SentinelGate
Open-source MCP proxy for AI agent access control. CEL policies, RBAC, full audit trail, content scanning, Admin UI.
SentinelGate
Access control for AI agents.
Every MCP tool call intercepted, evaluated, and logged — before it executes.
RBAC · CEL policies · Full audit trail
For developers and security teams running AI agents with MCP.
Get Started · Website · Docs
The problem
AI agents have unrestricted access to your machine — every tool call, shell command, file read, and HTTP request runs with no policy, no authentication, and no audit trail. One prompt injection or one hallucination is all it takes.
How SentinelGate works
SentinelGate sits between the AI agent and your system. Every action is intercepted, evaluated against your policies, and logged — before it reaches anything. Denied actions are blocked at the proxy.
No code changes. No agent modifications. Single binary, zero dependencies, sub-millisecond overhead.
Quick start
Install (macOS / Linux):
curl -sSfL https://raw.githubusercontent.com/Sentinel-Gate/Sentinelgate/main/install.sh | sh
Install (Windows PowerShell):
irm https://raw.githubusercontent.com/Sentinel-Gate/Sentinelgate/main/install.ps1 | iex
Manual download or build from source
Download from GitHub Releases:
| Platform | Archive |
|---|---|
| macOS (Apple Silicon) | sentinel-gate_darwin_arm64.tar.gz |
| macOS (Intel) | sentinel-gate_darwin_amd64.tar.gz |
| Linux (x86_64) | sentinel-gate_linux_amd64.tar.gz |
| Linux (ARM64) | sentinel-gate_linux_arm64.tar.gz |
| Windows (x86_64) | sentinel-gate_windows_amd64.zip |
| Windows (ARM64) | sentinel-gate_windows_arm64.zip |
macOS / Linux:
tar xzf sentinel-gate_*.tar.gz
chmod +x sentinel-gate
sudo mv sentinel-gate /usr/local/bin/
Windows: extract the .zip and add sentinel-gate.exe to your PATH.
Build from source (Go 1.24+):
macOS / Linux:
git clone https://github.com/Sentinel-Gate/Sentinelgate.git
cd Sentinelgate && go build -o sentinel-gate ./cmd/sentinel-gate
Windows:
git clone https://github.com/Sentinel-Gate/Sentinelgate.git
cd Sentinelgate; go build -o sentinel-gate.exe ./cmd/sentinel-gate
Start:
$ sentinel-gate start
SentinelGate 2.0.0
─────────────────────────────────────
Admin UI: http://localhost:8080/admin
Proxy: http://localhost:8080/mcp
Upstreams: 1 connected / 1 configured
Tools: 12 discovered
Rules: 0 active
─────────────────────────────────────
Output may vary depending on your configuration.
Open http://localhost:8080/admin to manage policies, upstreams, and identities. The MCP endpoint is http://localhost:8080/mcp — configure your agent to connect there with an API key.
Playground
See SentinelGate block a prompt injection attack — 30 seconds, no setup:
macOS / Linux:
cd examples/playground
./playground.sh
Windows PowerShell:
cd examples\playground
.\playground.ps1
The script creates 3 policies, simulates 4 agent tool calls (1 allowed, 3 blocked), and cleans up after. Only needs bash + curl or PowerShell. Full walkthrough: examples/playground/READMEplayground.md.
Connect your agent
SentinelGate works with any MCP-compatible client. Point your agent to http://localhost:8080/mcp with an API key:
| Client | Setup |
|---|---|
| Claude Code | claude mcp add --transport http sentinelgate http://localhost:8080/mcp --header "Authorization: Bearer <key>" |
| Cursor / IDE | Add MCP server in settings with URL http://localhost:8080/mcp |
| Gemini CLI | MCP config with http transport |
| Codex CLI | MCP config with http transport |
| Python / Node.js / cURL | Standard HTTP with Authorization: Bearer <key> header |
Full setup snippets for each client: Connect Your Agent
Features
Deterministic enforcement — Explicit rules, not AI judgment. deny delete_* means denied. Always.
MCP-native — Built as an MCP proxy. Aggregates multiple upstream servers, applies per-tool policies, exposes a single endpoint.
CEL-powered rules — Common Expression Language, the same engine behind Kubernetes, Firebase, and Envoy:
action_arg_contains(arguments, "secret") // block by content
action_name == "bash" && !("admin" in identity_roles) // role-based shell control
dest_domain_matches(dest_domain, "*.pastebin.com") // outbound blocking
Simple tool patterns (read_*, delete_*) cover most cases. CEL handles the rest.
Full audit trail — Every action logged with identity, decision, timestamp, and arguments. Stream live via SSE, filter, or export.
Admin UI — Browser-based policy editor, test playground, security settings, audit viewer. No config files, no restarts.
Identity and access control — API keys, roles, per-identity policies. Each agent gets isolated credentials.
Content scanning — Bidirectional PII, secrets, and IPI detection on tool arguments and responses. Configurable whitelist with contextual exemptions.
Session-aware policies — CEL functions that use session history for context-dependent rules. Detect patterns like read-then-exfiltrate across multiple tool calls: session_call_count, session_write_count, session_sequence, and more.
Red team testing — 30 built-in attack patterns across 6 categories (prompt injection, tool poisoning, exfiltration, privilege escalation, evasion, resource abuse). Interactive report with one-click remediation.
More features (13)
Policy templates — Seven pre-built security profiles (Safe Coding, Read Only, Research Mode, Full Lockdown, Audit Only, Data Protection, Anti-Exfiltration). One click to apply, fully customizable after.
Budget and quota — Per-identity usage limits: max calls, writes, deletes per session, rate limiting per minute. Deny or warn when limits are reached. Live progress tracking on the dashboard.
Response transformation — Five transform types applied to tool responses before they reach the agent: redact (regex-based), truncate (size limits), inject (prepend/append warnings), dry-run (mock responses), mask (partial reveal). Test in the built-in sandbox.
Session recording — Record every tool call with full request/response payloads. Timeline replay in the UI, export to JSON or CSV, configurable retention, privacy mode (record metadata only).
Cryptographic evidence — Every decision signed with ECDSA P-256 and hash-chained. Tamper-proof audit receipts for compliance. EU AI Act-ready compliance bundles with coverage mapping.
Tool integrity — Hash-based baseline for tool definitions, drift detection on schema changes, quarantine for mutated tools, diff viewer.
Behavioral drift detection — 14-day baseline vs current behavior comparison. Detects tool distribution shifts, deny rate changes, temporal anomalies, and argument pattern drift.
Agent health dashboard — Per-agent health metrics (deny rate, drift score, violations) with 30-day sparklines, baseline comparison, and cross-agent overview. CEL variables for health-based policies.
Permission health & shadow mode — Identifies over-privileged agents by comparing granted vs actual tool usage. Auto-tighten suggestions with one-click apply.
FinOps cost explorer — Per-tool cost estimation, per-identity budgets with threshold alerts, cost drill-down, budget guardrail creation via Policy Builder.
Namespace isolation — Role-based tool visibility with whitelist/blacklist glob patterns.
OpenTelemetry export — Stdout span export for every tool call with identity, decision, and latency.
Human-in-the-loop — Escrow workflow for sensitive operations. Approve/deny with decision context, session trail, and signed audit note.
Admin UI
| Tools & Rules | Audit Log |
|---|---|
 |  |
| Content Scanning | Policy Test |
|---|---|
 |  |
13 pages: Dashboard, Getting Started, Tools & Rules (with Transforms, Policy Test, and Simulation tabs), Access (with Quota management), Audit Log, Sessions, Notifications, Compliance, Permissions, Security, Red Team, FinOps, and Clients (with Agent Health).
Configuration
[!NOTE] Works with zero configuration. Everything is managed from the Admin UI and persisted automatically.
For infrastructure tuning, an optional YAML config is available:
server:
http_addr: ":8080"
rate_limit:
enabled: true
ip_rate: 100
Full reference: Configuration · CLI · API
Limitations
[!CAUTION] SentinelGate is an MCP proxy — it controls what tools and data your agents can access through the MCP protocol. It is effective against mistakes, prompt injection, and overreach. For full OS-level isolation, combine with container or VM sandboxes.
Full threat model.
SentinelGate Pro
Extended retention · SIEM integration · SSO · Multi-tenancy · Advanced FinOps with billing API integration · Cross-agent health export — sentinelgate.co.uk
Contributing
Bug fixes, features, docs, and feedback welcome. See CONTRIBUTING.md. A CLA is required for code contributions — see CLA.md.
License
AGPL-3.0 — free to use, modify, and self-host. For commercial licensing, contact us.
Related Servers
AILibrary MCP Server
API for AI agents to search, license, and download b-roll video clips and voiceovers. Pay-per-request, no human interaction required.
Scrptly Video Generator
An Ai Video Agent that can generate professional and complex videos with simple prompts and context images.
The Agent Times
Agent economy news with 6 tools. Agents can read articles, get stats, and comment. Earn Bitcoin for contributions.
Withings
MCP server for Withings health data integration
Atris MCP for Audius
Access the Audius music platform via LLMs, with 105 tools covering most of the Audius Protocol API.
PostalDataPI MCP Server
Global postal code lookups, validation, and city search for 70+ countries. Sub-10ms responses.
Chainflip Broker as a Service
Cross-chain cryptocurrency swaps via Chainflip. Get quotes, execute swaps, and track progress.
mcp-server-openai-bridge
Bridge to OpenAI API. Access GPT, GPT-o and other OpenAI models through MCP.
Mind Reasoner MCP Server
Mind Reasoner's MCP Server
Swift Tarot
Provides tarot card readings, including single card draws, multi-card spreads, and full deck access.