Hacker News | vitass's comments

I asked an AI agent to delete an unused folder. It pattern-matched too broadly and removed more than intended. I clicked "yes" too fast. Luckily I had a backup.

That was just files. Now imagine the same mismatch with `kubectl delete` or `terraform apply`.

So I built Evidra — an MCP server that evaluates infrastructure operations against OPA policies before execution. No LLM in the decision loop — just deterministic Rego rules.

What it catches: protected namespace deletions, mass resource removal, public S3 buckets, wildcard IAM, and similar high-impact mistakes.

What it's not: a full compliance engine or admission controller replacement. It's a lightweight pre-execution guardrail — works with AI agents, but also in CI pipelines against Terraform plans.

Every allow/deny decision is logged in a SHA-256 hash-chained evidence trail.

GitHub: https://github.com/vitas/evidra

Security model: https://github.com/vitas/evidra/blob/main/docs/SECURITY_MODE...

Would love feedback from anyone running AI agents against real infrastructure.
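
The SHA-256 hash-chained evidence trail mentioned in the post, as an added sketch that is not part of the original post and not Evidra's code. The record layout, field names and all-zero genesis value are assumptions, and the decisions are constructed samples.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record


def _digest(prev_hash, decision):
    # Canonical JSON (sorted keys, fixed separators) so the same decision
    # always serializes to the same bytes before hashing.
    body = json.dumps({"prev": prev_hash, "decision": decision},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def append(chain, decision):
    """Append a decision record linked to the hash of the previous record."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    record = {"prev": prev_hash, "decision": decision,
              "hash": _digest(prev_hash, decision)}
    chain.append(record)
    return record


def verify(chain, expected_head=None):
    """Return the index of the first bad record, len(chain) if the final
    hash differs from expected_head (tail truncated), or None if intact."""
    prev_hash = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev_hash:
            return i  # link broken: a record was removed, inserted or reordered
        if rec["hash"] != _digest(rec["prev"], rec["decision"]):
            return i  # record content no longer matches its stored hash
        prev_hash = rec["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(chain)
    return None


def sample_chain():
    # Constructed sample decisions; field names are illustrative only.
    chain = []
    append(chain, {"tool": "kubectl", "op": "delete",
                   "target": "namespace/kube-system", "allow": False})
    append(chain, {"tool": "terraform", "op": "apply",
                   "target": "s3/public-bucket", "allow": False})
    append(chain, {"tool": "kubectl", "op": "delete",
                   "target": "pod/scratch-1", "allow": True})
    return chain
```

A chain like this detects edits, removals and reordering inside the log, but dropping records from the end is only detectable when the latest hash is also kept somewhere the log writer cannot change, which is what `expected_head` stands for here.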

