stallion

Stallion

Runtime security guardrails for Claude Code, Codex, and MCP-based coding setups.

Stallion sits between the agent and risky actions so you can:

• block obvious bad shell, git, MCP, and exfiltration flows
• scan a repo or runtime setup before enabling it
• keep a practical security baseline without turning normal coding into sludge

Why Use It

Coding agents can:

• run shell commands
• edit files
• push git changes
• call MCP tools
• touch secrets, browsers, databases, and local services

That is useful, but it is also enough to leak data or damage a machine fast.

Stallion helps reduce that risk with:

• preflight checks before risky actions run
• output inspection after tools return untrusted content
• local trust tracking for tools, hooks, data stores, IPC targets, and approvals
• installable profiles: minimal, balanced, and strict

Fast Start

Claude Code

claude plugin marketplace add efij/stallion
claude plugin install stallion@stallion
claude plugin list

Expected result:

• stallion@stallion
• Status: enabled

Codex

If your Codex supports local bundle install, install this repo as a plugin bundle.

Fallback:

./bin/stallion generate-runtime-config codex balanced

Local CLI Install

git clone https://github.com/efij/stallion.git
cd stallion
./bin/stallion install balanced
./bin/stallion doctor

Profiles

• minimal: lowest friction
• balanced: sensible default
• strict: strongest blocking and review prompts

What It Protects

• shell execution
• git and repo actions
• MCP requests and responses
• plugin and skill trust boundaries
• secrets and local credential stores
• local services, IPC, and browser sessions
• destructive actions and production access

Protection families

• Secrets & Identity
• Supply Chain & Dependencies
• Git & Source Control
• MCP, Plugins & Skills
• Runtime, Network & Egress
• Infra & Production Access
• Trust, Persistence & Evasion
• Quality & Workflow
• Memory & Knowledge
• SaaS & Control Planes
• Fileless & Inline Execution
• Remote Content Promotion
• Local Data Stores
• Local IPC & Helpers
• Publish, Release & Supply Chain
• Destructive Actions & Blast Radius

Full guard inventory: GUARDS.md

Common Commands

./bin/stallion install balanced
./bin/stallion doctor
./bin/stallion audit .
./bin/stallion list protections
./bin/stallion list runtimes
./bin/stallion wrap list-packs
./bin/stallion wrap add postgres-dev --command uvx --arg mcp-server-postgres --pack postgres --context-file ./db-context.md --runtime generic-mcp
./bin/stallion client status --json
./bin/stallion generate-runtime-config codex balanced
./bin/stallion generate-runtime-config cursor balanced
./bin/stallion generate-runtime-config windsurf balanced
./bin/stallion generate-runtime-config claude-desktop balanced

Stallion Managed Client

This OSS plugin can run as a Stallion-managed client. The private Stallion server/admin repo owns policy authoring, RBAC, audit warehousing, and organization governance; this repo only consumes signed or cached policy and enforces it locally.

Client-side support includes:

• managed MCP server and tool allow/deny policy
• required-route blocking when a capability must use an approved MCP instead of direct CLI/API access
• plugin and skill positive authorization
• prompt and policy-decision telemetry queueing when a runtime exposes the prompt/event
• offline policy cache with optional fail-closed behavior

Local commands:

./bin/stallion client status --json
./bin/stallion client policy --json
./bin/stallion client record-prompt --runtime codex --agent-id parent-1 "user prompt text"
./bin/stallion client flush

Default config is disabled at config/stallion-client.json; managed deployments should provision the server URL, policy cache, verification mode, and fail-closed posture.

MCP Wrap Flow

Use the inline gateway when you want to front an upstream MCP server with Stallion policy, context injection, and read-only SQL guardrails.

./bin/stallion wrap list-packs
./bin/stallion wrap add postgres-dev \
  --command uvx \
  --arg mcp-server-postgres \
  --pack postgres \
  --context-file ./db-context.md \
  --sqlite-schema ./local-dev.sqlite3 \
  --runtime generic-mcp
./bin/stallion gateway serve strict --config ./config/gateway.json --api-port 9470
./bin/stallion generate-runtime-config generic-mcp balanced

What this adds: