<h1 align="center">SentinelGate</h1>
<p align="center">
<strong>Your AI agent has unrestricted access to your machine.</strong><br>
Every tool call, shell command, and file read — unchecked.<br><br>
SentinelGate intercepts every action before it executes.<br>
Deterministic rules. From bare metal to any container or sandbox.<br><br>
<sub>For developers who give AI agents MCP tool access — and need to control it.</sub>
</p>
<p align="center">
<a href="https://github.com/Sentinel-Gate/Sentinelgate/actions/workflows/ci.yml"><img src="https://img.shields.io/github/actions/workflow/status/Sentinel-Gate/Sentinelgate/ci.yml?style=flat-square&label=CI" alt="CI"></a>
<a href="LICENSE"><img src="https://img.shields.io/badge/License-AGPL--3.0-blue?style=flat-square" alt="License: AGPL-3.0"></a>
<a href="https://go.dev"><img src="https://img.shields.io/badge/Go-1.26+-00ADD8?style=flat-square&logo=go&logoColor=white" alt="Go 1.26+"></a>
<a href="https://github.com/Sentinel-Gate/Sentinelgate/releases"><img src="https://img.shields.io/badge/Release-v2.1-brightgreen?style=flat-square" alt="Release v2.1"></a>
</p>
<p align="center">
<a href="https://e2b.dev"><img src="https://img.shields.io/badge/Works%20with-E2B-ff8800?style=flat-square" alt="Works with E2B"></a>
<a href="https://www.docker.com"><img src="https://img.shields.io/badge/Works%20with-Docker-2496ED?style=flat-square&logo=docker&logoColor=white" alt="Works with Docker"></a>
<a href="https://kubernetes.io"><img src="https://img.shields.io/badge/Works%20with-Kubernetes-326CE5?style=flat-square&logo=kubernetes&logoColor=white" alt="Works with Kubernetes"></a>
<a href="https://modal.com"><img src="https://img.shields.io/badge/Works%20with-Modal-000000?style=flat-square" alt="Works with Modal"></a>
<a href="https://fly.io"><img src="https://img.shields.io/badge/Works%20with-Fly.io-8B5CF6?style=flat-square" alt="Works with Fly.io"></a>
</p>
<details align="center">
<summary><img src="https://img.shields.io/badge/+6%20more-platforms-555555?style=flat-square" alt="+6 more platforms"></summary>
<p>
<a href="https://firecracker-microvm.github.io"><img src="https://img.shields.io/badge/Works%20with-Firecracker-FF9900?style=flat-square" alt="Works with Firecracker"></a>
<a href="https://podman.io"><img src="https://img.shields.io/badge/Works%20with-Podman-892CA0?style=flat-square&logo=podman&logoColor=white" alt="Works with Podman"></a>
<a href="https://daytona.io"><img src="https://img.shields.io/badge/Works%20with-Daytona-000000?style=flat-square" alt="Works with Daytona"></a>
<a href="https://aws.amazon.com/ecs"><img src="https://img.shields.io/badge/Works%20with-ECS%20%2F%20Fargate-FF9900?style=flat-square&logo=amazonaws&logoColor=white" alt="Works with ECS / Fargate"></a>
<a href="https://systemd.io"><img src="https://img.shields.io/badge/Works%20with-systemd-333333?style=flat-square" alt="Works with systemd"></a>
<a href="https://linuxcontainers.org"><img src="https://img.shields.io/badge/Works%20with-LXC%20%2F%20LXD-333333?style=flat-square" alt="Works with LXC / LXD"></a>
</p>
</details>
<p align="center">
<a href="#quick-start">Get Started</a> · <a href="https://www.sentinelgate.co.uk">Website</a> · <a href="docs/Guide.md">Docs</a>
</p>
<p align="center">
<img src="assets/sentinelgate-demo.gif" width="720" alt="SentinelGate demo">
</p>
---
## 🛡️ Why
AI agents don't just chat — they read files, run commands, call APIs, and send data externally. One prompt injection or one hallucinated action is enough to leak credentials, delete data, or exfiltrate sensitive information. And **there's no undo**.
### Why SentinelGate
🏠 **Self-hosted** — your data never leaves your infrastructure.
📦 **Container-native** — one command to bootstrap, ready for orchestrators.
🔓 **Zero lock-in** — one binary, runs anywhere, remove it anytime.
---
## ⚙️ How SentinelGate works
SentinelGate sits between the AI agent and your system. Every action is intercepted, evaluated against your policies, and logged — before it reaches anything. Denied actions are blocked at the proxy.
<p align="center">
<img src="assets/diagram-how-it-works-2.svg" width="720" alt="How SentinelGate works">
</p>
No code changes. No agent modifications. Single binary, zero dependencies, sub-millisecond overhead.
<p align="center">
<img src="assets/screenshot-hero.png" width="820" alt="Tools & Rules with per-tool Allow/Deny enforcement">
</p>
### Works inside any sandbox or container
Your sandbox provides the walls. SentinelGate provides the guard at the gate.
Sandboxes and containers isolate your agent, but they can't control what it does inside. SentinelGate adds deterministic governance — per-tool policies, content scanning, and full audit trail — wherever your agents run.
[Full integration guide →](docs/Guide.md#container--cloud-deployment)
---
## 🚀 Quick start
**Install** (macOS / Linux):
```bash
curl -sSfL https://raw.githubusercontent.com/Sentinel-Gate/Sentinelgate/main/install.sh | sh
```
**Install** (Windows PowerShell):
```powershell
irm https://raw.githubusercontent.com/Sentinel-Gate/Sentinelgate/main/install.ps1 | iex
```
<details>
<summary>Manual download or build from source</summary>
**Download** from [GitHub Releases](https://github.com/Sentinel-Gate/Sentinelgate/releases):
| Platform | Archive |
|----------|---------|
| macOS (Apple Silicon) | `sentinel-gate_darwin_arm64.tar.gz` |
| macOS (Intel) | `sentinel-gate_darwin_amd64.tar.gz` |
| Linux (x86_64) | `sentinel-gate_linux_amd64.tar.gz` |
| Linux (ARM64) | `sentinel-gate_linux_arm64.tar.gz` |
| Windows (x86_64) | `sentinel-gate_windows_amd64.zip` |
| Windows (ARM64) | `sentinel-gate_windows_arm64.zip` |
**macOS / Linux:**
```bash
tar xzf sentinel-gate_*.tar.gz
chmod +x sentinel-gate
sudo mv sentinel-gate /usr/local/bin/
```
**Windows:** extract the `.zip` and add `sentinel-gate.exe` to your `PATH`.
**Build from source** (Go 1.26+):
macOS / Linux:
```bash
git clone https://github.com/Sentinel-Gate/Sentinelgate.git
cd Sentinelgate && go build -o sentinel-gate ./cmd/sentinel-gate
```
Windows:
```powershell
git clone https://github.com/Sentinel-Gate/Sentinelgate.git
cd Sentinelgate; go build -o sentinel-gate.exe ./cmd/sentinel-gate
```
</details>
**Start:**
```bash
$ sentinel-gate start
SentinelGate 2.1.0
─────────────────────────────────────
Admin UI: http://localhost:8080/admin
Proxy: http://localhost:8080/mcp
Upstreams: 1 connected / 1 configured
Tools: 12 discovered
Rules: 0 active
─────────────────────────────────────
```
> Output may vary depending on your configuration.
Open **http://localhost:8080/admin** to manage policies, upstreams, and identities. The MCP endpoint is **http://localhost:8080/mcp** — configure your agent to connect there with an API key.
> [!CAUTION]
> The Admin UI has no built-in authentication — security is delegated to your network. On a public server, always place a firewall or reverse proxy with auth in front of port 8080. See [Production Deployment](docs/Guide.md#production-deployment-tls) and [Admin Security Model](Admin-security-model.md).
<p align="center">
<video src="https://github.com/user-attachments/assets/2cb6864e-f00e-4b9e-9c39-b3523c77d50b" width="720" controls autoplay loop muted></video>
</p>
---
## Container & sandbox quickstart
Bootstrap SentinelGate with a single command — identities, policies, upstreams, everything. Your orchestrator knows when it's ready (`/readyz`), three security profiles cover most use cases out of the box, and a kill switch stops all agents instantly.
[Setup guide →](docs/Guide.md#2-quick-start)
---
## 🎮 Playground
See SentinelGate block a prompt injection attack — 30 seconds, no setup:
**macOS / Linux:**
```bash
cd examples/playground
./playground.sh
```
**Windows PowerShell:**
```powershell
cd examples\playground
.\playground.ps1
```
The script creates 3 policies, simulates 4 agent tool calls (1 allowed, 3 blocked), and cleans up after. Only needs bash + curl or PowerShell. Full walkthrough: [examples/playground/README.md](examples/playground/README.md).
To reset everything and start fresh, run `sentinel-gate reset` or use the Command Palette (`Cmd+K` → "reset") in the Admin UI.
**Want to try inside Docker, E2B, or another sandbox?** See [examples/](examples/) for ready-to-run setups.
---
## 🔌 Connect your agent
SentinelGate works with any MCP-compatible client. Point your agent to `http://localhost:8080/mcp` with an API key:
| Client | Setup |
|--------|-------|
| Claude Code | `claude mcp add --transport http sentinelgate http://localhost:8080/mcp --header "Authorization: Bearer <key>"` |
| Cursor / IDE | Add MCP server in settings with URL `http://localhost:8080/mcp` |
| Gemini CLI | MCP config with `http` transport |
| Codex CLI | MCP config with `http` transport |
| Python / Node.js / cURL | Standard HTTP with `Authorization: Bearer <key>` header |
Full setup snippets for each client: [Connect Your Agent](docs/Guide.md#4-agent-configuration)
> [!TIP]
> **Not using MCP?** SentinelGate also exposes a [Policy Decision Point](docs/Guide.md#14-policy-decision-api-pdp) — same CEL policies, callable from Go/Python/Node SDKs to govern any protocol (REST, SQL, shell, custom agents).
---
## ✨ Features
**Deterministic enforcement** — Explicit rules, not AI judgment. `deny delete_*` means denied. Always.
**Content scanning** — Bidirectional detection of PII, secrets, and indirect prompt injection (IPI) in tool arguments and in upstream responses. Configurable whitelist with contextual exemptions (per tool, per argument).
```
write_file({ content: "AKIA..." }) → BLOCKED (AWS key detected)
```
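To make the scanning step concrete, here is an added example (not SentinelGate's own code) of a scanner that walks every string in a tool call's arguments or response, runs a small detector set, and honours contextual exemptions. The detector set, the `Exemption` shape, the `decide()` helper and the sample calls are assumptions made for illustration; the AWS key ID used as input is the placeholder value AWS publishes in its own documentation, not a live credential.

```python
"""Content scanner for MCP tool-call arguments and responses.

Added example, not SentinelGate's own code. It walks every string in a
tool call (request arguments or the upstream response), runs a small
detector set, and applies contextual exemptions. The detector set, the
Exemption shape and the sample calls are assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Any, Iterator, List, Optional, Sequence, Tuple

# Assumed detector set. The product ships its own built-in patterns; the
# last entry stands in for a company-specific "custom content pattern".
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "acme_customer_id": re.compile(r"\bACME-\d{6}\b"),  # hypothetical custom pattern
}


@dataclass
class Finding:
    pattern: str   # detector name
    path: str      # JSON path of the string that matched
    match: str     # matched text (redact before logging in production)


@dataclass(frozen=True)
class Exemption:
    """Whitelist entry. Every field that is set must match; unset fields
    match anything, so an Exemption() with no fields exempts everything."""
    value: Optional[str] = None   # exact matched text
    tool: Optional[str] = None    # only when this tool is called
    path: Optional[str] = None    # only at this argument path

    def covers(self, tool: str, path: str, value: str) -> bool:
        return ((self.value is None or self.value == value)
                and (self.tool is None or self.tool == tool)
                and (self.path is None or self.path == path))


def walk(obj: Any, path: str = "$") -> Iterator[Tuple[str, str]]:
    """Yield (json_path, text) for every string nested in obj."""
    if isinstance(obj, str):
        yield path, obj
    elif isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk(v, f"{path}.{k}")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk(v, f"{path}[{i}]")


def scan(tool: str, payload: Any, exemptions: Sequence[Exemption] = ()) -> List[Finding]:
    findings: List[Finding] = []
    for path, text in walk(payload):
        for name, rx in PATTERNS.items():
            for m in rx.finditer(text):
                if any(e.covers(tool, path, m.group(0)) for e in exemptions):
                    continue
                findings.append(Finding(name, path, m.group(0)))
    return findings


def decide(tool: str, payload: Any, mode: str = "enforce",
           exemptions: Sequence[Exemption] = ()) -> Tuple[str, List[Finding]]:
    """Scan one direction of a tool call. 'enforce' blocks on any finding;
    'monitor' only reports. Call it on the arguments before forwarding the
    call upstream and again on the response before it reaches the agent."""
    findings = scan(tool, payload, exemptions)
    if not findings:
        return "ALLOWED", findings
    return ("BLOCKED" if mode == "enforce" else "MONITOR"), findings


if __name__ == "__main__":
    # Constructed sample calls. AKIAIOSFODNN7EXAMPLE is the placeholder
    # access key ID from AWS's own documentation, not a live credential.
    print(decide("write_file", {"path": "notes.md",
                                "content": "key=AKIAIOSFODNN7EXAMPLE"}))
    # Recipient addresses are expected in send_email's "to" field, so
    # exempt the email detector there but keep scanning the body.
    allow_to = [Exemption(tool="send_email", path="$.to")]
    print(decide("send_email", {"to": "ops@example.com",
                                "body": {"text": "ticket ACME-123456"}},
                 exemptions=allow_to))
```

Run `decide()` twice per call, once on the arguments and once on the response. Log the finding's pattern and path rather than the matched secret, and keep exemptions as narrow as the `tool` and `path` fields allow: a value-only exemption for a documentation sample key is fine on `read_file` but should not silence the same key on `write_file`.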
**Session-aware policies** — CEL functions that use session history for context-dependent rules. Detect patterns like read-then-exfiltrate across multiple tool calls: `session_call_count`, `session_write_count`, `session_sequence`, and more.
```cel
session_sequence(session_action_history, "read_file", "send_email") // block read-then-exfiltrate
```
**Full audit trail** — Every action logged with identity, decision, timestamp, and arguments. Stream live via SSE, filter, or export.
**Red team testing** — 30 built-in attack patterns across 6 categories (including tool misuse, argument manipulation, prompt injection, permission escalation, and multi-step attacks). Interactive report with one-click remediation.
**Identity and access control** — API keys, roles, per-identity policies. Each agent gets isolated credentials.
**MCP-native** — Built as an [MCP](https://modelcontextprotocol.io) proxy. Aggregates multiple upstream servers, applies per-tool policies, exposes a single endpoint.
**CEL-powered rules** — [Common Expression Language](https://github.com/google/cel-go), the same engine behind Kubernetes, Firebase, and Envoy:
```cel
action_arg_contains(arguments, "secret") // block by content
action_name == "bash" && !("admin" in identity_roles) // role-based shell control
dest_domain_matches(dest_domain, "*.pastebin.com") // outbound blocking
```
Simple tool patterns (`read_*`, `delete_*`) cover most cases. CEL handles the rest. [More policy examples →](docs/Guide.md#example-policies)
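The session-aware policies and CEL rules above can be seen end to end in this added example, which is not SentinelGate code and uses plain Python rather than CEL (the project's actual rule engine). It evaluates an ordered rule list with glob tool patterns, a role check, destination-domain matching and a read-then-exfiltrate `session_sequence` check over one constructed agent session. The rule shape, the ordered-subsequence semantics assumed for `session_sequence`, the `default` switch standing in for the Strict and Standard profiles, and the sample calls are all assumptions.

```python
"""Deterministic rule evaluation over one agent session.

Added example, not SentinelGate code. The product evaluates CEL; this
block re-implements the README's rule ideas in plain Python so the
evaluation order, the role check and the session-history functions can
be watched working. Rule shape, the ordered-subsequence semantics
assumed for session_sequence, the default-deny/allow switch (standing in
for the Strict and Standard profiles) and the sample session are all
assumptions."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Any, Callable, Dict, Iterator, List, Set, Tuple


@dataclass
class Call:
    tool: str
    arguments: Dict[str, Any]
    dest_domain: str = ""       # outbound host for network tools, if any


@dataclass
class Session:
    identity: str
    roles: Set[str]
    history: List[Call] = field(default_factory=list)  # calls that actually ran


def strings(obj: Any) -> Iterator[str]:
    """Yield every string nested in JSON-like arguments."""
    if isinstance(obj, str):
        yield obj
    elif isinstance(obj, (dict, list)):
        for v in (obj.values() if isinstance(obj, dict) else obj):
            yield from strings(v)


# Plain-Python stand-ins for the CEL helpers named in the README.
def action_arg_contains(arguments: Any, needle: str) -> bool:
    return any(needle.lower() in s.lower() for s in strings(arguments))


def dest_domain_matches(domain: str, pattern: str) -> bool:
    # "*.pastebin.com" matches subdomains only; add a second rule for
    # "pastebin.com" if the apex host should be covered too.
    return bool(domain) and fnmatchcase(domain.lower(), pattern.lower())


def session_call_count(session: Session, pattern: str = "*") -> int:
    return sum(fnmatchcase(c.tool, pattern) for c in session.history)


def session_sequence(session: Session, call: Call, *tools: str) -> bool:
    """True if the tools appear in this order (gaps allowed) in the
    session history with the current call appended."""
    it = iter(session.history + [call])
    return all(any(c.tool == t for c in it) for t in tools)


@dataclass
class Rule:
    name: str
    when: Callable[[Call, Session], bool]
    effect: str                 # "allow" or "deny"


# First matching rule wins; the default applies when nothing matches.
RULES: List[Rule] = [
    Rule("deny-destructive", lambda c, s: fnmatchcase(c.tool, "delete_*"), "deny"),
    Rule("no-secrets-in-args", lambda c, s: action_arg_contains(c.arguments, "secret"), "deny"),
    Rule("shell-admin-only", lambda c, s: c.tool == "bash" and "admin" not in s.roles, "deny"),
    Rule("no-paste-sites", lambda c, s: dest_domain_matches(c.dest_domain, "*.pastebin.com"), "deny"),
    Rule("read-then-exfiltrate", lambda c, s: session_sequence(s, c, "read_file", "send_email"), "deny"),
    Rule("reads-ok", lambda c, s: fnmatchcase(c.tool, "read_*"), "allow"),
]


def evaluate(call: Call, session: Session, rules: List[Rule] = RULES,
             default: str = "allow") -> Tuple[str, Dict[str, Any]]:
    """Return (decision, audit record). default="deny" is the strict
    profile; "allow" approximates the standard one. Only allowed calls
    enter the history, since denied ones never executed."""
    decision, matched = default, "default"
    for rule in rules:
        if rule.when(call, session):
            decision, matched = rule.effect, rule.name
            break
    if decision == "allow":
        session.history.append(call)
    audit = {"identity": session.identity, "tool": call.tool,
             "arguments": call.arguments, "decision": decision, "rule": matched}
    return decision, audit


if __name__ == "__main__":
    # Constructed session: a developer agent reads a file, then tries to
    # delete it, open a shell, mail the contents out, and post to a paste site.
    s = Session("coder", {"dev"})
    for call in [Call("read_file", {"path": "notes.md"}),
                 Call("delete_file", {"path": "notes.md"}),
                 Call("bash", {"cmd": "ls"}),
                 Call("send_email", {"to": "ops@example.com", "body": "see notes"}),
                 Call("http_post", {"body": "x"}, dest_domain="files.pastebin.com")]:
        print(evaluate(call, s)[1])
```

Two things the run makes visible: `send_email` is denied only because a `read_file` already succeeded in the same session (a fresh session sends freely), and the default matters as much as the rules, since a plain `write_file` passes under default-allow and is denied under default-deny. Order rules from most to least specific; the first match wins.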
**Admin UI** — Browser-based policy editor, test playground, security settings, audit viewer. No config files, no restarts.
**Kill switch** — One command stops all agents instantly. One command resumes. For incidents, maintenance, or when something looks wrong.
**Bootstrap** — Full configuration — identities, policies, upstreams — in a single command. Designed for containers and sandboxes where environments are created and destroyed continuously.
**Security profiles** — Three pre-built bootstrap profiles: Strict (deny by default, content scanning, human approval for critical ops), Standard (block destructive ops, allow reads, monitor content), Permissive (allow all, log everything). Start strict, relax as you gain confidence.
<details markdown="1">
<summary><strong>More features (16)</strong></summary>
**Policy templates** — Seven pre-built templates (Safe Coding, Read Only, Research Mode, Full Lockdown, Audit Only, Data Protection, Anti-Exfiltration), distinct from the three bootstrap security profiles. One click to apply, fully customizable after.
**Budget and quota** — Per-identity usage limits: max calls, writes, deletes per session, rate limiting per minute. Deny or warn when limits are reached. Live progress tracking on the dashboard.
**Response transformation** — Five transform types applied to tool responses before they reach the agent: redact (regex-based), truncate (size limits), inject (prepend/append warnings), dry-run (mock responses), mask (partial reveal). Test in the built-in sandbox.
**Session recording** — Record every tool call with full request/response payloads. Timeline replay in the UI, export to JSON or CSV, configurable retention, privacy mode (record metadata only).
**Cryptographic evidence** — Every decision signed with ECDSA P-256 and hash-chained. Tamper-evident audit receipts for compliance: any edited, dropped, or reordered entry breaks verification of the chain. EU AI Act-ready compliance bundles with coverage mapping.
**Tool integrity** — Hash-based baseline for tool definitions, drift detection on schema changes, quarantine for mutated tools, diff viewer.
**Behavioral drift detection** — 14-day baseline vs current behavior comparison. Detects tool distribution shifts, deny rate changes, temporal anomalies, and argument pattern drift.
**Agent health dashboard** — Per-agent health metrics (deny rate, drift score, violations) with 30-day sparklines, baseline comparison, and cross-agent overview. CEL variables for health-based policies.
**Permission health & shadow mode** — Identifies over-privileged agents by comparing granted vs actual tool usage. Auto-tighten suggestions with one-click apply.
**FinOps cost explorer** — Per-tool cost estimation, per-identity budgets with threshold alerts, cost drill-down, budget guardrail creation via Policy Builder.
**Namespace isolation** — Role-based tool visibility with whitelist/blacklist glob patterns.
**OpenTelemetry export** — Stdout span export for every tool call with identity, decision, and latency.
**Human-in-the-loop** — Escrow workflow for sensitive operations. Approve/deny with decision context, session trail, and signed audit note.
**Readyz endpoint** — `/readyz` signals your orchestrator that SentinelGate is configured and ready to protect agents. No gap between container start and protection.
**Custom content patterns** — Add your own detection patterns for company-specific sensitive data: internal codes, proprietary API key formats, customer identifiers. On top of the 22 built-in patterns.
**Policy Decision Point** — For agents that don't speak MCP (REST, SQL, shell, custom). Call `evaluate()` from Go, Python, or Node SDKs to enforce the same CEL policies on any protocol. Same audit trail, cooperative enforcement.
</details>
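How the signed, hash-chained audit trail described under "Cryptographic evidence" detects tampering is shown in this added example, which is not SentinelGate code. It builds a chain of decision receipts, verifies it, and then replays attacks on an exported copy: editing a decision, editing and re-hashing without the key, and deleting a receipt. The README says the product signs with ECDSA P-256; the Python standard library has no ECDSA, so HMAC-SHA256 under a shared key stands in for the signature here. The receipt fields, the key and the sample decisions are assumptions.

```python
"""Hash-chained, signed audit receipts.

Added example, not SentinelGate code. Each receipt commits to the hash
of the previous one, so editing, dropping or re-ordering an entry breaks
verification from that point on: the log is tamper-evident, not
tamper-proof. The README says the product signs with ECDSA P-256; the
Python standard library has no ECDSA, so HMAC-SHA256 under a shared key
stands in for the signature. The chaining and verification logic are
the same; what changes is that an HMAC verifier must hold the signing
key, whereas an ECDSA verifier only needs the public key."""
import copy
import hashlib
import hmac
import json
from typing import Any, Dict, List, Optional, Tuple

GENESIS = "0" * 64          # prev-hash of the first receipt


def canonical(obj: Any) -> bytes:
    """Deterministic JSON so the same record always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def receipt_hash(receipt: Dict[str, Any]) -> str:
    body = {k: v for k, v in receipt.items() if k not in ("hash", "sig")}
    return hashlib.sha256(canonical(body)).hexdigest()


def sign(key: bytes, digest: str) -> str:
    return hmac.new(key, digest.encode(), "sha256").hexdigest()  # stand-in for ECDSA P-256


class AuditChain:
    def __init__(self, key: bytes):
        self.key = key
        self.receipts: List[Dict[str, Any]] = []

    def record(self, identity: str, tool: str, decision: str, rule: str) -> Dict[str, Any]:
        prev = self.receipts[-1]["hash"] if self.receipts else GENESIS
        receipt = {"seq": len(self.receipts), "identity": identity, "tool": tool,
                   "decision": decision, "rule": rule, "prev": prev}
        receipt["hash"] = receipt_hash(receipt)
        receipt["sig"] = sign(self.key, receipt["hash"])
        self.receipts.append(receipt)
        return receipt


def verify(receipts: List[Dict[str, Any]], key: bytes) -> Tuple[bool, Optional[int]]:
    """Walk the chain; return (True, None) or (False, index of first bad receipt)."""
    prev = GENESIS
    for i, r in enumerate(receipts):
        if r.get("seq") != i or r.get("prev") != prev:
            return False, i                      # dropped, inserted or re-ordered
        digest = receipt_hash(r)
        if digest != r.get("hash"):
            return False, i                      # body edited, hash stale
        if not hmac.compare_digest(sign(key, digest), r.get("sig", "")):
            return False, i                      # re-hashed without the key
        prev = digest
    return True, None


# Attacker scenarios against a copy of the exported log.
def edited(receipts, index, rehash=False, **changes):
    """Modify one receipt; with rehash=True also fix up its hash (no key)."""
    out = copy.deepcopy(receipts)
    out[index].update(changes)
    if rehash:
        out[index]["hash"] = receipt_hash(out[index])
    return out


def dropped(receipts, index):
    out = copy.deepcopy(receipts)
    del out[index]
    return out


if __name__ == "__main__":
    chain = AuditChain(b"demo-signing-key")  # constructed key, demo only
    chain.record("coder", "read_file", "allow", "reads-ok")
    chain.record("coder", "send_email", "deny", "read-then-exfiltrate")
    chain.record("coder", "write_file", "allow", "default")
    print(verify(chain.receipts, chain.key))                                   # (True, None)
    print(verify(edited(chain.receipts, 1, decision="allow"), chain.key))      # (False, 1)
    print(verify(dropped(chain.receipts, 1), chain.key))                       # (False, 1)
```

One limit worth knowing: `verify(dropped(chain.receipts, 2), key)` still succeeds, because removing receipts from the tail leaves a shorter chain that is internally consistent. A verifier therefore needs an independently held copy of the latest hash (countersigned, or shipped to a remote store as each receipt is written) to detect truncation. With a real asymmetric signature the verifier holds only the public key, which is what makes third-party audit of an exported log possible.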
---
## 🖥️ Admin UI
| Tools & Rules | Audit Log |
|:-:|:-:|
| <img src="assets/screenshot-rules.png" width="410" alt="Tools & Rules with per-tool Allow/Deny enforcement"> | <img src="assets/screenshot-audit.png" width="410" alt="Audit log viewer"> |
| Content Scanning | Policy Test |
|:-:|:-:|
| <img src="assets/screenshot-security.png" width="410" alt="Content scanning with Monitor and Enforce modes"> | <img src="assets/screenshot-policy-test.png" width="410" alt="Policy test playground"> |
14 pages: Dashboard, Onboarding, Getting Started, Tools & Rules (with Transforms, Policy Test, and Simulation tabs), Access (with Quota management), Audit Log, Sessions, Notifications, Compliance, Permissions, Security, Red Team, FinOps, and Clients (with Agent Health).
---
## 📋 Configuration
> [!NOTE]
> Works with **zero configuration**. Everything is managed from the Admin UI and persisted automatically.
For infrastructure tuning, an optional YAML config is available:
```yaml
server:
  http_addr: ":8080"
  rate_limit:
    enabled: true
    ip_rate: 100
```
`":8080"` is a Go listen address and binds every interface; `"127.0.0.1:8080"` restricts the listener to loopback, which is the safer choice when a reverse proxy on the same host fronts the Admin UI.
Full reference: [Configuration](docs/Guide.md#7-configuration-reference) · [CLI](docs/Guide.md#8-cli-reference) · [API](docs/Guide.md#9-admin-api-reference)
---
## ⚠️ Limitations
> [!CAUTION]
> SentinelGate is an MCP proxy — it controls what tools and data your agents can access through the MCP protocol. It is effective against mistakes, prompt injection, and overreach that surface as MCP tool calls, but it does not isolate the agent process itself: anything the agent can do on the host without going through the proxy is outside its reach. For OS-level isolation, combine with container or VM sandboxes. For agents that don't use MCP (REST, SQL, shell, custom protocols), see the [Policy Decision Point](docs/Guide.md#14-policy-decision-api-pdp).
Full [threat model](docs/Guide.md#13-threat-model-and-limitations).
---
## 💼 SentinelGate Pro
Extended retention · SIEM integration · SSO · Multi-tenancy · Advanced FinOps with billing API integration · Cross-agent health export — [sentinelgate.co.uk](https://www.sentinelgate.co.uk)
## Security
Found a vulnerability? See [Security.md](Security.md) for responsible disclosure and patch SLA.
## Contributing
Bug fixes, features, docs, and feedback welcome. See [CONTRIBUTING.md](CONTRIBUTING.md). A CLA is required for code contributions — see [CLA.md](CLA.md).
## License
[AGPL-3.0](LICENSE) — free to use, modify, and self-host. For commercial licensing, [contact us](mailto:hello@sentinelgate.co.uk).
---
<p align="center">
<a href="https://www.sentinelgate.co.uk">Website</a> · <a href="docs/Guide.md">Docs</a> · <a href="https://github.com/Sentinel-Gate/Sentinelgate/releases">Releases</a>
</p>