v0.3.1 · ALPHA · 47 TESTS PASSING

๐Ÿ›ก๏ธ mcp-bastion

The open-source security gateway for the Model Context Protocol. Inspects every tool call your AI agent makes. Enforces policy. Logs everything to a post-quantum-signed, tamper-evident audit trail.


Install from source (PyPI publish pending):

$ git clone https://github.com/OgBops/mcp-bastion.git
$ cd mcp-bastion && pip install -e ".[dev]"
$ mcp-bastion --version
mcp-bastion, version 0.3.1
47/47 tests passing · pip-audit clean · Apache 2.0 · Alpha (not production-ready)

Why this exists

01  The Model Context Protocol shipped in November 2024. Adoption is now everywhere: ChatGPT, Gemini, Copilot, Cursor, Claude. The official MCP Registry delegates security scanning to upstream package registries. There is no built-in policy layer.

02  The spec authors themselves named "gateway and proxy patterns" as an open enterprise problem on the 2026 roadmap. The gateway layer is missing on purpose, waiting for someone to build it.

03  Three pure-play AI security startups (Lakera, Protect AI, Robust Intelligence) sold to Check Point, Palo Alto, and Cisco within 12 months. The buyers are paying, but none ship MCP-protocol-native policy. mcp-bastion does.

04  Security middleware always emerges after a protocol standardizes: TCP/IP → firewalls (8 yrs), HTTP → WAFs (6 yrs), REST → API gateways (3 yrs). MCP is in year two. The window is open and short.

What it does

Wraps stdio MCP servers

Drop-in wrapper for uvx mcp-server-filesystem, npx @modelcontextprotocol/server-github, and any other stdio MCP server. Bidirectional JSON-RPC interception, bounded reads (no DoS).

Reverse-proxies HTTP MCP

Streamable HTTP transport supported. SSRF block list defends against cloud-metadata + link-local upstreams. Body-size cap and SSE chunk-boundary buffering built in.

Policy-driven

YAML policy: deny tools by glob, redact arguments by regex, require human approval for destructive calls. Backtracking-safe regex with per-call timeout.

Pins tool descriptions

SHA256 of every tool description on first sight. Alerts or blocks when a description mutates: the canonical defense against tool poisoning.
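The pinning logic described above, written out as an added illustration of the technique (not mcp-bastion's own code or data model): descriptions are hashed on first sight, a later tools/list result is compared against the pins, and any drift is reported under the tool#<hash> label the gateway uses in place of raw tool names. The tool lists, the `DescriptionPinner` class and the "alert"/"block" mode names are constructed for this example.

```python
import hashlib

# Constructed sample: what a tools/list result might contain on first sight.
TOOLS_FIRST_SIGHT = [
    {"name": "read_file", "description": "Read a file from the allowed directories."},
    {"name": "shell.exec", "description": "Run a shell command."},
]
# Constructed later snapshot from the same server: read_file's description drifted.
TOOLS_LATER = [
    {"name": "read_file", "description": "Read a file from any directory."},
    {"name": "shell.exec", "description": "Run a shell command."},
]


def tool_label(name: str) -> str:
    """Hashed stand-in for the tool name in logs and errors (tool#<8 hex chars>)."""
    return "tool#" + hashlib.sha256(name.encode()).hexdigest()[:8]


def pin_digest(description: str) -> str:
    """SHA256 of a tool description; this is the value that gets pinned."""
    return hashlib.sha256(description.encode()).hexdigest()


class DescriptionPinner:
    """Pins each tool's description on first sight and flags later mutations."""

    def __init__(self, mode: str = "block"):
        self.mode = mode                 # "alert": log and pass through; "block": drop the tool
        self.pins: dict[str, str] = {}   # tool name -> pinned description digest

    def check(self, tools: list[dict]) -> tuple[list[dict], list[str]]:
        """Return (tools allowed through, log events) for one tools/list result."""
        allowed, events = [], []
        for tool in tools:
            name = tool["name"]
            digest = pin_digest(tool.get("description", ""))
            pinned = self.pins.get(name)
            if pinned is None:                    # first sight: record the pin
                self.pins[name] = digest
                events.append(f"{tool_label(name)} pinned {digest[:12]}")
                allowed.append(tool)
            elif pinned != digest:                # drift: alert or block
                events.append(f"{tool_label(name)} description changed "
                              f"{pinned[:12]} -> {digest[:12]} ({self.mode})")
                if self.mode == "alert":
                    allowed.append(tool)
            else:                                 # unchanged: pass through
                allowed.append(tool)
        return allowed, events
```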

Prompt-injection classifier

Optional. Lazy-loads ProtectAI's fine-tuned DeBERTa to score tool descriptions. ~50ms inference. Configurable threshold + alert/block modes.

๐Ÿ”PQC-signed audit log

Every audit row signed with NIST ML-DSA-44 (FIPS 204). Hash-chained SQLite + sidecar JSONL anchor file. Public-key fingerprint pinned in the DB.
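A minimal version of the hash chain and sidecar anchor described above, added here as an illustration and not mcp-bastion's own code or schema. The per-row ML-DSA-44 signature is left out (the standard library has no implementation), so this shows only what the chain and an out-of-band anchor catch on their own: an edited row breaks its stored hash, and a fully recomputed chain or a truncated log no longer matches the anchored head. The row fields and the `demo()` rows are constructed to mirror the 60-second demo on this page.

```python
import hashlib
import json

GENESIS = "0" * 64   # prev-hash of the first row

def row_hash(prev_hash: str, row: dict) -> str:
    """Hash of one audit row chained to the previous row's hash."""
    payload = json.dumps(row, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append_row(chain: list, row: dict) -> dict:
    """Append an audit row; the stored entry carries its prev pointer and hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"row": row, "prev": prev, "hash": row_hash(prev, row)}
    chain.append(entry)
    return entry

def anchor(chain: list) -> dict:
    """Sidecar anchor record (row count, head hash), kept outside the main log."""
    return {"seq": len(chain), "head": chain[-1]["hash"] if chain else GENESIS}

def verify(chain: list, anchor_rec: dict) -> tuple[bool, str]:
    """Recompute every link, then match the head against the sidecar anchor."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return False, f"row {i}: prev pointer broken"
        if row_hash(prev, entry["row"]) != entry["hash"]:
            return False, f"row {i}: content does not match stored hash"
        prev = entry["hash"]
    if anchor_rec["seq"] != len(chain) or anchor_rec["head"] != prev:
        return False, "head does not match sidecar anchor (rows replaced or truncated)"
    return True, "chain: OK"

def demo() -> tuple[bool, tuple[bool, str]]:
    """Constructed rows mirroring the demo output, then a flipped deny decision."""
    chain = []
    for seq, (method, decision) in enumerate(
            [("tools/list", "allow"), ("tools/call", "deny"), ("tools/call", "allow")], 1):
        append_row(chain, {"seq": seq, "dir": "c2s", "method": method, "decision": decision})
    anc = anchor(chain)
    ok_before, _ = verify(chain, anc)
    chain[1]["row"]["decision"] = "allow"        # tamper: hide the denied call
    return ok_before, verify(chain, anc)
```

Without signatures, anyone who can write both the log and the anchor can rewrite history consistently; the per-row ML-DSA-44 signature with a pinned public key is what closes that gap.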

OS keychain key custody

Secret signing key lives in macOS Keychain / Linux Secret Service / Windows Credential Locker by default. Root must actively bypass it, and every read leaves an OS audit trail.

๐ŸฐNitro Enclave attestation

Run inside an AWS Nitro Enclave. Customers verify the running binary by querying /attestation with a fresh nonce and matching the PCRs against published release artifacts.

60-second demo

Real output from mcp-bastion in front of an MCP server, with a deny rule for shell.*:

[mcp-bastion #1] c2s tools/list                        → allow: default allow
[mcp-bastion #2] c2s tools/call tool#3dca4690          → deny:  tool#3dca4690 matched 'shell.*'
[mcp-bastion #3] c2s tools/call tool#1aa2befd          → allow: no rule matched

// JSON-RPC error returned to the client (upstream never saw the call):
{"jsonrpc":"2.0","id":2,"error":{"code":-32001,"message":"denied by mcp-bastion: tool#3dca4690 matched deny rule 'shell.*'"}}

$ mcp-bastion inspect-log --verify
chain: OK (ok)

Tool names appear as tool#<hash> in logs and error responses so a tool with a secret-bearing name doesn't leak through verbose output.

Threats it defends against

Threat                                            Defense
Tool poisoning / description drift                SHA256 pinning + classifier
Token exfiltration via tool args                  Regex redaction with timeout
Indirect prompt injection in tool descriptions    Optional ProtectAI DeBERTa classifier
Audit log tampering                               Hash chain + ML-DSA-44 sigs + sidecar anchor
SSRF via upstream URL                             Metadata-IP block list + path sanitization
stdio / HTTP DoS via oversized frames             Bounded reads + JSON depth cap
ReDoS via policy-supplied regex                   Pattern length cap + per-call timeout
Tool name leak via logs                           Hashed labels (tool#xxxxxxxx)
Local secret-key disclosure                       OS keychain by default
Compromised proxy binary (root attacker)          Nitro Enclave attestation

Full threat model + vulnerability disclosure policy in SECURITY.md.

Design partners wanted

We're working with a small group of teams running MCP in production. The deal:

  • You bring: a real MCP-using workload + 30 min/week of honest feedback for 8 weeks.
  • We bring: free deployment help, weekly co-dev calls, direct line to maintainers, a public testimonial after launch.

Best fit:

  • Mid-stage AI-forward companies (Cursor / Claude Code / Codex in production)
  • FinTech or HealthTech orgs with audit/compliance requirements
  • Platform engineering teams running an internal MCP server registry

Open a "Design partner inquiry" issue →

What's next

v0.3.1 is the local data-plane. The commercial cloud control plane (multi-tenant policy management, threat-intel network with differential privacy, S3 Object Lock audit anchoring, SIEM forwarding, and Nitro-attestation verification) lives in a separate repo and ships in phased milestones over the next 6 months. See CONTROL_PLANE.md for the spec.