Show HN: Hextrap – Package Firewall with OPA Policies and MCP Support

Hextrap launched a package firewall that proxies pip, npm, go get, and cargo installs through managed allow/deny lists, OPA policies, and safeguards like soak time and typosquatting detection. The tool integrates with LLMs via MCP to check package allow-lists before downloads, and exposes security data for custom Rego policies. Hextrap aims to help teams govern open-source package usage and prevent malicious packages.

We’re building Hextrap https://hextrap.com/products/firewall/ https://hextrap.com/products/firewall/ , a package firewall to make it easier for teams and organizations to govern the packages installed from their favorite NPM, PyPI, Go, and Rust registries using managed allow/deny lists, custom OPA policies, and built-in safeguards like soak time new versions are quarantined for a configurable amount of time - most malicious packages are discovered within 48h and typosquatting detection. Every pip install , npm install , and go get is proxied through Hextrap and evaluated against a target firewall. Hextrap is designed to work with LLMs via MCP so tools like Claude Code will check if a package is allow-listed before downloading or adding it to a project in addition to using the proxy at install time . This bridges the gap between Claude’s planning and execution phases and creates a more collaborative experience with the developer when libraries are being chosen i.e. pyramid is not allow-listed, should I try Django or Flask instead? In addition to the above, security data and package metadata is made available to OPA so teams can use the extra information to craft their own custom Rego policies i.e. package must have had at least n commits in the past 6 months, have at least 1,000 stars, and a Hextrap security score above 75 . We pull in data directly from the public registries and generate security signals that help identify version-level threats within packages. You can try it out without signing up or giving us an email address here: https://hextrap.com/try https://hextrap.com/try We’re actively building this product and are curious what the HN crowd thinks about the proxy-approach, the MCP integration point, and whether OPA was the right choice for policy as code. Comments URL: https://news.ycombinator.com/item?id=48570033 https://news.ycombinator.com/item?id=48570033 Points: 1 Comments: 0