DEV Community

Andrea

Your MCP agents have no guardrails. Here's how to fix that.

You give Claude Code access to your company files. It can read everything in that directory, write anywhere the process can write, and delete anything it can reach.

You connect Cursor to your internal APIs. Every developer on your team gets the same access. There's no way to say "read-only for interns" or "no access to billing endpoints". There's no log of who called what.

This is how MCP is typically used today — powerful, but with no standardised guardrails at the tool-call layer.

What Sentinel Gate does

Sentinel Gate is a proxy that sits between your AI clients and your MCP servers. Every tool call passes through a security chain before it reaches the upstream:

  1. Authentication — which agent is making this request?
  2. Policy evaluation — is this tool call allowed for this identity?
  3. Audit logging — record the decision, the rule that matched, the timestamp

If the policy says deny, the request never reaches the MCP server. The agent gets an error. The upstream doesn't know someone asked.

Your AI clients don't know Sentinel Gate exists. They see a single MCP endpoint. All enforcement happens transparently.

Deterministic rules

Policies use CEL (Common Expression Language):

```cel
tool_name == "write_file" && !("editor" in user_roles)
```

This blocks write_file for anyone without the editor role. No LLM in the security path and no probabilistic intent detection: the rule either matches or it doesn't, so the same call from the same identity always gets the same decision. A rule can only see what the proxy binds into the expression (here the tool name and the caller's roles), so anything a decision should depend on has to be exposed as a variable.

There's a policy playground in the admin UI where you can test rules before deploying them.
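To make the three-step chain and the deterministic-rule idea concrete, here is a hypothetical model of such a proxy in Python. It is an added example, not Sentinel Gate's code: it authenticates a JSON-RPC `tools/call` request from a bearer API key, evaluates ordered rules written in a Python-expression subset (standing in for CEL, with the syntax whitelisted at the AST level so a rule cannot call functions or reach attributes), writes one audit record per call, and answers a denied call with a JSON-RPC error without ever forwarding it. The identity store, rule names, tool names and the error codes are all constructed for the example.

```python
"""Hypothetical MCP policy-proxy chain: authenticate, evaluate rules, audit.
Added example, not Sentinel Gate's code. Keys, users, rules and error codes
are constructed for illustration."""
import ast
import time

# Constructed identity store: bearer API key -> identity.
IDENTITIES = {
    "sg_key_alice": {"user": "alice", "roles": ["editor"]},
    "sg_key_bob": {"user": "bob", "roles": ["intern"]},
}

# A rule may contain only comparisons, boolean logic, names and literals.
# Calls, attributes, subscripts and comprehensions are rejected, so a rule
# can reach nothing but the variables the proxy binds (tool_name, user_roles, user).
_ALLOWED = (
    ast.Expression, ast.BoolOp, ast.UnaryOp, ast.Compare, ast.Name,
    ast.Constant, ast.Tuple, ast.List, ast.And, ast.Or, ast.Not,
    ast.Eq, ast.NotEq, ast.In, ast.NotIn, ast.Load,
)


def compile_rule(expr: str):
    """Parse a rule and reject any syntax outside the whitelist."""
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError(f"disallowed syntax in rule: {type(node).__name__}")
    return compile(tree, "<rule>", "eval")


# Rules are evaluated in order; the first match decides. Unmatched calls are denied.
RULES = [
    ("deny-write-for-non-editors",
     'tool_name == "write_file" and "editor" not in user_roles', "deny"),
    ("deny-billing-without-role",
     'tool_name in ("billing_list_invoices", "billing_refund")'
     ' and "billing" not in user_roles', "deny"),
    ("allow-known-tools",
     'tool_name in ("read_file", "write_file", "list_dir",'
     ' "billing_list_invoices", "billing_refund")', "allow"),
]
COMPILED_RULES = [(n, compile_rule(e), eff) for n, e, eff in RULES]


def jsonrpc_error(request, code, message):
    return {"jsonrpc": "2.0", "id": request.get("id"),
            "error": {"code": code, "message": message}}


def authenticate(headers):
    """Step 1: map the bearer key to an identity, or None if unknown."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return IDENTITIES.get(auth[len("Bearer "):])


def evaluate_policy(identity, tool_name):
    """Step 2: deterministic decision, returns (allowed, matched_rule)."""
    env = {"tool_name": tool_name, "user_roles": list(identity["roles"]),
           "user": identity["user"]}
    for name, code, effect in COMPILED_RULES:
        if eval(code, {"__builtins__": {}}, env):  # AST whitelisted, no builtins
            return effect == "allow", name
    return False, "default-deny"


def handle_tool_call(request, headers, audit):
    """Run the chain for one tools/call request, appending one audit record."""
    tool_name = request["params"]["name"]
    record = {"ts": time.time(), "tool": tool_name}
    identity = authenticate(headers)
    if identity is None:
        record.update(user=None, decision="deny", rule="unauthenticated")
        audit.append(record)
        return jsonrpc_error(request, -32001, "unauthenticated")  # code chosen for example
    allowed, rule = evaluate_policy(identity, tool_name)
    # Step 3: identity, decision and matched rule are logged whatever the outcome.
    record.update(user=identity["user"], decision="allow" if allowed else "deny", rule=rule)
    audit.append(record)
    if not allowed:
        # The upstream MCP server never sees this request.
        return jsonrpc_error(request, -32003, f"denied by rule {rule}")
    # Stand-in for forwarding to the upstream server and relaying its reply.
    return {"jsonrpc": "2.0", "id": request.get("id"),
            "result": {"forwarded_to_upstream": True}}


def tool_call(call_id, name, arguments):
    """Build a JSON-RPC 2.0 tools/call request (constructed client input)."""
    return {"jsonrpc": "2.0", "id": call_id, "method": "tools/call",
            "params": {"name": name, "arguments": arguments}}


if __name__ == "__main__":
    log = []
    bob = {"Authorization": "Bearer sg_key_bob"}
    print(handle_tool_call(tool_call(1, "write_file", {"path": "notes.md"}), bob, log))
    print(handle_tool_call(tool_call(2, "read_file", {"path": "notes.md"}), bob, log))
    for rec in log:
        print(rec)
```

Two design points carry over to any real proxy: the policy layer defaults to deny when no rule matches, so adding a new upstream tool does not silently expose it, and the rule language is validated before it is ever evaluated, so the playground and the enforcement path share the same parser and a rule that would not compile is rejected at authoring time rather than at call time.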

What's included

Admin UI — manage servers, rules, identities, and API keys from the browser. No config files, no restarts.

Multi-server aggregation — connect multiple MCP servers and expose them as a single endpoint. Your agents see one unified tool list.

Audit trail — every call logged with identity, decision, matched rule. Real-time streaming, CSV export.

Rate limiting — per-IP and per-user limits at the proxy level.

Quick start

```bash
# This asset is the macOS (Apple Silicon) build; pick the one matching your OS and architecture from the releases page.
curl -L https://github.com/Sentinel-Gate/Sentinelgate/releases/latest/download/sentinel-gate-darwin-arm64 -o sentinel-gate
chmod +x sentinel-gate
./sentinel-gate start
```

Open http://localhost:8080/admin. Add your MCP servers, create rules, generate an API key, point your AI client to the proxy. Done.

Core vs Pro

Core is open source (AGPL-3.0): policy engine, audit logging, rate limiting, admin UI, multi-server support.

Pro adds: SSO/SAML, SIEM integration, human-in-the-loop approvals, content scanning, compliance reporting. Details at sentinelgate.co.uk.

Looking for feedback

If you're running MCP agents against anything that matters — databases, internal tools, customer data — and you've thought about access control, I'd like to hear what's missing.

GitHub: https://github.com/Sentinel-Gate/Sentinelgate
