SentinelGate
Open-source MCP proxy for AI agent access control. CEL policies, RBAC, full audit trail, content scanning, Admin UI.
SentinelGate
Access control for AI agents.
Every MCP tool call intercepted, evaluated, and logged — before it executes.
RBAC · CEL policies · Full audit trail
For developers and security teams running AI agents with MCP.
Get Started · Website · Docs
The problem
AI agents have unrestricted access to your machine — every tool call, shell command, file read, and HTTP request runs with no policy, no authentication, and no audit trail. One prompt injection or one hallucination is all it takes.
How SentinelGate works
SentinelGate sits between the AI agent and your system. Every action is intercepted, evaluated against your policies, and logged — before it reaches anything. Denied actions are blocked at the proxy.
No code changes. No agent modifications. Single binary, zero dependencies, sub-millisecond overhead.
Quick start
Install (macOS / Linux):
curl -sSfL https://raw.githubusercontent.com/Sentinel-Gate/Sentinelgate/main/install.sh | sh
Install (Windows PowerShell):
irm https://raw.githubusercontent.com/Sentinel-Gate/Sentinelgate/main/install.ps1 | iex
Manual download or build from source
Download from GitHub Releases:
| Platform | Archive |
|---|---|
| macOS (Apple Silicon) | sentinel-gate_darwin_arm64.tar.gz |
| macOS (Intel) | sentinel-gate_darwin_amd64.tar.gz |
| Linux (x86_64) | sentinel-gate_linux_amd64.tar.gz |
| Linux (ARM64) | sentinel-gate_linux_arm64.tar.gz |
| Windows (x86_64) | sentinel-gate_windows_amd64.zip |
| Windows (ARM64) | sentinel-gate_windows_arm64.zip |
macOS / Linux:
tar xzf sentinel-gate_*.tar.gz
chmod +x sentinel-gate
sudo mv sentinel-gate /usr/local/bin/
Windows: extract the .zip and add sentinel-gate.exe to your PATH.
Build from source (Go 1.24+):
macOS / Linux:
git clone https://github.com/Sentinel-Gate/Sentinelgate.git
cd Sentinelgate && go build -o sentinel-gate ./cmd/sentinel-gate
Windows:
git clone https://github.com/Sentinel-Gate/Sentinelgate.git
cd Sentinelgate; go build -o sentinel-gate.exe ./cmd/sentinel-gate
Start:
$ sentinel-gate start
SentinelGate 2.0.0
─────────────────────────────────────
Admin UI: http://localhost:8080/admin
Proxy: http://localhost:8080/mcp
Upstreams: 1 connected / 1 configured
Tools: 12 discovered
Rules: 0 active
─────────────────────────────────────
Output may vary depending on your configuration.
Open http://localhost:8080/admin to manage policies, upstreams, and identities. The MCP endpoint is http://localhost:8080/mcp — configure your agent to connect there with an API key.
Playground
See SentinelGate block a prompt injection attack — 30 seconds, no setup:
macOS / Linux:
cd examples/playground
./playground.sh
Windows PowerShell:
cd examples\playground
.\playground.ps1
The script creates 3 policies, simulates 4 agent tool calls (1 allowed, 3 blocked), and cleans up after. Only needs bash + curl or PowerShell. Full walkthrough: examples/playground/READMEplayground.md.
Connect your agent
SentinelGate works with any MCP-compatible client. Point your agent to http://localhost:8080/mcp with an API key:
| Client | Setup |
|---|---|
| Claude Code | claude mcp add --transport http sentinelgate http://localhost:8080/mcp --header "Authorization: Bearer <key>" |
| Cursor / IDE | Add MCP server in settings with URL http://localhost:8080/mcp |
| Gemini CLI | MCP config with http transport |
| Codex CLI | MCP config with http transport |
| Python / Node.js / cURL | Standard HTTP with Authorization: Bearer <key> header |
Full setup snippets for each client: Connect Your Agent
Features
Deterministic enforcement — Explicit rules, not AI judgment. deny delete_* means denied. Always.
MCP-native — Built as an MCP proxy. Aggregates multiple upstream servers, applies per-tool policies, exposes a single endpoint.
CEL-powered rules — Common Expression Language, the same engine behind Kubernetes, Firebase, and Envoy:
action_arg_contains(arguments, "secret") // block by content
action_name == "bash" && !("admin" in identity_roles) // role-based shell control
dest_domain_matches(dest_domain, "*.pastebin.com") // outbound blocking
Simple tool patterns (read_*, delete_*) cover most cases. CEL handles the rest.
Full audit trail — Every action logged with identity, decision, timestamp, and arguments. Stream live via SSE, filter, or export.
Admin UI — Browser-based policy editor, test playground, security settings, audit viewer. No config files, no restarts.
Identity and access control — API keys, roles, per-identity policies. Each agent gets isolated credentials.
Content scanning — Bidirectional PII, secrets, and IPI detection on tool arguments and responses. Configurable whitelist with contextual exemptions.
Session-aware policies — CEL functions that use session history for context-dependent rules. Detect patterns like read-then-exfiltrate across multiple tool calls: session_call_count, session_write_count, session_sequence, and more.
Red team testing — 30 built-in attack patterns across 6 categories (prompt injection, tool poisoning, exfiltration, privilege escalation, evasion, resource abuse). Interactive report with one-click remediation.
More features (13)
Policy templates — Seven pre-built security profiles (Safe Coding, Read Only, Research Mode, Full Lockdown, Audit Only, Data Protection, Anti-Exfiltration). One click to apply, fully customizable after.
Budget and quota — Per-identity usage limits: max calls, writes, deletes per session, rate limiting per minute. Deny or warn when limits are reached. Live progress tracking on the dashboard.
Response transformation — Five transform types applied to tool responses before they reach the agent: redact (regex-based), truncate (size limits), inject (prepend/append warnings), dry-run (mock responses), mask (partial reveal). Test in the built-in sandbox.
Session recording — Record every tool call with full request/response payloads. Timeline replay in the UI, export to JSON or CSV, configurable retention, privacy mode (record metadata only).
Cryptographic evidence — Every decision signed with ECDSA P-256 and hash-chained. Tamper-proof audit receipts for compliance. EU AI Act-ready compliance bundles with coverage mapping.
Tool integrity — Hash-based baseline for tool definitions, drift detection on schema changes, quarantine for mutated tools, diff viewer.
Behavioral drift detection — 14-day baseline vs current behavior comparison. Detects tool distribution shifts, deny rate changes, temporal anomalies, and argument pattern drift.
Agent health dashboard — Per-agent health metrics (deny rate, drift score, violations) with 30-day sparklines, baseline comparison, and cross-agent overview. CEL variables for health-based policies.
Permission health & shadow mode — Identifies over-privileged agents by comparing granted vs actual tool usage. Auto-tighten suggestions with one-click apply.
FinOps cost explorer — Per-tool cost estimation, per-identity budgets with threshold alerts, cost drill-down, budget guardrail creation via Policy Builder.
Namespace isolation — Role-based tool visibility with whitelist/blacklist glob patterns.
OpenTelemetry export — Stdout span export for every tool call with identity, decision, and latency.
Human-in-the-loop — Escrow workflow for sensitive operations. Approve/deny with decision context, session trail, and signed audit note.
Admin UI
| Tools & Rules | Audit Log |
|---|---|
 |  |
| Content Scanning | Policy Test |
|---|---|
 |  |
13 pages: Dashboard, Getting Started, Tools & Rules (with Transforms, Policy Test, and Simulation tabs), Access (with Quota management), Audit Log, Sessions, Notifications, Compliance, Permissions, Security, Red Team, FinOps, and Clients (with Agent Health).
Configuration
[!NOTE] Works with zero configuration. Everything is managed from the Admin UI and persisted automatically.
For infrastructure tuning, an optional YAML config is available:
server:
http_addr: ":8080"
rate_limit:
enabled: true
ip_rate: 100
Full reference: Configuration · CLI · API
Limitations
[!CAUTION] SentinelGate is an MCP proxy — it controls what tools and data your agents can access through the MCP protocol. It is effective against mistakes, prompt injection, and overreach. For full OS-level isolation, combine with container or VM sandboxes.
Full threat model.
SentinelGate Pro
Extended retention · SIEM integration · SSO · Multi-tenancy · Advanced FinOps with billing API integration · Cross-agent health export — sentinelgate.co.uk
Contributing
Bug fixes, features, docs, and feedback welcome. See CONTRIBUTING.md. A CLA is required for code contributions — see CLA.md.
License
AGPL-3.0 — free to use, modify, and self-host. For commercial licensing, contact us.
관련 서버
SettlementWitness MCP
SettlementWitness is a stateless MCP verification tool that returns replay-stable settlement receipts (PASS/FAIL) by forwarding task_id, spec, and output to the Default Settlement Verifier. Designed for agent execution gating and x402 settlement flows.
Trading MCP Server
An intelligent trading assistant that fetches live stock prices using the Yahoo Finance API.
WoWok
A server for the WoWok platform, designed for co-creation, transactions, and empowering potential.
Current Time JST
Provides the current time in Japan Standard Time (JST, UTC+9).
Vintage Chocolate Recipes (1914)
146 historic chocolate recipes from 1914. Search cakes, candies, and beverages from Maria Parloa's classic cookbook.
Memory Bank MCP
A production-ready Model Context Protocol (MCP) server that provides a powerful, vector-native memory bank for AI agents. Built with the Protocol-Lattice Go Agent Framework, this server offers persistent, searchable, and shareable memory with multiple database backends.
Meme MCP Server
Generate memes using the ImgFlip API. Requires ImgFlip account credentials.
Chess UCI
Connect to UCI-compatible chess engines like Stockfish to play and analyze games. Requires a local chess engine binary.
Word Orb
The language layer for AI agents. One call returns IPA, definitions, etymology, translations in 47 languages, and ethics guidance — in 3ms.
AFL (Australian Football League)
Provides Australian Football League (AFL) data, including games, standings, and team information, from the Squiggle API.