{"slug": "show-hn-hextrap-package-firewall-with-opa-policies-and-mcp-support", "title": "Show HN: Hextrap – Package Firewall with OPA Policies and MCP Support", "summary": "Hextrap launched a package firewall that proxies pip, npm, go get, and cargo installs through managed allow/deny lists, OPA policies, and safeguards like soak time and typosquatting detection. The tool integrates with LLMs via MCP to check package allow-lists before downloads, and exposes security data for custom Rego policies. Hextrap aims to help teams govern open-source package usage and prevent malicious packages.", "body_md": "We’re building Hextrap ([https://hextrap.com/products/firewall/](https://hextrap.com/products/firewall/)), a package firewall to make it easier for teams and organizations to govern the packages installed from their favorite NPM, PyPI, Go, and Rust registries using managed allow/deny lists, custom OPA policies, and built-in safeguards like soak time (new versions are quarantined for a configurable amount of time - most malicious packages are discovered within 48h) and typosquatting detection. Every `pip install`, `npm install`, and `go get` is proxied through Hextrap and evaluated against a target firewall.\n\nHextrap is designed to work with LLMs (via MCP) so tools like Claude Code will check if a package is allow-listed before downloading or adding it to a project (in addition to using the proxy at install time). This bridges the gap between Claude’s planning and execution phases and creates a more collaborative experience with the developer when libraries are being chosen (i.e. pyramid is not allow-listed, should I try Django or Flask instead?)\n\nIn addition to the above, security data and package metadata is made available to OPA so teams can use the extra information to craft their own custom Rego policies (i.e. package must have had at least n commits in the past 6 months, have at least 1,000 stars, and a Hextrap security score above 75). We pull in data directly from the public registries and generate security signals that help identify version-level threats within packages.\n\nYou can try it out without signing up or giving us an email address here: [https://hextrap.com/try](https://hextrap.com/try)\n\nWe’re actively building this product and are curious what the HN crowd thinks about the proxy-approach, the MCP integration point, and whether OPA was the right choice for policy as code.\n\nComments URL: [https://news.ycombinator.com/item?id=48570033](https://news.ycombinator.com/item?id=48570033)\n\nPoints: 1\n\n# Comments: 0", "url": "https://wpnews.pro/news/show-hn-hextrap-package-firewall-with-opa-policies-and-mcp-support", "canonical_source": "https://hextrap.com/products/firewall/", "published_at": "2026-06-17 13:11:25+00:00", "updated_at": "2026-06-17 13:23:23.773071+00:00", "lang": "en", "topics": ["ai-tools", "developer-tools", "ai-safety", "ai-agents"], "entities": ["Hextrap", "OPA", "MCP", "Claude Code", "NPM", "PyPI", "Go", "Rust"], "alternates": {"html": "https://wpnews.pro/news/show-hn-hextrap-package-firewall-with-opa-policies-and-mcp-support", "markdown": "https://wpnews.pro/news/show-hn-hextrap-package-firewall-with-opa-policies-and-mcp-support.md", "text": "https://wpnews.pro/news/show-hn-hextrap-package-firewall-with-opa-policies-and-mcp-support.txt", "jsonld": "https://wpnews.pro/news/show-hn-hextrap-package-firewall-with-opa-policies-and-mcp-support.jsonld"}}