Your AI agent has unrestricted access to your machine.
Every tool call, shell command, and file read — unchecked.
SentinelGate intercepts every action before it executes.
Deterministic rules. From bare metal to any container or sandbox.
For developers who give AI agents MCP tool access — and need to control it.
Get Started · Website · Docs
AI agents don't just chat — they read files, run commands, call APIs, and send data externally. One prompt injection or one hallucinated action is enough to leak credentials, delete data, or exfiltrate sensitive information. And there's no undo.

- Self-hosted — your data never leaves your infrastructure.
- Container-native — one command to bootstrap, ready for orchestrators.
- Zero lock-in — one binary, runs anywhere, remove it anytime.
SentinelGate sits between the AI agent and your system. Every action is intercepted, evaluated against your policies, and logged — before it reaches anything. Denied actions are blocked at the proxy.
No code changes. No agent modifications. Single binary, zero dependencies, sub-millisecond overhead.
Your sandbox provides the walls. SentinelGate provides the guard at the gate.
Sandboxes and containers isolate your agent, but they can't control what it does inside. SentinelGate adds deterministic governance — per-tool policies, content scanning, and a full audit trail — wherever your agents run.

Install (macOS / Linux):

```sh
curl -sSfL https://raw.githubusercontent.com/Sentinel-Gate/Sentinelgate/main/install.sh | sh
```

Install (Windows PowerShell):

```powershell
irm https://raw.githubusercontent.com/Sentinel-Gate/Sentinelgate/main/install.ps1 | iex
```

Manual download or build from source
Download from GitHub Releases:
| Platform | Archive |
|---|---|
| macOS (Apple Silicon) | sentinel-gate_darwin_arm64.tar.gz |
| macOS (Intel) | sentinel-gate_darwin_amd64.tar.gz |
| Linux (x86_64) | sentinel-gate_linux_amd64.tar.gz |
| Linux (ARM64) | sentinel-gate_linux_arm64.tar.gz |
| Windows (x86_64) | sentinel-gate_windows_amd64.zip |
| Windows (ARM64) | sentinel-gate_windows_arm64.zip |
macOS / Linux:

```sh
tar xzf sentinel-gate_*.tar.gz
chmod +x sentinel-gate
sudo mv sentinel-gate /usr/local/bin/
```

Windows: extract the .zip and add sentinel-gate.exe to your PATH.
Build from source (Go 1.26+):

macOS / Linux:

```sh
git clone https://github.com/Sentinel-Gate/Sentinelgate.git
cd Sentinelgate && go build -o sentinel-gate ./cmd/sentinel-gate
```

Windows:

```powershell
git clone https://github.com/Sentinel-Gate/Sentinelgate.git
cd Sentinelgate; go build -o sentinel-gate.exe ./cmd/sentinel-gate
```

Start:
```
$ sentinel-gate start
SentinelGate 2.1.0
─────────────────────────────────────
Admin UI: http://localhost:8080/admin
Proxy: http://localhost:8080/mcp
Upstreams: 1 connected / 1 configured
Tools: 12 discovered
Rules: 0 active
─────────────────────────────────────
```

Output may vary depending on your configuration.

Open http://localhost:8080/admin to manage policies, upstreams, and identities. The MCP endpoint is http://localhost:8080/mcp — configure your agent to connect there with an API key.
Caution
The Admin UI has no built-in authentication — security is delegated to your network. On a public server, always place a firewall or reverse proxy with auth in front of port 8080. See Production Deployment and Admin Security Model.

(Demo video: sentinelgate-demo.mp4)

Bootstrap SentinelGate with a single command — identities, policies, upstreams, everything. Your orchestrator knows when it's ready (/readyz), three security profiles cover most use cases out of the box, and a kill switch stops all agents instantly.

See SentinelGate block a prompt injection attack — 30 seconds, no setup:
macOS / Linux:

```sh
cd examples/playground
./playground.sh
```

Windows PowerShell:

```powershell
cd examples\playground
.\playground.ps1
```

The script creates 3 policies, simulates 4 agent tool calls (1 allowed, 3 blocked), and cleans up after. Only needs bash + curl or PowerShell. Full walkthrough: examples/playground/README.md.

To reset everything and start fresh, run `sentinel-gate reset` or use the Command Palette (`Cmd+K`, then "reset") in the Admin UI.

Want to try inside Docker, E2B, or another sandbox? See examples/ for ready-to-run setups.
SentinelGate works with any MCP-compatible client. Point your agent to http://localhost:8080/mcp with an API key:
| Client | Setup |
|---|---|
| Claude Code | claude mcp add --transport http sentinelgate http://localhost:8080/mcp --header "Authorization: Bearer <key>" |
| Cursor / IDE | Add MCP server in settings with URL http://localhost:8080/mcp |
| Gemini CLI | MCP config with http transport |
| Codex CLI | MCP config with http transport |
| Python / Node.js / cURL | Standard HTTP with Authorization: Bearer <key> header |
Full setup snippets for each client: Connect Your Agent

Tip

Not using MCP? SentinelGate also exposes a Policy Decision Point — the same CEL policies, callable from the Go/Python/Node SDKs to govern any protocol (REST, SQL, shell, custom agents).
**Deterministic enforcement** — Explicit rules, not AI judgment. `deny delete_*` means denied. Always.

**Content scanning** — Bidirectional PII, secrets, and IPI detection on tool arguments and responses. Configurable whitelist with contextual exemptions.

```
write_file({ content: "AKIA..." }) → BLOCKED (AWS key detected)
```

**Session-aware policies** — CEL functions that use session history for context-dependent rules. Detect patterns like read-then-exfiltrate across multiple tool calls: `session_call_count`, `session_write_count`, `session_sequence`, and more.

```
session_sequence(session_action_history, "read_file", "send_email") // block read-then-exfiltrate
```
**Full audit trail** — Every action logged with identity, decision, timestamp, and arguments. Stream live via SSE, filter, or export.

**Red team testing** — 30 built-in attack patterns across 6 categories (tool misuse, argument manipulation, prompt injection, permission escalation, multi-step attacks). Interactive report with one-click remediation.

**Identity and access control** — API keys, roles, per-identity policies. Each agent gets isolated credentials.
**MCP-native** — Built as an MCP proxy. Aggregates multiple upstream servers, applies per-tool policies, exposes a single endpoint.

**CEL-powered rules** — Common Expression Language, the same engine behind Kubernetes, Firebase, and Envoy:

```
action_arg_contains(arguments, "secret")                  // block by content
action_name == "bash" && !("admin" in identity_roles)    // role-based shell control
dest_domain_matches(dest_domain, "*.pastebin.com")       // outbound blocking
```

Simple tool patterns (`read_*`, `delete_*`) cover most cases. CEL handles the rest. More policy examples →
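To make the rule types above concrete, here is an added, self-contained Python sketch of a policy evaluator that applies a `delete_*` glob rule, the role-gated `bash` rule, an argument content scan for AWS access key IDs, and the `session_sequence` read-then-exfiltrate check to a constructed four-call agent session. It is illustrative code written for this README, not SentinelGate's own CEL engine or built-in detectors, and the key pattern, rule ordering, and sample calls are assumptions.

```python
import fnmatch
import re
from typing import Dict, List, Optional

# Constructed pattern for AWS access key IDs (the "AKIA..." case above);
# illustrative only, not SentinelGate's built-in detector.
AWS_ACCESS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

def session_sequence(history: List[str], first: str, then: str) -> bool:
    """True if `first` occurs in the session before a later `then` call."""
    try:
        idx = history.index(first)
    except ValueError:
        return False
    return then in history[idx + 1:]

def evaluate(action_name: str, arguments: Dict[str, str],
             identity_roles: List[str], history: List[str]) -> Optional[str]:
    """Return a deny reason, or None when the call is allowed.
    Rules mirror the README's examples: deny delete_*, role-gate bash,
    block AWS keys in arguments, block read-then-exfiltrate sequences."""
    if fnmatch.fnmatch(action_name, "delete_*"):
        return "deterministic rule: deny delete_*"
    if action_name == "bash" and "admin" not in identity_roles:
        return "role-based shell control: bash requires admin"
    for key, value in arguments.items():
        if AWS_ACCESS_KEY_RE.search(value):
            return f"content scan: AWS key detected in '{key}'"
    if session_sequence(history + [action_name], "read_file", "send_email"):
        return "session rule: read-then-exfiltrate pattern"
    return None

def run_session(calls, identity_roles):
    """Evaluate calls in order; only allowed calls enter the session history."""
    history: List[str] = []
    decisions = []
    for name, args in calls:
        reason = evaluate(name, args, identity_roles, history)
        decisions.append((name, "ALLOW" if reason is None else f"DENY: {reason}"))
        if reason is None:
            history.append(name)
    return decisions

SAMPLE_CALLS = [  # constructed agent session, not the playground script's calls
    ("read_file", {"path": "/etc/hosts"}),
    ("delete_file", {"path": "/tmp/notes.txt"}),
    ("write_file", {"content": "aws_key=AKIAIOSFODNN7EXAMPLE"}),
    ("send_email", {"to": "someone@example.org", "body": "report attached"}),
]
if __name__ == "__main__":
    for name, decision in run_session(SAMPLE_CALLS, ["developer"]):
        print(f"{name:12} {decision}")
```

Note that the last call is denied only because the earlier `read_file` was allowed into the session history; a real deployment would decide whether denied calls should also count toward sequence rules.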
**Admin UI** — Browser-based policy editor, test playground, security settings, audit viewer. No config files, no restarts.

**Kill switch** — One command stops all agents instantly. One command resumes. For incidents, maintenance, or when something looks wrong.

**Bootstrap** — Full configuration — identities, policies, upstreams — in a single command. Designed for containers and sandboxes where environments are created and destroyed continuously.

**Security profiles** — Three pre-built bootstrap profiles: Strict (deny by default, content scanning, human approval for critical ops), Standard (block destructive ops, allow reads, monitor content), Permissive (allow all, log everything). Start strict, relax as you gain confidence.
More features (16)
- **Policy templates** — Seven pre-built security profiles (Safe Coding, Read Only, Research Mode, Full Lockdown, Audit Only, Data Protection, Anti-Exfiltration). One click to apply, fully customizable after.
- **Budget and quota** — Per-identity usage limits: max calls, writes, deletes per session, rate limiting per minute. Deny or warn when limits are reached. Live progress tracking on the dashboard.
- **Response transformation** — Five transform types applied to tool responses before they reach the agent: redact (regex-based), truncate (size limits), inject (prepend/append warnings), dry-run (mock responses), mask (partial reveal). Test in the built-in sandbox.
- **Session recording** — Record every tool call with full request/response payloads. Timeline replay in the UI, export to JSON or CSV, configurable retention, privacy mode (record metadata only).
- **Cryptographic evidence** — Every decision signed with ECDSA P-256 and hash-chained. Tamper-evident audit receipts for compliance. EU AI Act-ready compliance bundles with coverage mapping.
- **Tool integrity** — Hash-based baseline for tool definitions, drift detection on schema changes, quarantine for mutated tools, diff viewer.
- **Behavioral drift detection** — 14-day baseline vs current behavior comparison. Detects tool distribution shifts, deny rate changes, temporal anomalies, and argument pattern drift.
- **Agent health dashboard** — Per-agent health metrics (deny rate, drift score, violations) with 30-day sparklines, baseline comparison, and cross-agent overview. CEL variables for health-based policies.
- **Permission health & shadow mode** — Identifies over-privileged agents by comparing granted vs actual tool usage. Auto-tighten suggestions with one-click apply.
- **FinOps cost explorer** — Per-tool cost estimation, per-identity budgets with threshold alerts, cost drill-down, budget guardrail creation via Policy Builder.
- **Namespace isolation** — Role-based tool visibility with whitelist/blacklist glob patterns.
- **OpenTelemetry export** — Stdout span export for every tool call with identity, decision, and latency.
- **Human-in-the-loop** — Escrow workflow for sensitive operations. Approve/deny with decision context, session trail, and signed audit note.
- **Readyz endpoint** — /readyz signals your orchestrator that SentinelGate is configured and ready to protect agents. No gap between container start and protection.
- **Custom content patterns** — Add your own detection patterns for company-specific sensitive data: internal codes, proprietary API key formats, customer identifiers. On top of the 22 built-in patterns.
- **Policy Decision Point** — For agents that don't speak MCP (REST, SQL, shell, custom). Call evaluate() from the Go, Python, or Node SDKs to enforce the same CEL policies on any protocol. Same audit trail, cooperative enforcement.
Screenshots: Tools & Rules, Audit Log, Content Scanning, Policy Test.
14 pages: Dashboard, Onboarding, Getting Started, Tools & Rules (with Transforms, Policy Test, and Simulation tabs), Access (with Quota management), Audit Log, Sessions, Notifications, Compliance, Permissions, Security, Red Team, FinOps, and Clients (with Agent Health).
Note
Works with zero configuration. Everything is managed from the Admin UI and persisted automatically.
For infrastructure tuning, an optional YAML config is available:

```yaml
server:
  http_addr: ":8080"
  rate_limit:
    enabled: true
    ip_rate: 100
```

Full reference: Configuration · CLI · API
Caution
SentinelGate is an MCP proxy — it controls what tools and data your agents can access through the MCP protocol. It is effective against mistakes, prompt injection, and overreach. For full OS-level isolation, combine it with container or VM sandboxes. For agents that don't use MCP (REST, SQL, shell, custom protocols), see the Policy Decision Point.
Full threat model.
Extended retention · SIEM integration · SSO · Multi-tenancy · Advanced FinOps with billing API integration · Cross-agent health export — sentinelgate.co.uk

Found a vulnerability? See Security.md for responsible disclosure and patch SLA.

Bug fixes, features, docs, and feedback welcome. See CONTRIBUTING.md. A CLA is required for code contributions — see CLA.md.

AGPL-3.0 — free to use, modify, and self-host. For commercial licensing, contact us.