Sentinelgate

module
v1.0.0-beta.1 Latest
Published: Feb 18, 2026 License: AGPL-3.0

README

SentinelGate

Universal firewall for AI agents.
Intercepts MCP tool calls, shell commands, file access, and HTTP requests.
RBAC · CEL policies · Full audit trail


The problem

AI agents have unrestricted access to your machine — every tool call, shell command, file read, and HTTP request runs with no policy, no authentication, and no audit trail. One prompt injection or one hallucination is all it takes.

How SentinelGate works

SentinelGate sits between the AI agent and your system. Every action is intercepted, evaluated against your policies, and logged — before it reaches anything. Denied actions are blocked at the proxy.

sequenceDiagram
    participant Agent as AI Agent
    participant SG as SentinelGate
    participant Upstream as System / MCP Server

    Agent->>SG: tools/call "delete_file"
    Note over SG: Validate · Rate limit · Auth
    Note over SG: Policy: "block-deletes" → DENY
    SG-->>Agent: Access denied by policy
    Note over Upstream: Never reached

No code changes. No agent modifications.
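
The flow in the diagram above as an added Go example (not SentinelGate's own code): a tools/call message is matched against tool-name globs and, on deny, answered with an error without the upstream being called. The Rule type, the Handle function, the first-match and default-deny ordering, and the -32000 error code are assumptions made for this illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
)

// Rule is a hypothetical policy rule: a glob over tool names and a decision.
type Rule struct {
	Name, Pattern string
	Allow         bool
}

// request holds the fields of an MCP JSON-RPC message that the check reads.
type request struct {
	ID     json.RawMessage `json:"id"`
	Method string          `json:"method"`
	Params struct {
		Name string `json:"name"`
	} `json:"params"`
}

// Handle evaluates one tools/call message. First matching rule wins; a bad
// message, a bad pattern or no match is denied (assumed default-deny).
// forward is called only on allow, so a denied call never reaches upstream.
func Handle(rules []Rule, raw []byte, forward func([]byte) []byte) []byte {
	var req request
	reason := "default-deny"
	err := json.Unmarshal(raw, &req)
	if err != nil || req.Method != "tools/call" || req.Params.Name == "" {
		reason, rules = "invalid-request", nil
	}
	for _, r := range rules {
		ok, err := path.Match(r.Pattern, req.Params.Name)
		if err == nil && ok && r.Allow {
			return forward(raw)
		}
		if err != nil || ok { // malformed pattern fails closed
			reason = r.Name
			break
		}
	}
	resp, _ := json.Marshal(map[string]any{"jsonrpc": "2.0", "id": req.ID,
		"error": map[string]any{"code": -32000, "message": "Access denied by policy", "data": reason}})
	return resp
}

func main() {
	rules := []Rule{{"block-deletes", "delete_*", false}, {"allow-reads", "read_*", true}}
	msg := []byte(`{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"delete_file"}}`) // constructed
	fmt.Println(string(Handle(rules, msg, func(b []byte) []byte { return []byte(`{"forwarded":true}`) })))
}
```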


Quick start

Install (macOS / Linux):

curl -sSfL https://raw.githubusercontent.com/Sentinel-Gate/Sentinelgate/main/install.sh | sh
Manual download or build from source

Download from GitHub Releases:

| Platform | Archive |
|---|---|
| macOS (Apple Silicon) | sentinel-gate_darwin_arm64.tar.gz |
| macOS (Intel) | sentinel-gate_darwin_amd64.tar.gz |
| Linux (x86_64) | sentinel-gate_linux_amd64.tar.gz |
| Linux (ARM64) | sentinel-gate_linux_arm64.tar.gz |
| Windows (x86_64) | sentinel-gate_windows_amd64.zip |

macOS / Linux:

tar xzf sentinel-gate_*.tar.gz
chmod +x sentinel-gate
sudo mv sentinel-gate /usr/local/bin/

Windows: extract the .zip and add sentinel-gate.exe to your PATH.

Build from source (Go 1.24+):

git clone https://github.com/Sentinel-Gate/Sentinelgate.git
cd Sentinelgate && go build -o sentinel-gate ./cmd/sentinel-gate

Run:

sentinel-gate run -- claude          # Claude Code
sentinel-gate run -- gemini          # Gemini CLI
sentinel-gate run -- python agent.py # Python agent
sentinel-gate run -- node agent.js   # Node.js agent

Open http://localhost:8080/admin to manage policies, upstreams, and identities from the browser.

run handles everything: starts the server, configures runtime hooks and HTTP proxy for your agent, generates a per-session API key, and cleans up on exit. To give your agent access to external MCP tools, add upstream servers in the Admin UI.


MCP server mode

run wraps an agent process. To run SentinelGate as a standalone MCP proxy — without wrapping an agent — use start:

sentinel-gate start

The MCP endpoint is available at http://localhost:8080/mcp. Point your client there and add the API key from the Admin UI.

Add upstream MCP servers through the Admin UI — your client sees all their tools through a single endpoint, with policies applied.


Features

Deterministic enforcement — Explicit rules, not AI judgment. deny delete_* means denied. Always. No probabilistic filtering, no drift.

MCP-native — Built as an MCP proxy from the ground up. Aggregates multiple upstream MCP servers, applies per-tool policies, and exposes a single endpoint to your client. Also intercepts shell commands, file access, and HTTP requests through runtime hooks.

CEL-powered rules — Common Expression Language, the same engine behind Kubernetes, Firebase, and Envoy:

action_arg_contains(arguments, "secret")                      // block by content
action_type == "command_exec" && !("admin" in identity_roles)  // role-based shell control
dest_domain_matches(dest_domain, "*.pastebin.com")             // outbound blocking

Simple tool patterns (read_*, delete_*) cover most cases. CEL handles the rest.
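
Wildcard domain rules such as the `*.pastebin.com` pattern above have edge cases worth testing before relying on them for outbound blocking. The following added Go example (not SentinelGate's code) shows one common matching semantics; DomainMatches and Blocked are hypothetical helpers, and whether dest_domain_matches treats the apex domain, case and trailing dots the same way is not stated on this page, so confirm it in the policy test playground.

```go
package main

import (
	"fmt"
	"strings"
)

// normalize lower-cases a hostname and drops the trailing root dot, so
// "API.Pastebin.COM." and "api.pastebin.com" compare equal.
func normalize(host string) string {
	return strings.TrimSuffix(strings.ToLower(strings.TrimSpace(host)), ".")
}

// DomainMatches (hypothetical helper) reports whether host matches pattern.
// "*.example.com" matches subdomains at any depth, on a label boundary only,
// and not example.com itself; a pattern without "*." must match exactly.
func DomainMatches(host, pattern string) bool {
	h, p := normalize(host), normalize(pattern)
	if h == "" || p == "" {
		return false
	}
	if base, ok := strings.CutPrefix(p, "*."); ok {
		return len(h) > len(base)+1 && strings.HasSuffix(h, "."+base)
	}
	return h == p
}

// Blocked returns true if any deny pattern matches the destination host.
func Blocked(host string, deny []string) bool {
	for _, p := range deny {
		if DomainMatches(host, p) {
			return true
		}
	}
	return false
}

func main() {
	deny := []string{"*.pastebin.com"} // constructed deny list
	for _, h := range []string{"api.pastebin.com", "pastebin.com", "evilpastebin.com", "API.Pastebin.COM."} {
		fmt.Printf("%-20s blocked=%v\n", h, Blocked(h, deny))
	}
}
```

Under these semantics the apex `pastebin.com` is not covered by `*.pastebin.com`, so a deny list needs both entries.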

Full audit trail — Every action logged with identity, decision, timestamp, and arguments. Stream live via SSE, filter, or export to CSV.

Admin UI — Browser-based policy editor, test playground, security settings, audit viewer. No config files, no restarts.

Identity and access control — API keys, roles, per-identity policies. Each agent session gets isolated credentials.


Admin UI

[Screenshots: Policy Rules (policy rules editor), Audit Log (audit log viewer), Security (security settings), Policy Test (policy test playground)]

Configuration

Works with zero configuration. Everything is managed from the Admin UI and persisted automatically. For infrastructure tuning, an optional YAML config is available:

server:
  http_addr: ":8080"
rate_limit:
  enabled: true
  ip_rate: 100

Full reference: Configuration · CLI · API


Limitations

SentinelGate is not an OS-level sandbox. A deliberately malicious process could bypass runtime hooks or ignore proxy settings. AI agents use standard libraries and respect these conventions, making SentinelGate effective against mistakes, prompt injection, and overreach. For adversarial isolation, combine with container or VM sandboxes. Full threat model.


SentinelGate Pro

SSO · SIEM integration · Human-in-the-loop approval · Multi-tenancy · Compliance reports — sentinelgate.co.uk

Contributing

Bug fixes, features, docs, and feedback welcome. See CONTRIBUTING.md. A CLA is required for code contributions — see CLA.md.

License

AGPL-3.0 — free to use, modify, and self-host. For commercial licensing, contact us.



Directories

Path Synopsis
cmd
sentinel-gate command
Package main is the entry point for the Sentinel Gate CLI.
sentinel-gate/cmd
Package cmd provides the CLI commands for Sentinel Gate.
internal
adapter/inbound/admin
Package admin provides web UI and JSON API handlers for Sentinel Gate.
adapter/inbound/http
Package http provides HTTP/Streamable HTTP transport for Sentinel Gate.
adapter/inbound/httpgw
Package httpgw provides the HTTP Gateway forward proxy handler.
adapter/inbound/stdio
Package stdio provides the stdio transport adapter for the proxy.
adapter/outbound/audit
Package audit provides file-based audit persistence with JSON Lines format, daily rotation, size caps, retention cleanup, and an in-memory cache.
adapter/outbound/cel
Package cel provides a CEL-based policy expression evaluator.
adapter/outbound/mcp
Package mcp provides MCP client adapters for connecting to upstream servers.
adapter/outbound/memory
Package memory provides in-memory implementations of outbound ports.
adapter/outbound/state
Package state provides file-based persistence for SentinelGate runtime state.
config
Package config provides configuration types for Sentinel Gate OSS.
ctxkey
Package ctxkey defines shared context key types used across multiple packages.
domain/action
Package action defines the CanonicalAction type system: a protocol-agnostic representation of any agent action flowing through SentinelGate.
domain/audit
Package audit contains domain types for audit logging.
domain/auth
Package auth contains the domain types and logic for authentication.
domain/policy
Package policy contains domain types for RBAC policy evaluation.
domain/proxy
Package proxy contains the core domain logic for the MCP proxy.
domain/ratelimit
Package ratelimit provides rate limiting domain types.
domain/runtime
Package runtime provides bootstrap infrastructure for the sentinel-gate run command.
domain/session
Package session manages user sessions across MCP tool calls.
domain/tool
Package tool contains domain types for tool discovery and risk classification.
domain/upstream
Package upstream contains domain types for MCP upstream server configuration.
domain/validation
Package validation provides MCP message validation logic.
port/inbound
Package inbound defines the inbound port interfaces for the proxy core.
port/outbound
Package outbound defines the outbound port interfaces for connecting to upstream MCP servers.
service
Package service provides business logic services for SentinelGate.
pkg
mcp
Package mcp provides MCP message types and JSON-RPC codec utilities for the sentinel-gate proxy.
