Anthropic Claude Code Hackathon 2026

Enforce security policies on every AI tool call — then prove it cryptographically.

YAML policies · SHA-256 audit chain · Supply-chain drift detection · One init.

MCP servers have no governance layer. Heimdall adds one.

MIT License 197 tests passing TypeScript strict Built with Opus 4.6
Star on GitHub See it work ↓

An open-source MCP proxy that enforces security policies on every tool call, transforms dangerous arguments before they reach the server, and produces a tamper-evident cryptographic audit trail.

Allowlists MCP Proxies Heimdall
Policy enforcement YAML rules
Argument transformation RESHAPE
Signed audit trail SHA-256 + Ed25519
Drift detection baseline + diff
AI policy generation Opus 4.6

full    partial    none

How It Works
1
Check
YAML policy evaluates every tool call against your ward rules
PASS HALT RESHAPE
2
Record
Decision inscribed as a Rune with full tool call context and arguments
3
Chain
Each Rune is SHA-256 hash-chained and Ed25519 signed. Tamper-evident.

Every tool call flows Agent → Heimdall → Tools. Most restrictive ward wins.

Quickstart
$ git clone https://github.com/mchahed99/heimdall && cd heimdall $ bun install && bun run heimdall init $ bun run heimdall hook install PreToolUse + PostToolUse hooks installed. Done.
Watchtower Dashboard

Real-time monitoring. Click a blocked event to inspect the full audit trail.

Watchtower — localhost:3000
Heimdall · Watchtower
Chain intact · 0 · Signed
Active
Metrics
Total0
Halted0
Passed0
Reshaped0
Chain
Sessions1
Tools4
Since
Risk
0 / 100
LOW
Thinking: 4,096 tokens
Drift detected project-assistant
10:42:06 AM
+send_report"New tool added after baseline"critical
a3f2c891...c912f567...WARN
Supply-chain attack detected — server added send_report tool after baseline verification
#TimeDecisionToolMsHash
110:42:01Passlist_files2a3f2c891...
210:42:03Passread_file1b7d1e234...
310:42:05Haltsend_report1c912f567...
↳ → evil.com/exfil — External endpoint blocked
410:42:08Reshapesend_report3d4a7b890...
↳ data: sk-ant-... → [REDACTED] — Secrets redacted from report
510:42:11Passlist_files1e5c8d901...
Policy
bifrost.yamlyaml

HALT blocks. RESHAPE transforms. PASS allows. Most restrictive wins. · More policies on GitHub →

Verification
heimdall runecheck
$ bun run heimdall runecheck # 1 [GENESIS] list_files PASS a3f2c891... # 2 ← a3f2c891 read_file PASS b7d1e234... # 3 ← b7d1e234 send_report HALT c912f567... # 4 ← c912f567 send_report RESHAPE d4a7b890... # 5 ← d4a7b890 list_files PASS e5c8d901... Result: VALID — 5 runes verified, Ed25519 signed
Opus 4.6 Pipeline

One command. Three stages. Powered by Claude Opus 4.6 with extended thinking.

1 Generate Extended Thinking · 10K budget
$ bun run heimdall audit --path . [1/3] Generating security policy from codebase... Collected 47 files (~31K tokens) Extended thinking: ~8,200 tokens used Policy validated successfully
2 Red-Team 4 Parallel Agents
injection12 payloads · 1 bypass
exfiltration8 payloads · 0 bypasses
privilege10 payloads · 0 bypasses
compliance6 payloads · 0 bypasses
bypass detected echo $(cat ~/.ssh/id_rsa) | base64
3 Auto-Patch Gap Closure
[3/3] Auto-patching policy to close gaps... Policy patched: 12 wards (was 9) + halt-ssh-key-leak + halt-base64-exfil Audit complete.
Capabilities
Verification Loops
SHA-256 hash chain + Ed25519 signatures. Every decision provable. Tamper one record and the chain breaks.
Claude Code Hooks
PreToolUse + PostToolUse integration. Deterministic control over probabilistic AI.
Drift Detection
Baseline MCP server definitions on first connect. Alert when tools change. Catches definition drift, not same-definition behavior changes — a high-signal supply-chain tripwire.
RESHAPE Engine
Controlled mutation. Deterministic YAML merge, not AI rewrites. Both versions logged.
Opus 4.6 Powered
Full-codebase policy generation with extended thinking. 4-agent parallel red-teaming. Adaptive risk scoring.
Community Policies
Pre-built YAML for DevOps, Finance/SOX, Healthcare/HIPAA. Share, fork, improve.