The Security Control Plane for MCP Tool Execution
MCP Sentinel is not another MCP server. It is the zero-trust security boundary that sits between MCP clients and MCP servers, turning raw tool traffic into an enforceable, observable, auditable control surface.
Start with Community Edition to block dangerous tool calls inline with static policy and near-zero friction. Move to Enterprise Edition when your organization needs bidirectional inspection, dynamic governance, identity-aware enforcement, and audit-grade telemetry across fleets.
Enterprise capabilities are in active refinement for governed production rollout. Request early access to hear when availability opens.
MCP boundary enforcement in motion
Inspect inbound calls → stop violations inline → stream trusted telemetry
Why Sentinel
MCP becomes safer when the transport itself is treated as the enforcement boundary
Sentinel wraps the target MCP server as a child process and mediates the stdio channel without forcing the client or server to change behavior. That placement gives teams a deterministic place to inspect, deny, audit, and operationalize tool use before damage reaches the backend.
Inline stdio boundary
Sentinel sits transparently between the MCP client and server, preserving the workflow while making stdio itself the security checkpoint.
Deterministic policy enforcement
Tool names, serialized arguments, blocked paths, and policy violations are evaluated before execution, not after cleanup.
Operational visibility
Live telemetry, local monitoring, and durable audit logs turn agent tool use into something security teams can actually observe and trust.
Community Edition
Everything technical teams need to put a zero-trust guardrail in front of MCP today
Community Edition is the immediate-value layer: fast to deploy, easy to reason about, auditable through static policy, and built to protect real developer workflows without asking teams to rebuild their stack.
Zero-friction inline deployment
Point Claude Code, Gemini CLI, Cursor, or VS Code at mcp-sentinel and place the proxy in front of the real MCP server without changing the downstream tool.
Static policy engine
~/.sentinel/rules.json lets teams block dangerous tool names and regex-match sensitive paths or payload markers in serialized arguments.
Fail-closed protection
If the policy file is missing, malformed, or unsafe, Sentinel refuses to start instead of running unprotected.
Pre-execution denial
Blocked tools/call requests never reach the backend. Sentinel answers directly with a JSON-RPC policy error and preserves the system boundary.
Live Monitor and SSE telemetry
Security-relevant events stream locally through the monitor so operators can see invocations, blocks, and runtime activity while sessions are still live.
Durable local evidence trail
~/.sentinel/audit.log keeps an append-only JSONL record that remains useful after the agent session has ended.
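A sketch of the static policy check, fail-closed load, and pre-execution denial described above, added here as an illustration and not taken from MCP Sentinel's code. The rules.json field names (blocked_tools, blocked_paths), the error code -32001, and the names LoadPolicy, Check and deny are assumptions; it needs Go 1.21 or later.

```go
package main

import (
	"encoding/json"
	"regexp"
	"slices"
)

// Policy is an assumed rules.json shape; the page does not show the real schema.
type Policy struct {
	BlockedTools []string         `json:"blocked_tools"`
	BlockedPaths []*regexp.Regexp `json:"blocked_paths"` // compiled while decoding (Go 1.21+)
}

// LoadPolicy fails closed: malformed JSON or an invalid regex yields no policy at all.
func LoadPolicy(raw []byte) (*Policy, error) {
	p := &Policy{}
	if err := json.Unmarshal(raw, p); err != nil {
		return nil, err
	}
	return p, nil
}

// Check returns a JSON-RPC error reply for a denied line, or nil to forward it.
func (p *Policy) Check(line []byte) []byte {
	var r struct {
		ID     json.RawMessage
		Method string
		Params struct{ Name string; Arguments interface{} }
	}
	if json.Unmarshal(line, &r) != nil {
		return deny(nil, "unparseable message") // cannot inspect, so do not forward
	} else if r.Method != "tools/call" {
		return nil
	} else if slices.Contains(p.BlockedTools, r.Params.Name) {
		return deny(r.ID, "blocked tool: "+r.Params.Name)
	}
	// Re-encode decoded arguments so escaped forms (\u002f) match like literal ones.
	args, _ := json.Marshal(r.Params.Arguments)
	if slices.ContainsFunc(p.BlockedPaths, func(re *regexp.Regexp) bool { return re.Match(args) }) {
		return deny(r.ID, "blocked argument pattern")
	}
	return nil
}

func deny(id json.RawMessage, msg string) []byte {
	e := map[string]interface{}{"code": -32001, "message": msg} // assumed error code
	out, _ := json.Marshal(map[string]interface{}{"jsonrpc": "2.0", "id": id, "error": e})
	return out
}
```

In a proxy loop, Check would run on each line read from the client before anything is written to the child server's stdin. json.Marshal escapes <, > and & as \u00XX sequences, so patterns that contain those characters need an encoder with SetEscapeHTML(false).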
Why teams start here
Community gives security and platform teams an adoption path that feels practical, not theoretical
- Protects existing workflows: Sentinel wraps the server teams already use, so developers keep their MCP tools while security gains an enforceable checkpoint.
- Easy to audit: Static JSON policy, explicit block conditions, and direct JSON-RPC errors make the security model easy to inspect and explain.
- Safe by default: Missing or invalid policy is treated as unacceptable risk, which prevents silent drift into unprotected operation.
- Fast enough for real development: Go-based transport handling keeps latency low enough for day-to-day agent usage instead of turning protection into developer friction.
Enterprise Edition
When MCP moves into regulated, identity-aware, business-critical environments, Enterprise adds the missing control layer
Enterprise Edition turns Sentinel from a strong local guardrail into a fleet-wide governance system with bidirectional inspection, redaction, centralized policy distribution, and operational resilience for security-sensitive organizations.
Bidirectional inspection
Enterprise inspects both inbound requests and outbound server responses, creating a real security boundary in both directions of the JSON-RPC flow.
DLP-style response redaction
Secrets, API keys, JWTs, private keys, PII, and organization-specific patterns can be redacted before they ever reach the MCP client.
Dynamic policy from Hub
Instead of managing local JSON files machine by machine, administrators can distribute contextual policy from Aether Hub across the fleet.
Identity-aware enforcement
Hub-connected permissions make it possible to authorize specific tools by user, role, project, or organizational context.
Central audit and SIEM routing
Structured security events can be exported into enterprise logging and SIEM systems so Sentinel fits regulated monitoring programs.
Resilient offline posture
If Hub connectivity is interrupted, Sentinel keeps operating with the last valid cached policy instead of dropping the security boundary.
Choose your rollout path
Community accelerates safe adoption. Enterprise operationalizes MCP security at organizational scale.
Both editions share the same core principle: the model is never trusted by default. Community gives you a practical boundary today. Enterprise adds the governance, identity, and compliance layer required for larger or more regulated deployments.
Community Edition
Best for developer adoption, local protection, and proving security value fast
- Transparent inline stdio proxy
- Static rules.json policy engine
- Blocked tools and blocked paths
- Fail-closed startup posture
- Live Monitor + local SSE telemetry
- Append-only local audit trail
Enterprise Edition
Best for governed fleets, sensitive data environments, and enterprise-grade auditability
- Inbound and outbound JSON-RPC inspection
- DLP-style response redaction
- Centralized policy distribution from Hub
- Identity and role-aware enforcement
- Audit relay into SIEM and security tooling
- Cached-policy resilience during Hub outages
The next step
Put an enforceable zero-trust boundary in front of every MCP workflow you care about
Start with Community to secure real agent workflows now. Move to Enterprise when you need bidirectional inspection, identity-aware control, centralized governance, and audit readiness across teams or fleets.