mcp-bastion-python 1.0.13__tar.gz → 1.0.15__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (45) hide show
  1. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/.gitignore +13 -0
  2. mcp_bastion_python-1.0.15/CHANGELOG.md +24 -0
  3. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/PKG-INFO +179 -72
  4. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/README.md +175 -68
  5. mcp_bastion_python-1.0.15/dashboard/README.md +68 -0
  6. mcp_bastion_python-1.0.15/dashboard/app.py +1559 -0
  7. mcp_bastion_python-1.0.15/dashboard/static/chart.umd.min.js +20 -0
  8. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/pyproject.toml +10 -6
  9. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/__init__.py +1 -1
  10. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/cli.py +54 -0
  11. mcp_bastion_python-1.0.15/src/mcp_bastion/config.py +494 -0
  12. mcp_bastion_python-1.0.15/src/mcp_bastion/doctor.py +97 -0
  13. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/errors.py +49 -0
  14. mcp_bastion_python-1.0.15/src/mcp_bastion/governance_beacon.py +56 -0
  15. mcp_bastion_python-1.0.15/src/mcp_bastion/middleware.py +870 -0
  16. mcp_bastion_python-1.0.15/src/mcp_bastion/otel.py +171 -0
  17. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/__init__.py +4 -0
  18. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/alerts.py +72 -2
  19. mcp_bastion_python-1.0.15/src/mcp_bastion/pillars/audit_hash_chain.py +141 -0
  20. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/audit_log.py +21 -0
  21. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/circuit_breaker.py +2 -0
  22. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/content_filter.py +23 -0
  23. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/cost_tracker.py +25 -18
  24. mcp_bastion_python-1.0.15/src/mcp_bastion/pillars/external_policy.py +144 -0
  25. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/metrics.py +263 -3
  26. mcp_bastion_python-1.0.15/src/mcp_bastion/pillars/pricing.py +73 -0
  27. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/rate_limit.py +23 -16
  28. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/replay_guard.py +1 -1
  29. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/semantic_cache.py +13 -7
  30. mcp_bastion_python-1.0.15/src/mcp_bastion/pillars/semantic_firewall.py +71 -0
  31. mcp_bastion_python-1.0.15/src/mcp_bastion/pillars/sensitive_classifier.py +107 -0
  32. mcp_bastion_python-1.0.15/src/mcp_bastion/pillars/telemetry_sinks.py +194 -0
  33. mcp_bastion_python-1.0.15/src/mcp_bastion/policy_simulator.py +171 -0
  34. mcp_bastion_python-1.0.15/src/mcp_bastion/redteam.py +168 -0
  35. mcp_bastion_python-1.0.15/src/mcp_bastion/tenant.py +44 -0
  36. mcp_bastion_python-1.0.13/src/mcp_bastion/config.py +0 -274
  37. mcp_bastion_python-1.0.13/src/mcp_bastion/middleware.py +0 -336
  38. mcp_bastion_python-1.0.13/src/mcp_bastion/otel.py +0 -78
  39. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/LICENSE +0 -0
  40. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/NOTICE +0 -0
  41. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/base.py +0 -0
  42. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/pii_redaction.py +0 -0
  43. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/prompt_guard.py +0 -0
  44. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/rbac.py +0 -0
  45. {mcp_bastion_python-1.0.13 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/schema_validation.py +0 -0
@@ -13,12 +13,25 @@ node_modules/
13
13
  .venv/
14
14
  venv/
15
15
  .DS_Store
16
+ Thumbs.db
16
17
  *.tsbuildinfo
17
18
  .coverage
18
19
  htmlcov/
19
20
  coverage.xml
20
21
  .pytest_cache/
21
22
  .mypy_cache/
23
+ .ruff_cache/
24
+ .hypothesis/
25
+ *.sqlite3
26
+ .terraform/
27
+ *.tfstate
28
+ *.tfstate.*
29
+
30
+ # Editor and local tooling
31
+ .idea/
32
+ # Cursor IDE local project state (do not ignore `.cursor/rules/` if you commit team rules)
33
+ .cursor/projects/
34
+
22
35
  # Local config (optional: remove to track bastion.yaml)
23
36
  # bastion.yaml
24
37
 
@@ -0,0 +1,24 @@
1
+ # Changelog
2
+
3
+ All notable changes to this project are documented in this file.
4
+
5
+ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6
+ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
+
8
+ ## [1.0.15] - 2026-04-21
9
+
10
+ ### Added
11
+
12
+ - [docs/ERRORS.md](docs/ERRORS.md): reference for JSON-RPC error codes `-32001` through `-32016` and matching Python exceptions.
13
+ - Tests: `tests/test_release_metadata.py` (version alignment across `pyproject.toml`, `__version__`, `server.json`, `CITATION.cff`); expanded `tests/test_errors.py` for all policy error codes.
14
+
15
+ ### Release notes
16
+
17
+ - PyPI package `mcp-bastion-python` and npm `@mcp-bastion/core` versions are aligned on **1.0.15** with this repository. Install with `pip install mcp-bastion-python==1.0.15`.
18
+
19
+ ## [1.0.14] - prior
20
+
21
+ See git history and [README](README.md) for features shipped in the 1.0.x line (middleware pillars, dashboard, policy-as-code, observability).
22
+
23
+ [1.0.15]: https://github.com/vaquarkhan/MCP-Bastion/compare/v1.0.14...v1.0.15
24
+ [1.0.14]: https://github.com/vaquarkhan/MCP-Bastion/releases
@@ -1,10 +1,10 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: mcp-bastion-python
3
- Version: 1.0.13
3
+ Version: 1.0.15
4
4
  Summary: Security middleware for MCP servers protecting LLM agents from prompt injection, resource exhaustion, and PII leakage
5
- Project-URL: Homepage, https://github.com/mcp-bastion/mcp-bastion
6
- Project-URL: Repository, https://github.com/mcp-bastion/mcp-bastion
7
- Project-URL: Documentation, https://github.com/mcp-bastion/mcp-bastion#readme
5
+ Project-URL: Homepage, https://github.com/vaquarkhan/MCP-Bastion
6
+ Project-URL: Repository, https://github.com/vaquarkhan/MCP-Bastion
7
+ Project-URL: Documentation, https://github.com/vaquarkhan/MCP-Bastion#readme
8
8
  Author: Viquar Khan
9
9
  License: MCP-Bastion Community and Commercial License
10
10
  Version 1.0
@@ -101,64 +101,108 @@ Description-Content-Type: text/markdown
101
101
 
102
102
  <!-- mcp-name: io.github.vaquarkhan/mcp-bastion -->
103
103
 
104
- [![Total Downloads](https://img.shields.io/badge/total%20downloads-565-brightgreen)](https://pepy.tech/projects/mcp-bastion-python)
105
- [![PyPI Total Downloads](https://img.shields.io/pypi/dd/mcp-bastion-python?label=daily)](https://pypi.org/project/mcp-bastion-python/)
106
- [![PyPI Monthly Downloads](https://img.shields.io/pypi/dm/mcp-bastion-python?label=monthly)](https://pypi.org/project/mcp-bastion-python/)
107
- [![PyPI Version](https://img.shields.io/pypi/v/mcp-bastion-python)](https://pypi.org/project/mcp-bastion-python/)
108
- [![npm Version](https://img.shields.io/npm/v/@mcp-bastion/core)](https://www.npmjs.com/package/@mcp-bastion/core)
109
- [![License: Source Available](https://img.shields.io/badge/license-Source%20Available-orange.svg)](LICENSE)
110
- [![PyPI Downloads](https://static.pepy.tech/personalized-badge/mcp-bastion-python?period=total&units=INTERNATIONAL_SYSTEM&left_color=BLACK&right_color=GREEN&left_text=downloads)](https://pepy.tech/projects/mcp-bastion-python)
111
-
112
- **Enterprise-Grade Security Middleware for the Model Context Protocol**
113
-
114
- > Releases are published to npm and PyPI via GitHub Actions on tag push.
115
-
116
- The Model Context Protocol (MCP) has rapidly become the universally accepted standard for connecting AI agents to enterprise databases and APIs. However, this connectivity introduces a massive new attack surface: unpredictable, non-deterministic agentic behavior.
117
-
118
- MCP-Bastion is a lightweight, drop-in security middleware designed to wrap around any existing Python or TypeScript MCP server. Instead of relying on passive logging, human-in-the-loop approvals, or third-party APIs, MCP-Bastion provides an active, 100% local defense layer. It intercepts standard JSON-RPC traffic to stop threats before they cross the enterprise boundary.
119
-
120
- Under 5ms proxy overhead. MCP-Bastion provides:
104
+ <p align="center">
105
+ <img src="images/mcp-bastian.png" alt="MCP-Bastion: secure MCP middleware" width="220" />
106
+ </p>
107
+
108
+ <p align="center">
109
+ <a href="https://pepy.tech/projects/mcp-bastion-python"><img src="https://img.shields.io/pepy/dt/mcp-bastion-python?label=PyPI%20Downloads" alt="PyPI Downloads" /></a>
110
+ <a href="https://pypi.org/project/mcp-bastion-python/"><img src="https://img.shields.io/pypi/v/mcp-bastion-python?label=PyPI%20Version" alt="PyPI Version" /></a>
111
+ <a href="https://github.com/vaquarkhan/MCP-Bastion/tree/main/packages/core"><img src="https://img.shields.io/github/package-json/v/vaquarkhan/MCP-Bastion?filename=packages%2Fcore%2Fpackage.json&label=npm%20Version&logo=npm" alt="npm Version (@mcp-bastion/core)" /></a>
112
+ <a href="LICENSE"><img src="https://img.shields.io/badge/license-Source%20Available-orange.svg" alt="License: Source Available" /></a>
113
+ </p>
114
+
115
+ <p align="center"><strong>One gateway; every tool call screened, metered, and proven.</strong></p>
116
+
117
+ > **Scope:** Policy runs on MCP JSON-RPC (`tools/list`, `tools/call`, resources) before your handlers execute. Use it together with transport security, identity, and least-privilege access outside this library.
118
+
119
+ ## Contents
120
+
121
+ | Link | What you will find |
122
+ |------|---------------------|
123
+ | [Overview](#overview) | Product summary, request-flow diagram, release channels |
124
+ | [Security](#security-context-and-controls) | OWASP MCP Top 10 alignment, layered defense diagram, risk context, observability |
125
+ | [Core features](#core-features) | Pillars, feature matrix, dashboard layout diagram |
126
+ | [Documentation](#documentation-use-cases-attacks-metrics-tutorials) | Tutorials, policy, metrics, attacks |
127
+ | [Installation](#installation) | PyPI, npm, prerequisites, integrations |
128
+ | [Repository layout](#structure) | Directories and example files |
129
+ | [Citing MCP-Bastion](#citing-mcp-bastion) | Citation file, BibTeX, and acknowledgements |
130
+ | [Changelog](CHANGELOG.md) | Version history and release notes |
131
+ | [Error codes](docs/ERRORS.md) | JSON-RPC codes `-32001`–`-32016` and Python exceptions |
132
+
133
+ ## Overview
134
+
135
+ MCP-Bastion is **policy-as-code middleware** for the Model Context Protocol: prompt and content checks, PII handling, rate and cost limits, RBAC, optional OPA/Cedar, audit and hash chains, multi-tenant routing, red-team reporting, and an optional **dashboard** for metrics and forensics. Run it on your own hosts or in your VPC.
136
+
137
+ **Packages:** [PyPI `mcp-bastion-python`](https://pypi.org/project/mcp-bastion-python/), [npm `@mcp-bastion/core`](https://www.npmjs.com/package/@mcp-bastion/core). Releases are published via GitHub Actions on tag push.
138
+
139
+ ### Request flow
140
+
141
+ Policy runs on MCP JSON-RPC before your handlers. Both `tools/list` and `tools/call` should traverse the same middleware when you enable list-side guards (for example `tool_metadata_guard`).
142
+
143
+ ```mermaid
144
+ flowchart LR
145
+ subgraph client["MCP client"]
146
+ H["LLM / IDE / agent host"]
147
+ end
148
+ subgraph proc["Your MCP server process"]
149
+ B["MCP-Bastion\n(policy)"]
150
+ T["Tool & resource\nhandlers"]
151
+ end
152
+ H -->|"tools/list, tools/call, …"| B
153
+ B -->|allowed| T
154
+ B -.->|"blocked · audited"| H
155
+ ```
121
156
 
122
- - **Prompt Injection Defense:** Meta PromptGuard runs locally to block adversarial payloads and jailbreaks.
123
- - **PII Redaction:** Uses Microsoft Presidio to detect and mask PII before it reaches the LLM context.
124
- - **Infinite Loop Protection:** Token buckets and cycle detection stop runaway agents from burning API budget.
157
+ ## Security context and controls
125
158
 
126
- Secure your MCP server without changing business logic.
159
+ Industry discussion of MCP incidents (tool metadata abuse, over-privileged service accounts, supply chain) lines up with the **[OWASP MCP Top 10](https://owasp.org/www-project-mcp-top-10/)**. Bastion maps product features to those categories in [docs/OWASP_MCP_TOP10.md](docs/OWASP_MCP_TOP10.md). For narrative context and **suggested documentation wording**, see [docs/MCP_SECURITY_LANDSCAPE.md](docs/MCP_SECURITY_LANDSCAPE.md). **Corrections and discussion:** [open a GitHub issue](https://github.com/vaquarkhan/MCP-Bastion/issues/new?labels=documentation%2Csecurity).
127
160
 
128
- ---
161
+ **Defense in depth:** MCP-Bastion sits in the MCP server process; pair it with strong transport and identity at the edge. Telemetry and audit hooks connect to your existing observability stack.
129
162
 
130
- ## Core Features
163
+ ```mermaid
164
+ flowchart LR
165
+ E["Edge: TLS · JWT · mTLS"] --> M["MCP-Bastion\n(YAML policy)"]
166
+ M --> T["Your tool handlers"]
167
+ M -.-> O["Audit · OTEL ·\ntelemetry.sinks"]
168
+ ```
131
169
 
132
- **Zero-Click Prompt Injection Prevention**
170
+ With policy enabled and both `tools/list` and `tools/call` flowing through this middleware, many common abuse classes (including poisoned tool descriptions when `tool_metadata_guard` is enabled) are blocked or stripped before tools run; structured audit can go to your SIEM via `telemetry.sinks` ([bastion.yaml.example](bastion.yaml.example)).
133
171
 
134
- Integrates Meta's PromptGuard model locally to detect and block malicious payloads, jailbreaks, and adversarial tokenization before they reach your external tools.
172
+ **Out of scope for middleware alone:** Third-party RCE bugs, stolen build tokens, and organization-wide IAM still need vendor patches, sandboxes, vaults, and least privilege outside this library.
135
173
 
136
- **PII Redaction**
174
+ **Observability:** `telemetry.sinks` in `bastion.yaml` POST JSON to Datadog, New Relic, Splunk HEC, or any HTTPS intake (for example API Gateway, Azure Logic Apps, or GCP). For traces, see [docs/OTEL.md](docs/OTEL.md).
137
175
 
138
- Microsoft Presidio scans outbound tool results and masks PII (redaction, substitution, generalization).
176
+ MCP is JSON-RPC over stdio or HTTP. Install Bastion as middleware around your existing Python or TypeScript server so checks run in the same process as your tool handlers (typical overhead is on the order of a few milliseconds; see [docs/METRICS.md](docs/METRICS.md)). You keep business logic in your server; policy lives in `bastion.yaml` and optional code hooks.
139
177
 
140
- **Infinite Loop and Denial of Wallet Protection**
178
+ ---
141
179
 
142
- Implements stateful cycle detection and configurable FinOps token-bucket algorithms to automatically terminate runaway agents and prevent massive API bill overruns.
180
+ ## Core features
143
181
 
144
- **100% Local Execution (Data Privacy)**
182
+ **Prompt injection (optional PromptGuard)**
183
+ Local classifier on tool-related payloads when enabled; blocks many jailbreak-style patterns before tools run.
145
184
 
146
- All security classification and data redaction happen entirely within the local memory space of your server. Sensitive data never leaves your enterprise network for third-party safety evaluations.
185
+ **PII handling (optional Presidio)**
186
+ Entity detection and masking on outbound tool results (redaction, substitution, or generalization).
147
187
 
148
- **Low Latency**
188
+ **Rate, circuit, and cost controls**
189
+ Per-session iteration limits, timeouts, token budgets, circuit breaker, and cost tracker to cap runaway sessions.
149
190
 
150
- Drop-in middleware, under 5ms overhead.
191
+ **Local execution**
192
+ With local classifiers enabled, classification and redaction stay in-process; remote sinks are opt-in via `telemetry.sinks`.
151
193
 
152
- **Framework Integration**
194
+ **Latency**
195
+ Middleware-only path is designed for low overhead (see [docs/METRICS.md](docs/METRICS.md)).
153
196
 
154
- Hooks into MCP SDKs (TypeScript, Python) and FastMCP via standard middleware. No business logic changes.
197
+ **SDK integration**
198
+ Python and TypeScript MCP SDK patterns, including FastMCP-style stacks, without rewriting tool implementations.
155
199
 
156
200
  ### All Features
157
201
 
158
202
  | Feature | Description |
159
203
  |---------|-------------|
160
204
  | Prompt injection | Block jailbreaks via Meta PromptGuard |
161
- | PII redaction | Mask many entity types via Presidio (e.g. SSN, email, phone, credit card, passport, IBAN, medical license, and more—see Presidio docs) |
205
+ | PII redaction | Mask many entity types via Presidio (e.g. SSN, email, phone, credit card, passport, IBAN, medical license; see Presidio docs) |
162
206
  | Rate limiting | Max iterations, timeout, token budget |
163
207
  | Audit logging | Log who, what, when, blocked/allowed |
164
208
  | Content filter | Block paths/code/URLs, plus allowlist and denylist patterns |
@@ -168,6 +212,17 @@ Hooks into MCP SDKs (TypeScript, Python) and FastMCP via standard middleware. No
168
212
  | Replay guard | Block duplicate nonces |
169
213
  | Cost tracker | Per-session cost budget |
170
214
  | Semantic cache | Cache similar queries |
215
+ | Semantic firewall | MCP-aware tool intent / dangerous-chain detection |
216
+ | Tool metadata guard | Scan **`tools/list`** responses (name, description, `inputSchema`) for poisoning; strip or block (`tool_metadata_guard`) |
217
+ | Sensitive classifier | Model-weighted detection of sensitive business content (beyond PII regex) |
218
+ | Tamper-evident audit | SHA-256 hash chain on forensic/audit exports; optional anchor webhooks |
219
+ | Behavior fingerprint | Per-session tool-sequence drift anomalies |
220
+ | FinOps attribution | Cost rollups by user, LLM provider, model, tool, dataset (`BASTION_PRICING_OVERRIDES`) |
221
+ | External policy | Optional OPA (Rego) or Cedar evaluation alongside YAML RBAC |
222
+ | Multi-tenant | One process; per-tenant `bastion.yaml` under `multi_tenant.config_dir` |
223
+ | Red-team CLI | `mcp-bastion redteam`: OWASP LLM plus **MCP Top 10** tags and JSON report (`mcp_top10_summary`) |
224
+ | Telemetry sinks | `telemetry.sinks`: POST audits to Datadog, New Relic, Splunk, or any HTTPS intake (cloud and SIEM) |
225
+ | Zero-config OTEL | Auto-detect Grafana OTLP, Datadog agent, or AWS CloudWatch fallback ([OTEL.md](docs/OTEL.md)) |
171
226
 
172
227
  ### Real-Time Dashboard and Alerts
173
228
 
@@ -180,14 +235,25 @@ mcp-bastion dashboard --port 7000
180
235
 
181
236
  | URL | What it returns |
182
237
  |-----|-----------------|
183
- | [http://localhost:7000/](http://localhost:7000/) | Visual dashboard with charts (requests, blocked by reason, top tools, cost by user, recent alerts) |
184
- | [http://localhost:7000/api/metrics](http://localhost:7000/api/metrics) | JSON: `requests_total`, `blocked_total`, `blocked_pct`, `pii_redacted_total`, `cost_total`, `blocked_by_reason`, `top_tools`, `cost_by_user`, `alerts` |
238
+ | [http://localhost:7000/](http://localhost:7000/) | Command-center UI: KPIs, pillar health, traffic, FinOps charts (user / provider / model), tamper-evident audit head, tenant chips & filter, forensics + replay, auto-tune anomalies |
239
+ | [http://localhost:7000/api/metrics](http://localhost:7000/api/metrics) | JSON metrics plus `cost_attribution`, `tenants`, `audit_chain`, `auto_tune`, `tenant_view?tenant_id=` |
240
+ | [http://localhost:7000/api/audit/verify](http://localhost:7000/api/audit/verify) | `POST` body `{ "events": [...] }` to verify exported audit hash chain |
185
241
  | [http://localhost:7000/api/health](http://localhost:7000/api/health) | `{"status": "ok"}` |
186
242
  | [http://localhost:7000/metrics](http://localhost:7000/metrics) | Prometheus text format for Grafana/Datadog |
187
243
 
188
- ![MCP-Bastion Dashboard](docs/images/dashboard.png)
244
+ **Dashboard layout (conceptual)**
189
245
 
190
- *Dashboard: total requests, blocked count and %, PII redacted, cost; blocked-by-reason bars; top tools; cost by user; recent alerts.*
246
+ ```mermaid
247
+ flowchart TB
248
+ subgraph dash["MCP-Bastion dashboard · localhost:7000"]
249
+ K["KPIs · requests · blocked % · cost"]
250
+ P["Pillar health · latency · traffic"]
251
+ F["FinOps · provider · model · tenant"]
252
+ A["Audit chain head · forensics · replay"]
253
+ end
254
+ ```
255
+
256
+ *Run the server to see the live UI: KPIs, blocked-by-reason bars, top tools, cost by user, tenant filter, tamper-evident audit head, and recent alerts.*
191
257
 
192
258
  - **Alerts:** Slack webhook and cost-threshold alerts. See [dashboard/README.md](dashboard/README.md).
193
259
 
@@ -202,6 +268,8 @@ mcp-bastion dashboard --port 7000
202
268
  | [docs/METRICS.md](docs/METRICS.md) | Performance overhead (&lt;5ms) and effectiveness metrics (dashboard, Prometheus, OTEL) |
203
269
  | [docs/TUTORIALS.md](docs/TUTORIALS.md) | Tutorials: integrating with FastMCP, TypeScript, GitHub MCP, and open-source MCP servers |
204
270
  | [docs/GITHUB_PAGES.md](docs/GITHUB_PAGES.md) | Publish docs as a GitHub Pages website from this same repo |
271
+ | [docs/FEATURES.md](docs/FEATURES.md) | Consolidated enterprise & security feature matrix |
272
+ | [docs/ERRORS.md](docs/ERRORS.md) | JSON-RPC error codes (`-32001`–`-32016`) and Python exceptions |
205
273
 
206
274
  ### One-Line Docker
207
275
 
@@ -210,12 +278,25 @@ docker build -t mcp-bastion/proxy .
210
278
  docker run -p 8080:8080 mcp-bastion/proxy
211
279
  ```
212
280
 
213
- MCP endpoint: `http://localhost:8080/mcp`. Use `docker-compose up -d` for proxy; add `--profile with-dashboard` for the dashboard. See [DOCKER.md](DOCKER.md).
281
+ ```mermaid
282
+ flowchart LR
283
+ H["Host :8080"] --> C["Container\n(Bastion + MCP)"]
284
+ C --> E["/mcp JSON-RPC"]
285
+ CFG["Mounted bastion.yaml"] -.-> C
286
+ ```
287
+
288
+ MCP endpoint: `http://localhost:8080/mcp`. The image defaults to `BASTION_CONFIG=/app/bastion.yaml.example` (bundled). For production, mount your `bastion.yaml` and set `BASTION_CONFIG` to its path inside the container. Use `docker compose up -d` for the bundled [docker-compose.yml](docker-compose.yml); add `--profile with-dashboard` for the dashboard. See [DOCKER.md](DOCKER.md).
214
289
 
215
290
  ### Policy-as-Code (bastion.yaml)
216
291
 
217
292
  Single config file controls all pillars. Copy `bastion.yaml.example` to `bastion.yaml`, then:
218
293
 
294
+ ```mermaid
295
+ flowchart LR
296
+ Y["bastion.yaml\n(or BASTION_CONFIG)"] --> B["build_middleware_from_config()"]
297
+ B --> MW["MCPBastionMiddleware"]
298
+ ```
299
+
219
300
  ```python
220
301
  from mcp_bastion import build_middleware_from_config
221
302
  middleware = build_middleware_from_config()
@@ -231,13 +312,14 @@ Tip: set `hot_reload.enabled: true` in `bastion.yaml` to apply policy changes wi
231
312
  mcp-bastion validate # validate bastion.yaml
232
313
  mcp-bastion serve --http 8080 # run MCP server with config
233
314
  mcp-bastion dashboard --port 7000 # run metrics dashboard
315
+ mcp-bastion redteam -c bastion.yaml -o redteam-report.json # security scorecard
234
316
  ```
235
317
 
236
318
  See [docs/CLI.md](docs/CLI.md).
237
319
 
238
- ### OpenTelemetry
320
+ ### OpenTelemetry and observability
239
321
 
240
- Set `OTEL_EXPORTER_OTLP_ENDPOINT` to export tool-call spans to OTLP. Install optional deps: `pip install mcp-bastion-python[otel]`. See [docs/OTEL.md](docs/OTEL.md).
322
+ Explicit `OTEL_EXPORTER_OTLP_ENDPOINT` still works. **Zero-config mode** also picks up Grafana Cloud OTLP (`GRAFANA_CLOUD_OTLP_*`), probes the Datadog agent OTLP port, or emits **AWS CloudWatch** custom metrics when OTLP is unavailable. Install optional deps: `pip install mcp-bastion-python[otel]` (+ `boto3` on AWS). See [docs/OTEL.md](docs/OTEL.md).
241
323
 
242
324
  ### Webhook alerts
243
325
 
@@ -245,33 +327,22 @@ Use Slack webhook, a single generic webhook (`webhook_url` or `BASTION_WEBHOOK_U
245
327
 
246
328
  ---
247
329
 
248
- ## Why MCP-Bastion (Competitive Comparison)
249
-
250
- Early security packages (mcp-guardian, mcp-shield) focus on logging or static scanning. MCP-Bastion adds an active defense layer.
251
-
252
- ### 1. Active Defense vs. Passive Logging
330
+ ## Architectural notes
253
331
 
254
- | The Competition | MCP-Bastion |
255
- |-----------------|-------------|
256
- | Tools like mcp-guardian focus on tracing, logging, human-in-the-loop approvals. | Automated interception. MCP-Bastion scrubs PII before it leaves the server. |
257
-
258
- ### 2. Local Inference vs. Third-Party APIs
259
-
260
- | The Competition | MCP-Bastion |
261
- |-----------------|-------------|
262
- | Many guardrail proxies send prompts to external APIs to check for malice. | PromptGuard-86M and Presidio run locally. Data stays on your network. |
263
-
264
- ### 3. Stateful Denial of Wallet Protection
265
-
266
- | The Competition | MCP-Bastion |
267
- |-----------------|-------------|
268
- | Most tools focus on static vulns or basic rate limits. | Tracks tool call history per session. Stops runaway loops before they burn API budget. |
269
-
270
- ### 4. Drop-in Middleware vs. Standalone Gateway
332
+ ```mermaid
333
+ flowchart TB
334
+ subgraph local["Typical: in-process"]
335
+ MW["MCP-Bastion"] --> H["Handlers"]
336
+ end
337
+ subgraph alt["Optional: sidecar / proxy"]
338
+ TS["@mcp-bastion/core"] --> PG["Prompt / PII sidecar\n(MCP_BASTION_URL)"]
339
+ end
340
+ ```
271
341
 
272
- | The Competition | MCP-Bastion |
273
- |-----------------|-------------|
274
- | Some solutions need standalone proxy servers. | Library hooks into `server.setRequestHandler` (TS) or middleware (Python). No extra infra. |
342
+ - **In-process default:** wrap MCP handlers in Python or TypeScript so policy runs before your tool code, without an extra network hop unless you deploy a proxy on purpose.
343
+ - **Optional local models:** PromptGuard and Presidio run on the host when those pillars are enabled and dependencies are installed.
344
+ - **Session-scoped state:** rate limits, replay nonces, and cost counters are keyed per session as defined in configuration.
345
+ - **Policy surface:** most controls are declared in `bastion.yaml`; OPA, Cedar, and webhooks extend that for pipelines that already use those systems.
275
346
 
276
347
  ---
277
348
 
@@ -295,6 +366,11 @@ Early security packages (mcp-guardian, mcp-shield) focus on logging or static sc
295
366
  |------|---------|
296
367
  | `examples/python_server_example.py` | Minimal middleware chain |
297
368
  | `examples/full_demo.py` | All 11 features (rate limit, PII, RBAC, etc.) |
369
+ | `examples/advanced_features_demo.py` | Semantic firewall, sensitive classifier, session limits, tool metadata guard |
370
+ | `examples/owasp_security_showcase.py` | OWASP MCP Top 10–style controls (secrets, allowlist, edge auth, replay) |
371
+ | `examples/connect_any_mcp_tool_example.py` | Arbitrary tool names via `await bastion(ctx, downstream)` |
372
+ | `examples/policy_simulator_example.py` | Shadow policy replay (`simulate_policy`) |
373
+ | `examples/bastion.advanced.example.yaml` | Sample YAML for newer pillars |
298
374
  | `examples/llm_server.py` | Shared MCP server for LLM clients |
299
375
  | `examples/llm_openai_example.py` | OpenAI |
300
376
  | `examples/llm_claude_example.py` | Claude |
@@ -311,6 +387,8 @@ Early security packages (mcp-guardian, mcp-shield) focus on logging or static sc
311
387
  uv add mcp-bastion-python
312
388
  # or
313
389
  pip install mcp-bastion-python
390
+ # pinned latest
391
+ pip install mcp-bastion-python==1.0.15
314
392
  ```
315
393
 
316
394
  **Prerequisites (recommended)**
@@ -410,6 +488,12 @@ middleware = compose_middleware(bastion)
410
488
  # (integration depends on your server framework)
411
489
  ```
412
490
 
491
+ ```mermaid
492
+ flowchart LR
493
+ B["MCPBastionMiddleware\n(outer: runs first)"] --> O["Other middleware"]
494
+ O --> S["Your MCP server"]
495
+ ```
496
+
413
497
  **Examples:**
414
498
 
415
499
  | Example | Description |
@@ -783,6 +867,29 @@ npx -y @modelcontextprotocol/inspector
783
867
 
784
868
  See `NOTICE` for licenses. MCP-Bastion uses Meta Llama Prompt Guard 2 (Llama 4 Community License) and Microsoft Presidio. For OWASP-relevant mitigations, dependency audit, and reporting vulnerabilities, see [docs/SECURITY.md](docs/SECURITY.md).
785
869
 
870
+ ## Citing MCP-Bastion
871
+
872
+ Use the repository [CITATION.cff](CITATION.cff) (Citation File Format). On GitHub, open the **Cite this repository** control on the repo home page to copy **APA**, **BibTeX**, or other formats derived from that file.
873
+
874
+ **Plain text (example):**
875
+
876
+ Khan, V. (2026). *MCP-Bastion* (Version 1.0.15) [Computer software]. https://github.com/vaquarkhan/MCP-Bastion
877
+
878
+ **BibTeX (software entry; adjust `version` / `year` if you cite a specific release):**
879
+
880
+ ```bibtex
881
+ @software{khan_mcp_bastion_2026,
882
+ author = {Khan, Viquar},
883
+ title = {MCP-Bastion: Security middleware for the {Model Context Protocol}},
884
+ year = {2026},
885
+ version = {1.0.15},
886
+ url = {https://github.com/vaquarkhan/MCP-Bastion},
887
+ note = {Python package \texttt{mcp-bastion-python}; npm scope \texttt{@mcp-bastion/core}}
888
+ }
889
+ ```
890
+
891
+ Non-commercial use of this project requires attribution consistent with [LICENSE](LICENSE), including citation metadata when you publish work that builds on the software.
892
+
786
893
  ## License
787
894
 
788
895
  MCP-Bastion is distributed under the **MCP-Bastion Community and Commercial License**.