Open Source · AGPL-3.0

Your agent has unrestricted access to your machine.

No AI decides what's allowed — your CEL policies do.

MCP proxy with CEL policies — single binary, full control.

Single binary · Zero config · Full audit trail · Any container or sandbox

0ms Policy eval p50
0ms Policy eval p99

Benchmarked p50/p99 on M4 Pro · full interceptor chain · go test -bench

View on GitHub Enterprise
Architecture

One proxy. Total control.

SentinelGate sits between AI agents and upstream MCP servers. Every action passes through a deterministic policy engine before reaching anything.

MCP Proxy

Aggregates multiple upstream MCP servers into a single endpoint. Hot-pluggable — add or remove upstreams without restart. Connected clients are notified automatically.

Policy Engine

CEL-powered deterministic enforcement. deny delete_* means denied. Always. No probabilistic filtering, no drift. Same engine as Kubernetes and Envoy.

Security Suite

Content scanning, outbound control, response scanning for prompt injection, and tool drift detection with quarantine. Defense in depth without runtime hacks.

Inspection Pipeline

Every call. Every time.

Watch the 14-step interceptor chain evaluate tool calls in real time. Allowed actions reach the upstream. Denied actions are blocked at the gate.

Tool call: "read_file"
Processing...
Agent
Validate
Auth
Policy
Audit
Upstream
Audit Log
Features

Everything you need. Nothing you don't.

Built for security teams and developers who need deterministic control over AI agent actions.

MCP-Native Proxy

Aggregates multiple upstream MCP servers. Per-tool policies. Single endpoint for your agent. Hot-pluggable upstreams.

CEL Policy Engine

Common Expression Language — the same engine behind Kubernetes, Firebase, and Envoy. 35 variables, 13 custom functions. Simple patterns for simple rules. CEL for the rest.

7 Policy Templates

Safe Coding, Read Only, Research, Full Lockdown, Audit Only, Data Protection, Anti-Exfiltration. One click to apply.

Full Audit Trail

Every action logged with identity, decision, timestamp, and arguments. Live SSE stream, filters, CSV export.

Admin UI

14-page browser interface. Policy editor, test playground, security settings, audit viewer, session replay. No config files.

Identity & RBAC

API keys, roles, per-identity policies. Each agent session gets isolated credentials and separate audit trails.

Budget & Quota

Per-identity limits: max calls, writes, deletes per session. Rate limiting per minute. Deny or warn when reached.

Response Transforms

5 types: redact, truncate, inject, dry_run, mask. Applied to responses before they reach the agent. Test in built-in sandbox.

Session Recording

Record every tool call with full request/response payloads. Timeline replay in the UI, JSON/CSV export, configurable retention, privacy mode.

Session-Aware Policies

CEL functions using session history: call counts, write counts, action sequences, time windows. Detect read-then-exfiltrate patterns.

Content Scanning

11 input patterns, 11 output patterns. Detect PII, secrets, and credentials in payloads. Monitor or enforce mode. Response scanning for prompt injection.

Tool Drift Detection

Baseline snapshots of tool definitions. Alert on unexpected changes. Quarantine suspicious tools until resolved.

Red Team Testing

30 built-in attack patterns across 6 categories. Tool misuse, argument manipulation, prompt injection, permission escalation, multi-step attacks. One-click CEL remediation.

Policy Decision Point

Same CEL policies for non-MCP agents. Call evaluate() from Go, Python, or Node SDKs to govern any protocol — REST, SQL, shell, custom.

Learn more →
Containers & Sandboxes

Your sandbox provides the walls. SentinelGate guards the gate.

Sandboxes and containers isolate your agent — but they can't control what it does inside. SentinelGate adds per-tool policies, content scanning, and a full audit trail to any isolated environment.

Kill Switch

One command stops all agents. One command resumes. For incidents, maintenance, or when something looks wrong.

Bootstrap

Full configuration — identities, policies, upstreams — in a single command. Built for ephemeral environments where containers are created and destroyed continuously.

Security Profiles

Three pre-built profiles: Strict (deny by default, content scanning, human approval), Standard (block destructive, allow reads), Permissive (allow all, log everything).

Ready Signal (/readyz)

Your orchestrator knows when SentinelGate is configured and protecting agents. No gap between container start and enforcement.

E2B
Docker
Kubernetes
Modal
Fly.io
Firecracker
Daytona
Podman
ECS / Fargate
systemd
LXC / LXD

Single binary. Zero dependencies. Sub-millisecond overhead. Runs anywhere your agents run.

Get Started Integration guide
Policy Decision Point

Any agent. Any protocol.

For agents that don't speak MCP — REST, SQL, shell, custom protocols — SentinelGate operates as a Policy Decision Point. Same CEL policies, same audit trail, any language.

MCP Proxy mode
Agent
SentinelGate
MCP Server
The closed gate. All traffic flows through SentinelGate. The agent cannot bypass it. Full security stack: policies, content scanning, rate limiting, kill switch.
PDP mode
Agent — "can I?"
SentinelGate — "yes / no"
Any tool (REST, SQL, shell…)
The guard you ask. Traffic never flows through SentinelGate. The agent asks permission before each action. Cooperative enforcement — policy evaluation and audit only.

Same CEL policies

Every rule you write for the MCP Proxy works with the PDP. One policy engine, two modes.

Unified audit trail

PDP decisions appear in the same audit log as MCP Proxy events. One view for everything.

Approval workflow

The PDP supports human-in-the-loop. The agent can wait for human approval before proceeding.

Standard pattern

PDP is a well-established security architecture used by OPA, AWS Verified Permissions, and NIST Zero Trust.

Python 
from sentinelgate import SentinelGateClient, PolicyDeniedError

client = SentinelGateClient()  # reads env vars

try:
    client.evaluate("api_call", "delete_user",
                    arguments={"user_id": "123"},
                    destination={"domain": "api.myapp.com"})
    requests.delete("https://api.myapp.com/users/123")
except PolicyDeniedError as e:
    print(f"Blocked: {e.rule_name}")
See all SDKs (Go, Python, Node.js) →
Admin Dashboard

See everything. Control everything.

14 pages. Zero config files. Everything from the browser.

Dashboard

Dashboard — live stats, upstream health, recent activity

Tools & Rules

Tools & Rules — policy builder, transforms, simulation

Connect Agent

Connections — connect any agent in one line

Security Posture

Security Posture — onboarding wizard, insights, suggestions

Policy Language

Explicit rules. Not AI judgment.

Simple tool patterns for common cases. CEL expressions when you need full power. Same engine as Kubernetes, Firebase, and Envoy.

DENY Block destructive operations 
# Tool pattern — matches all delete tools
tool_match: "delete_*"
action: "deny"

# CEL — block by content
action_arg_contains(arguments, "secret")
ALLOW Role-based access control 
# Only admins can run shell commands
action_name == "bash"
  && !("admin" in identity_roles)

# Block outbound to exfiltration services
dest_domain_matches(dest_domain, "*.ngrok.io")
SESSION Session-aware detection 
# Deny send after read (anti-exfiltration)
session_sequence(session_action_history, "read_file", action_name)

# Rate-limit within session window
session_count_window(session_action_history, "write_file", 60) > 10
Compliance

August 2026 is coming. Be ready.

AI agents are coming under regulation. If you deploy AI in the EU, handle healthcare data, or need to prove how your agents operate — you need auditable access control with verifiable evidence.

SentinelGate maps directly to regulatory requirements. Cryptographic evidence, audit trails, and human oversight — built in, not bolted on.

Core

EU AI Act

Articles 13–15: transparency, human oversight, accuracy, robustness & cybersecurity. Full coverage map with evidence checks and exportable compliance bundles.

Pro

SOC 2 Type II

Access control, monitoring, change management, risk mitigation. Signed evidence bundles mapped to CC6, CC7, CC8, CC9 controls.

Pro

ISO/IEC 42001

AI management system standard. Risk assessment, operational control, monitoring, and human oversight. Clause-level coverage mapping.

Pro

HIPAA Security Rule

Access control, audit logging, data integrity, authentication, transmission security. Section-level evidence mapping to §164.312.

Every decision signed with ECDSA P-256 and hash-chained. Tamper-proof audit receipts you can verify independently.

Get Started Read the Docs
Getting Started

Three steps. Zero friction.

Install, configure, connect. Your agents are protected in minutes.

Install and start SentinelGate

Single binary, zero dependencies. Install with one command, start with another.

Terminal 
# Install (macOS / Linux)
$ curl -sSfL https://raw.githubusercontent.com/Sentinel-Gate/Sentinelgate/main/install.sh | sh

# Install (Windows PowerShell)
> irm https://raw.githubusercontent.com/Sentinel-Gate/Sentinelgate/main/install.ps1 | iex

# Install (Windows CMD)
> powershell -Command "irm https://raw.githubusercontent.com/Sentinel-Gate/Sentinelgate/main/install.ps1 | iex"

# Start the server
$ sentinel-gate start

Admin UI:  http://localhost:8080/admin
Proxy:     http://localhost:8080/mcp

Also available via Docker and manual downloadsee all install options

Configure in the Admin UI

Add upstream MCP servers, create identities and API keys, set policies or apply templates. Everything from the browser.

1
Add Upstream MCP Servers Tools & Rules → Add Upstream. Stdio or HTTP servers.
2
Create Identity & API Key Connections → Create identity with roles, generate API key.
3
Set Policies Use a template (one click) or write custom CEL rules.

Connect your AI agent

Configure SentinelGate as an MCP server in your agent's settings. Every agent connects the same way.

Terminal 
$ claude mcp add --transport http sentinelgate \
    http://localhost:8080/mcp \
    --header "Authorization: Bearer <your-api-key>"
Terminal 
$ gemini mcp add --transport http -s user \
    --header "Authorization: Bearer <your-api-key>" \
    sentinelgate http://localhost:8080/mcp
Terminal 
# Add SentinelGate as MCP server
$ export SG_KEY="<your-api-key>"
$ codex mcp add sentinelgate \
    --url http://localhost:8080/mcp \
    --bearer-token-env-var SG_KEY

# NOTE: Codex does NOT persist the API key.
# The env var must be set each session.
# To make permanent: echo 'export SG_KEY="..."' >> ~/.zshrc
IDE MCP Settings 
{
  "mcpServers": {
    "sentinelgate": {
      "type": "http",
      "url": "http://localhost:8080/mcp",
      "headers": {
        "Authorization": "Bearer <your-api-key>"
      }
    }
  }
}
Python MCP Client 
import httpx
from mcp import ClientSession
from mcp.client.streamable_http import streamable_http_client

http_client = httpx.AsyncClient(
    headers={"Authorization": "Bearer <your-api-key>"}
)
async with streamable_http_client(
    "http://localhost:8080/mcp", http_client=http_client
) as (read, write, _):
    async with ClientSession(read, write) as session:
        await session.initialize()
        tools = await session.list_tools()
        result = await session.call_tool("read_file", {"path": "/tmp/test.txt"})
Node.js MCP Client 
import { Client } from "@modelcontextprotocol/sdk/client/index.js";
import { StreamableHTTPClientTransport } from "@modelcontextprotocol/sdk/client/streamableHttp.js";

const transport = new StreamableHTTPClientTransport(
  new URL("http://localhost:8080/mcp"),
  { requestInit: { headers: { "Authorization": "Bearer <your-api-key>" } } }
);
const client = new Client({ name: "my-client", version: "1.0.0" });
await client.connect(transport);

const { tools } = await client.listTools();
const result = await client.callTool({ name: "read_file", arguments: { path: "/tmp/test.txt" } });
Terminal 
# List available tools
$ curl -X POST http://localhost:8080/mcp \
  -H "Authorization: Bearer <your-api-key>" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc": "2.0", "id": 1, "method": "tools/list"}'

# Call a tool
$ curl -X POST http://localhost:8080/mcp \
  -H "Authorization: Bearer <your-api-key>" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc": "2.0", "id": 2, "method": "tools/call",
    "params": {"name": "read_file", "arguments": {"path": "/tmp/test.txt"}}}'
Python — Policy Decision Point 
# pip install sentinelgate
from sentinelgate import SentinelGateClient, PolicyDeniedError

# Reads SENTINELGATE_SERVER_ADDR + SENTINELGATE_API_KEY from env
client = SentinelGateClient()

# Ask SentinelGate before each action
try:
    client.evaluate("api_call", "delete_user",
                    arguments={"user_id": "123"},
                    destination={"domain": "api.myapp.com"})
    requests.delete("https://api.myapp.com/users/123")
except PolicyDeniedError as e:
    print(f"Blocked: {e.rule_name} — {e.reason}")
Compatibility

Connect any MCP client.

One proxy, every agent. Configure SentinelGate as an MCP server — your agent doesn't need to know it's there.

CCursor
CCodex
GGemini CLI
CClaude Code
WWindsurf
CCursor
CCodex
GGemini CLI
CClaude Code
WWindsurf
PPython SDK
NNode.js SDK
HcURL / HTTP
CClaude Code
PPython SDK
NNode.js SDK
HcURL / HTTP
CClaude Code
Pricing

Open source at the core.

Everything you need to secure AI agents. Free forever. Enterprise features when you need them.

Core

Free forever · AGPL-3.0
  • MCP Proxy & Tool Discovery
  • CEL Policy Engine (34 vars, 13 functions)
  • 7 Policy Templates
  • Visual Policy Builder
  • Policy Test Playground & Simulation
  • Session-Aware Policies
  • Full Audit Trail & CSV Export
  • Cryptographic Evidence (ECDSA P-256)
  • Admin UI (14 pages)
  • Identity & RBAC
  • Budget & Quota
  • Response Transforms
  • Session Recording & Replay
  • Content & Response Scanning
  • Tool Drift Detection & Quarantine
  • Behavioral Drift Detection
  • Permission Health & Shadow Mode
  • Namespace Isolation
  • Human-in-the-Loop Approval
  • Red Team Testing (30 patterns)
  • Agent Health Dashboard
  • FinOps Cost Explorer
  • Notification Center
  • Webhook Notifications
  • EU AI Act Compliance Pack
  • Multi-Agent Sessions
  • Policy Decision Point — Go/Python/Node SDKs
  • OpenTelemetry (stdout)
  • Multi-Upstream Aggregation
  • Container & Sandbox Support
Get Started
Enterprise

Pro Coming soon

Contact us custom licensing
  • Everything in Core, plus:
  • Enterprise SSO, OAuth 2.0, SCIM Provisioning
  • Multi-Tenancy & Team Budgets
  • SIEM & ITSM (Splunk, Datadog, ServiceNow, Jira)
  • Notifications (Slack, Teams, PagerDuty, Email)
  • Compliance Packs (SOC 2, ISO 42001, HIPAA)
  • PostgreSQL, Redis & OTLP Telemetry
  • Encryption, IP Filtering, Tamper Detection
  • Escalation Chains & Auto-Tighten
  • CI/CD Gate, Red Team Pro (70 patterns)
  • Vault Keys, Legal Hold, Dashboards
  • Priority Support & SLA

Coming soon

Contact Sales

Secure your AI agents today.

Single binary. Zero config. Full control.

Get Started Read the Docs