

Warden is a thin bridge. The real enforcement is a local broker that gates every call — nothing reaches your shell or files without passing the floor.

1 · MCP client

Your agent

Claude Desktop, Codex, Cursor, Cline, or Claude Code — it calls Warden's tools instead of raw shell.

2 · ora-warden

The bridge

A loopback-only stdio MCP server. Presents the governed tools and forwards each call to the broker.

3 · broker

The enforcement

Blocks destruction + secrets + exfiltration, routes risky work to your approval queue, signs the audit chain.

The surface

What your agent gets.

Governed execution

  • shell

    Run a command through the audited broker — destructive + exfil blocked.

  • read_file / write_file

    Local files, approved-path enforced, secrets blocked, logged.

  • shell_destructive

    A deliberately destructive command — operator-token gated, fails closed.

Human approval queue

  • propose

    Queue an impactful action for your approval instead of doing it.

  • queue / proposals_list / proposal_get

    Inspect what's waiting.

  • proposal_approve / reject / execute

    Dispose of a proposal — operator-token gated.

Tamper-evident audit

  • audit_verify / audit_sth

    Prove the hash-chained log is intact (signed tree head).

  • audit_recent

    Show the trail of what actually ran.

  • health

    Confirm the governance layer is up.

Connect it

One line, any client.

Install the broker once (cargo install ora-warden-broker), then point your client at Warden.

Claude Codebash
claude mcp add ora-warden -- uvx ora-warden
Claude Desktop / Cursor / Clinejson
{
  "mcpServers": {
    "ora-warden": { "command": "uvx", "args": ["ora-warden"] }
  }
}
Codextoml
[mcp_servers.ora-warden]
command = "uvx"
args = ["ora-warden"]

Where it fits

Warden vs enterprise MCP gateways.

The gateways govern many users and servers from the cloud. Warden is the opposite: one developer, one machine, no control plane. Both are useful — this is the small one.

ORA WardenEnterprise gateways
Primary userIndividual developer / operatorTeams and organizations
DeploymentLocal stdio bridge + loopback brokerHosted gateway or control plane
Policy modelFail-closed local floorsCentral policy, RBAC, identity, federation
Setupuvx ora-warden + local brokerAdmin-managed deployment
Data pathYour machine, loopback onlyOften cloud- or gateway-mediated
Best fitGuarding one agent on one workstationGoverning many users and servers

Runs on Linux, macOS, and Windows

The destructive-command block, secret-file protection, human approval queue, and tamper-evident audit work on all three.

One honest caveat: the kernel-level network egress lock (a hijacked command physically can't reach the internet) uses a Linux kernel feature and is Linux-only for now. On macOS and Windows you get every other floor; the kernel egress lock is on the roadmap. We'll never claim identical protection where it isn't true.

Put your agent on a leash.

Free, open-source, and local-first. Get it, or step up to the full ORA operator with the plain-English control room.