Architecture
How SpiderShield intercepts tool calls and enforces security policies.
Request Flow
AI Agent (LangChain / OpenAI / CrewAI / AutoGen)
  |
  v
SpiderShield
  1. Policy Check: ALLOW / DENY / ESCALATE
  2. DLP Scan (post-execution): PII / Secrets / Injection
  3. Audit Log: JSONL event stream
  |
  v
Tool Execution (MCP Servers / APIs / Shell / Filesystem)
Core Components
Policy Engine
YAML-based rules evaluated before every tool call. Three presets (permissive, balanced, strict) or custom rules.
- Pattern matching on tool names and arguments
- ALLOW / DENY / ESCALATE decisions
- Configurable per-tool overrides
- Custom rule authoring with regex patterns
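To make the evaluation order concrete, here is a small first-match-wins policy evaluator written as an added illustration for this page; it is not SpiderShield's own engine, and the rule keys (`name`, `tool`, `args`, `action`), the per-tool `OVERRIDES` map and the `DEFAULT_ACTION` fallback are assumptions about what a YAML loader would hand the engine, not the project's real schema. Tool names are glob-matched and each listed argument is regex-matched, which is how the page describes pattern matching on tool names and arguments.

```python
import re
from fnmatch import fnmatch
from typing import Any, Dict, List, Tuple

VALID_ACTIONS = {"ALLOW", "DENY", "ESCALATE"}

# Hypothetical rule list in the shape a YAML loader (e.g. PyYAML safe_load)
# would produce. The keys are an assumption for this example, not
# SpiderShield's real schema. Rules are evaluated top to bottom; first match wins.
RULES: List[Dict[str, Any]] = [
    {"name": "deny-destructive-shell", "tool": "shell",
     "args": {"command": r"\brm\s+-rf\b|\bmkfs\b"}, "action": "DENY"},
    {"name": "allow-workspace-writes", "tool": "fs.write",
     "args": {"path": r"^/workspace/"}, "action": "ALLOW"},
    {"name": "escalate-other-writes", "tool": "fs.write", "action": "ESCALATE"},
    {"name": "allow-reads", "tool": "fs.read", "action": "ALLOW"},
]

# Per-tool overrides win over the rule list (assumption about precedence).
OVERRIDES: Dict[str, str] = {"fs.delete": "DENY"}

# Fallback when nothing matches. A "strict" preset would use DENY here;
# ESCALATE is a balanced-style choice (assumption).
DEFAULT_ACTION = "ESCALATE"


def validate_rules(rules: List[Dict[str, Any]]) -> None:
    """Fail at load time, not at call time: bad actions or regexes are config bugs."""
    for rule in rules:
        if rule.get("action") not in VALID_ACTIONS:
            raise ValueError(f"rule {rule.get('name')!r}: invalid action {rule.get('action')!r}")
        for arg_name, pattern in rule.get("args", {}).items():
            re.compile(pattern)  # raises re.error on a malformed pattern


def rule_matches(rule: Dict[str, Any], tool_name: str, args: Dict[str, Any]) -> bool:
    """Glob-match the tool name, then regex-search every listed argument."""
    if not fnmatch(tool_name, rule.get("tool", "*")):
        return False
    for arg_name, pattern in rule.get("args", {}).items():
        value = args.get(arg_name)
        # A rule that constrains an argument does not match when it is absent.
        if value is None or re.search(pattern, str(value)) is None:
            return False
    return True


def evaluate(tool_name: str, args: Dict[str, Any],
             rules: List[Dict[str, Any]] = RULES,
             overrides: Dict[str, str] = OVERRIDES,
             default: str = DEFAULT_ACTION) -> Tuple[str, str]:
    """Return (action, reason). Precedence: override > first matching rule > default."""
    if tool_name in overrides:
        return overrides[tool_name], f"override:{tool_name}"
    for rule in rules:
        if rule_matches(rule, tool_name, args):
            return rule["action"], rule["name"]
    return default, "default"


validate_rules(RULES)

if __name__ == "__main__":
    for tool, args in [("shell", {"command": "rm -rf /tmp/build"}),
                       ("fs.write", {"path": "/etc/hosts"}),
                       ("fs.delete", {"path": "/workspace/old.txt"})]:
        print(tool, args, "->", evaluate(tool, args))
```

The reason string is what you would want to carry into the audit event: a DENY that names the rule that fired is far easier to triage than a bare decision, and a `default` reason is a signal that the rule set has a coverage gap for that tool.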
DLP Scanner
Post-execution scanning of tool outputs for sensitive data leakage.
- PII detection (emails, phones, SSNs, credit cards)
- Secret scanning (API keys, tokens, passwords)
- Prompt injection detection in tool outputs
- Configurable: log, redact, or block modes
Audit Logger
Complete audit trail for every tool call, policy decision, and DLP event.
- JSONL format for easy parsing and SIEM integration
- Queryable via CLI (audit show, audit stats)
- Session-based grouping
- Timestamps, tool names, arguments, decisions
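The DLP Scanner and Audit Logger sections above describe the post-execution half of the flow; the following added example (not SpiderShield's code) shows both working together: constructed detector patterns for PII, secrets and an injection phrase, the three handling modes (`log`, `redact`, `block`), a Luhn check so that random 16-digit strings are not reported as card numbers, and a JSONL audit writer plus a stats reader in the spirit of `audit stats`. The patterns, event field names and the sample tool output are all assumptions made for this example; `AKIAIOSFODNN7EXAMPLE` is the placeholder access key ID from AWS's own documentation, not a live credential.

```python
import io
import json
import re
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed, illustrative detectors (assumption: SpiderShield's real patterns
# are not shown on the page). Production scanners use far more and stricter rules.
DETECTORS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credit_card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "prompt_injection": re.compile(r"ignore (?:all )?(?:previous|prior) instructions", re.I),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; drops 16-digit runs (order numbers, ids) that are not card numbers."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:  # double every second digit counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class ScanResult:
    findings: List[Tuple[str, str]]  # (kind, matched text)
    output: Optional[str]            # None when the output was blocked
    blocked: bool = False


def scan_output(text: str, mode: str = "redact") -> ScanResult:
    """Scan a tool's output. mode: 'log' (pass through), 'redact' (mask), 'block' (drop)."""
    if mode not in ("log", "redact", "block"):
        raise ValueError(f"unknown DLP mode {mode!r}")
    findings: List[Tuple[str, str]] = []
    redacted = text
    for kind, pattern in DETECTORS.items():
        for m in pattern.finditer(text):
            if kind == "credit_card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue  # shaped like a card number but fails Luhn: not a finding
            findings.append((kind, m.group()))
            redacted = redacted.replace(m.group(), f"[REDACTED:{kind}]")
    if mode == "block" and findings:
        return ScanResult(findings, None, blocked=True)
    return ScanResult(findings, redacted if mode == "redact" else text)


class AuditLogger:
    """Append-only JSONL trail: one self-contained JSON object per line, SIEM-friendly."""

    def __init__(self, stream):
        self.stream = stream

    def log(self, session_id: str, tool: str, args: Dict, decision: str,
            dlp_findings: List[Tuple[str, str]] = ()) -> Dict:
        event = {
            "ts": time.time(),
            "session": session_id,
            "tool": tool,
            "args": args,
            "decision": decision,
            # Record only the finding kinds: the audit log must not become a
            # second copy of the secret or PII the scanner just caught.
            "dlp": [kind for kind, _ in dlp_findings],
        }
        self.stream.write(json.dumps(event, sort_keys=True) + "\n")
        return event


def audit_stats(jsonl_text: str) -> Dict:
    """Aggregate a JSONL trail: event count, decisions and DLP kinds (like an 'audit stats' view)."""
    stats: Dict = {"events": 0, "decisions": {}, "dlp": {}}
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        stats["events"] += 1
        stats["decisions"][ev["decision"]] = stats["decisions"].get(ev["decision"], 0) + 1
        for kind in ev["dlp"]:
            stats["dlp"][kind] = stats["dlp"].get(kind, 0) + 1
    return stats


def demo() -> Dict:
    """Run one session through scan + audit and return the redacted output and stats."""
    buf = io.StringIO()
    audit = AuditLogger(buf)
    # Constructed sample tool output: one real-shaped card (Luhn-valid) and one that is not.
    sample = "Contact: alice@example.com, card 4111 1111 1111 1111, order 1234 5678 9012 3456"
    result = scan_output(sample, mode="redact")
    audit.log("sess-1", "fs.read", {"path": "/workspace/customers.txt"}, "ALLOW", result.findings)
    audit.log("sess-1", "shell", {"command": "rm -rf /tmp/build"}, "DENY")
    return {"redacted": result.output, "stats": audit_stats(buf.getvalue())}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points worth noting: `block` mode discards the whole output rather than attempting a partial redaction, because once an injection phrase is present you cannot trust the rest of the text either; and the audit event carries finding kinds but never the matched strings, so the trail stays safe to ship to a SIEM.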
Deployment Modes
SDK Mode
Import SpiderGuard directly into your Python application. Full programmatic control.
from spidershield import SpiderGuard
- ✓ Custom agent frameworks
- ✓ Fine-grained control
- ✓ Programmatic policy
Guard Mode
Wrap any stdio-based MCP server. Zero code changes to the server.
spidershield guard --preset balanced -- npx server
- ✓ MCP stdio servers
- ✓ Quick setup
- ✓ Claude Desktop
Proxy Mode
Transparent HTTP proxy for MCP servers. Intercepts all tool calls.
spidershield proxy --policy strict -- python server.py
- ✓ HTTP MCP servers
- ✓ Multi-server setups
- ✓ Network-level interception