mcp-bastion-python 1.0.14__tar.gz → 1.0.15__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/.gitignore +13 -0
- mcp_bastion_python-1.0.15/CHANGELOG.md +24 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/PKG-INFO +178 -73
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/README.md +174 -69
- mcp_bastion_python-1.0.15/dashboard/README.md +68 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/dashboard/app.py +582 -17
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/pyproject.toml +7 -6
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/__init__.py +1 -1
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/cli.py +54 -0
- mcp_bastion_python-1.0.15/src/mcp_bastion/config.py +494 -0
- mcp_bastion_python-1.0.15/src/mcp_bastion/doctor.py +97 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/errors.py +49 -0
- mcp_bastion_python-1.0.15/src/mcp_bastion/governance_beacon.py +56 -0
- mcp_bastion_python-1.0.15/src/mcp_bastion/middleware.py +870 -0
- mcp_bastion_python-1.0.15/src/mcp_bastion/otel.py +171 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/__init__.py +4 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/alerts.py +72 -2
- mcp_bastion_python-1.0.15/src/mcp_bastion/pillars/audit_hash_chain.py +141 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/audit_log.py +21 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/content_filter.py +23 -0
- mcp_bastion_python-1.0.15/src/mcp_bastion/pillars/external_policy.py +144 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/metrics.py +263 -3
- mcp_bastion_python-1.0.15/src/mcp_bastion/pillars/pricing.py +73 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/semantic_cache.py +13 -7
- mcp_bastion_python-1.0.15/src/mcp_bastion/pillars/semantic_firewall.py +71 -0
- mcp_bastion_python-1.0.15/src/mcp_bastion/pillars/sensitive_classifier.py +107 -0
- mcp_bastion_python-1.0.15/src/mcp_bastion/pillars/telemetry_sinks.py +194 -0
- mcp_bastion_python-1.0.15/src/mcp_bastion/policy_simulator.py +171 -0
- mcp_bastion_python-1.0.15/src/mcp_bastion/redteam.py +168 -0
- mcp_bastion_python-1.0.15/src/mcp_bastion/tenant.py +44 -0
- mcp_bastion_python-1.0.14/dashboard/README.md +0 -49
- mcp_bastion_python-1.0.14/src/mcp_bastion/config.py +0 -274
- mcp_bastion_python-1.0.14/src/mcp_bastion/middleware.py +0 -336
- mcp_bastion_python-1.0.14/src/mcp_bastion/otel.py +0 -78
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/LICENSE +0 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/NOTICE +0 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/dashboard/static/chart.umd.min.js +0 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/base.py +0 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/circuit_breaker.py +0 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/cost_tracker.py +0 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/pii_redaction.py +0 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/prompt_guard.py +0 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/rate_limit.py +0 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/rbac.py +0 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/replay_guard.py +0 -0
- {mcp_bastion_python-1.0.14 → mcp_bastion_python-1.0.15}/src/mcp_bastion/pillars/schema_validation.py +0 -0
|
@@ -13,12 +13,25 @@ node_modules/
|
|
|
13
13
|
.venv/
|
|
14
14
|
venv/
|
|
15
15
|
.DS_Store
|
|
16
|
+
Thumbs.db
|
|
16
17
|
*.tsbuildinfo
|
|
17
18
|
.coverage
|
|
18
19
|
htmlcov/
|
|
19
20
|
coverage.xml
|
|
20
21
|
.pytest_cache/
|
|
21
22
|
.mypy_cache/
|
|
23
|
+
.ruff_cache/
|
|
24
|
+
.hypothesis/
|
|
25
|
+
*.sqlite3
|
|
26
|
+
.terraform/
|
|
27
|
+
*.tfstate
|
|
28
|
+
*.tfstate.*
|
|
29
|
+
|
|
30
|
+
# Editor and local tooling
|
|
31
|
+
.idea/
|
|
32
|
+
# Cursor IDE local project state (do not ignore `.cursor/rules/` if you commit team rules)
|
|
33
|
+
.cursor/projects/
|
|
34
|
+
|
|
22
35
|
# Local config (optional: remove to track bastion.yaml)
|
|
23
36
|
# bastion.yaml
|
|
24
37
|
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
# Changelog
|
|
2
|
+
|
|
3
|
+
All notable changes to this project are documented in this file.
|
|
4
|
+
|
|
5
|
+
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
|
6
|
+
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
|
+
|
|
8
|
+
## [1.0.15] - 2026-04-21
|
|
9
|
+
|
|
10
|
+
### Added
|
|
11
|
+
|
|
12
|
+
- [docs/ERRORS.md](docs/ERRORS.md): reference for JSON-RPC error codes `-32001` through `-32016` and matching Python exceptions.
|
|
13
|
+
- Tests: `tests/test_release_metadata.py` (version alignment across `pyproject.toml`, `__version__`, `server.json`, `CITATION.cff`); expanded `tests/test_errors.py` for all policy error codes.
|
|
14
|
+
|
|
15
|
+
### Release notes
|
|
16
|
+
|
|
17
|
+
- PyPI package `mcp-bastion-python` and npm `@mcp-bastion/core` versions are aligned on **1.0.15** with this repository. Install with `pip install mcp-bastion-python==1.0.15`.
|
|
18
|
+
|
|
19
|
+
## [1.0.14] - prior
|
|
20
|
+
|
|
21
|
+
See git history and [README](README.md) for features shipped in the 1.0.x line (middleware pillars, dashboard, policy-as-code, observability).
|
|
22
|
+
|
|
23
|
+
[1.0.15]: https://github.com/vaquarkhan/MCP-Bastion/compare/v1.0.14...v1.0.15
|
|
24
|
+
[1.0.14]: https://github.com/vaquarkhan/MCP-Bastion/releases
|
|
@@ -1,10 +1,10 @@
|
|
|
1
1
|
Metadata-Version: 2.4
|
|
2
2
|
Name: mcp-bastion-python
|
|
3
|
-
Version: 1.0.
|
|
3
|
+
Version: 1.0.15
|
|
4
4
|
Summary: Security middleware for MCP servers protecting LLM agents from prompt injection, resource exhaustion, and PII leakage
|
|
5
|
-
Project-URL: Homepage, https://github.com/
|
|
6
|
-
Project-URL: Repository, https://github.com/
|
|
7
|
-
Project-URL: Documentation, https://github.com/
|
|
5
|
+
Project-URL: Homepage, https://github.com/vaquarkhan/MCP-Bastion
|
|
6
|
+
Project-URL: Repository, https://github.com/vaquarkhan/MCP-Bastion
|
|
7
|
+
Project-URL: Documentation, https://github.com/vaquarkhan/MCP-Bastion#readme
|
|
8
8
|
Author: Viquar Khan
|
|
9
9
|
License: MCP-Bastion Community and Commercial License
|
|
10
10
|
Version 1.0
|
|
@@ -101,64 +101,108 @@ Description-Content-Type: text/markdown
|
|
|
101
101
|
|
|
102
102
|
<!-- mcp-name: io.github.vaquarkhan/mcp-bastion -->
|
|
103
103
|
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
104
|
+
<p align="center">
|
|
105
|
+
<img src="images/mcp-bastian.png" alt="MCP-Bastion: secure MCP middleware" width="220" />
|
|
106
|
+
</p>
|
|
107
|
+
|
|
108
|
+
<p align="center">
|
|
109
|
+
<a href="https://pepy.tech/projects/mcp-bastion-python"><img src="https://img.shields.io/pepy/dt/mcp-bastion-python?label=PyPI%20Downloads" alt="PyPI Downloads" /></a>
|
|
110
|
+
<a href="https://pypi.org/project/mcp-bastion-python/"><img src="https://img.shields.io/pypi/v/mcp-bastion-python?label=PyPI%20Version" alt="PyPI Version" /></a>
|
|
111
|
+
<a href="https://github.com/vaquarkhan/MCP-Bastion/tree/main/packages/core"><img src="https://img.shields.io/github/package-json/v/vaquarkhan/MCP-Bastion?filename=packages%2Fcore%2Fpackage.json&label=npm%20Version&logo=npm" alt="npm Version (@mcp-bastion/core)" /></a>
|
|
112
|
+
<a href="LICENSE"><img src="https://img.shields.io/badge/license-Source%20Available-orange.svg" alt="License: Source Available" /></a>
|
|
113
|
+
</p>
|
|
114
|
+
|
|
115
|
+
<p align="center"><strong>One gateway; every tool call screened, metered, and proven.</strong></p>
|
|
116
|
+
|
|
117
|
+
> **Scope:** Policy runs on MCP JSON-RPC (`tools/list`, `tools/call`, resources) before your handlers execute. Use it together with transport security, identity, and least-privilege access outside this library.
|
|
118
|
+
|
|
119
|
+
## Contents
|
|
120
|
+
|
|
121
|
+
| Link | What you will find |
|
|
122
|
+
|------|---------------------|
|
|
123
|
+
| [Overview](#overview) | Product summary, request-flow diagram, release channels |
|
|
124
|
+
| [Security](#security-context-and-controls) | OWASP MCP Top 10 alignment, layered defense diagram, risk context, observability |
|
|
125
|
+
| [Core features](#core-features) | Pillars, feature matrix, dashboard layout diagram |
|
|
126
|
+
| [Documentation](#documentation-use-cases-attacks-metrics-tutorials) | Tutorials, policy, metrics, attacks |
|
|
127
|
+
| [Installation](#installation) | PyPI, npm, prerequisites, integrations |
|
|
128
|
+
| [Repository layout](#structure) | Directories and example files |
|
|
129
|
+
| [Citing MCP-Bastion](#citing-mcp-bastion) | Citation file, BibTeX, and acknowledgements |
|
|
130
|
+
| [Changelog](CHANGELOG.md) | Version history and release notes |
|
|
131
|
+
| [Error codes](docs/ERRORS.md) | JSON-RPC codes `-32001`–`-32016` and Python exceptions |
|
|
132
|
+
|
|
133
|
+
## Overview
|
|
134
|
+
|
|
135
|
+
MCP-Bastion is **policy-as-code middleware** for the Model Context Protocol: prompt and content checks, PII handling, rate and cost limits, RBAC, optional OPA/Cedar, audit and hash chains, multi-tenant routing, red-team reporting, and an optional **dashboard** for metrics and forensics. Run it on your own hosts or in your VPC.
|
|
136
|
+
|
|
137
|
+
**Packages:** [PyPI `mcp-bastion-python`](https://pypi.org/project/mcp-bastion-python/), [npm `@mcp-bastion/core`](https://www.npmjs.com/package/@mcp-bastion/core). Releases are published via GitHub Actions on tag push.
|
|
138
|
+
|
|
139
|
+
### Request flow
|
|
140
|
+
|
|
141
|
+
Policy runs on MCP JSON-RPC before your handlers. Both `tools/list` and `tools/call` should traverse the same middleware when you enable list-side guards (for example `tool_metadata_guard`).
|
|
142
|
+
|
|
143
|
+
```mermaid
|
|
144
|
+
flowchart LR
|
|
145
|
+
subgraph client["MCP client"]
|
|
146
|
+
H["LLM / IDE / agent host"]
|
|
147
|
+
end
|
|
148
|
+
subgraph proc["Your MCP server process"]
|
|
149
|
+
B["MCP-Bastion\n(policy)"]
|
|
150
|
+
T["Tool & resource\nhandlers"]
|
|
151
|
+
end
|
|
152
|
+
H -->|"tools/list, tools/call, …"| B
|
|
153
|
+
B -->|allowed| T
|
|
154
|
+
B -.->|"blocked · audited"| H
|
|
155
|
+
```
|
|
121
156
|
|
|
122
|
-
|
|
123
|
-
- **PII Redaction:** Uses Microsoft Presidio to detect and mask PII before it reaches the LLM context.
|
|
124
|
-
- **Infinite Loop Protection:** Token buckets and cycle detection stop runaway agents from burning API budget.
|
|
157
|
+
## Security context and controls
|
|
125
158
|
|
|
126
|
-
|
|
159
|
+
Industry discussion of MCP incidents (tool metadata abuse, over-privileged service accounts, supply chain) lines up with the **[OWASP MCP Top 10](https://owasp.org/www-project-mcp-top-10/)**. Bastion maps product features to those categories in [docs/OWASP_MCP_TOP10.md](docs/OWASP_MCP_TOP10.md). For narrative context and **suggested documentation wording**, see [docs/MCP_SECURITY_LANDSCAPE.md](docs/MCP_SECURITY_LANDSCAPE.md). **Corrections and discussion:** [open a GitHub issue](https://github.com/vaquarkhan/MCP-Bastion/issues/new?labels=documentation%2Csecurity).
|
|
127
160
|
|
|
128
|
-
|
|
161
|
+
**Defense in depth:** MCP-Bastion sits in the MCP server process; pair it with strong transport and identity at the edge. Telemetry and audit hooks connect to your existing observability stack.
|
|
129
162
|
|
|
130
|
-
|
|
163
|
+
```mermaid
|
|
164
|
+
flowchart LR
|
|
165
|
+
E["Edge: TLS · JWT · mTLS"] --> M["MCP-Bastion\n(YAML policy)"]
|
|
166
|
+
M --> T["Your tool handlers"]
|
|
167
|
+
M -.-> O["Audit · OTEL ·\ntelemetry.sinks"]
|
|
168
|
+
```
|
|
131
169
|
|
|
132
|
-
|
|
170
|
+
With policy enabled and both `tools/list` and `tools/call` flowing through this middleware, many common abuse classes (including poisoned tool descriptions when `tool_metadata_guard` is enabled) are blocked or stripped before tools run; structured audit can go to your SIEM via `telemetry.sinks` ([bastion.yaml.example](bastion.yaml.example)).
|
|
133
171
|
|
|
134
|
-
|
|
172
|
+
**Out of scope for middleware alone:** Third-party RCE bugs, stolen build tokens, and organization-wide IAM still need vendor patches, sandboxes, vaults, and least privilege outside this library.
|
|
135
173
|
|
|
136
|
-
**
|
|
174
|
+
**Observability:** `telemetry.sinks` in `bastion.yaml` POST JSON to Datadog, New Relic, Splunk HEC, or any HTTPS intake (for example API Gateway, Azure Logic Apps, or GCP). For traces, see [docs/OTEL.md](docs/OTEL.md).
|
|
137
175
|
|
|
138
|
-
|
|
176
|
+
MCP is JSON-RPC over stdio or HTTP. Install Bastion as middleware around your existing Python or TypeScript server so checks run in the same process as your tool handlers (typical overhead is on the order of a few milliseconds; see [docs/METRICS.md](docs/METRICS.md)). You keep business logic in your server; policy lives in `bastion.yaml` and optional code hooks.
|
|
139
177
|
|
|
140
|
-
|
|
178
|
+
---
|
|
141
179
|
|
|
142
|
-
|
|
180
|
+
## Core features
|
|
143
181
|
|
|
144
|
-
**
|
|
182
|
+
**Prompt injection (optional PromptGuard)**
|
|
183
|
+
Local classifier on tool-related payloads when enabled; blocks many jailbreak-style patterns before tools run.
|
|
145
184
|
|
|
146
|
-
|
|
185
|
+
**PII handling (optional Presidio)**
|
|
186
|
+
Entity detection and masking on outbound tool results (redaction, substitution, or generalization).
|
|
147
187
|
|
|
148
|
-
**
|
|
188
|
+
**Rate, circuit, and cost controls**
|
|
189
|
+
Per-session iteration limits, timeouts, token budgets, circuit breaker, and cost tracker to cap runaway sessions.
|
|
149
190
|
|
|
150
|
-
|
|
191
|
+
**Local execution**
|
|
192
|
+
With local classifiers enabled, classification and redaction stay in-process; remote sinks are opt-in via `telemetry.sinks`.
|
|
151
193
|
|
|
152
|
-
**
|
|
194
|
+
**Latency**
|
|
195
|
+
Middleware-only path is designed for low overhead (see [docs/METRICS.md](docs/METRICS.md)).
|
|
153
196
|
|
|
154
|
-
|
|
197
|
+
**SDK integration**
|
|
198
|
+
Python and TypeScript MCP SDK patterns, including FastMCP-style stacks, without rewriting tool implementations.
|
|
155
199
|
|
|
156
200
|
### All Features
|
|
157
201
|
|
|
158
202
|
| Feature | Description |
|
|
159
203
|
|---------|-------------|
|
|
160
204
|
| Prompt injection | Block jailbreaks via Meta PromptGuard |
|
|
161
|
-
| PII redaction | Mask many entity types via Presidio (e.g. SSN, email, phone, credit card, passport, IBAN, medical license
|
|
205
|
+
| PII redaction | Mask many entity types via Presidio (e.g. SSN, email, phone, credit card, passport, IBAN, medical license; see Presidio docs) |
|
|
162
206
|
| Rate limiting | Max iterations, timeout, token budget |
|
|
163
207
|
| Audit logging | Log who, what, when, blocked/allowed |
|
|
164
208
|
| Content filter | Block paths/code/URLs, plus allowlist and denylist patterns |
|
|
@@ -168,6 +212,17 @@ Hooks into MCP SDKs (TypeScript, Python) and FastMCP via standard middleware. No
|
|
|
168
212
|
| Replay guard | Block duplicate nonces |
|
|
169
213
|
| Cost tracker | Per-session cost budget |
|
|
170
214
|
| Semantic cache | Cache similar queries |
|
|
215
|
+
| Semantic firewall | MCP-aware tool intent / dangerous-chain detection |
|
|
216
|
+
| Tool metadata guard | Scan **`tools/list`** responses (name, description, `inputSchema`) for poisoning; strip or block (`tool_metadata_guard`) |
|
|
217
|
+
| Sensitive classifier | Model-weighted detection of sensitive business content (beyond PII regex) |
|
|
218
|
+
| Tamper-evident audit | SHA-256 hash chain on forensic/audit exports; optional anchor webhooks |
|
|
219
|
+
| Behavior fingerprint | Per-session tool-sequence drift anomalies |
|
|
220
|
+
| FinOps attribution | Cost rollups by user, LLM provider, model, tool, dataset (`BASTION_PRICING_OVERRIDES`) |
|
|
221
|
+
| External policy | Optional OPA (Rego) or Cedar evaluation alongside YAML RBAC |
|
|
222
|
+
| Multi-tenant | One process; per-tenant `bastion.yaml` under `multi_tenant.config_dir` |
|
|
223
|
+
| Red-team CLI | `mcp-bastion redteam`: OWASP LLM plus **MCP Top 10** tags and JSON report (`mcp_top10_summary`) |
|
|
224
|
+
| Telemetry sinks | `telemetry.sinks`: POST audits to Datadog, New Relic, Splunk, or any HTTPS intake (cloud and SIEM) |
|
|
225
|
+
| Zero-config OTEL | Auto-detect Grafana OTLP, Datadog agent, or AWS CloudWatch fallback ([OTEL.md](docs/OTEL.md)) |
|
|
171
226
|
|
|
172
227
|
### Real-Time Dashboard and Alerts
|
|
173
228
|
|
|
@@ -180,14 +235,25 @@ mcp-bastion dashboard --port 7000
|
|
|
180
235
|
|
|
181
236
|
| URL | What it returns |
|
|
182
237
|
|-----|-----------------|
|
|
183
|
-
| [http://localhost:7000/](http://localhost:7000/) |
|
|
184
|
-
| [http://localhost:7000/api/metrics](http://localhost:7000/api/metrics) | JSON
|
|
238
|
+
| [http://localhost:7000/](http://localhost:7000/) | Command-center UI: KPIs, pillar health, traffic, FinOps charts (user / provider / model), tamper-evident audit head, tenant chips & filter, forensics + replay, auto-tune anomalies |
|
|
239
|
+
| [http://localhost:7000/api/metrics](http://localhost:7000/api/metrics) | JSON metrics plus `cost_attribution`, `tenants`, `audit_chain`, `auto_tune`, `tenant_view?tenant_id=` |
|
|
240
|
+
| [http://localhost:7000/api/audit/verify](http://localhost:7000/api/audit/verify) | `POST` body `{ "events": [...] }` to verify exported audit hash chain |
|
|
185
241
|
| [http://localhost:7000/api/health](http://localhost:7000/api/health) | `{"status": "ok"}` |
|
|
186
242
|
| [http://localhost:7000/metrics](http://localhost:7000/metrics) | Prometheus text format for Grafana/Datadog |
|
|
187
243
|
|
|
188
|
-
|
|
244
|
+
**Dashboard layout (conceptual)**
|
|
189
245
|
|
|
190
|
-
|
|
246
|
+
```mermaid
|
|
247
|
+
flowchart TB
|
|
248
|
+
subgraph dash["MCP-Bastion dashboard · localhost:7000"]
|
|
249
|
+
K["KPIs · requests · blocked % · cost"]
|
|
250
|
+
P["Pillar health · latency · traffic"]
|
|
251
|
+
F["FinOps · provider · model · tenant"]
|
|
252
|
+
A["Audit chain head · forensics · replay"]
|
|
253
|
+
end
|
|
254
|
+
```
|
|
255
|
+
|
|
256
|
+
*Run the server to see the live UI: KPIs, blocked-by-reason bars, top tools, cost by user, tenant filter, tamper-evident audit head, and recent alerts.*
|
|
191
257
|
|
|
192
258
|
- **Alerts:** Slack webhook and cost-threshold alerts. See [dashboard/README.md](dashboard/README.md).
|
|
193
259
|
|
|
@@ -202,6 +268,8 @@ mcp-bastion dashboard --port 7000
|
|
|
202
268
|
| [docs/METRICS.md](docs/METRICS.md) | Performance overhead (<5ms) and effectiveness metrics (dashboard, Prometheus, OTEL) |
|
|
203
269
|
| [docs/TUTORIALS.md](docs/TUTORIALS.md) | Tutorials: integrating with FastMCP, TypeScript, GitHub MCP, and open-source MCP servers |
|
|
204
270
|
| [docs/GITHUB_PAGES.md](docs/GITHUB_PAGES.md) | Publish docs as a GitHub Pages website from this same repo |
|
|
271
|
+
| [docs/FEATURES.md](docs/FEATURES.md) | Consolidated enterprise & security feature matrix |
|
|
272
|
+
| [docs/ERRORS.md](docs/ERRORS.md) | JSON-RPC error codes (`-32001`–`-32016`) and Python exceptions |
|
|
205
273
|
|
|
206
274
|
### One-Line Docker
|
|
207
275
|
|
|
@@ -210,12 +278,25 @@ docker build -t mcp-bastion/proxy .
|
|
|
210
278
|
docker run -p 8080:8080 mcp-bastion/proxy
|
|
211
279
|
```
|
|
212
280
|
|
|
213
|
-
|
|
281
|
+
```mermaid
|
|
282
|
+
flowchart LR
|
|
283
|
+
H["Host :8080"] --> C["Container\n(Bastion + MCP)"]
|
|
284
|
+
C --> E["/mcp JSON-RPC"]
|
|
285
|
+
CFG["Mounted bastion.yaml"] -.-> C
|
|
286
|
+
```
|
|
287
|
+
|
|
288
|
+
MCP endpoint: `http://localhost:8080/mcp`. The image defaults to `BASTION_CONFIG=/app/bastion.yaml.example` (bundled). For production, mount your `bastion.yaml` and set `BASTION_CONFIG` to its path inside the container. Use `docker compose up -d` for the bundled [docker-compose.yml](docker-compose.yml); add `--profile with-dashboard` for the dashboard. See [DOCKER.md](DOCKER.md).
|
|
214
289
|
|
|
215
290
|
### Policy-as-Code (bastion.yaml)
|
|
216
291
|
|
|
217
292
|
Single config file controls all pillars. Copy `bastion.yaml.example` to `bastion.yaml`, then:
|
|
218
293
|
|
|
294
|
+
```mermaid
|
|
295
|
+
flowchart LR
|
|
296
|
+
Y["bastion.yaml\n(or BASTION_CONFIG)"] --> B["build_middleware_from_config()"]
|
|
297
|
+
B --> MW["MCPBastionMiddleware"]
|
|
298
|
+
```
|
|
299
|
+
|
|
219
300
|
```python
|
|
220
301
|
from mcp_bastion import build_middleware_from_config
|
|
221
302
|
middleware = build_middleware_from_config()
|
|
@@ -231,13 +312,14 @@ Tip: set `hot_reload.enabled: true` in `bastion.yaml` to apply policy changes wi
|
|
|
231
312
|
mcp-bastion validate # validate bastion.yaml
|
|
232
313
|
mcp-bastion serve --http 8080 # run MCP server with config
|
|
233
314
|
mcp-bastion dashboard --port 7000 # run metrics dashboard
|
|
315
|
+
mcp-bastion redteam -c bastion.yaml -o redteam-report.json # security scorecard
|
|
234
316
|
```
|
|
235
317
|
|
|
236
318
|
See [docs/CLI.md](docs/CLI.md).
|
|
237
319
|
|
|
238
|
-
### OpenTelemetry
|
|
320
|
+
### OpenTelemetry and observability
|
|
239
321
|
|
|
240
|
-
|
|
322
|
+
Explicit `OTEL_EXPORTER_OTLP_ENDPOINT` still works. **Zero-config mode** also picks up Grafana Cloud OTLP (`GRAFANA_CLOUD_OTLP_*`), probes the Datadog agent OTLP port, or emits **AWS CloudWatch** custom metrics when OTLP is unavailable. Install optional deps: `pip install mcp-bastion-python[otel]` (+ `boto3` on AWS). See [docs/OTEL.md](docs/OTEL.md).
|
|
241
323
|
|
|
242
324
|
### Webhook alerts
|
|
243
325
|
|
|
@@ -245,33 +327,22 @@ Use Slack webhook, a single generic webhook (`webhook_url` or `BASTION_WEBHOOK_U
|
|
|
245
327
|
|
|
246
328
|
---
|
|
247
329
|
|
|
248
|
-
##
|
|
249
|
-
|
|
250
|
-
Early security packages (mcp-guardian, mcp-shield) focus on logging or static scanning. MCP-Bastion adds an active defense layer.
|
|
251
|
-
|
|
252
|
-
### 1. Active Defense vs. Passive Logging
|
|
330
|
+
## Architectural notes
|
|
253
331
|
|
|
254
|
-
|
|
255
|
-
|
|
256
|
-
|
|
257
|
-
|
|
258
|
-
|
|
259
|
-
|
|
260
|
-
|
|
261
|
-
|
|
262
|
-
|
|
263
|
-
|
|
264
|
-
### 3. Stateful Denial of Wallet Protection
|
|
265
|
-
|
|
266
|
-
| The Competition | MCP-Bastion |
|
|
267
|
-
|-----------------|-------------|
|
|
268
|
-
| Most tools focus on static vulns or basic rate limits. | Tracks tool call history per session. Stops runaway loops before they burn API budget. |
|
|
269
|
-
|
|
270
|
-
### 4. Drop-in Middleware vs. Standalone Gateway
|
|
332
|
+
```mermaid
|
|
333
|
+
flowchart TB
|
|
334
|
+
subgraph local["Typical: in-process"]
|
|
335
|
+
MW["MCP-Bastion"] --> H["Handlers"]
|
|
336
|
+
end
|
|
337
|
+
subgraph alt["Optional: sidecar / proxy"]
|
|
338
|
+
TS["@mcp-bastion/core"] --> PG["Prompt / PII sidecar\n(MCP_BASTION_URL)"]
|
|
339
|
+
end
|
|
340
|
+
```
|
|
271
341
|
|
|
272
|
-
|
|
273
|
-
|
|
274
|
-
|
|
342
|
+
- **In-process default:** wrap MCP handlers in Python or TypeScript so policy runs before your tool code, without an extra network hop unless you deploy a proxy on purpose.
|
|
343
|
+
- **Optional local models:** PromptGuard and Presidio run on the host when those pillars are enabled and dependencies are installed.
|
|
344
|
+
- **Session-scoped state:** rate limits, replay nonces, and cost counters are keyed per session as defined in configuration.
|
|
345
|
+
- **Policy surface:** most controls are declared in `bastion.yaml`; OPA, Cedar, and webhooks extend that for pipelines that already use those systems.
|
|
275
346
|
|
|
276
347
|
---
|
|
277
348
|
|
|
@@ -295,6 +366,11 @@ Early security packages (mcp-guardian, mcp-shield) focus on logging or static sc
|
|
|
295
366
|
|------|---------|
|
|
296
367
|
| `examples/python_server_example.py` | Minimal middleware chain |
|
|
297
368
|
| `examples/full_demo.py` | All 11 features (rate limit, PII, RBAC, etc.) |
|
|
369
|
+
| `examples/advanced_features_demo.py` | Semantic firewall, sensitive classifier, session limits, tool metadata guard |
|
|
370
|
+
| `examples/owasp_security_showcase.py` | OWASP MCP Top 10–style controls (secrets, allowlist, edge auth, replay) |
|
|
371
|
+
| `examples/connect_any_mcp_tool_example.py` | Arbitrary tool names via `await bastion(ctx, downstream)` |
|
|
372
|
+
| `examples/policy_simulator_example.py` | Shadow policy replay (`simulate_policy`) |
|
|
373
|
+
| `examples/bastion.advanced.example.yaml` | Sample YAML for newer pillars |
|
|
298
374
|
| `examples/llm_server.py` | Shared MCP server for LLM clients |
|
|
299
375
|
| `examples/llm_openai_example.py` | OpenAI |
|
|
300
376
|
| `examples/llm_claude_example.py` | Claude |
|
|
@@ -312,7 +388,7 @@ uv add mcp-bastion-python
|
|
|
312
388
|
# or
|
|
313
389
|
pip install mcp-bastion-python
|
|
314
390
|
# pinned latest
|
|
315
|
-
pip install mcp-bastion-python==1.0.
|
|
391
|
+
pip install mcp-bastion-python==1.0.15
|
|
316
392
|
```
|
|
317
393
|
|
|
318
394
|
**Prerequisites (recommended)**
|
|
@@ -412,6 +488,12 @@ middleware = compose_middleware(bastion)
|
|
|
412
488
|
# (integration depends on your server framework)
|
|
413
489
|
```
|
|
414
490
|
|
|
491
|
+
```mermaid
|
|
492
|
+
flowchart LR
|
|
493
|
+
B["MCPBastionMiddleware\n(outer: runs first)"] --> O["Other middleware"]
|
|
494
|
+
O --> S["Your MCP server"]
|
|
495
|
+
```
|
|
496
|
+
|
|
415
497
|
**Examples:**
|
|
416
498
|
|
|
417
499
|
| Example | Description |
|
|
@@ -785,6 +867,29 @@ npx -y @modelcontextprotocol/inspector
|
|
|
785
867
|
|
|
786
868
|
See `NOTICE` for licenses. MCP-Bastion uses Meta Llama Prompt Guard 2 (Llama 4 Community License) and Microsoft Presidio. For OWASP-relevant mitigations, dependency audit, and reporting vulnerabilities, see [docs/SECURITY.md](docs/SECURITY.md).
|
|
787
869
|
|
|
870
|
+
## Citing MCP-Bastion
|
|
871
|
+
|
|
872
|
+
Use the repository [CITATION.cff](CITATION.cff) (Citation File Format). On GitHub, open the **Cite this repository** control on the repo home page to copy **APA**, **BibTeX**, or other formats derived from that file.
|
|
873
|
+
|
|
874
|
+
**Plain text (example):**
|
|
875
|
+
|
|
876
|
+
Khan, V. (2026). *MCP-Bastion* (Version 1.0.15) [Computer software]. https://github.com/vaquarkhan/MCP-Bastion
|
|
877
|
+
|
|
878
|
+
**BibTeX (software entry; adjust `version` / `year` if you cite a specific release):**
|
|
879
|
+
|
|
880
|
+
```bibtex
|
|
881
|
+
@software{khan_mcp_bastion_2026,
|
|
882
|
+
author = {Khan, Viquar},
|
|
883
|
+
title = {MCP-Bastion: Security middleware for the {Model Context Protocol}},
|
|
884
|
+
year = {2026},
|
|
885
|
+
version = {1.0.15},
|
|
886
|
+
url = {https://github.com/vaquarkhan/MCP-Bastion},
|
|
887
|
+
note = {Python package \texttt{mcp-bastion-python}; npm scope \texttt{@mcp-bastion/core}}
|
|
888
|
+
}
|
|
889
|
+
```
|
|
890
|
+
|
|
891
|
+
Non-commercial use of this project requires attribution consistent with [LICENSE](LICENSE), including citation metadata when you publish work that builds on the software.
|
|
892
|
+
|
|
788
893
|
## License
|
|
789
894
|
|
|
790
895
|
MCP-Bastion is distributed under the **MCP-Bastion Community and Commercial License**.
|