MCP Conceal

Privacy-focused MCP proxy that intelligently pseudo-anonymizes PII in real-time before data reaches external AI providers, maintaining semantic relationships for accurate analysis
  • rust

8

GitHub Stars

rust

Language

6 months ago

First Indexed

2 months ago

Catalog Refreshed

Documentation & install

Readme and setup notes from the catalogue, plus a client-ready config you can copy for your MCP host.

Installation

Add the following to your MCP client configuration file.

Configuration

View docs
{
  "mcpServers": {
    "gbrigandi-mcp-server-conceal": {
      "command": "mcp-server-conceal",
      "args": [
        "--target-command",
        "python3",
        "--target-args",
        "database-server.py --host localhost",
        "--config",
        "/path/to/mcp-server-conceal.toml"
      ],
      "env": {
        "DATABASE_URL": "postgresql://localhost/mydb"
      }
    }
  }
}

MCP Conceal is a proxy that analyzes data for PII and replaces sensitive information with consistent, fake equivalents before it reaches external AI providers. It preserves semantic structure and data relationships so AI tools can analyze results effectively while keeping real identifiers protected.

How to use

You run MCP Conceal as a proxy in front of your MCP server. The server detects PII using your chosen strategy, replaces it with consistent fake data, and forwards the sanitized responses to your AI client. You can run with a local target process or point to another MCP server, and you can customize how detection and anonymization are performed.

How to install

Prerequisites are a Rust toolchain and a target language/runtime for your MCP client. You will build from source or use a pre-built binary for your platform.

Configuration and usage details

You can customize how PII is detected and how fake data is generated. The configuration supports detection modes, faker settings, mapping retention, and LLM integration parameters. A minimal example enables regex-based detection with an Ollama-based LLM for remaining cases.

[detection]
mode = "regex_llm"                # Detection strategy: regex, llm, regex_llm
enabled = true                    
confidence_threshold = 0.8        # Detection confidence threshold (0.0-1.0)

[detection.patterns]
e-mail = "\\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\\.[A-Z|a-z]{2,}\\b"
phone = "\\b(?:\\+?1[-\\.\\s]?)?(?:\\(?[0-9]{3}\\)?[-\\.\\s]?)?[0-9]{3}[-\\.\\s]?[0-9]{4}\\b"
ssn = "\\b\\d{3}-\d{2}-\d{4}\\b"
credit_card = "\\b\\d{4}[-\\s]?\\d{4}[-\\s]?\\d{4}[-\\s]?\\d{4}\\b"
ip_address = "\\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\b"
url = "https?://[^\\s/$.?#].[^\\s]*"

[faker]
locale = "en_US"                  # Locale for generating realistic fake PII data
seed = 12345                      # Seed ensures consistent anonymization across restarts
consistency = true                # Same real PII always maps to same fake data

[mapping]
database_path = "mappings.db"     # SQLite database storing real-to-fake mappings
retention_days = 90               # Delete old mappings after N days

[llm]
model = "llama3.2:3b"             # Ollama model for PII detection
endpoint = "http://localhost:11434"
timeout_seconds = 180
prompt_template = "default"       # Template for PII detection prompts

[llm_cache]
enabled = true                    # Cache LLM detection results for performance
database_path = "llm_cache.db"
max_text_length = 2000

Advanced usage

The example below shows how to wire MCP Conceal to a local server and how to customize prompts for domain-specific PII patterns.

{
  "mcpServers": {
    "database": {
      "command": "mcp-server-conceal",
      "args": [
        "--target-command", "python3",
        "--target-args", "database-server.py --host localhost",
        "--config", "/path/to/mcp-server-conceal.toml"
      ],
      "env": {
        "DATABASE_URL": "postgresql://localhost/mydb"
      }
    }
  }
}

Environment variables

You can pass environment variables to the target process through the MCP Conceal proxy. The following example shows how to set a database URL and an API key for the target server.

mcp-server-conceal \
  --target-command node \
  --target-args "server.js" \
  --target-env "DATABASE_URL=postgresql://localhost/mydb" \
  --target-env "API_KEY=secret123" \
  --config mcp-server-conceal.toml

Troubleshooting

Enable debug logging to diagnose issues. Check common problems like invalid patterns, connectivity to the local LLM service, database permissions, and missing prompt templates.

RUST_LOG=debug mcp-server-conceal \
  --target-command python3 \
  --target-args server.py \
  --config mcp-server-conceal.toml

Security

The mapping database contains real-to-fake data mappings. Protect this file with appropriate permissions. Run LLM-based detection only on trusted infrastructure.

Contributing

Contributions are welcome. Follow these steps to get started.

# Development setup
rustup target add aarch64-unknown-linux-gnu

# Build in development mode
cargo build
cargo test

# Run with debug logging
RUST_LOG=debug cargo run -- --target-command cat --target-args test.txt --config mcp-server-conceal.toml
Built by
VeilStrat
AI signals for GTM teams
© 2026 VeilStrat. All rights reserved.All systems operational