v0.1.1 · open-source · MIT

Trust, but audit — every AI tool call.

Trabecc is the gateway between your AI agent and the MCP servers it calls. Default-deny policy, full audit trail, per-tool rate limits — drop in front of Claude Desktop, Cursor, Claude Code, or your own agent in 60 seconds. No code changes.

Get started on GitHub See how it works
$ npx trabecc@latest init && npx trabecc@latest run ⌘C
Trabecc logo

Built for the agents your team already uses

The problem

Your agent is making decisions you can't see.

MCP gives your agent superpowers — and gives you no way to know which tools it called, on what arguments, or whether the call should have been allowed. Three months in, every team hits the same three walls.

No audit trail

You can't answer "what did my agent do today?" because the protocol doesn't log calls. When something breaks, you have no forensic record.

No deny policy

Every tool the MCP server exposes is callable. The read-only filesystem server can also write, and there's no built-in way to gate specific paths or operations.

Runaway loops cost real money

Agents in production sometimes loop. Without per-tool rate limits, one bad prompt can ship your monthly Perplexity / OpenAI / S3 budget to a stranger.

How it works

One drop-in. Speaks plain MCP on both sides.

Your agent thinks Trabecc is a single MCP server. Internally, Trabecc fans out to all your real upstream servers, namespaces their tools, and intercepts every call. Same wire format. Zero agent code changes.

MCP Client Claude · Cursor · … Trabecc policy · audit · rate limit trust, but audit filesystem github slack your agent upstream MCP servers
What you get

Six features. Day one. No config theater.

No SDK to integrate. No agent code changes. No new infrastructure to run. Trabecc is one binary that speaks plain MCP on both sides.

Default-deny policy

Glob-matched allow/deny rules with optional argument-level predicates. Block fs__write_* when path matches /etc/* with one line of YAML.

Audit log on every call

SQLite-backed, ships with the binary. Records the calling client, redacts credential-shaped args. 90-day cloud retention available.

Per-tool rate limits

Token-bucket per qualified tool. Catch the runaway agent loop before it ships your API budget to a stranger.

Multi-server fan-out

Connect filesystem, GitHub, Slack, Postgres — all behind one MCP endpoint, with namespaced tools (github__search_issues).

Live dashboard

Server-rendered HTML at localhost:4577. Recent calls, outcomes, top tools. Auto-refresh, no JS required.

One file. Zero build.

YAML for servers, rules, and rate limits. One Node binary. Self-host on a laptop or run in your fleet — same code.

Configuration

A YAML file you can grep.

Policy lives where your team can read it: a single config file in git. No DSL, no remote control plane required, no learning curve. Argument-level rules give you fine-grained control without engineering investment.

Read the docs →
~/.trabecc/config.yaml 
# default-deny — opt in to tools, don't opt out
defaultPolicy: deny

servers:
  - name: filesystem
    command: npx
    args: ["-y", "@modelcontextprotocol/server-filesystem", "~/code"]

rules:
  - match: "filesystem__read_*"
    effect: allow

  # argument-level rule — never write under /etc
  - match: "filesystem__write_*"
    effect: deny
    when: { path: "/etc/*" }
    reason: "no writes under /etc"

rateLimits:
  - match: "filesystem__*"
    perMinute: 120
Live dashboard

Every call, observable.

Server-rendered, no SPA, no auth headache. Open localhost:4577 next to your agent and watch the audit log fill in real time.

Trabecc gateway for MCP · default policy: deny · 1 upstream · 14 rules last 60m · refreshing every 5s ACTIVITY (LAST 60M) 1,247 TOTAL CALLS 1,184 ALLOWED 47 DENIED 12 RATE LIMITED 4 ERRORED RECENT CALLS TIME TOOL AGENT ARGS OUTCOME MS 14:32:18.412 filesystem__write_file claude-ai@1.2.4 {"path":"/etc/hosts","content":"…"} DENIED 2 14:32:14.117 filesystem__read_text_file claude-ai@1.2.4 {"path":"~/code/trabecc/README.md"} ALLOWED 14 14:32:09.882 github__search_issues cursor@0.42 {"q":"is:open label:bug"} ALLOWED 187 14:32:03.541 filesystem__list_directory claude-code@1.0 {"path":"~/code"} RATE LIMITED 0 14:31:58.203 filesystem__read_text_file claude-ai@1.2.4 {"path":"~/code/trabecc/package.json"} ALLOWED 8 14:31:51.119 filesystem__write_file claude-ai@1.2.4 {"path":"~/.ssh/authorized_keys",...} DENIED 1 Trabecc v0.1.1 · MIT · /api/audit
Engineered to be invisible

Sub-millisecond overhead. Zero new dependencies for your team.

<1ms
Policy decision overhead per call
68 KB
npm install footprint, unpacked
0
Native dependencies; pure Node
60s
From npm install to first audit row
"
The bug isn't that the LLM made a bad tool call. The bug is that nothing in your stack was watching. Trabecc is what you wire in before that becomes your incident.
Customer testimonial — placeholder
Replace with real quote post-launch
Pricing

Free forever to self-host. Cloud is one config flag.

The OSS works fully without ever phoning home. Cloud retention, alerts, and team dashboards are the same code with one flag flipped.

Self-host

$0
  • Full proxy + audit + policy
  • Local SQLite audit log
  • Single-machine dashboard
  • Community support
Read the docs
Most popular

Pro

$29 / user / month
  • Cloud audit retention (90 days)
  • Multi-host dashboards
  • Anomaly alerts (email + webhook)
  • Email support
Start free trial

Team

$99 / user / month
  • SSO (Google, Okta)
  • 1-year audit retention
  • Policy approval workflow
  • Priority support
Contact us

Enterprise

Custom
  • SOC 2, on-prem option
  • Unlimited retention
  • Dedicated support
  • Custom integrations
Talk to us
FAQ

Questions everyone asks first.

Does Trabecc work with my existing MCP servers?

Yes. Trabecc speaks plain MCP on both sides — it appears as a single MCP server to your client, and connects to your existing upstream servers as their client. No changes to either side. Tested against the official filesystem, github, slack, and postgres servers, plus any community server using the standard SDK.

Will it slow down my agent?

Policy decisions are sub-millisecond. Audit writes are async. The fan-out adds one process hop, which adds about ~1-3ms per tool call. For agents that already wait hundreds of ms on LLM responses, this is unmeasurable.

Does the OSS phone home?

No. Zero telemetry by default. The cloud-sync code is opt-in and only activates when you set cloud.apiKey in your config — that's the wedge between OSS and the paid tier.

What about claims my agent makes after going through Trabecc — can it fool me?

Trabecc records every call's request, response size, duration, and outcome before passing the result back to the agent. The audit log is independent of what the agent claims it did. A useful pattern: have your reviewer compare the agent's narrative against the audit log.

I'm running 50 agents in production. Does Trabecc scale?

Each agent gets its own Trabecc instance — they're cheap to spawn and don't share state. The cloud product centralizes audit logs across all of them so you have one dashboard. For 50 agents, you'd run 50 Trabecc processes (or sidecars if containerized) and one cloud account.

Can I write a policy that needs to call out to my own service?

v0.1 is YAML-only — argument-level globs cover ~80% of real cases. v0.2 will add a webhook hook for arbitrary policy decisions. If you need this now, open an issue with your use case.

Stop hoping. Start governing.

60 seconds to install. Default-deny by default. MIT licensed.

Get started on GitHub → Start Pro free trial