{"passport":{"unfragile":{"@version":"1.0","version":"2026-05","artifact":{"id":"npm_npm-oconnectormcp-gateway","slug":"npm-oconnectormcp-gateway","name":"@oconnector/mcp-gateway","type":"mcp","url":"https://www.npmjs.com/package/@oconnector/mcp-gateway","page_url":"https://unfragile.ai/npm-oconnectormcp-gateway","categories":["mcp-servers","code-review-security"],"tags":["mcp","model-context-protocol","ai-governance","ai-security","agent-governance","non-repudiation","compliance","nist","ed25519","abs-core","nraas","crewai","langchain","sovereign-accountability"],"pricing":{"model":"open_source","free":true,"starting_price":null},"status":"active","verified":false},"capabilities":[{"id":"npm_npm-oconnectormcp-gateway__cap_0","uri":"capability://tool.use.integration.mcp.tool.call.interception.and.governance","name":"mcp tool call interception and governance","description":"Intercepts all Model Context Protocol tool invocations at the gateway layer before execution, applying configurable governance policies to approve, deny, or modify tool calls based on security rules and compliance requirements. 
Uses a proxy architecture that sits between LLM agents (CrewAI, LangChain) and MCP servers, inspecting call signatures and payloads against policy definitions without requiring changes to upstream agent code.","intents":["I need to prevent my AI agents from calling certain dangerous tools or APIs without explicit approval","I want to audit every tool call my agents make for compliance and security purposes","I need to enforce rate limits or resource quotas on specific tool invocations across my agent fleet","I want to inject additional validation or transformation logic into tool calls without modifying my agent code"],"best_for":["Enterprise teams deploying AI agents in regulated industries (finance, healthcare, legal)","Teams building multi-agent systems where tool access control is critical","Organizations requiring audit trails and compliance evidence for AI tool usage"],"limitations":["Adds latency to every tool call (exact overhead depends on policy complexity and NRaaS signing operations)","Requires explicit policy configuration — no sensible defaults for tool restrictions","Does not prevent agents from attempting calls; only governs execution post-interception","Policy evaluation logic must be maintained separately from agent code, creating potential drift"],"requires":["Node.js 16+ (typical for npm packages)","MCP-compatible agent framework (CrewAI, LangChain, or direct MCP client)","MCP server endpoints to proxy calls to","Policy configuration file or API to define governance rules"],"input_types":["MCP tool call requests (JSON-RPC format with tool name, arguments, context)","Policy definitions (likely JSON or YAML format)","Agent context and metadata"],"output_types":["Approved/denied/modified MCP tool call responses","Audit logs with call metadata and decision rationale","Non-repudiation signatures 
(ED25519-based)"],"categories":["tool-use-integration","safety-moderation"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"npm_npm-oconnectormcp-gateway__cap_1","uri":"capability://safety.moderation.non.repudiation.signing.for.tool.call.decisions","name":"non-repudiation signing for tool call decisions","description":"Cryptographically signs all tool call governance decisions (approval, denial, modification) using ED25519 digital signatures, creating a tamper-evident audit trail: a valid signature proves the record was produced by the holder of the signing key and has not been altered since. Each decision is bound to an actor identity, but the signature attests the signing key rather than the person — how strongly it proves who authorized the call depends on how that identity was authenticated before signing, and how strongly it proves when depends on a trusted time source or timestamping service, not on the signature itself. Signed records are tamper-evident rather than immutable: detecting deleted or omitted entries requires append-only or chained log storage. This supports compliance requirements for accountability in regulated environments.","intents":["I need to prove to auditors that a specific tool call was approved by an authorized person at a specific time","I want to create a tamper-proof record of all AI tool usage decisions for legal/compliance purposes","I need to attribute tool call approvals to specific team members or roles for accountability","I want to detect if governance decisions have been forged or modified after the fact"],"best_for":["Regulated industries (finance, healthcare, legal) requiring audit trails for AI decisions","Organizations with strict compliance frameworks (HIPAA, SOX, GDPR, NIST)","Teams needing to demonstrate 'human-in-the-loop' approval for sensitive AI operations","Enterprises building sovereign AI systems with accountability requirements"],"limitations":["Signature verification requires access to public keys — key management infrastructure must be maintained","Signing adds overhead per decision (the ~5-10ms figure is an unverified estimate: software Ed25519 signing is typically sub-millisecond, while HSM/KMS-backed signing adds a network round-trip per operation)","Non-repudiation only applies to gateway decisions; does not cover agent reasoning or LLM outputs","Requires secure key storage and rotation policies — a compromised signing key does not cryptographically invalidate existing signatures, but it makes every signature under that key unattributable (an attacker could have produced any of them); only records anchored or timestamped by an independent party before the compromise remain trustworthy, and verifiers must honour key validity periods and revocation"],"requires":["ED25519 key pair (private key for signing, public key for verification)","Key management 
infrastructure (HSM, secure vault, or KMS integration)","Timestamp service or reliable system clock for decision timestamping","Signature verification logic in audit/compliance systems"],"input_types":["Tool call governance decisions (approval/denial/modification)","Actor identity (user ID, role, service account)","Timestamp and context metadata"],"output_types":["ED25519 digital signature (base64 or hex encoded)","Signed decision record (JSON with signature, timestamp, actor, decision)","Audit log entries with cryptographic proof"],"categories":["safety-moderation","tool-use-integration"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"npm_npm-oconnectormcp-gateway__cap_2","uri":"capability://safety.moderation.policy.based.tool.call.filtering.and.modification","name":"policy-based tool call filtering and modification","description":"Evaluates incoming MCP tool calls against a configurable policy engine that can allow, block, or transform tool invocations based on rules matching tool name, arguments, caller identity, resource usage, or other contextual signals. 
Policies are evaluated before tool execution, enabling fine-grained control over what agents can do without requiring changes to agent code or LLM prompts.","intents":["I want to block certain tools entirely (e.g., no file deletion, no external API calls to untrusted services)","I need to enforce argument validation (e.g., only allow file operations within a specific directory)","I want to rate-limit tool calls (e.g., max 10 API calls per minute per agent)","I need to transform tool arguments before execution (e.g., sanitize file paths, add authentication headers)"],"best_for":["Teams building multi-tenant AI systems where different users have different tool access levels","Organizations with strict security policies around tool usage (no external APIs, no file system access, etc.)","Developers needing to enforce resource quotas or rate limits on tool invocations","Compliance-heavy environments requiring granular audit trails of what tools were called and why"],"limitations":["Policy evaluation adds latency proportional to rule complexity (simple rules ~1-5ms, complex rules ~10-50ms)","No built-in policy language — requires custom implementation or integration with external policy engine","Policies must be maintained separately from agent code, creating potential for drift or inconsistency","Cannot prevent agents from attempting blocked calls; only prevents execution (may still consume tokens in LLM reasoning)"],"requires":["Policy definition format (JSON, YAML, or custom DSL)","Policy evaluation engine (built-in or external, e.g., OPA, Rego)","Tool metadata (name, arguments, expected behavior) for policy matching","Actor/caller identity information for role-based access control"],"input_types":["MCP tool call requests (tool name, arguments, caller context)","Policy rules (conditions and actions)","Actor identity and role information"],"output_types":["Decision (allow/deny/modify)","Modified tool call (if transformation applied)","Denial reason or error message (if 
blocked)","Audit log entry with policy evaluation details"],"categories":["safety-moderation","tool-use-integration"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"npm_npm-oconnectormcp-gateway__cap_3","uri":"capability://safety.moderation.multi.agent.tool.access.control.with.role.based.enforcement","name":"multi-agent tool access control with role-based enforcement","description":"Manages tool access permissions across multiple AI agents based on actor identity, role, or team membership, ensuring that different agents or users can only invoke tools they are authorized to use. Uses identity context from the MCP request to evaluate role-based access control (RBAC) policies, enabling fine-grained delegation of tool access without modifying individual agent configurations.","intents":["I want different teams to have access to different sets of tools (e.g., finance team can call payment APIs, HR team cannot)","I need to restrict certain sensitive tools to specific users or service accounts","I want to implement least-privilege access where agents only get tools they need for their specific task","I need to audit which agent or user called which tool for compliance purposes"],"best_for":["Enterprise organizations with multiple teams using shared AI infrastructure","Multi-tenant SaaS platforms where different customers need different tool access","Organizations with strict role-based access control requirements (RBAC)","Teams building agent networks where tool access must be tightly controlled"],"limitations":["Requires reliable actor identity propagation through the MCP request chain — identity spoofing would bypass controls","Role definitions must be maintained in a separate system (identity provider, policy database) — creates operational overhead","No built-in integration with standard identity providers (OIDC, SAML, LDAP) — requires custom implementation","Policy evaluation adds latency proportional to role hierarchy complexity"],"requires":["Actor identity 
information in MCP requests (user ID, service account, API key, JWT token)","Role/permission definitions (stored in policy database, identity provider, or configuration file)","Identity verification mechanism (JWT validation, API key lookup, etc.)","Mapping between roles and tool access permissions"],"input_types":["MCP tool call requests with actor identity context","Role definitions and permission mappings","Tool metadata and access requirements"],"output_types":["Access decision (allow/deny)","Audit log entry with actor identity and tool access decision","Error message if access denied"],"categories":["safety-moderation","tool-use-integration"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"npm_npm-oconnectormcp-gateway__cap_4","uri":"capability://safety.moderation.audit.logging.with.cryptographic.proof.of.tool.invocations","name":"audit logging with cryptographic proof of tool invocations","description":"Records comprehensive audit logs of all tool call governance decisions, including tool name, arguments, actor identity, decision (allow/deny/modify), timestamp, and ED25519 signature proving the decision was made by an authorized entity. 
Logs are structured for compliance reporting and can be exported for external audit or forensic analysis.","intents":["I need to generate audit reports showing which tools were called, by whom, and when, for compliance purposes","I want to investigate a security incident by reviewing the complete history of tool calls made by a specific agent or user","I need to prove to auditors that sensitive tool calls were properly authorized and logged","I want to detect unusual patterns in tool usage (e.g., an agent suddenly calling tools it normally doesn't use)"],"best_for":["Regulated industries (finance, healthcare, legal) requiring comprehensive audit trails","Organizations with strict compliance requirements (HIPAA, SOX, GDPR, NIST)","Security teams needing to investigate AI-related incidents or anomalies","Enterprises building audit-ready AI systems"],"limitations":["Audit logs can grow very large with high-volume tool usage — requires log storage and retention strategy; because entries capture tool arguments and results, they may also contain secrets or personal data, so apply redaction and treat log storage as sensitive","Signature verification requires access to public keys — key management infrastructure must be maintained","Logs are only as trustworthy as the system that generates them — a compromised gateway holds the signing key and can emit validly-signed false entries or silently drop entries; per-entry signatures do not detect deletion or reordering, so ship entries promptly to a write-once store outside the gateway's control and use sequence numbers or hash chaining to make gaps detectable","No built-in log analysis or anomaly detection — requires external SIEM or analytics tools"],"requires":["Log storage backend (file system, database, cloud logging service)","ED25519 public keys for signature verification","Timestamp service or reliable system clock","Log retention and archival policies"],"input_types":["Tool call governance decisions with metadata","Actor identity and context","Tool call details (name, arguments, result)"],"output_types":["Structured audit log entries (JSON or similar format)","Audit reports (CSV, PDF, or other formats for compliance)","Cryptographically-signed log 
entries"],"categories":["safety-moderation","data-processing-analysis"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"npm_npm-oconnectormcp-gateway__cap_5","uri":"capability://tool.use.integration.mcp.server.endpoint.proxying.with.transparent.request.response.handling","name":"mcp server endpoint proxying with transparent request/response handling","description":"Acts as a transparent proxy between LLM agents and MCP servers, intercepting all MCP protocol messages (JSON-RPC format), applying governance policies, and forwarding approved calls to the actual MCP server endpoints. Handles request/response transformation, error handling, and timeout management without requiring agents to be aware of the proxy layer.","intents":["I want to add governance to my existing MCP servers without modifying the servers themselves","I need to route tool calls to different MCP server endpoints based on governance policies","I want to add request/response logging and transformation without changing agent code","I need to handle MCP server failures gracefully while maintaining governance audit trails"],"best_for":["Teams with existing MCP server infrastructure who want to add governance without refactoring","Organizations needing to support multiple MCP server endpoints with unified governance","Developers building agent platforms that need to enforce governance across all tool calls","Teams migrating from uncontrolled tool access to governed tool access"],"limitations":["Adds latency to every tool call (proxy overhead + policy evaluation + signature generation)","Requires agents to be configured to point to the gateway instead of MCP servers — may require agent code changes; governance covers only traffic that actually traverses the gateway, so agents must be prevented from reaching MCP servers directly (network policy, or server credentials held only by the gateway), otherwise the controls are trivially bypassed","Does not provide end-to-end encryption between agent and MCP server — all tool arguments and results, which may include secrets or personal data, are visible to the gateway, so the gateway host, its operators and its logs sit inside the data's trust boundary; the agent-to-gateway and gateway-to-server hops should still each use TLS","Gateway becomes a single point of failure — requires high availability setup for production use"],"requires":["MCP server endpoints to proxy to (HTTP, WebSocket, or other MCP transport)","Network 
connectivity between gateway and MCP servers","Agent configuration pointing to gateway instead of MCP servers","MCP protocol understanding (JSON-RPC format, tool schema, etc.)"],"input_types":["MCP JSON-RPC requests from agents (tool calls with arguments)","MCP server responses (results or errors)"],"output_types":["Forwarded MCP JSON-RPC requests to servers","MCP server responses back to agents","Governance decisions and audit logs"],"categories":["tool-use-integration","automation-workflow"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"npm_npm-oconnectormcp-gateway__cap_6","uri":"capability://tool.use.integration.integration.with.crewai.and.langchain.agent.frameworks","name":"integration with crewai and langchain agent frameworks","description":"Provides native integration points with CrewAI and LangChain agent frameworks, allowing these frameworks to route tool calls through the MCP gateway for governance without requiring custom code. Handles framework-specific tool registration, context passing, and response handling to ensure seamless integration with existing agent code.","intents":["I'm using CrewAI or LangChain and want to add governance to my agents without rewriting them","I need to ensure all tool calls from my CrewAI/LangChain agents go through the governance gateway","I want to use the same governance policies across multiple agent frameworks","I need to maintain compatibility with existing CrewAI/LangChain code while adding governance"],"best_for":["Teams using CrewAI or LangChain who want to add governance to existing agents","Organizations standardizing on CrewAI/LangChain and needing governance across the platform","Developers building agent platforms that need to support multiple frameworks with unified governance","Teams migrating from uncontrolled agents to governed agents"],"limitations":["Integration is framework-specific — requires separate implementation for each framework version","Framework updates may break integration — 
requires maintenance and testing","Does not provide governance for framework-internal operations (LLM calls, reasoning) — only tool calls","Requires agents to be configured to use the gateway integration — may require code changes"],"requires":["CrewAI 0.x or LangChain 0.x (specific versions depend on integration)","Python 3.9+ (typical for CrewAI/LangChain)","MCP gateway running and accessible","Agent code using the framework's tool registration mechanism"],"input_types":["CrewAI/LangChain tool definitions and schemas","Agent tool call requests","Framework context and metadata"],"output_types":["Tool call results from MCP gateway","Governance decisions and audit logs","Framework-compatible responses"],"categories":["tool-use-integration","automation-workflow"],"confidence":0.5,"matches":0,"success_rate":0},{"id":"npm_npm-oconnectormcp-gateway__cap_7","uri":"capability://safety.moderation.sovereign.accountability.and.compliance.reporting","name":"sovereign accountability and compliance reporting","description":"Generates compliance reports and audit evidence demonstrating that AI tool usage meets regulatory requirements (NIST, HIPAA, SOX, GDPR, etc.) by providing cryptographically-signed records of tool call governance decisions, actor accountability, and policy enforcement. 
Reports can be exported for external audit or regulatory review.","intents":["I need to demonstrate to regulators that my AI agents are operating under proper governance and controls","I want to generate audit reports showing compliance with NIST, HIPAA, SOX, or GDPR requirements","I need to prove that sensitive tool calls were authorized by appropriate personnel","I want to show auditors that my AI system has proper accountability and non-repudiation controls"],"best_for":["Regulated industries (finance, healthcare, legal) subject to compliance audits","Organizations building sovereign AI systems with accountability requirements","Enterprises needing to demonstrate compliance with NIST, HIPAA, SOX, GDPR, or similar frameworks","Teams subject to external audits or regulatory oversight"],"limitations":["Reports are only as trustworthy as the underlying audit logs — compromised gateway could produce false reports","Compliance requirements vary by jurisdiction and industry — reports may need customization","No built-in integration with specific compliance frameworks — requires manual mapping of controls to requirements","Report generation requires access to complete audit logs — large-scale deployments may have performance issues"],"requires":["Complete audit logs with cryptographic signatures","Policy definitions and enforcement records","Actor identity and role information","Compliance framework definitions (NIST, HIPAA, SOX, GDPR, etc.)"],"input_types":["Audit logs with governance decisions and signatures","Policy definitions and enforcement records","Actor identity and role information","Compliance framework requirements"],"output_types":["Compliance reports (PDF, CSV, or other formats)","Audit evidence (cryptographically-signed records)","Control attestations (proof that specific controls are in place)","Gap analysis (areas where compliance is 
lacking)"],"categories":["safety-moderation","data-processing-analysis"],"confidence":0.5,"matches":0,"success_rate":0}],"trust":{"score":35,"verified":false,"data_access_risk":"high","permissions":["Node.js 16+ (typical for npm packages)","MCP-compatible agent framework (CrewAI, LangChain, or direct MCP client)","MCP server endpoints to proxy calls to","Policy configuration file or API to define governance rules","ED25519 key pair (private key for signing, public key for verification)","Key management infrastructure (HSM, secure vault, or KMS integration)","Timestamp service or reliable system clock for decision timestamping","Signature verification logic in audit/compliance systems","Policy definition format (JSON, YAML, or custom DSL)","Policy evaluation engine (built-in or external, e.g., OPA, Rego)"],"failure_modes":["Adds latency to every tool call (exact overhead depends on policy complexity and NRaaS signing operations)","Requires explicit policy configuration — no sensible defaults for tool restrictions","Does not prevent agents from attempting calls; only governs execution post-interception","Policy evaluation logic must be maintained separately from agent code, creating potential drift","Signature verification requires access to public keys — key management infrastructure must be maintained","ED25519 signatures add cryptographic overhead (~5-10ms per signature operation)","Non-repudiation only applies to gateway decisions; does not cover agent reasoning or LLM outputs","Requires secure key storage and rotation policies — compromised keys invalidate all signatures","Policy evaluation adds latency proportional to rule complexity (simple rules ~1-5ms, complex rules ~10-50ms)","No built-in policy language — requires custom implementation or integration with external policy engine","builder identity is not verified yet","no observed match outcomes 
yet"],"rank_breakdown":{"adoption":0.05,"quality":0.41,"ecosystem":0.6000000000000001,"match_graph":0.25,"freshness":0.75,"weights":{"adoption":0.25,"quality":0.25,"ecosystem":0.15,"match_graph":0.23,"freshness":0.12}},"observed_outcomes":{"matches":0,"success_rate":0,"avg_confidence":0,"top_intents":[],"last_matched_at":null},"maintenance":{"status":"active","updated_at":"2026-05-24T12:16:23.904Z","last_scraped_at":"2026-05-03T14:23:58.257Z","last_commit":null},"community":{"stars":null,"forks":null,"weekly_downloads":null,"model_downloads":null,"model_likes":null}},"distribution":{"claim_url":"https://unfragile.ai/submit?claim=npm-oconnectormcp-gateway","compare_url":"https://unfragile.ai/compare?artifact=npm-oconnectormcp-gateway"}},"signature":"19L/vf8t9gNQm4JFO9C+sa1xkpJ/mrMlj+j0yFj6V9ONqJOcCOlPSXm6adnoKBKqRjjz2Riog1WUGo9j8/JcCQ==","signedAt":"2026-06-20T00:20:08.886Z","signedBy":"unfragile.ai","version":1},"_links":{"self":"https://unfragile.ai/api/v1/passport/npm-oconnectormcp-gateway","artifact":"https://unfragile.ai/npm-oconnectormcp-gateway","verify":"https://unfragile.ai/api/v1/verify?slug=npm-oconnectormcp-gateway","publicKey":"https://unfragile.ai/api/v1/trust-passport-public-key","spec":"https://unfragile.ai/trust","schema":"https://unfragile.ai/schema.json","docs":"https://unfragile.ai/docs"}}