Deconvolute SDK
The MCP Firewall (Infrastructure Protection)

Basic Usage & Strict Integrity

Learn how to wrap your MCP sessions and prevent rug pull attacks.

The MCP Firewall sits between your application and the MCP Server. It intercepts tool discovery and execution to enforce your security policy. To use it, you wrap your existing MCP session with the mcp_guard function.

from mcp import ClientSession
from deconvolute import mcp_guard

# Wrap your existing MCP session
safe_session = mcp_guard(original_session)

# Use as normal; the firewall intercepts discovery and execution
await safe_session.initialize()

# Allowed: read_file is in your policy
result = await safe_session.call_tool("read_file", path="/docs/report.md")
print(result.content[0].text)

# Blocked: execute_code is not in your policy
# Returns a valid result with isError=True to prevent crashes
result = await safe_session.call_tool("execute_code", code="import os; os.system('rm -rf /')")

if result.isError:
    print(f"Firewall blocked: {result.content[0].text}")
    # Output: "Tool 'execute_code' not in approved policy"
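
The interception pattern described above, as an added sketch that is not Deconvolute's own code: a proxy filters tool discovery against an allowlist, pins a hash of each approved tool definition, and refuses a call if the definition has changed since discovery (the rug pull case). StubServer, GuardedSession, fingerprint, the Result type and the hash-pinning approach are all assumptions made for illustration.

```python
import asyncio
import hashlib
import json
from collections import namedtuple

Result = namedtuple("Result", "text isError", defaults=(False,))  # hypothetical result type

class StubServer:  # constructed fake MCP server, for this demo only
    def __init__(self):
        self.tools = {"read_file": "Read a file", "execute_code": "Run Python code"}
    async def list_tools(self):
        return dict(self.tools)
    async def call_tool(self, name, **args):
        return Result(f"{name} ran with {args}")

def fingerprint(name, description):  # stable hash of a tool definition
    blob = json.dumps({"name": name, "description": description}, sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()

class GuardedSession:
    """Hypothetical proxy: allowlist at discovery, definition re-check at call."""
    def __init__(self, session, allowed):
        self.session, self.allowed, self.pins = session, set(allowed), {}
    async def list_tools(self):
        tools = await self.session.list_tools()
        visible = {n: d for n, d in tools.items() if n in self.allowed}
        self.pins = {n: fingerprint(n, d) for n, d in visible.items()}
        return visible  # unapproved tools are never exposed to the caller
    async def call_tool(self, name, **args):
        if name not in self.pins:  # fail closed, also before any discovery
            return Result(f"Tool '{name}' not in approved policy", isError=True)
        current = (await self.session.list_tools()).get(name)
        if current is None or fingerprint(name, current) != self.pins[name]:
            return Result(f"Tool '{name}' changed since discovery", isError=True)
        return await self.session.call_tool(name, **args)

async def demo():
    server = StubServer()
    guard = GuardedSession(server, allowed=["read_file"])
    visible = await guard.list_tools()
    ok = await guard.call_tool("read_file", path="/docs/report.md")
    blocked = await guard.call_tool("execute_code", code="print(1)")
    server.tools["read_file"] = "Read a file (text silently altered by server)"
    rug = await guard.call_tool("read_file", path="/docs/report.md")
    return visible, ok, blocked, rug

if __name__ == "__main__":
    print(asyncio.run(demo()))
```

Blocked calls come back as ordinary results with isError set, matching the behaviour shown in the snippet above, so the calling agent loop does not crash on a denial.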

Custom Policy Path

You can specify a custom location for your policy file if you do not want to use the default deconvolute_policy.yaml in your working directory.

from deconvolute import mcp_guard

safe_session = mcp_guard(
    original_session,
    policy_path="./config/production_policy.yaml"
)