Secure Harness
FreeNot checkedVerify-and-repair secure-coding harness that generates, hardens, audits, and scores Go code with a build and security scan feedback loop, and includes a transpa
About
Verify-and-repair secure-coding harness that generates, hardens, audits, and scores Go code with a build and security scan feedback loop, and includes a transparent proxy to harden any client automatically.
README
A verify-and-repair secure-coding harness, exposed as an MCP server (and a transparent proxy).
Consumer / self-hosted LLMs write code with the security posture of their training data — which is to say, insecurely by default, and often plausibly wrong: code that looks fine and isn't. This project wraps any OpenAI-compatible model in a verify-and-repair loop — generate, then build and security-scan the result, feed every compiler error and finding back, and regenerate — so the model cannot ship code that fails to compile or trips a detector without you knowing.
It is the operational form of a simple research result: how you wrap the model (the harness) determines output security far more than which model you pick, and a secure-coding prompt alone is a trap — only the feedback loop delivers both security and buildability.
⚠️ A strong filter, not a proof. The harness removes what its instruments can see (build errors, pattern detectors,
bandit) and reports honest residuals for the rest. It does not guarantee security — static analysis still misses classes such as argument injection. Treat its output as hardened and checked, not certified.
What it gives you
MCP tools (Go-focused: build + pattern-scan + repair loop):
| tool | what it does |
|---|---|
secure_generate(spec) |
write new Go for a spec, guided prompt + build/scan repair loop; returns vetted code |
harden_code(code) |
take existing code, fix its weaknesses, return a before/after comparison |
audit_code(code) |
run the pattern detectors (+ CWE + rationale) — candidates, not verdicts |
score_code(code) |
build/robustness + findings scorecard for a snippet |
A transparent proxy (secure-harness-proxy, Go and Python): an OpenAI-compatible endpoint that
fronts any model; every completion containing code is run through the loop automatically, so any
client pointed at it is hardened with no client change.
Architecture
Two entry points — the MCP server (explicit tools) and the transparent proxy (implicit, on
every completion) — share one verify-and-repair core (generate.py), which drives a model backend
and gates its output on self-tested instruments before returning it.
flowchart TD
C1["Qwen Code"] -->|stdio MCP| MCP
C2["Claude Code"] -->|stdio MCP| MCP
C3["Cursor / any MCP client"] -->|stdio MCP| MCP
C4["curl / editor / any agent"] -->|HTTP /v1| PROXY
MCP["MCP server — secure_coding_mcp.py<br/>tools: secure_generate · harden_code · audit_code · score_code"]
PROXY["Transparent proxy — secure_proxy.py<br/>OpenAI-compatible /v1 · hardens every code block"]
MCP --> GEN
PROXY --> GEN
subgraph loop["Verify-and-repair core · generate.py"]
direction TB
GEN["generate · model_chat"] --> EXT["extract code block"]
EXT --> SCAN["build + scan"]
SCAN --> DEC{"builds clean<br/>and no findings?"}
DEC -->|"no — feed each error / finding back (≤ N iters)"| GEN
end
DEC -->|yes / fast path| OUT["hardened code<br/>+ honest residual note"]
OUT -.->|returned to caller| C4
GEN <-->|OpenAI API| BE["Model backend<br/>vLLM · Ollama · llama.cpp · hosted<br/>SECURE_HARNESS_MODEL_URL"]
subgraph instr["Self-tested instruments — +/- controls, documented FP quarantine"]
direction TB
I1["go build / go vet"]
I2["gosec"]
I3["bandit — advisory subprocess FPs quarantined; shell=True still blocks"]
I4["pattern detectors · vuln_patterns.yaml"]
end
SCAN --> I1
SCAN --> I2
SCAN --> I3
SCAN --> I4
AUD["scan_repo.py — shard + refute repo audit"] --> I4
How to read it. A request enters through either the MCP tools or the proxy and lands in the same
loop: generate → extract → build and scan → if the code fails to compile or trips a detector, feed
the specific errors and findings back and regenerate (up to N iterations); otherwise return it with
an honest residual note. Code that is already clean takes the fast path — zero extra model calls,
so cost is proportional to risk. Every gate is a self-tested instrument: a known-insecure snippet
must score worse than its secure twin and a broken snippet must fail to build, so a reported "0
findings" means the instrument looked and found nothing. scan_repo.py reuses the same pattern
detectors to audit an existing repository.
How the loop works
spec ─▶ generate (model) ─▶ build + scan (self-tested) ─▶ clean & builds? ──yes──▶ return
▲ │
└──────────── feed each error/finding back ◀───no (≤ N iters)
Every instrument is self-tested: a known-insecure snippet must score worse than a secure one, and
a broken snippet must fail to build — so a reported "0 findings" means the instrument looked and found
nothing, not that it was misconfigured. Known false-positive classes (e.g. bandit's advisory-only
subprocess notices, or Go's secure exec.Command(bin, args...) form) are quarantined and documented,
while genuine injection (shell=True) stays blocking.
Requirements
- Python 3.10+ with
mcp,PyYAML(andbanditfor the Python proxy path). - Go on
PATH(the build check compiles generated Go; also enablesgolang.org/x/cryptoso secure choices likebcryptbuild). - An OpenAI-compatible model endpoint (local vLLM / llama.cpp / Ollama, or a hosted API).
Install
Homebrew (recommended)
brew tap calvarado2004/secure-harness https://github.com/calvarado2004/secure-harness-mcp
brew install --HEAD secure-harness-mcp
This installs two commands: secure-harness-mcp (the MCP server) and secure-harness-proxy (the
transparent proxy), each in its own virtualenv, with go and [email protected] as dependencies.
(Or, from a clone: brew install --HEAD ./Formula/secure-harness-mcp.rb.)
From source
git clone https://github.com/calvarado2004/secure-harness-mcp
cd secure-harness-mcp
python3 -m venv .venv && . .venv/bin/activate
pip install -r requirements.txt
python secure_coding_mcp.py # stdio MCP server
Configure the model backend
The harness hardens the output of whatever model you point it at (model choice barely matters — that's
the thesis). Set three env vars (copy .env.example):
export SECURE_HARNESS_MODEL_URL=http://localhost:11434/v1 # any OpenAI-compatible endpoint
export SECURE_HARNESS_MODEL=qwen2.5-coder:32b # the served model id
export SECURE_HARNESS_KEY=dummy # API key if the endpoint needs one
Add the MCP to your tools
Qwen Code
One-liner:
qwen mcp add secure-coding secure-harness-mcp
Or add it to ~/.qwen/settings.json under mcpServers (use the from-source path if not installed via
Homebrew):
{
"mcpServers": {
"secure-coding": {
"command": "secure-harness-mcp",
"env": {
"SECURE_HARNESS_MODEL_URL": "http://localhost:11434/v1",
"SECURE_HARNESS_MODEL": "qwen2.5-coder:32b",
"SECURE_HARNESS_KEY": "dummy"
},
"description": "Verify-and-repair secure-coding harness"
}
}
}
Verify it connected, then use it (headless runs need -y to auto-approve tool calls):
qwen mcp list # → secure-coding ... Connected
qwen -y -p "Use secure_generate to write a Go HTTP handler that returns a file from ./data by name.
Report builds and findings."
Claude Code
claude mcp add secure-coding \
-e SECURE_HARNESS_MODEL_URL=http://localhost:11434/v1 \
-e SECURE_HARNESS_MODEL=qwen2.5-coder:32b \
-- secure-harness-mcp
Cursor / any MCP client
Add to the client's mcp.json:
{
"mcpServers": {
"secure-coding": {
"command": "secure-harness-mcp",
"env": {
"SECURE_HARNESS_MODEL_URL": "http://localhost:11434/v1",
"SECURE_HARNESS_MODEL": "qwen2.5-coder:32b"
}
}
}
}
If you installed from source instead of Homebrew, replace "command": "secure-harness-mcp" with
"command": "/absolute/path/to/.venv/bin/python" and "args": ["/absolute/path/to/secure_coding_mcp.py"].
Bonus: the transparent proxy (harden any client automatically)
Instead of calling a tool, front your model with the loop so every request is hardened — no client change, the model can't opt out:
# run it directly
secure-harness-proxy --port 8090 # env: SECURE_PROXY_UPSTREAM / SECURE_PROXY_KEY / SECURE_PROXY_MAX_ITERS
# or always-on via Docker (toolchain baked in)
cp .env.example .env # set SECURE_PROXY_UPSTREAM
docker compose up -d # -> http://localhost:8090/v1
Then point any OpenAI-compatible client (Qwen Code, Cursor, curl) at http://localhost:8090/v1.
Code that already builds clean passes through with zero extra model calls (cost is proportional to
risk); risky code is repaired and returned with an honest residual note.
Recursive by design
An agent that writes code can call harden_code on its own output before returning it — the research
result as a runtime safety layer.
Deep dive
See docs/TECHNICAL.md for the full technical reference: the repair algorithm, every instrument and detector, the self-tests and false-positive quarantine, the MCP/proxy API surfaces, configuration, the measured findings, and an honest limitations section.
Honest caveats
- Filter, not proof — it removes what the instruments detect; static analysis misses some classes.
- Some weaknesses resist the loop — e.g. code that needs restructuring rather than a local fix; the residual note says so plainly.
- Needs the toolchain — without
go/banditpresent, the loop degrades to prompt-only (a trap); the Docker image bakes them in so this can't happen silently. - Cost — each risky generation costs 1 + up-to-N repair passes; well spent when quality matters.
License
MIT — see LICENSE.
Installing Secure Harness
This server has no published package — it is built from source. Open the repository and follow its README.
▸ github.com/calvarado2004/secure-harness-mcpFAQ
Is Secure Harness MCP free?
Yes, Secure Harness MCP is free — one-click install via Unyly at no cost.
Does Secure Harness need an API key?
No, Secure Harness runs without API keys or environment variables.
Is Secure Harness hosted or self-hosted?
Self-hosted: the server runs locally on your machine via the install command above.
How do I install Secure Harness in Claude Desktop, Claude Code or Cursor?
Open Secure Harness on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.
Related MCPs
GitHub
PRs, issues, code search, CI status
by GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
by mcpdotdirectCompare Secure Harness with
Not sure what to pick?
Find your stack in 60 seconds
Author?
Embed badge for your README
Browse similar
All development MCPs
