Getting Started

Get Agent Wall protecting your MCP servers in under 2 minutes.

Installation

```bash
npm install -g @agent-wall/cli
```

```bash
pnpm add -g @agent-wall/cli
```

```bash
yarn global add @agent-wall/cli
```

Quick Start

1. Generate a policy config

```bash
agent-wall init
```

This creates agent-wall.yaml with sensible defaults.

2. Wrap your MCP server

```bash
agent-wall wrap -- npx @modelcontextprotocol/server-filesystem /home/user
```

That's it. Agent Wall is now intercepting every tool call and enforcing your policy.

3. Integrate with your MCP client

Update your MCP client config to use Agent Wall as the command:

~/.claude/mcp_servers.json:

```json
{
  "mcpServers": {
    "filesystem": {
      "command": "agent-wall",
      "args": ["wrap", "--", "npx", "@modelcontextprotocol/server-filesystem", "/home/user"]
    }
  }
}
```

~/.cursor/mcp.json:

```json
{
  "mcpServers": {
    "filesystem": {
      "command": "agent-wall",
      "args": ["wrap", "--", "npx", "@modelcontextprotocol/server-filesystem", "/home/user"]
    }
  }
}
```

~/Library/Application Support/Claude/claude_desktop_config.json:

```json
{
  "mcpServers": {
    "filesystem": {
      "command": "agent-wall",
      "args": ["wrap", "--silent", "--", "npx", "@modelcontextprotocol/server-filesystem", "/home/user"]
    }
  }
}
```

.vscode/mcp.json:

```json
{
  "mcpServers": {
    "filesystem": {
      "command": "agent-wall",
      "args": ["wrap", "--", "npx", "@modelcontextprotocol/server-filesystem", "/home/user"]
    }
  }
}
```

~/.codeium/windsurf/mcp_config.json:

```json
{
  "mcpServers": {
    "filesystem": {
      "command": "agent-wall",
      "args": ["wrap", "--", "npx", "@modelcontextprotocol/server-filesystem", "/home/user"]
    }
  }
}
```
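
A server entry that still launches its command directly is not covered by the policy. The script below is an added example, not part of Agent Wall, that audits a client config of the shape shown above and lists entries that do not go through `agent-wall wrap --`; the function names, the `scratch` entry and the sample config are constructed for illustration.

```javascript
// Added example: audit an MCP client config for servers that bypass Agent Wall.
// Assumes the config shape shown on this page: mcpServers.<name>.{command,args}.

function stripLineComments(text) {
  // Config samples may carry a leading "// path" line; drop whole-line comments only.
  return text.split("\n").filter((l) => !/^\s*\/\//.test(l)).join("\n");
}

function checkServer(entry) {
  const command = String(entry.command || "");
  const args = Array.isArray(entry.args) ? entry.args : [];
  // Compare the executable name only; tolerate a full path or a Windows shim suffix.
  const base = command.split(/[\\/]/).pop().replace(/\.(cmd|exe)$/i, "");
  if (base !== "agent-wall") return `command is "${command}", not agent-wall`;
  if (args[0] !== "wrap") return 'first argument is not "wrap"';
  const sep = args.indexOf("--");
  if (sep === -1) return 'no "--" separator before the server command';
  if (sep === args.length - 1) return 'nothing follows "--"';
  return null; // entry is wrapped
}

function findUnwrappedServers(configText) {
  const config = JSON.parse(stripLineComments(configText));
  const findings = [];
  for (const [name, entry] of Object.entries(config.mcpServers || {})) {
    const reason = checkServer(entry || {});
    if (reason) findings.push({ name, reason });
  }
  return findings;
}

// Constructed sample: one wrapped server and one launched directly.
const SAMPLE_CONFIG = `
// ~/.cursor/mcp.json
{
  "mcpServers": {
    "filesystem": {
      "command": "agent-wall",
      "args": ["wrap", "--", "npx", "@modelcontextprotocol/server-filesystem", "/home/user"]
    },
    "scratch": {
      "command": "npx",
      "args": ["@modelcontextprotocol/server-filesystem", "/tmp"]
    }
  }
}`;

for (const f of findUnwrappedServers(SAMPLE_CONFIG)) {
  console.log(`UNWRAPPED ${f.name}: ${f.reason}`);
}
```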

Verify It Works

Test a tool call against your policy without starting a server:

```bash
# Should be DENIED (SSH key access)
agent-wall test --tool read_file --arg path=/home/.ssh/id_rsa

# Should be ALLOWED (normal file read)
agent-wall test --tool read_file --arg path=/home/user/project/README.md
```

Run the health check to verify everything is set up:

```bash
agent-wall doctor
```

Environment Variables

Set these once to avoid repeating flags:

```bash
export AGENT_WALL_CONFIG=/path/to/agent-wall.yaml
export AGENT_WALL_LOG=/var/log/agent-wall.log
```

These are used as fallbacks by wrap, test, validate, and doctor.

What's Next?

Released under the MIT License.