Open Source | MIT License | 100% Local | 3.0 runtime governance

Cost-Aware Runtime
Governance for AI Agents

Treat live spend as a security signal. Block injection and PII leaks, enforce principal-keyed FinOps caps, and govern the full MCP path — embed or proxy. Under 5ms overhead.

PyPI version PePy downloads Sponsor
<5ms
Overhead
18
Security Pillars
92%+
Test Coverage
17+
Integrations
SCAN → TEST → ENFORCE — No other tool has all three

Scan Test Enforce

No other tool has all three

Privacy-first, in-process, MCP-native — plus FinOps and a CI testing companion. One permissively licensed stack.

Scan

Static tool-definition checks before deploy

mcp-bastion scan tools.json

Test

Red-team harness against your policy

mcp-bastion redteam

Enforce

Runtime middleware on every MCP method

bastion.yaml
mcp-bastion scan CLI output with letter grade and findings
MCP-Bastion live governance dashboard

mcp-bastion dashboard --demo · optional local metrics UI

Three Lines to Secure Your Server

Add enterprise-grade security without changing business logic

server.py
from mcp_bastion import MCPBastionMiddleware, compose_middleware

# One object. All 18 security pillars.
bastion = MCPBastionMiddleware(
    enable_prompt_guard=True,    # Block jailbreaks
    enable_pii_redaction=True,   # Mask SSN, email, phone
    enable_rate_limit=True,      # Stop runaway agents
)

middleware = compose_middleware(bastion)

18 Security Pillars

Defense-in-depth for every MCP server. Each pillar runs independently.

🛡

Prompt Injection

Meta PromptGuard blocks jailbreaks locally

🔐

PII Redaction

Presidio masks SSN, email, phone

Rate Limiting

Token bucket per session

Circuit Breaker

Auto-disable failing tools

🔒

RBAC

Tool-level permissions by role

🚫

Content Filter

Block code injection, path traversal

💰

Cost Tracker

Principal-keyed session & daily FinOps caps

📊

Cost-Aware Policy

Degrade model, force discovery filter, block expensive chains

📜

Governance Attestation

Signed session export — policy hash, controls fired, spend

🚧

Boundary Mode

Mandatory proxy auth — un-bypassable network hop

🔄

Replay Guard

Nonce-based replay prevention

🧠

Semantic Cache

Deduplicate similar queries

Schema Validation

Validate tool input types

📝

Audit Logging

Structured JSON audit trail

📡

OpenTelemetry

OTLP spans for Grafana, Datadog

🔔

Alerts

Slack, webhook, cost anomaly alerts

📊

Metrics Dashboard

Real-time requests, cost, blocked stats

🔗

Audit Hash Chain

Tamper-proof forensic audit trail

🏛

External Policy (OPA/Cedar)

Plug in OPA or Cedar policy engines

🔥

Semantic Firewall

Heuristic semantic policy checks

Runtime Governance 3.0

Opt-in enterprise controls for production MCP deployments. All default off — enable only what you need in bastion.yaml.

MCP-Bastion 3.0 runtime governance pillars overview
Exfiltration canary detects context leakage in tool arguments
ATR rules, threat feeds, and compliance reports
Secret pattern redaction on outbound tool results

The exfiltration canary adds a separate trailing text block on prompts/get and resources/read (original JSON/code bodies stay intact), then blocks tool arguments that echo the session token. Host orchestrators can also read bastion_canary_snippet from request metadata for custom system prompts. LLM scanner and ATR rules are opt-in; expect up to ~2.5s latency (scanner) or per-rule regex cost when enabled.

Exfiltration Canary

Session token echo detection in tool args

ATR YAML Rules

Community threat rules merged into scanners

Local LLM Scanner

Optional Ollama tier, fail-open

Threat Intel Feeds

Background regex rule refresh

Auto-Repave

Threshold-based containment actions

Secret Redaction

mask / hash / remove on tool outputs

Observe Mode

Log would-block without denying

Compliance Report

mcp-bastion report CLI

Works With Everything

One-line install for every major LLM framework

LangChain
OpenAI
Claude
Bedrock
Gemini
CrewAI
LlamaIndex
Groq
Mistral
Azure
DeepSeek
+6 more

Why MCP-Bastion

Feature MCP-Bastion Others
Active defenseAuto-blockLogging only
Data privacy100% localExternal APIs
Cost protectionCost-as-policy FinOpsBilling only
CategoryRuntime governanceScanner or gateway
ArchitectureDrop-in middlewareStandalone proxy
Latency<5ms50-200ms
Test coverage92%+ gateUnknown

Real-Time Security Dashboard

Monitor requests, blocked attacks, PII redacted, cost tracking, and alerts in real time

MCP-Bastion Dashboard showing real-time security metrics
Live Metrics

Requests, blocked %, PII redacted, cost per user

Prometheus Export

Scrape /metrics for Grafana and Datadog

Slack Alerts

Instant notifications on injection, cost spikes

How MCP-Bastion Compares

Most MCP security tools focus on logging or require external APIs. MCP-Bastion provides active, local defense.

Capability MCP-Bastion MCP Guardian MCP Gateways
Prompt injection blockingLocal ML modelWAF rules onlyExternal API
PII redactionPresidio (local)NoSome (cloud)
Data leaves your networkNeverNoYes
Denial-of-wallet protectionFinOps budgetsRate limit onlyRate limit only
ArchitectureDrop-in middlewareStandalone proxyHosted gateway
Latency overhead<5ms10-50ms50-200ms
Policy-as-codeYAML + OPA + CedarConfig fileDashboard UI
Framework integrations17+ packagesGeneric onlyVaries
CostFree (MIT)Free$$$
Test coverage100%UnknownUnknown

Why Your MCP Server Needs This

Prompt Injection is Real

Attackers embed "ignore previous instructions" in tool arguments. Without active defense, your agent executes malicious commands on your infrastructure.

PII Leaks to LLMs

Tool results containing SSN, emails, and phone numbers flow directly into LLM context windows. One leaked prompt and your customer data is exposed.

Runaway Agents Burn Budget

An infinite loop calling a paid API can rack up thousands in minutes. Token budgets and session timeouts stop this before it starts.

Compliance Requires Audit

SOC2, HIPAA, and GDPR require audit trails for data access. MCP-Bastion logs every tool call with structured, tamper-proof entries.

Ready to Secure Your Agents?

Get started in under 60 seconds. No config needed.

$ pip install mcp-bastion-python