No AI decides what's allowed — your CEL policies do.
MCP proxy with CEL policies — single binary, full control.
Single binary · Zero config · Full audit trail
Benchmarked on M4 Pro MacBook · full interceptor chain
SentinelGate sits between AI agents and upstream MCP servers. Every action passes through a deterministic policy engine before reaching anything.
Aggregates multiple upstream MCP servers into a single endpoint. Hot-pluggable — add or remove upstreams without restart. Connected clients are notified automatically.
CEL-powered deterministic enforcement. deny delete_* means denied. Always. No probabilistic filtering, no drift. Same engine as Kubernetes and Envoy.
Content scanning, outbound control, response scanning for prompt injection, and tool drift detection with quarantine. Defense in depth without runtime hacks.
Watch the 11-step interceptor chain evaluate tool calls in real time. Allowed actions reach the upstream. Denied actions are blocked at the gate.
Built for security teams and developers who need deterministic control over AI agent actions.
Aggregates multiple upstream MCP servers. Per-tool policies. Single endpoint for your agent. Hot-pluggable upstreams.
Common Expression Language — the same engine behind Kubernetes, Firebase, and Envoy. Simple patterns for simple rules. CEL for the rest.
Safe Coding, Read Only, Research, Full Lockdown, Audit Only, Data Protection, Anti-Exfiltration. One click to apply.
Every action logged with identity, decision, timestamp, and arguments. Live SSE stream, filters, CSV export.
8-page browser interface. Policy editor, test playground, security settings, audit viewer, session replay. No config files.
API keys, roles, per-identity policies. Each agent session gets isolated credentials and separate audit trails.
Per-identity limits: max calls, writes, deletes per session. Rate limiting per minute. Deny or warn when reached.
5 types: redact, truncate, inject, dry-run, mask. Applied to responses before they reach the agent. Test in built-in sandbox.
Record every tool call with full payloads. Timeline replay in the UI, JSON/CSV export, configurable retention, privacy mode.
CEL functions using session history: call counts, write counts, action sequences, time windows. Detect read-then-exfiltrate patterns.
Detect secrets, credentials, API keys in payloads. Monitor or enforce mode. Response scanning for prompt injection.
Baseline snapshots of tool definitions. Alert on unexpected changes. Quarantine suspicious tools until resolved.
Simple tool patterns for common cases. CEL expressions when you need full power. Same engine as Kubernetes, Firebase, and Envoy.
# Tool pattern — matches all delete tools
tool_match: "delete_*"
action: "deny"
# CEL — block by content
action_arg_contains(arguments, "secret")# Only admins can run shell commands
action_name == "bash"
&& !("admin" in identity_roles)
# Block outbound to exfiltration services
dest_domain_matches(dest_domain, "*.ngrok.io")# Deny send after read (anti-exfiltration)
session_sequence("read_file", action_name)
# Rate-limit within session window
session_count_window("write_file", 60) > 10Install, configure, connect. Your agents are protected in minutes.
Single binary, zero dependencies. Install with one command, start with another.
# Install (macOS / Linux)
$ curl -sSfL https://raw.githubusercontent.com/Sentinel-Gate/Sentinelgate/main/install.sh | sh
# Start the server
$ sentinel-gate start
SentinelGate v1.1.0 started
Admin UI: http://localhost:8080/admin
MCP proxy: http://localhost:8080/mcpAdd upstream MCP servers, create identities and API keys, set policies or apply templates. Everything from the browser.
Configure SentinelGate as an MCP server in your agent's settings. Every agent connects the same way.
$ claude mcp add -s user sentinelgate \
--transport http http://localhost:8080/mcp \
-H "Authorization: Bearer <your-api-key>"{
"mcpServers": {
"sentinelgate": {
"uri": "http://localhost:8080/mcp",
"headers": {
"Authorization": "Bearer <your-api-key>"
}
}
}
}[mcp_servers.sentinelgate]
type = "http"
url = "http://localhost:8080/mcp"
[mcp_servers.sentinelgate.headers]
Authorization = "Bearer <your-api-key>"{
"mcpServers": {
"sentinelgate": {
"url": "http://localhost:8080/mcp",
"headers": {
"Authorization": "Bearer <your-api-key>"
}
}
}
}from mcp import ClientSession
from mcp.client.streamable_http import streamablehttp_client
async with streamablehttp_client(
"http://localhost:8080/mcp",
headers={"Authorization": "Bearer <your-api-key>"}
) as (read, write, _):
async with ClientSession(read, write) as session:
await session.initialize()
tools = await session.list_tools()
result = await session.call_tool("read_file", {"path": "/tmp/test.txt"})import { Client } from "@modelcontextprotocol/sdk/client/index.js";
import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";
const transport = new StreamableHTTPClientTransport(
new URL("http://localhost:8080/mcp"),
{ requestInit: { headers: { "Authorization": "Bearer <your-api-key>" } } }
);
const client = new Client({ name: "my-agent", version: "1.0" });
await client.connect(transport);
const tools = await client.listTools();
const result = await client.callTool({ name: "read_file", arguments: { path: "/tmp/test.txt" } });# List available tools
$ curl -X POST http://localhost:8080/mcp \
-H "Authorization: Bearer <your-api-key>" \
-H "Content-Type: application/json" \
-d '{"jsonrpc": "2.0", "id": 1, "method": "tools/list"}'
# Call a tool
$ curl -X POST http://localhost:8080/mcp \
-H "Authorization: Bearer <your-api-key>" \
-H "Content-Type: application/json" \
-d '{"jsonrpc": "2.0", "id": 2, "method": "tools/call",
"params": {"name": "read_file", "arguments": {"path": "/tmp/test.txt"}}}'One proxy, every agent. Configure SentinelGate as an MCP server — your agent doesn't need to know it's there.
Everything you need to secure AI agents. Free forever. Enterprise features when you need them.