An MCP server for AI coding agents · built on Cognee

Connect your coding agent to a memory it can trust.

ContextFirewall is a Model Context Protocol server. Point Claude Code, Cursor, or Windsurf at it, and every memory your agent recalls, stores, distils, or forgets flows through Cognee and four firewall checks: staleness, contradiction, secrets and evidence. Only trustworthy memory reaches the model.

connecting…
context-firewall · audit auditing 10 memories
Blocked at the firewall
Stale
0.50

Deploy command superseded by make release.

Secret
0.90

AWS access key found in a worker-config note.

Contradicted
0.45

“Access tokens never expire,” later disproven.

Passed into the pack
Decision
0.99

Deploy with make release (migrations + blue-green).

Config
0.92

Service targets Python 3.12 (asyncpg 0.30).

Lesson
0.77

Run make check before pushing (CI gate).

Connect

One endpoint. Any agent.

ContextFirewall speaks the Model Context Protocol, so it drops into the agent you already use. Connect to the hosted endpoint in one line, or run it locally with uvx. Your agent gets six tools that exercise the full Cognee lifecycle: recall, remember, improve and forget, all governed by the firewall.

Streamable HTTP + stdio Every call audited on Cognee
connect your agentClaude Code · Cursor · Windsurf · Cline
Hosted (one line, no install)
claude mcp add --transport http contextfirewall https://himanshukumarjha-contextfirewall.hf.space/mcp
Or run it locally with uvx
uvx --from "git+https://github.com/himanshu748/ContextFirewall#subdirectory=mcp" contextfirewall-mcp
get_trusted_contextaudit_contextrememberforget_memoryimprove_ruleslist_coding_rules

Runs on real infrastructure

Cognee
Neo4jNeo4j
Postgres · pgvectorPostgres · pgvector
Hugging FaceHugging Face
FastAPIFastAPI
Next.jsNext.js
VercelVercel

The problem

Memory is a new attack surface for agents.

Hand an agent your team's accumulated memory and it will confidently act on a stale deploy command, a fix that was later contradicted, a leaked API key, or a claim nothing ever supported. Plain recall can't tell good memory from dangerous memory, so it serves all of it.

Stale

“Deploy with flyctl deploy.” Retired when the service moved off Fly.io.

Contradicted

“JWT access tokens never expire.” Disproven by the incident postmortem.

Secret

An AWS access key pasted into a worker-config note.

Unsupported

“/search does 1,000,000 req/s, no cache.” Nothing backs it. Trust 0.10.

How it works

A firewall between memory and action.

01
Record

Agent sessions (prompts, tool calls, terminal output, decisions, errors and fixes) are captured as a timeline.

02
Cognify

Cognee extracts entities and relationships into a knowledge graph, with temporal links between facts.

03
Audit

Every candidate memory is scored against four checks and given a plain-language verdict and trust score.

04
Pack

Only memories that pass every check are assembled into a trusted context pack for the next agent.

The four checks

Four checks stand between a memory and your agent.

Each memory gets a verdict and a trust score in plain language, so a human can see exactly why something was blocked, and forget it for good.

temporal

Staleness

Facts have a shelf life. When a newer memory supersedes an old one, the stale fact decays and is held back from the pack.

graph reasoning

Contradiction

The graph surfaces memories that conflict. The better-supported fact wins; the contradicted one is flagged, never silently served.

leak prevention

Secrets

API keys, tokens and connection strings are detected and blocked before they can ever be packed into an agent's context.

provenance

Evidence & trust

Claims with no supporting events score low. Unsupported “facts” fall below the trust threshold and don't make the cut.

Built on Cognee

The full memory lifecycle, including forget().

ContextFirewall doesn't just read from Cognee; it exercises the whole lifecycle. Governance lives in the loop: nothing is permanent until it has earned trust, and anything unsafe can be forgotten.

remember()
add + cognify

Sessions are ingested and cognified into the knowledge graph.

recall()
search

Relevant memories are retrieved for the agent's current task.

improve()
memify

Recurring lessons and coding rules are distilled and reinforced.

forget()
governed delete

Rejected, stale or unsafe memories are removed under human review.

Same question. Two very different answers.

“What should a new agent know before working on taskflow-api?” Asked of raw recall, then of the firewall.

Ungoverned recall
  • Deploy with flyctl deploy · stale
  • Use AWS key AKIA•••••• for uploads · leaked secret
  • Access tokens never expire · contradicted
  • /search does 1M req/s, no cache · unsupported

A flat vector store hands all of this to the next agent.

Trusted context pack
  • Deploy with make release (migrations + blue-green) · trust 0.99
  • Access tokens expire after 15 min; use the refresh flow · trust 0.99
  • Rate-limit 100 req/min per key in Redis · trust 0.77

Only audited, current, evidence-backed facts. No secrets.

Why a knowledge graph? Because trust is relational and temporal. Cognee lets the firewall see when a fact was superseded and which memories contradict each other. These are judgments a flat vector store can't make.

Put a firewall in front of your agent's memory.

Connect your agent over MCP in one line, or open the console and watch every memory get audited live on Cognee before it reaches the model.