{"id":30020680,"url":"https://github.com/gbrigandi/mcp-server-conceal","last_synced_at":"2026-05-18T03:36:37.617Z","repository":{"id":306194206,"uuid":"1025327833","full_name":"gbrigandi/mcp-server-conceal","owner":"gbrigandi","description":"Privacy-focused MCP proxy that intelligently pseudo-anonymizes PII in real-time before data reaches external AI providers, maintaining semantic relationships for accurate analysis","archived":false,"fork":false,"pushed_at":"2025-07-24T06:26:01.000Z","size":62,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-08-06T02:21:21.012Z","etag":null,"topics":["llm","mcp-server","model-context-protocol-servers","ollama","privacy-protection","pseudo-anonymization"],"latest_commit_sha":null,"homepage":"","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gbrigandi.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-07-24T05:11:45.000Z","updated_at":"2025-07-25T18:18:36.000Z","dependencies_parsed_at":"2025-07-24T08:35:01.653Z","dependency_job_id":"c5fad309-df64-4c3a-b9d1-b4fa0232df97","html_url":"https://github.com/gbrigandi/mcp-server-conceal","commit_stats":null,"previous_names":["gbrigandi/mcp-server-conceal"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/gbrigandi/mcp-server-conceal","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gbrigandi%2Fmcp-server-conceal","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gbrigandi%2Fmcp-server-conceal/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gbrigandi%2Fmcp-server-conceal/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gbrigandi%2Fmcp-server-conceal/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gbrigandi","download_url":"https://codeload.github.com/gbrigandi/mcp-server-conceal/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gbrigandi%2Fmcp-server-conceal/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33163808,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-17T22:39:12.733Z","status":"online","status_checked_at":"2026-05-18T02:00:06.436Z","response_time":71,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["llm","mcp-server","model-context-protocol-servers","ollama","privacy-protection","pseudo-anonymization"],"created_at":"2025-08-06T02:02:48.044Z","updated_at":"2026-05-18T03:36:37.600Z","avatar_url":"https://github.com/gbrigandi.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"# MCP Conceal\n\nAn MCP proxy that pseudo-anonymizes PII before data reaches external AI providers like Claude, ChatGPT, or Gemini.\n\n```mermaid\nsequenceDiagram\n    participant C as AI Client (Claude)\n    participant P as MCP Conceal\n    participant S as Your MCP Server\n    \n    C-\u003e\u003eP: Request\n    P-\u003e\u003eS: Request\n    S-\u003e\u003eP: Response with PII\n    P-\u003e\u003eP: PII Detection\n    P-\u003e\u003eP: Pseudo-Anonymization\n    P-\u003e\u003eP: Consistent Mapping\n    P-\u003e\u003eC: Sanitized Response\n```\n\nMCP Conceal performs pseudo-anonymization rather than redaction to preserve semantic meaning and data relationships required for AI analysis. Example: `john.smith@acme.com` becomes `mike.wilson@techcorp.com`, maintaining structure while protecting sensitive information.\n\n## Installation\n\n### Download Pre-built Binary\n\n1. Visit the [Releases page](https://github.com/gbrigandi/mcp-server-conceal/releases)\n2. Download the binary for your platform:\n\n| Platform | Binary |\n|----------|--------|\n| Linux x64 | `mcp-server-conceal-linux-amd64` |\n| macOS Intel | `mcp-server-conceal-macos-amd64` |\n| macOS Apple Silicon | `mcp-server-conceal-macos-aarch64` |\n| Windows x64 | `mcp-server-conceal-windows-amd64.exe` |\n\n3. Make executable: `chmod +x mcp-server-conceal-*` (Linux/macOS)\n4. Add to PATH:\n   - **Linux/macOS**: `mv mcp-server-conceal-* /usr/local/bin/mcp-server-conceal`\n   - **Windows**: Move to a directory in your PATH or add current directory to PATH\n\n### Building from Source\n\n```bash\ngit clone https://github.com/gbrigandi/mcp-server-conceal\ncd mcp-server-conceal\ncargo build --release\n```\n\nBinary location: `target/release/mcp-server-conceal`\n\n## Quick Start\n\n### Prerequisites\n\nInstall Ollama for LLM-based PII detection:\n\n1. Install Ollama: [ollama.ai](https://ollama.ai)\n2. Pull model: `ollama pull llama3.2:3b`\n3. Verify: `curl http://localhost:11434/api/version`\n\n### Basic Usage\n\nCreate a minimal `mcp-server-conceal.toml`:\n\n```toml\n[detection]\nmode = \"regex_llm\"\n\n[llm]\nmodel = \"llama3.2:3b\"\nendpoint = \"http://localhost:11434\"\n```\n\nSee the [Configuration](#configuration) section for all available options.\n\nRun as proxy:\n\n```bash\nmcp-server-conceal \\\n  --target-command python3 \\\n  --target-args \"my-mcp-server.py\" \\\n  --config mcp-server-conceal.toml\n```\n\n## Configuration\n\nComplete configuration reference:\n\n```toml\n[detection]\nmode = \"regex_llm\"                # Detection strategy: regex, llm, regex_llm\nenabled = true                    \nconfidence_threshold = 0.8        # Detection confidence threshold (0.0-1.0)\n\n[detection.patterns]\nemail = \"\\\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\\\.[A-Z|a-z]{2,}\\\\b\"\nphone = \"\\\\b(?:\\\\+?1[-\\\\.\\\\s]?)?(?:\\\\(?[0-9]{3}\\\\)?[-\\\\.\\\\s]?)?[0-9]{3}[-\\\\.\\\\s]?[0-9]{4}\\\\b\"\nssn = \"\\\\b\\\\d{3}-\\\\d{2}-\\\\d{4}\\\\b\"\ncredit_card = \"\\\\b\\\\d{4}[-\\\\s]?\\\\d{4}[-\\\\s]?\\\\d{4}[-\\\\s]?\\\\d{4}\\\\b\"\nip_address = \"\\\\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\b\"\nurl = \"https?://[^\\\\s/$.?#].[^\\\\s]*\"\n\n[faker]\nlocale = \"en_US\"                  # Locale for generating realistic fake PII data\nseed = 12345                      # Seed ensures consistent anonymization across restarts\nconsistency = true                # Same real PII always maps to same fake data\n\n[mapping]\ndatabase_path = \"mappings.db\"     # SQLite database storing real-to-fake mappings\nretention_days = 90               # Delete old mappings after N days\n\n[llm]\nmodel = \"llama3.2:3b\"             # Ollama model for PII detection\nendpoint = \"http://localhost:11434\"\ntimeout_seconds = 180\nprompt_template = \"default\"       # Template for PII detection prompts\n\n[llm_cache]\nenabled = true                    # Cache LLM detection results for performance\ndatabase_path = \"llm_cache.db\"\nmax_text_length = 2000\n```\n\n### Configuration Guidance\n\n**Detection Settings:**\n- `confidence_threshold`: Lower values (0.6) catch more PII but increase false positives. Higher values (0.9) are more precise but may miss some PII.\n- `mode`: Choose based on your latency vs accuracy requirements (see Detection Modes below)\n\n**Faker Settings:**\n- `locale`: Use \"en_US\" for American names/addresses, \"en_GB\" for British, etc. Affects realism of generated fake data\n- `seed`: Keep consistent across deployments to ensure same real data maps to same fake data\n- `consistency`: Always leave `true` to maintain data relationships\n\n**Mapping Settings:**\n- `retention_days`: Balance between data consistency and storage. Shorter periods (30 days) reduce storage but may cause inconsistent anonymization for recurring data\n- `database_path`: Use absolute paths in production to avoid database location issues\n\n## Detection Modes\n\nChoose the detection strategy based on your performance requirements and data complexity:\n\n### RegexLlm (Default)\n**Best for production environments** - Combines speed and accuracy:\n- Phase 1: Fast regex catches common patterns (emails, phones, SSNs)\n- Phase 2: LLM analyzes remaining text for complex PII\n- **Use when**: You need comprehensive detection with reasonable performance\n- **Performance**: ~100-500ms per request depending on text size\n- Configure: `mode = \"regex_llm\"`\n\n### Regex Only\n**Best for high-volume, latency-sensitive applications**:\n- Uses only pattern matching - no AI analysis\n- **Use when**: You have well-defined PII patterns and need \u003c10ms response\n- **Trade-off**: May miss contextual PII like \"my account number is ABC123\"\n- Configure: `mode = \"regex\"`\n\n### LLM Only  \n**Best for complex, unstructured data**:\n- AI-powered detection catches nuanced PII patterns\n- **Use when**: Accuracy is more important than speed\n- **Performance**: ~200-1000ms per request\n- Configure: `mode = \"llm\"`\n\n\n## Advanced Usage\n\n### Claude Desktop Integration\n\nConfigure Claude Desktop to proxy MCP servers:\n\n```json\n{\n  \"mcpServers\": {\n    \"database\": {\n      \"command\": \"mcp-server-conceal\",\n      \"args\": [\n        \"--target-command\", \"python3\",\n        \"--target-args\", \"database-server.py --host localhost\",\n        \"--config\", \"/path/to/mcp-server-conceal.toml\"\n      ],\n      \"env\": {\n        \"DATABASE_URL\": \"postgresql://localhost/mydb\"\n      }\n    }\n  }\n}\n```\n\n### Custom LLM Prompts\n\nCustomize detection prompts for specific domains:\n\n**Template locations:**\n- Linux: `~/.local/share/mcp-server-conceal/prompts/`\n- macOS: `~/Library/Application Support/com.mcp-server-conceal.mcp-server-conceal/prompts/`\n- Windows: `%LOCALAPPDATA%\\\\com\\\\mcp-server-conceal\\\\mcp-server-conceal\\\\data\\\\prompts\\\\`\n\n**Usage:**\n1. Run MCP Conceal once to auto-generate `default.md` in the prompts directory:\n   ```bash\n   mcp-server-conceal --target-command echo --target-args \"test\" --config mcp-server-conceal.toml\n   ```\n2. Copy: `cp default.md healthcare.md`  \n3. Edit template for domain-specific PII patterns\n4. Configure: `prompt_template = \"healthcare\"`\n\n### Environment Variables\n\nPass environment variables to target process:\n\n```bash\nmcp-server-conceal \\\n  --target-command node \\\n  --target-args \"server.js\" \\\n  --target-cwd \"/path/to/server\" \\\n  --target-env \"DATABASE_URL=postgresql://localhost/mydb\" \\\n  --target-env \"API_KEY=secret123\" \\\n  --config mcp-server-conceal.toml\n```\n\n## Troubleshooting\n\nEnable debug logging:\n\n```bash\nRUST_LOG=debug mcp-server-conceal \\\n  --target-command python3 \\\n  --target-args server.py \\\n  --config mcp-server-conceal.toml\n```\n\n**Common Issues:**\n- Invalid regex patterns in configuration\n- Ollama connectivity problems\n- Database file permissions\n- Missing prompt templates\n\n## Security\n\n**Mapping Database:** Contains sensitive real-to-fake mappings. Secure with appropriate file permissions.\n\n**LLM Integration:** Run Ollama on trusted infrastructure when using LLM-based detection modes.\n\n## Contributing\n\nContributions are welcome! Follow these steps to get started:\n\n### Development Setup\n\n**Prerequisites:**\n- Install Rust: https://rustup.rs/\n- Minimum supported Rust version: 1.70+\n\n1. **Clone and setup:**\n   ```bash\n   git clone https://github.com/gbrigandi/mcp-server-conceal\n   cd mcp-server-conceal\n   ```\n\n2. **Build in development mode:**\n   ```bash\n   cargo build\n   cargo test\n   ```\n\n3. **Install development tools:**\n   ```bash\n   rustup component add clippy rustfmt\n   ```\n\n4. **Run with debug logging:**\n   ```bash\n   RUST_LOG=debug cargo run -- --target-command cat --target-args test.txt --config mcp-server-conceal.toml\n   ```\n\n### Testing\n\n- **Unit tests:** `cargo test`\n- **Integration tests:** `cargo test --test integration_test`\n- **Linting:** `cargo clippy`\n- **Formatting:** `cargo fmt`\n\n### Submitting Changes\n\n1. Fork the repository\n2. Create a feature branch: `git checkout -b feature-name`\n3. Make your changes and add tests\n4. Ensure all tests pass: `cargo test`\n5. Format code: `cargo fmt`\n6. Submit a pull request with a clear description\n\n## License\n\nMIT License - see LICENSE file for details.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgbrigandi%2Fmcp-server-conceal","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgbrigandi%2Fmcp-server-conceal","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgbrigandi%2Fmcp-server-conceal/lists"}