The Secure MCP Control Panel
Connect AI to your data/software with additional security controls to help reduce data exfiltration risks. Gain visibility, monitor potential threats, and get alerts on the data your agent is reading/writing.
OpenEdison helps address the lethal trifecta problem, which can increase risks of agent hijacking & data exfiltration by malicious actors.
Join our Discord for feedback, feature requests, and to discuss MCP security for your use case: discord.gg/tXjATaKgTV
π§ To get visibility, control and exfiltration blocker into AI's interaction with your company software, systems of record, DBs, Contact us to discuss.
- π Data leak monitoring - Edison detects and blocks potential data leaks through configurable security controls
- π°οΈ Controlled execution - Provides structured execution controls to reduce data exfiltration risks.
- ποΈ Easily configurable - Easy to configure and manage your MCP servers
- π Visibility into agent interactions - Track and monitor your agents and their interactions with connected software/data via MCP calls
- π Simple API - REST API for managing MCP servers and proxying requests
- π³ Docker support - Run in a container for easy deployment
π€ Quick integration with LangGraph and other agent frameworks
Open-Edison integrates with LangGraph, LangChain, and plain Python agents by decorating your tools/functions with @edison.track(). This provides immediate observability and policy enforcement without invasive changes.
Just add @edison.track() to your tools/functions to enable Open-Edison controls and observability.
Read more in docs/langgraph_quickstart.md
Edison helps you gain observability, control, and policy enforcement for AI interactions with systems of records, existing company software and data. Reduce risks of AI-caused data leakage with streamlined setup for cross-system governance.
The fastest way to get started:
# Installs uv (via Astral installer) and launches open-edison with uvx.
# Note: This does NOT install Node/npx. Install Node if you plan to use npx-based tools like mcp-remote.
curl -fsSL https://raw.githubusercontent.com/Edison-Watch/open-edison/main/curl_pipe_bash.sh | bashRun locally with uvx: uvx open-edison
That will run the setup wizard if necessary.
β¬οΈ Install Node.js/npm (optional for MCP tools)
If you need npx (for Node-based MCP tools like mcp-remote), install Node.js as well:
- uv:
curl -fsSL https://astral.sh/uv/install.sh | sh - Node/npx:
brew install node
- uv:
curl -fsSL https://astral.sh/uv/install.sh | sh - Node/npx:
sudo apt-get update && sudo apt-get install -y nodejs npm
- uv:
powershell -ExecutionPolicy ByPass -c "irm https://astral.sh/uv/install.ps1 | iex" - Node/npx:
winget install -e --id OpenJS.NodeJS
After installation, ensure that npx is available on PATH.
Install from PyPI
- Pipx/uvx
# Using uvx
uvx open-edison
# Using pipx
pipx install open-edison
open-edisonRun with a custom config directory:
open-edison run --config-dir ~/edison-config
# or via environment variable
OPEN_EDISON_CONFIG_DIR=~/edison-config open-edison run
Run with Docker
There is a dockerfile for simple local setup.
# Single-line:
git clone https://github.com/Edison-Watch/open-edison.git && cd open-edison && make docker_run
# Or
# Clone repo
git clone https://github.com/Edison-Watch/open-edison.git
# Enter repo
cd open-edison
# Build and run
make docker_runThe MCP server will be available at http://localhost:3000 and the api + frontend at http://localhost:3001. π
βοΈ Run from source
- Clone the repository:
git clone https://github.com/Edison-Watch/open-edison.git
cd open-edison- Set up the project:
make setup- Edit
config.jsonto configure your MCP servers. See the full file: config.json, it looks like:
{
"server": { "host": "0.0.0.0", "port": 3000, "api_key": "..." },
"logging": { "level": "INFO"},
"mcp_servers": [
{ "name": "filesystem", "command": "uvx", "args": ["mcp-server-filesystem", "/tmp"], "enabled": true },
{ "name": "github", "enabled": false, "env": { "GITHUB_PERSONAL_ACCESS_TOKEN": "..." } }
]
}- Run the server:
make run
# or, from the installed package
open-edison runThe server will be available at http://localhost:3000. π
π MCP Connection
Connect any MCP client to Open Edison (requires Node.js/npm for npx):
npx -y mcp-remote http://localhost:3000/mcp/ --http-only --header "Authorization: Bearer your-api-key"Or add to your MCP client config:
{
"mcpServers": {
"open-edison": {
"command": "npx",
"args": ["-y", "mcp-remote", "http://localhost:3000/mcp/", "--http-only", "--header", "Authorization: Bearer your-api-key"]
}
}
}π€ Connect to ChatGPT (Plus/Pro)
Open-Edison comes preconfigured with ngrok for easy ChatGPT integration. Follow these steps to connect:
- Visit https://dashboard.ngrok.com to sign up for a free account
- Get your authtoken from the "Your Authtoken" page
- Create a domain name in the "Domains" page
- Set these values in your
ngrok.ymlfile:
version: 3
agent:
authtoken: YOUR_NGROK_AUTH_TOKEN
endpoints:
- name: open-edison-mcp
url: https://YOUR_DOMAIN.ngrok-free.app
upstream:
url: http://localhost:3000
protocol: http1make ngrok-startThis will start the ngrok tunnel and make Open-Edison accessible via your custom domain.
- Click on your profile icon in ChatGPT
- Select Settings
- Go to "Connectors" in the settings menu
- Select "Advanced Settings"
- Enable "Developer Mode (beta)"
- Click on your profile icon in ChatGPT
- Select Settings
- Go to "Connectors" in the settings menu
- Select "Create" next to "Browse connections"
- Set a name (e.g., "Open-Edison")
- Use your ngrok URL as the MCP Server URL (e.g.,
https://your-domain.ngrok-free.app/mcp/) - Select "No authentication" in the Authentication menu
- Tick the "I trust this application" checkbox
- Press Create
Every time you start a new chat:
- Click on the plus sign in the prompt text box ("Ask anything")
- Hover over "... More"
- Click on "Developer Mode"
- "Developer Mode" and your connector name (e.g., "Open-Edison") will appear at the bottom of the prompt textbox
You can now use Open-Edison's MCP tools directly in your ChatGPT conversations! Do not forget to repeat step 5 everytime you start a new chat.
π§ Usage
See API Reference for full API documentation.
π οΈ Development
Setup from source as above.
Server doesn't have any auto-reload at the moment, so you'll need to run & ctrl-c this during development.
make runWe expect make ci to return cleanly.
make ciβοΈ Configuration (config.json)
The config.json file contains all configuration:
server.host- Server host (default: localhost)server.port- Server port (default: 3000)server.api_key- API key for authenticationlogging.level- Log level (DEBUG, INFO, WARNING, ERROR)mcp_servers- Array of MCP server configurations
Each MCP server configuration includes:
name- Unique name for the servercommand- Command to run the MCP serverargs- Arguments for the commandenv- Environment variables (optional)enabled- Whether to auto-start this server
π± The lethal trifecta, agent lifecycle management
Open Edison includes a comprehensive security monitoring system that tracks the "lethal trifecta" of AI agent risks, as described in Simon Willison's blog post:
- Private data access - Access to sensitive local files/data
- Untrusted content exposure - Exposure to external/web content
- External communication - Ability to write/send data externally
The configuration allows you to classify these risks across tools, resources, and prompts using separate configuration files.
In addition to trifecta, we track Access Control Level (ACL) for each tool call, that is, each tool has an ACL level (one of PUBLIC, PRIVATE, or SECRET), and we track the highest ACL level for each session. If a write operation is attempted to a lower ACL level, it can be blocked based on your configuration.
Defines security classifications for MCP tools. See full file: tool_permissions.json, it looks like:
{
"_metadata": { "last_updated": "2025-08-07" },
"builtin": {
"get_security_status": { "enabled": true, "write_operation": false, "read_private_data": false, "read_untrusted_public_data": false, "acl": "PUBLIC" }
},
"filesystem": {
"read_file": { "enabled": true, "write_operation": false, "read_private_data": true, "read_untrusted_public_data": false, "acl": "PRIVATE" },
"write_file": { "enabled": true, "write_operation": true, "read_private_data": true, "read_untrusted_public_data": false, "acl": "PRIVATE" }
}
}π Resource Permissions (`resource_permissions.json`)
Defines security classifications for resource access patterns. See full file: resource_permissions.json, it looks like:
{
"_metadata": { "last_updated": "2025-08-07" },
"builtin": { "config://app": { "enabled": true, "write_operation": false, "read_private_data": false, "read_untrusted_public_data": false } }
}π¬ Prompt Permissions (`prompt_permissions.json`)
Defines security classifications for prompt types. See full file: prompt_permissions.json, it looks like:
{
"_metadata": { "last_updated": "2025-08-07" },
"builtin": { "summarize_text": { "enabled": true, "write_operation": false, "read_private_data": false, "read_untrusted_public_data": false } }
}All permission types support wildcard patterns:
- Tools:
server_name/*(e.g.,filesystem/*matches all filesystem tools) - Resources:
scheme:*(e.g.,file:*matches all file resources) - Prompts:
type:*(e.g.,template:*matches all template prompts)
All items must be explicitly configured - unknown tools/resources/prompts will be rejected for security.
Use the get_security_status tool to monitor your session's current risk level and see which capabilities have been accessed. When the lethal trifecta is achieved (all three risk flags set), further potentially dangerous operations are blocked.
π Complete documentation available in docs/
- π Getting Started - Quick setup guide
- βοΈ Configuration - Complete configuration reference
- π‘ API Reference - REST API documentation
- π§βπ» Development Guide - Contributing and development
π License
GPL-3.0 License - see LICENSE for details.