Quick Start

Zero to governed in under 60 seconds. One command. No config required.

1Install and secure

Terminal

pip install navil
navil secure

That's it. navil secure auto-discovers your MCP configs (Cursor, Claude Desktop, OpenClaw, Continue.dev), wraps every server with the security proxy, generates baseline policies, and shows a before/after coverage score. Your original configs are backed up automatically.

🔍 Discovering MCP configs... Found: ~/.cursor/mcp.json (12 servers) 📊 Scanning current coverage... Current coverage: 23% (4/36 categories protected) 🔒 Wrapping servers with Navil proxy... ✓ Wrapped 12 servers in ~/.cursor/mcp.json 🧠 Generating baseline policies... ✓ 3 deny rules generated ✓ 12 scope profiles created 📊 Re-scanning coverage with Navil active... New coverage: 78% (23/36 categories protected) ✅ Done in 47 seconds. Before: 23% coverage → After: 78% coverage

2Link to Navil Cloud (optional)

Terminal

navil cloud login

Link to your dashboard for analytics, team management, and premium features. Opens a browser window to authenticate, then automatically configures your local instance. The free tier works without it.

3Target a specific config (optional)

Terminal

# Secure a specific config instead of auto-discovering
navil secure --config ~/.cursor/mcp.json

# Preview changes without modifying any files
navil secure --dry-run

4Individual commands (advanced)

navil secure orchestrates these under the hood. Use them directly for fine-grained control:

Terminal

navil wrap mcp_config.json          # wrap servers in a specific config
navil scan config.json               # audit vulnerabilities (static)
navil test                           # fire threat pool, see coverage
navil policy auto-generate           # generate policies from baselines

5Customize policies (optional)

policy.yaml

# navil secure generates this automatically — customize as needed
agents:
  data-agent:
    tools_allowed: ["database_query"]
    tools_denied: ["shell_exec", "write_file"]
    rate_limit_per_hour: 100
    data_clearance: "INTERNAL"

  file-agent:
    tools_allowed: ["read_file"]
    tools_denied: ["delete_file", "exec_command"]
    rate_limit_per_hour: 50
    data_clearance: "PUBLIC"

scopes:
  default:
    description: "Default scope — read-only access"
    tools: ["read_file", "list_tables", "query_db"]

suspicious_patterns:
  - name: "bulk_export"
    tool: "export_data"
    actions: ["export"]

Introduction

Securing OpenClaw

Quick Start

Zero to governed in under 60 seconds. One command. No config required.

1Install and secure

Terminal

pip install navil
navil secure

2Link to Navil Cloud (optional)

Terminal

navil cloud login

Link to your dashboard for analytics, team management, and premium features. Opens a browser window to authenticate, then automatically configures your local instance. The free tier works without it.

3Target a specific config (optional)

Terminal

# Secure a specific config instead of auto-discovering
navil secure --config ~/.cursor/mcp.json

# Preview changes without modifying any files
navil secure --dry-run

4Individual commands (advanced)

navil secure orchestrates these under the hood. Use them directly for fine-grained control:

Terminal

navil wrap mcp_config.json          # wrap servers in a specific config
navil scan config.json               # audit vulnerabilities (static)
navil test                           # fire threat pool, see coverage
navil policy auto-generate           # generate policies from baselines

5Customize policies (optional)

policy.yaml

# navil secure generates this automatically — customize as needed
agents:
  data-agent:
    tools_allowed: ["database_query"]
    tools_denied: ["shell_exec", "write_file"]
    rate_limit_per_hour: 100
    data_clearance: "INTERNAL"

  file-agent:
    tools_allowed: ["read_file"]
    tools_denied: ["delete_file", "exec_command"]
    rate_limit_per_hour: 50
    data_clearance: "PUBLIC"

scopes:
  default:
    description: "Default scope — read-only access"
    tools: ["read_file", "list_tables", "query_db"]

suspicious_patterns:
  - name: "bulk_export"
    tool: "export_data"
    actions: ["export"]