Runtime security guardrails for Claude Code, Codex, and MCP-based coding setups.
Stallion sits between the agent and risky actions so you can:
- block obvious bad shell, git, MCP, and exfiltration flows
- scan a repo or runtime setup before enabling it
- keep a practical security baseline without turning normal coding into sludge
Coding agents can:
- run shell commands
- edit files
- push git changes
- call MCP tools
- touch secrets, browsers, databases, and local services
That is useful, but it is also enough to leak data or damage a machine fast.
Stallion helps reduce that risk with:
- preflight checks before risky actions run
- output inspection after tools return untrusted content
- local trust tracking for tools, hooks, data stores, IPC targets, and approvals
- installable profiles:
minimal,balanced, andstrict
claude plugin marketplace add efij/stallion claude plugin install stallion@stallion claude plugin list
Expected result:
stallion@stallionStatus: enabled
If your Codex supports local bundle install, install this repo as a plugin bundle.
Fallback:
./bin/stallion generate-runtime-config codex balanced
git clone https://github.com/efij/stallion.git
cd stallion
./bin/stallion install balanced
./bin/stallion doctorminimal: lowest frictionbalanced: sensible defaultstrict: strongest blocking and review prompts
- shell execution
- git and repo actions
- MCP requests and responses
- plugin and skill trust boundaries
- secrets and local credential stores
- local services, IPC, and browser sessions
- destructive actions and production access
Protection families
Secrets & IdentitySupply Chain & DependenciesGit & Source ControlMCP, Plugins & SkillsRuntime, Network & EgressInfra & Production AccessTrust, Persistence & EvasionQuality & WorkflowMemory & KnowledgeSaaS & Control PlanesFileless & Inline ExecutionRemote Content PromotionLocal Data StoresLocal IPC & HelpersPublish, Release & Supply ChainDestructive Actions & Blast Radius
Full guard inventory: GUARDS.md
./bin/stallion install balanced
./bin/stallion doctor
./bin/stallion audit .
./bin/stallion list protections
./bin/stallion list runtimes
./bin/stallion wrap list-packs
./bin/stallion wrap add postgres-dev --command uvx --arg mcp-server-postgres --pack postgres --context-file ./db-context.md --runtime generic-mcp
./bin/stallion client status --json
./bin/stallion generate-runtime-config codex balanced
./bin/stallion generate-runtime-config cursor balanced
./bin/stallion generate-runtime-config windsurf balanced
./bin/stallion generate-runtime-config claude-desktop balancedThis OSS plugin can run as a Stallion-managed client. The private Stallion server/admin repo owns policy authoring, RBAC, audit warehousing, and organization governance; this repo only consumes signed or cached policy and enforces it locally.
Client-side support includes:
- managed MCP server and tool allow/deny policy
- required-route blocking when a capability must use an approved MCP instead of direct CLI/API access
- plugin and skill positive authorization
- prompt and policy-decision telemetry queueing when a runtime exposes the prompt/event
- offline policy cache with optional fail-closed behavior
Local commands:
./bin/stallion client status --json
./bin/stallion client policy --json
./bin/stallion client record-prompt --runtime codex --agent-id parent-1 "user prompt text"
./bin/stallion client flushDefault config is disabled at config/stallion-client.json; managed deployments should provision the server URL, policy cache, verification mode, and fail-closed posture.
Use the inline gateway when you want to front an upstream MCP server with Stallion policy, context injection, and read-only SQL guardrails.
./bin/stallion wrap list-packs ./bin/stallion wrap add postgres-dev \ --command uvx \ --arg mcp-server-postgres \ --pack postgres \ --context-file ./db-context.md \ --sqlite-schema ./local-dev.sqlite3 \ --runtime generic-mcp ./bin/stallion gateway serve strict --config ./config/gateway.json --api-port 9470 ./bin/stallion generate-runtime-config generic-mcp balanced
What this adds:
- built-in service packs for common MCP surfaces like
postgres,supabase,github, andfilesystem - schema or operator context injected into matching tool descriptions during
tools/list - read-only SQL enforcement for configured MCP query tools before the request reaches the upstream server
Advanced trust-plane commands
./bin/stallion tools list --json ./bin/stallion tools approve <name-or-path> ./bin/stallion hooks list --json ./bin/stallion hooks diff <path-or-key> ./bin/stallion approvals list --json ./bin/stallion services list --json ./bin/stallion data list --json ./bin/stallion ipc list --json ./bin/stallion browser sessions --json ./bin/stallion flow list --json ./bin/stallion agents graph --json ./bin/stallion memory list --json ./bin/stallion knowledge list --json ./bin/stallion review list --json ./bin/stallion artifacts list --json ./bin/stallion release list --json ./bin/stallion destructive list --json ./bin/stallion handoff graph --json ./bin/stallion auth list --json ./bin/stallion apps list --json ./bin/stallion safety list --json
| Runtime | Status | How |
|---|---|---|
| Claude Code | First-class | native plugin hooks |
| Codex | Supported | plugin bundle or generated MCP config |
| Cursor | Supported | generated mcp.json |
| Windsurf | Supported | generated mcp_config.json |
| Claude Desktop | Supported | generated claude_desktop_config.json |
| Generic MCP clients | Supported | inline MCP gateway |
| CI | Supported | CLI policy checks |
More detail: RUNTIMES.md
If you want to inspect before enabling:
./bin/stallion audit . ./bin/stallion audit . --format html --output stallion-audit.html ./bin/stallion audit . --format sarif --output stallion-audit.sarif
Run:
claude plugin uninstall stallion@stallion claude plugin marketplace remove stallion claude plugin marketplace add efij/stallion claude plugin install stallion@stallion claude plugin list
You want:
Status: enabled
If GitHub still serves an older broken marketplace state, install from a local checkout until the fix is pushed:
cd ..
git clone https://github.com/efij/stallion.git
claude plugin marketplace add ./stallion
claude plugin install stallion@stallionRun the local smoke checks:
bash tests/smoke.sh
If you only want the quick sanity path:
bash -n bin/shield install.sh update.sh uninstall.sh hooks/lib/patterns.sh tests/smoke.sh
python3 -m py_compile scripts/stallion_tools.py
./bin/stallion generate-plugin-hooks balanced /tmp/stallion-hooks.json
claude plugin validate .More install options
curl -fsSL https://raw.githubusercontent.com/efij/stallion/main/scripts/bootstrap.sh | bash -s -- --repo efij/stallion --ref main --profile balancedirm https://raw.githubusercontent.com/efij/stallion/main/scripts/bootstrap.ps1 | iex; Install-Stallion -Repo "efij/stallion" -Ref "main" -Profile "balanced"
install.shupdate.shuninstall.sh
They forward to ./bin/stallion.
GUARDS.md: guard inventoryRUNTIMES.md: runtime adaptersSECURITY_MODEL.md: model and assumptionsCHANGELOG.md: release notesCONTRIBUTING.md: contributor notes
MIT