Server data from the Official MCP Registry
A firewall and password manager for AI coding agents: scoped, expiring access to their tools.
A firewall and password manager for AI coding agents: scoped, expiring access to their tools.
Valid MCP server (3 strong, 1 medium validity signals). No known CVEs in dependencies. ⚠️ Package registry links to a different repository than scanned source. Imported from the Official MCP Registry. Trust signals: trusted author (3/3 approved). 1 finding(s) downgraded by scanner intelligence.
9 files analyzed · 1 issue found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
This plugin requests these system permissions. Most are normal for its category.
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-wkoverfield-switchboard": {
"args": [
"-y",
"@switchboard-mcp/cli"
],
"command": "npx"
}
}
}From the project's GitHub README.
A firewall and password manager for your AI coding agents.
Switchboard controls what Claude Code and Codex can reach in a repo. It finds the MCP servers and tokens your agents can already touch, gets secrets out of plaintext config and behind named keychain refs, and puts each agent on a scoped pass that expires on its own.

Everything runs locally. No account, no hosted service, no telemetry.
switchboard scan shows which MCP servers and tokens agents can reach in
this repo, and which routes bypass Switchboard entirely.switchboard import consolidates scattered Claude/Codex MCP config into one
Switchboard route, with timestamped backups and exact rollback commands.secretRef: "github/ci/token", never the token itself.switchboard grant puts the agent on a pass: named tools reachable,
everything else denied, gone in a few hours.switchboard status answers whether a pass is live right now.
switchboard revoke ends one early.switchboard logs reads it.npm install -g @switchboard-mcp/cli
Or without installing:
npx -y @switchboard-mcp/cli@latest scan
Requires Node 22 or newer. Daily use is on macOS, CI runs on Linux, and a Windows keychain backend exists but gets less exercise.
Start in a repo where your agents already work:
$ switchboard scan
This looks like acme-app.
Detected:
- Codex Switchboard route missing
- Claude Switchboard route missing
- Claude direct MCP server "github" detected
Authority bypasses:
high claude:github (github; direct-mcp-server, secret-env-name)
Warnings:
- 1 direct MCP bypass finding(s), including 1 high-risk finding(s), were detected.
That high-risk finding is a GitHub token sitting in plaintext in .mcp.json.
Move it behind Switchboard:
switchboard import --dry-run # see the plan first
switchboard import --write --cleanup-client
switchboard secrets set <ref> # store the token; import prints the exact command
switchboard install claude --write # route the agent through Switchboard
Import rewrites client config to a single Switchboard route, replaces the
plaintext token with a named keychain ref, and leaves a backup plus the exact
rollback command. Import never reads secret values itself; the secrets set
step is where the token actually enters your keychain. Then scope the agent:
switchboard grant --for 4h
You get the pass above. When you want it gone early:
$ switchboard revoke
Revoked pass grant-main (main). The agent's scoped access is off now.
switchboard doctor tells you the next thing to fix at any point. If a repo
has no MCP config yet, switchboard setup github-ci starts from a safe
provider template instead.
switchboard run. An agent with raw shell
access, a provider CLI, a browser session, or a direct MCP route can bypass
it. switchboard scan reports those bypass routes so you can clean them up
or accept them deliberately.switchboard grant says so itself when
no client is wired up yet, and switchboard install <claude|codex> closes
the gap.| Command | What it does |
|---|---|
switchboard scan | Show what agents can reach in this repo, including bypass routes |
switchboard import | Consolidate Claude/Codex MCP config into one guarded route |
switchboard grant / revoke | Give the repo's agent an expiring scoped pass, or end it now |
switchboard status | Is a pass live right now, and which config is active |
switchboard doctor | Check the setup and print the next thing to fix |
switchboard setup <preset> | Guided setup from a provider safety template (switchboard presets list shows them) |
switchboard auth <preset> | Store the provider token for a preset in the keychain |
switchboard secrets | Set, list, remove, and doctor named secret refs |
switchboard run | Run an allowed provider command with pass-scoped credentials and audit |
switchboard install <client> | Route Claude Code or Codex through Switchboard (add --scope user for one server across every repo) |
switchboard pass | Create and inspect task-scoped passes with leases, gates, handoffs |
switchboard approvals | Review and decide approval-gated tool calls |
switchboard tools | List the tool surface a pass exposes |
switchboard logs | Read the local audit log |
switchboard audit | Repo authority posture report, exportable as JSONL |
Commands that report state take --json for scripts and harnesses, with
versioned schemas. switchboard <command> --help has the rest.
Switchboard reads layered YAML config (global, then .switchboard.yaml, then
.switchboard.local.yaml). Each profile names an upstream MCP server and the
secret refs it needs. At runtime, Switchboard mounts permitted profiles as one
MCP endpoint, resolves secret refs from the OS keychain only at launch, and
namespaces every tool so a pass can allow github_ci_* and deny everything
else. Passes, approvals, and audit entries are plain local files that reference
secrets by name, never by value.
Secret storage uses OS keychain backends by default. Plaintext fallbacks exist
for dev machines and CI, and require an explicit
SWITCHBOARD_ALLOW_UNSAFE_SECRET_BACKENDS=1 opt-in.
switchboard pass create --from github-ci --json returns a
workspaceLease.mcpLaunch payload: the exact command to launch a
pass-scoped stdio MCP endpoint, plus the pass policy and lease. Switchboard
grants and audits authority; your harness owns scheduling, retries, and agent
processes. JSON contracts are documented in
docs/use-cases/harness-json-contracts.md.
git clone https://github.com/wkoverfield/switchboard.git
cd switchboard
pnpm install
pnpm build
pnpm switchboard --help
pnpm test
Contributions are welcome; see CONTRIBUTING.md, and report vulnerabilities privately per SECURITY.md.
Smoke tests and fresh-agent evals live in scripts/; CI runs the full set.
The top demo is a VHS tape: brew install vhs && pnpm build && vhs examples/switchboard.tape.
Deeper docs: quickstart,
trust model,
provider safety templates,
roadmap.
MIT. See LICENSE.
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.
by Microsoft · Content & Media
Convert files (PDF, Word, Excel, images, audio) to Markdown for LLM consumption
by mcp-marketplace · Developer Tools
Search and install MCP servers from inside your AI client.
by mcp-marketplace · Finance
Free stock data and market news for any MCP-compatible AI assistant.