Wrap command-line tools in an MCP wrapper to separate secrets from the coding environment. Support introspection of tools and allow requests for additional cababilities.
- Go 96.6%
- Shell 3.4%
| cmd | ||
| docs | ||
| internal | ||
| testdata | ||
| .envrc | ||
| .gitignore | ||
| .gitlab-ci.yml | ||
| CLAUDE.md | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| main.go | ||
| manifest.scm | ||
| README.md | ||
| test-container.sh | ||
wraptool
An MCP server that wraps CLI tools behind a security whitelist, so AI
coding assistants can use tools like git, gcloud, and kubectl
without direct access to credentials.
Why
AI coding assistants need CLI tools to be productive, but giving them direct access exposes API keys, SSH keys, kubeconfigs, and service account credentials to the model context. wraptool sits between the assistant and the tools:
- Credentials stay isolated -- wraptool runs as a separate process with its own environment; secrets never enter the AI context.
- Subcommand-level whitelisting -- allow
git commitbut denygit push --force, with flag-level granularity and value constraints. - Auto-discovery -- wraptool parses
--helpoutput to generate MCP tool schemas with real descriptions. - Structured denial workflow -- denied commands trigger a capability-request flow that an operator approves from the CLI.
Quick start
go build -o wraptool .
wraptool init --harness claude --url http://127.0.0.1:8717/sse
wraptool serve
Documentation
Full documentation lives in docs/ and is rendered with
Quarto to a website (published via GitLab
Pages):
| Page | Source |
|---|---|
| Getting started | docs/getting-started.qmd |
| Configuration reference | docs/configuration.qmd |
| Security model | docs/security.qmd |
| Hot-reload & capability requests | docs/hot-reload.qmd |
| Isolated environments | docs/isolated-environments.md |
| Overview slides | docs/presentation.qmd |
Build the site locally
quarto preview docs # live-reloading dev server
quarto render docs # produce docs/_site/
License
GPLv3 -- see LICENSE.