Skip to content

Stop trusting your AI agents blindly.

KnoTrust puts you back in charge of what your AI agents can actually do — the safe actions run instantly, the risky ones wait for your approval, and every attempt is logged. Works with Claude, Codex, and any MCP agent. Nothing to host, no account.

KnoTrustKnoTrust

Get started in under a minute

Not on npm yet — build from source

knotrust isn't published to npm yet, so npx knotrust … won't resolve. Install from source — a few minutes, and you get the same knotrust command on your PATH. Then use knotrust … in place of npx knotrust … in the examples below.

sh
# Point KnoTrust at Claude Desktop's existing MCP servers
npx knotrust init claude

# ...or wrap any MCP server directly, client-agnostic
npx knotrust -- node server.js

knotrust init finds your AI client's tool configuration, rewires each tool server to run behind knotrust --, and sets up a starting policy with suggested risk tiers based on what each tool says about itself. From there, every action your agent tries is decided by its risk tier: routine actions pass straight through, sensitive actions need a one-time approval (a "grant"), and critical actions stop and wait for you to say yes. See the installation & quickstart guide for the full walkthrough.

Honest boundaries

What KnoTrust is not

  • Not a sandbox. KnoTrust governs the MCP action surface only. A shell command, a file write, or a raw network call from your agent's own tools never becomes an MCP call — KnoTrust never sees it, and never blocks it.
  • Not a replacement for running agents in a sandbox. We recommend a disposable container or a least-privilege account with no production credentials. KnoTrust is the policy-and-approval layer on top of that wall, not the wall itself.
  • Not tamper-proof. The local audit log is hash-chained and tamper-evident, not tamper-proof — a same-account attacker can still rewrite it. Real tamper-evidence needs an off-box export. We will never call the local OSS log "immutable."

Read the full doctrine in Security & threat boundaries.

Released under the Apache License 2.0.