
New MCP Proxy Adds Tamper-Evident Audit Trails to AI Agent Tool Calls


What Happened

Sovereign Labs released @sovereign-labs/mcp-proxy, an open-source governance proxy that sits between AI agents like Claude Code and MCP tool servers. It creates a tamper-evident audit trail of every tool call without requiring changes to either the agent or the server.

The proxy provides three technical guarantees. First, hash-chained receipts: every tool invocation generates a cryptographically linked record in which each receipt carries the hash of the one before it, the same construction used for commits in a git history or blocks in a blockchain. Modify a past receipt and the chain breaks, with verification flagging the exact sequence number at which the tampering occurred.

Second, constraint-based loop prevention. When a tool call fails, the proxy fingerprints that failure and blocks identical subsequent calls within a configurable time window. If receipt #3 fails and receipt #4 is the same call, the proxy blocks it automatically. This prevents the common pattern of agents retrying the same broken operation in a loop.

Third, authority tracking with stable controller IDs and monotonic epoch counters. This lets you verify which controller was active during any execution and whether that authority remained valid throughout.

The receipt ledger distinguishes between successful operations, mutations (writes), blocked calls, and errors. A --verify command performs chain integrity checks across all receipts. The package runs on Node 18+, is MIT licensed, and is currently in public beta.

Why It Matters

As AI agents gain the ability to execute real actions through MCP - creating files, querying databases, calling APIs - the question of accountability becomes critical. Right now, if Claude Code makes an unexpected change via an MCP tool, you have limited forensic capability. You might see the change, but proving exactly what happened, when, and in what sequence requires digging through logs that were never designed for auditing.

The loop prevention feature addresses a practical pain point. Anyone who has watched an AI agent retry a failing database query or API call dozens of times knows this costs real money and sometimes causes real damage. Automatic deduplication of failed calls is a sensible default that should arguably be built into MCP itself.

For teams deploying AI agents in production or regulated environments, the tamper-evident chain provides a verifiable record that cannot be silently edited after the fact by the agent or by an operator. One caveat a practitioner should keep in mind: a hash chain is tamper-evident, not tamper-proof. Anyone with write access to the ledger can rewrite a receipt and recompute every hash after it, and the chain will verify cleanly, so the head hash needs to be checkpointed or exported somewhere that writer cannot reach for the guarantee to hold against an insider.

Our Take

This is infrastructure that the MCP ecosystem needs but is not getting from Anthropic directly. The Model Context Protocol specification defines how agents talk to tools, but says nothing about auditing, rate limiting, or loop prevention. Those are left as exercises for the deployer.

The hash-chain approach is borrowed from well-understood cryptographic patterns. It is not novel, but applying it to MCP tool calls is smart and timely. The fact that it works as a transparent proxy - requiring zero changes to existing agents or servers - makes adoption realistic. The flip side of that transparency is that the audit trail covers only the calls routed through the proxy; an agent configured to reach an MCP server directly bypasses it, so the deployer still has to ensure the proxy is the only path to the servers that matter.

The loop prevention feature is arguably more immediately useful than the audit trail. Failed tool calls that repeat in a loop are one of the most common and costly failure modes in agentic workflows. Having that blocked at the proxy layer, rather than hoping the agent figures it out, is a meaningful improvement.

If you are running MCP servers in any environment where you need to answer the question "what did the AI agent actually do," this proxy is worth evaluating. It is still in beta, so expect rough edges. But the core design is sound, and the MIT license means you can fork it if needed.