SentinelGate

Access control for AI agents.
Every MCP tool call intercepted, evaluated, and logged — before it executes.
RBAC · CEL policies · Full audit trail

_{For developers and security teams running AI agents with MCP.}

Get Started · Website · Docs

The problem

AI agents have unrestricted access to your machine — every tool call, shell command, file read, and HTTP request runs with no policy, no authentication, and no audit trail. One prompt injection or one hallucination is all it takes.

How SentinelGate works

SentinelGate sits between the AI agent and your system. Every action is intercepted, evaluated against your policies, and logged — before it reaches anything. Denied actions are blocked at the proxy.

No code changes. No agent modifications. Single binary, zero dependencies, sub-millisecond overhead.

Quick start

Install (macOS / Linux):

curl -sSfL https://raw.githubusercontent.com/Sentinel-Gate/Sentinelgate/main/install.sh | sh

Install (Windows PowerShell):

irm https://raw.githubusercontent.com/Sentinel-Gate/Sentinelgate/main/install.ps1 | iex

tar xzf sentinel-gate_*.tar.gz
chmod +x sentinel-gate
sudo mv sentinel-gate /usr/local/bin/

git clone https://github.com/Sentinel-Gate/Sentinelgate.git
cd Sentinelgate && go build -o sentinel-gate ./cmd/sentinel-gate

git clone https://github.com/Sentinel-Gate/Sentinelgate.git
cd Sentinelgate; go build -o sentinel-gate.exe ./cmd/sentinel-gate

Start:

$ sentinel-gate start

  SentinelGate 2.0.0
  ─────────────────────────────────────
  Admin UI:      http://localhost:8080/admin
  Proxy:         http://localhost:8080/mcp
  Upstreams:     1 connected / 1 configured
  Tools:         12 discovered
  Rules:         0 active
  ─────────────────────────────────────

Output may vary depending on your configuration.

Open http://localhost:8080/admin to manage policies, upstreams, and identities. The MCP endpoint is http://localhost:8080/mcp — configure your agent to connect there with an API key.

Playground

See SentinelGate block a prompt injection attack — 30 seconds, no setup:

macOS / Linux:

cd examples/playground
./playground.sh

Windows PowerShell:

cd examples\playground
.\playground.ps1

The script creates 3 policies, simulates 4 agent tool calls (1 allowed, 3 blocked), and cleans up after. Only needs bash + curl or PowerShell. Full walkthrough: examples/playground/READMEplayground.md.

Connect your agent

SentinelGate works with any MCP-compatible client. Point your agent to http://localhost:8080/mcp with an API key:

Full setup snippets for each client: Connect Your Agent

Features

Deterministic enforcement — Explicit rules, not AI judgment. deny delete_* means denied. Always.

MCP-native — Built as an MCP proxy. Aggregates multiple upstream servers, applies per-tool policies, exposes a single endpoint.

CEL-powered rules — Common Expression Language, the same engine behind Kubernetes, Firebase, and Envoy:

action_arg_contains(arguments, "secret")                      // block by content
action_name == "bash" && !("admin" in identity_roles)             // role-based shell control
dest_domain_matches(dest_domain, "*.pastebin.com")             // outbound blocking

Simple tool patterns (read_*, delete_*) cover most cases. CEL handles the rest.

Full audit trail — Every action logged with identity, decision, timestamp, and arguments. Stream live via SSE, filter, or export.

Admin UI — Browser-based policy editor, test playground, security settings, audit viewer. No config files, no restarts.

Identity and access control — API keys, roles, per-identity policies. Each agent gets isolated credentials.

Content scanning — Bidirectional PII, secrets, and IPI detection on tool arguments and responses. Configurable whitelist with contextual exemptions.

Session-aware policies — CEL functions that use session history for context-dependent rules. Detect patterns like read-then-exfiltrate across multiple tool calls: session_call_count, session_write_count, session_sequence, and more.

Red team testing — 30 built-in attack patterns across 6 categories (prompt injection, tool poisoning, exfiltration, privilege escalation, evasion, resource abuse). Interactive report with one-click remediation.

Admin UI

Tools & Rules	Audit Log

Content Scanning	Policy Test

13 pages: Dashboard, Getting Started, Tools & Rules (with Transforms, Policy Test, and Simulation tabs), Access (with Quota management), Audit Log, Sessions, Notifications, Compliance, Permissions, Security, Red Team, FinOps, and Clients (with Agent Health).

Configuration

[!NOTE] Works with zero configuration. Everything is managed from the Admin UI and persisted automatically.

For infrastructure tuning, an optional YAML config is available:

server:
  http_addr: ":8080"
rate_limit:
  enabled: true
  ip_rate: 100

Full reference: Configuration · CLI · API

Limitations

[!CAUTION] SentinelGate is an MCP proxy — it controls what tools and data your agents can access through the MCP protocol. It is effective against mistakes, prompt injection, and overreach. For full OS-level isolation, combine with container or VM sandboxes.

Full threat model.

SentinelGate Pro

Extended retention · SIEM integration · SSO · Multi-tenancy · Advanced FinOps with billing API integration · Cross-agent health export — sentinelgate.co.uk

Contributing

Bug fixes, features, docs, and feedback welcome. See CONTRIBUTING.md. A CLA is required for code contributions — see CLA.md.

License

AGPL-3.0 — free to use, modify, and self-host. For commercial licensing, contact us.

Website · Docs · Releases