MCP 服务器

Fida

A local-first redacting MCP gateway that strips secrets from file reads and shell output before they reach an AI coding agent's context, the command still runs with the real credential, but the model never sees it.

README

Keep secret values out of AI coding agents.

Fida is a local-first secret leak prevention layer for AI coding agents. It finds exposed credentials, gives agents redacted safe views of sensitive files and command output, and shows whether your installed agent integrations can still expose a raw value.

It is deliberately not a general agent policy engine, approval system, or developer workflow firewall. Fida does not decide which ordinary commands an agent may run, which files it may edit, or whether you may use curl | sh. Its one job is simple: a detected secret must not reach model context.

Project status: MVP implemented. Fida installs local integrations, verifies its redaction path with a synthetic credential, scans repo risk, and records redaction-safe audit events.

Quick start

# Install the binary. In a terminal it offers to set up protection right away.
curl -fsSL https://raw.githubusercontent.com/ajipurn/fida/main/install.sh | sh

# Run fida with no arguments any time to set up — or, once installed, to update.
fida

# Check coverage, including how many secrets have been protected.
fida status

fida is install-and-forget: it wires every coding agent it detects, and running it again later checks for an update. Run from a terminal, the installer offers to do this for you; piped or in CI it stays quiet and just prints fida as the next step.

What Fida does

When an agent needs content that may contain a credential, Fida provides a sanitized view instead of the raw bytes:

Agent -> fida_read .env -> scan -> redact -> agent

API_URL=https://example.test
API_KEY=[REDACTED]

Its integrations combine three layers:

Redacting MCP gateway — fida_read and fida_shell return redacted file content and captured command output. fida_shell still runs the real command — the child process keeps the true credential, so the work succeeds — and redacts only the output handed back to the model: the agent uses a secret without seeing it. File reads are confined to the workspace by default, including symlink and .. escape checks; secrets outside the workspace (e.g. ~/.aws) are covered only by the native-read hook on enforced agents.
Agent steering — a managed instruction tells the agent to use those redacting tools whenever it needs sensitive content.
Native-read hook, where supported — Codex and Claude Code can block a native read only when Fida detects secret content that the native tool cannot redact, then direct the agent to the gateway.

Normal clean reads, edits, commands, installs, network access, and approvals remain the agent's and developer's concern. Fida's gateway follows the same low-friction rule: it captures and redacts output; it does not apply a command allowlist or repository approval policy.

What Fida detects

The built-in detector catalog recognizes dotenv assignments, PEM private keys, and high-precision formats for AWS, GitHub, Google, Slack, Stripe, OpenAI, Anthropic, and JWT credentials. It favors precision over recall: a credential in a format Fida does not recognize passes through unredacted. This is best-effort protection against accidental exposure, not a guarantee of zero leakage. Use a dedicated history scanner such as gitleaks or GitGuardian alongside Fida.

Fida fails closed on redaction: if it cannot prove a response is clean, it suppresses that response rather than returning a partial secret.

Install

curl -fsSL https://raw.githubusercontent.com/ajipurn/fida/main/install.sh | sh

The binary is installed to ~/.local/bin by default. Run in an interactive terminal, the installer then offers to wire protection for you; otherwise start setup yourself:

fida

Pin a version or choose another install directory:

FIDA_VERSION=v0.1.0 FIDA_INSTALL_DIR=/usr/local/bin \
  curl -fsSL https://raw.githubusercontent.com/ajipurn/fida/main/install.sh | sh

Other options:

cargo install --git https://github.com/ajipurn/fida fida-cli

git clone https://github.com/ajipurn/fida
cd fida
./install.sh

Everyday commands

fida                  # protect every detected agent (or, once installed, update)
fida on [agent]       # protect one agent, or all detected agents
fida off [agent]      # remove protection from one agent, or all of them
fida status           # coverage + how many secrets have been protected
fida scan             # find secret risk without printing secret values
fida scan --fail-on high

fida scan reports whether a raw secret could reach a detected agent. It never prints a secret value, its length, or a fragment of it.

Agent coverage

Agent	Coverage
Codex, Claude Code	`enforced` when the hook and gateway self-test pass
Cursor, OpenCode, GitHub Copilot, Windsurf, Antigravity, Kiro	`best_effort` gateway + steering

fida status reports the actual state for each detected agent: enforced, best_effort, incomplete, or inactive.

Scope and limits

Fida protects model-bound content on its installed integration paths. It is not an OS sandbox or a complete data-loss-prevention product. An agent that can ignore steering, bypass a hook, or access a file through an unmediated native tool may still need OS-level containment. Fida names that coverage honestly instead of turning ordinary development into a permission maze.

Development

cargo fmt --all --check
cargo clippy --workspace --all-targets -- -D warnings
cargo test --workspace

Security

Please report security-sensitive issues privately when they could expose a secret, bypass redaction, or misrepresent protection coverage. See SECURITY.md.