WorkspaceGuard
БесплатноНе проверенStructured workspace runtime for long-running coding agents, providing controlled workspace capabilities with task state, snapshots, checkpoints, drift detectio
Описание
Structured workspace runtime for long-running coding agents, providing controlled workspace capabilities with task state, snapshots, checkpoints, drift detection, verification evidence, audit logs, and structured handoff.
README
Structured workspace runtime for long-running coding agents.
WorkspaceGuard exposes a real local development workspace through MCP while adding the missing operational layer: task state, snapshots, checkpoints, drift detection, verification evidence, audit logs, and structured handoff.
It is host-neutral by design. ChatGPT, Claude, Gemini, Grok, and custom MCP clients should all use the same core tool contracts.
What This Is
WorkspaceGuard is not a coding model and not a hidden local agent. The MCP host does the reasoning. WorkspaceGuard provides controlled workspace capabilities:
- open an allowed workspace
- read, search, edit, and write files
- run terminal commands under policy
- inspect git status and diffs
- create snapshots and checkpoints
- detect workspace drift
- run verification and store evidence
- hand off task state across hosts or sessions
Design Docs
Recommended Build Path
Implemented in the current skeleton:
- MCP server over stdio and Streamable HTTP
- split MCP tool registration modules
- workspace allowlist and instruction loading
- canonical path containment with symlink escape tests
- file read/search/list/write/edit tools
- structured shell runner with timeout and redaction
- git status/diff helpers
- in-memory task runtime tools
- file-manifest snapshots
- checkpoint and drift MCP tools
- verification command execution and freshness checks
- append-only JSONL audit log
- failed MCP tool-call audit events
- required bearer-token and Origin helper for remote HTTP
- OAuth-dev protected resource metadata and PKCE authorization-code flow
- secure HTTP proxy for tunnel/public entrypoints
- shared runtime context across HTTP sessions
- MCP integration test using the SDK in-memory transport
Next build path:
- Add SQLite-backed state instead of in-memory registries.
- Replace OAuth-dev with production OAuth issuer integration.
- Add before/after audit envelopes for every tool call.
- Verify against ChatGPT, Claude, Gemini, and Grok host profiles.
Development
npm install
npm test
npm run build
npx tsc --noEmit
Remote HTTP security knobs:
WORKSPACEGUARD_TOKEN=long-random-token
WORKSPACEGUARD_ALLOWED_ORIGINS=https://chatgpt.com,https://example.com
WORKSPACEGUARD_TOKEN or --bearer-token is required when --transport http
is used.
ChatGPT developer-mode HTTP can use the built-in OAuth-dev profile:
WORKSPACEGUARD_OAUTH_APPROVAL_CODE=local-human-code \
workspaceguard serve \
--transport http \
--auth-mode oauth-dev \
--public-base-url https://your-tunnel.example.com \
--allowed-roots ~/work
Or keep WorkspaceGuard private on localhost and expose a separate proxy:
WORKSPACEGUARD_TOKEN=inner-local-token \
workspaceguard serve --transport http --allowed-roots ~/work
WORKSPACEGUARD_PROXY_TARGET_TOKEN=inner-local-token \
WORKSPACEGUARD_OAUTH_APPROVAL_CODE=local-human-code \
workspaceguard proxy \
--target-url http://127.0.0.1:8787/mcp \
--auth-mode oauth-dev \
--public-base-url https://your-tunnel.example.com
oauth-dev is for single-user developer-mode testing. Production deployments
should replace it with a real OAuth issuer and durable token storage.
Security Baseline
WorkspaceGuard exposes local machine capabilities. It must default to narrow filesystem roots, localhost binding, explicit remote authentication, canonical path checks, command policy, redacted logs, and auditable tool calls.
Shell and worktrees are workflow boundaries, not security sandboxes.
Установка WorkspaceGuard
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/majiayu000/workspaceguard-mcpFAQ
WorkspaceGuard MCP бесплатный?
Да, WorkspaceGuard MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для WorkspaceGuard?
Нет, WorkspaceGuard работает без API-ключей и переменных окружения.
WorkspaceGuard — hosted или self-hosted?
Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.
Как установить WorkspaceGuard в Claude Desktop, Claude Code или Cursor?
Открой WorkspaceGuard на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
Notion
Read and write pages in your workspace
автор: NotionLinear
Issues, cycles, triage — from Claude
автор: LinearGoogle Drive
Search and read your Drive files
автор: Googlemindsdb/mindsdb
Connect and unify data across various platforms and databases with [MindsDB as a single MCP server](https://docs.mindsdb.com/mcp/overview).
автор: mindsdbCompare WorkspaceGuard with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории productivity
