A security proxy that sits between Claude and any MCP server, scanning every tool call for prompt injection before it reaches the upstream binary. Built in Rust, it runs a four-stage scanner (Aho-Corasick prefilter, regex, Unicode normalization, confusable folding) with p99 latency under 5ms. It strips loader environment variables like LD_PRELOAD from spawned children, verifies Ed25519 manifest signatures with a TOFU keystore, and exports OTLP telemetry. The control plane exposes ten read-only tools for inspecting blocked calls, checking CVE feeds, simulating attacks, and querying the Sigstore Rekor transparency log. Reach for this when you're wrapping untrusted or third-party servers and need runtime defense against injection patterns that the MCP spec leaves out of scope.
claude mcp add --transport stdio io.studiomeyer-armor uvx armor