Server data from the Official MCP Registry
Security middleware for MCP. Blocks prompt injection, PII leakage, and resource exhaustion.
Security middleware for MCP. Blocks prompt injection, PII leakage, and resource exhaustion.
Valid MCP server (0 strong, 2 medium validity signals). No known CVEs in dependencies. Package registry verified. Imported from the Official MCP Registry.
1 file analyzed · 1 issue found
Security scores are indicators to help you make informed decisions, not guarantees. Always review permissions before connecting any MCP server.
Add this to your MCP configuration file:
{
"mcpServers": {
"io-github-vaquarkhan-mcp-bastion": {
"args": [
"mcp-bastion-python"
],
"command": "uvx"
}
}
}From the project's GitHub README.
Current release: 3.1.0 · Docker v3.1.0 · 18 PyPI packages · CHANGELOG
The Zero-Trust control plane for MCP agents. Your agent can call databases, APIs, and shell tools. One bad prompt can leak PII; one runaway loop can burn your API budget in minutes; three agents on one server with no identity boundary is a confused-deputy incident waiting to happen. MCP-Bastion wraps your MCP server with local guardrails: agent IAM, supply-chain checksums, injection blocking, PII redaction, and denial-of-wallet caps, under 5ms overhead, with no third-party safety API.
Guiding rule: Stay a zero-infra, drop-in library - the guardrail brain that composes with any gateway, not a gateway itself. Strategy: docs/ZERO_INFRA_STRATEGY.md.
| Phase | What | Command |
|---|---|---|
| Scan | Static tool-definition checks before deploy (injection, secrets, homoglyphs, fingerprint drift, schema preconditions) | mcp-bastion scan tools.json |
| Audit | Local MCP client-config risk report (over-broad tools, standing credentials, filesystem servers) | mcp-bastion audit |
| Test | Integrated red-team harness against your bastion.yaml policy | mcp-bastion redteam |
| Enforce | Runtime middleware on every MCP method | secure_fastmcp(mcp) or bastion.yaml |
scan vs audit — different inputs, different questions
mcp-bastion scan | mcp-bastion audit | |
|---|---|---|
| Looks at | A tool catalog (tools.json / tools/list export) | MCP client configs on disk (mcp.json, Claude Desktop config, etc.) |
| Asks | “Is this tool metadata poisoned or drifted?” | “What can agents already reach on this machine?” |
| Finds | Injection in descriptions, secrets in schemas, homoglyphs, fingerprint drift, weak/unbounded inputSchema shapes | Over-broad tool grants (*), standing credentials in env, filesystem-server hints |
| When | Before you ship or attach a server’s tools (CI / pre-deploy) | Before you tighten policy on a laptop or workspace (local hygiene) |
They complement each other: audit the host surface, then scan the tools you attach. Neither replaces runtime enforce.
mcp-bastion scan also accepts --skills DIR for offline agent skill-file checks. Dependency CVEs: mcp-bastion osv-refresh then mcp-bastion osv-scan (local DB default; --online opt-in, fail-open).
# 1. Scan a tools/list export (or hand-authored catalog) — client-side, no cloud
mcp-bastion scan examples/fixtures/tools-poisoned.json
mcp-bastion fingerprint tools.json -o baseline.json
mcp-bastion scan tools.json --baseline baseline.json --format json -o report.json
mcp-bastion scan --skills ./skills/
# 1b. Audit local MCP client configs (what agents can already reach)
mcp-bastion audit --root .
mcp-bastion audit --format json -o risk-audit.json --fail-on none
# 2. Test policy effectiveness
mcp-bastion redteam --config bastion.yaml
# 3. Enforce at runtime (filesystem path guards when agents can read local files)
# merge examples/bastion-filesystem-guards.yaml into bastion.yaml
mcp-bastion validate --config bastion.yaml
As noted in the NSA's recent Cybersecurity Information Sheet on MCP security and the OWASP MCP Top 10, traditional AppSec tools cannot secure agentic workflows. The gap is runtime governance and the confused deputy problem: multiple AI agents sharing one MCP server with no native identity boundary. Public registry typosquatting and unverified servers have made supply-chain verification a board-level concern.
MCP-Bastion acts as the Zero-Trust Control Plane for your agents, addressing the hardest production problems:
search_docs, not delete_user.bastion.yaml)# Stop the Confused Deputy Problem - Identity-Aware Routing
agent_iam:
enabled: true
token_metadata_key: bastion_agent_token
agents:
- id: customer_support_bot
token_env: BASTION_TOKEN_SUPPORT
allowed_tools: ["search_docs", "get_ticket_status"]
blocked_tools: ["execute_sql", "delete_user"]
rate_limit:
max_iterations: 5
# Supply-chain checksums before any tool executes
server_verification:
enabled: true
on_mismatch: block
base_path: .
manifest_path: mcp-server.manifest.json
Generate a manifest after a trusted build: mcp-bastion manifest server.py pyproject.toml -o mcp-server.manifest.json
Deep dive: docs/RUNTIME_GOVERNANCE.md · docs/ENTERPRISE_RUNTIME_CONTROLS.md (3.0 pillars)
Opt-in enterprise controls for production MCP runtimes. All default off so 2.x behavior is unchanged until you enable them.
| Pillar | Config | What it does |
|---|---|---|
| Exfiltration canary | canary_goallock | Session token in context; blocks tool args that echo it (-32025) |
| ATR YAML rules | atr_rules | Community threat rules merged into content_filter (-32027) |
| Local LLM scanner | llm_scanner | Optional Ollama tier after heuristics; fail-open (-32026) |
| Threat intel feeds | threat_feeds | Background refresh of remote regex patterns |
| Auto-repave | auto_repave | Threshold-based containment (rotate canary, reset scope) |
| Secret redaction | secrets.redact_patterns | replace / hash / mask / remove on tool outputs |
| Observe mode | mode: observe | Log would_block without denying |
mode: enforce
canary_goallock:
enabled: true
atr_rules:
enabled: true
rules_dir: ./atr-rules
secrets:
redact_patterns:
- rule: "sk-[A-Za-z0-9]{20,}"
strategy: mask
CLI compliance evidence: mcp-bastion report --framework soc2 --audit ./audit.jsonl
Previously, most pillars ran only on tools/call. 2.0.0 extends the pipeline to resources/read, prompts/get, sampling/createMessage, and elicitation/create - closing exfil/injection gaps on the rest of the MCP surface.
For multi-replica deployments, enable state_backend.type: redis so rate limits, replay nonces, cost budgets, and session tool scope are shared across pods (default memory is single-process).
state_backend:
type: redis
redis_url: redis://127.0.0.1:6379/0
pip install mcp-bastion-python[redis] · Deep dive: docs/MCP_SURFACE_AND_SCALE.md
Battle-tested patterns from the broader MCP gateway ecosystem, wired into the middleware stack:
| Feature | What you get |
|---|---|
| JSONPath argument guards | Block or redact tool arguments by tool glob + JSONPath + regex before execution (argv-array evasion aware). pip install mcp-bastion-python[policy] |
| RBAC fnmatch globs | Role permissions like read_* / files_* with specificity-aware matching |
Audit JSONL + mcp-bastion tail | Append-only compliance log; audit.jsonl_path in config or mcp-bastion tail -p audit.jsonl |
| Cost checkpoint | Optional disk persistence for session totals across restarts (cost_tracker.checkpoint_path, memory backend only) |
Cost-aware policy (cost_policy) | Live spend rules: degrade model, force discovery filter, require approval; expensive-chain blocking |
| Governance attestation | mcp-bastion attest export --session … - signed session bundle with policy hash + controls fired |
| Boundary mode | Mandatory proxy auth on every request (boundary_mode + edge_auth / agent_iam) - GATEWAY_BOUNDARY.md |
| Ungated PromptGuard | prompt_guard.use_ungated_default: true → ProtectAI DeBERTa classifier (no HF gate) |
cost_policy:
enabled: true
rules:
- when: { session_spend_pct_gte: 80 }
action: degrade_model
target_model: gpt-4o-mini
- when: { session_spend_pct_gte: 95 }
action: require_approval
expensive_chain:
enabled: true
max_projected_cost_usd: 1.0
governance:
attestation_enabled: true
boundary_mode:
enabled: true # requires edge_auth or agent_iam
argument_guards:
enabled: true
rules:
- name: block_shell
match: "run_*"
arg: "$.command"
pattern: "(rm\\s+-rf|curl\\s+.*\\|.*sh)"
action: block
audit:
jsonl_path: .bastion/audit.jsonl
cost_tracker:
checkpoint_path: .bastion/cost-checkpoint.json
| You need… | MCP-Bastion gives you… |
|---|---|
| Guardrails without a rewrite | Drop-in middleware: secure_fastmcp(mcp) or one bastion.yaml |
| Privacy your legal team accepts | PromptGuard + Presidio run in your process; data stays on your network |
| Stop runaway agents & budget burn | On by default: 15 tool calls/session, 60s timeout, 50k token budget. Optional: per-tool caps, USD session/day limits, response offload |
| Shrink context & cut token spend | Opt-in: discovery filter (fewer tools in tools/list), output budget + session offload (up to ~99% on oversized tool outputs), lexical similarity cache - measured benchmarks |
| Something that ships today | PyPI, npm, Docker on GHCR, FastMCP, TypeScript wrapper, CI validate, live dashboard |
| Policy your team can review | bastion.yaml in Git, hot reload, OWASP-aligned controls (docs/PILLARS.md) |
Agents can loop on expensive tools (search, LLM calls, paid APIs) until your bill spikes. Bastion enforces session-level FinOps at the MCP boundary before each tools/call:
| Attack pattern | What Bastion does | Default |
|---|---|---|
| Infinite tool loop | Blocks after max iterations per session | On (15 calls) |
| Long-running session abuse | Session timeout | On (60s) |
| Token / context budget burn | Token budget per session; optional output offload | On (50k tokens); offload opt-in |
| Same tool hammered | Per-tool call cap (max_per_tool) | Opt-in |
| Paid API spend runaway | USD caps via cost tracker | Opt-in |
| Flaky or hostile tool cascade | Circuit breaker opens after failures | Opt-in in example config |
| Tool sprawl in one session | Cap distinct tools per session | Opt-in |
Blocked calls return standard errors (RateLimitExceededError -32002, TokenBudgetExceededError -32003, CostBudgetExceededError -32009) and show up in the dashboard and audit log. See docs/ATTACK_PREVENTION.md.
Bastion does not only block runaway spend - it reduces how much tool output and tool-catalog tokens reach the model on each turn (not the user’s LLM prompt text itself):
| Savings lever | What it does | Default |
|---|---|---|
| Discovery filter | Hides unused tools from tools/list so agents carry a smaller tool catalog in context (~85% fewer catalog tokens in benchmarks with 20→3 tools) | Opt-in |
| Output budget + offload | Truncates oversized tool responses; stores the rest in-session for bastion_get_offloaded (up to ~99.7% on 50k-token dumps; 0% when already under budget) | Opt-in |
| Lexical similarity cache | Skips redundant tool calls when queries are near-identical (Jaccard word overlap - not embedding “semantic” search) | Opt-in |
| Token budget caps | Hard stop before session token burn exceeds your limit | On (50k tokens) |
| USD session/day limits | Dollar ceilings via cost tracker | Opt-in |
There is no honest single “X% prompt reduction” figure - savings are input-dependent. See docs/BENCHMARKS.md for reproducible pytest benchmarks and live numbers.
Less tool output and catalog noise per turn means lower LLM input cost - without sending prompts to a third-party optimizer API.
Bottom line: MCP turned every server into an agent gateway overnight. Bastion is the firewall that makes that gateway safe to run in production - in three lines of code or one config file.
All 10 OWASP MCP Top 10 risks are mitigated at the MCP boundary (see controls below). Bastion also blocks FinOps and abuse patterns that OWASP does not list separately.
OWASP MCP Top 10 (all addressed)
| ID | Risk | Bastion controls |
|---|---|---|
| MCP01 | Token / secret exposure | PII redaction, audit trail, outbound response scan |
| MCP02 | Privilege escalation | RBAC, agent IAM, rate limits, cost caps, session tool scope |
| MCP03 | Tool poisoning | Prompt guard, content filter, response scan, metadata guard, grounding guard |
| MCP04 | Supply chain | Circuit breaker, server_verification checksums, doctor CLI, mcp-bastion manifest, audit |
| MCP05 | Command injection | Prompt guard, content filter, schema validation |
| MCP06 | Intent subversion | Rate limits, replay guard, per-tool caps, semantic firewall |
| MCP07 | Weak authentication | RBAC, edge auth, agent IAM (per-agent tokens) |
| MCP08 | Audit & telemetry | Audit log, dashboard, Prometheus, OTEL, alerts |
| MCP09 | Shadow MCP servers | Central bastion.yaml policy, metrics, discovery filter |
| MCP10 | Context injection | PII redaction, response scan, output budget, discovery filter |
FinOps & abuse attacks (beyond OWASP)
| Attack | Controls |
|---|---|
| Denial of wallet | Iteration cap, token budget, cost tracker, output budget |
| Runaway tool loops | Session timeout, rate limiter, circuit breaker |
| Per-tool hammering | max_per_tool session caps |
| API spend runaway | USD session/day caps |
| Session tool sprawl | Distinct-tool limit per session |
| Replay abuse | Replay guard + nonces |
Token reduction & cost saving
| Lever | Controls | Benchmark |
|---|---|---|
| Smaller tool catalog in context | Discovery filter on tools/list | ~85% catalog tokens (20→3 tools) - BENCHMARKS.md |
| Less tool output in every turn | Output budget, session offload, bastion_get_offloaded | Up to ~99.7% on oversized dumps; 0% when under budget |
| Fewer redundant calls | Lexical similarity cache (Jaccard overlap) | Exact repeat hits; paraphrase misses at 0.9 |
| Predictable spend | Token budget caps, USD session/day limits | Session defaults on |
Deep-dive mapping and integration hooks: docs/SECURITY_OBSERVABILITY.md · docs/ATTACK_PREVENTION.md
pip install mcp mcp-bastion-fastmcp
from mcp.server.fastmcp import FastMCP
from mcp_bastion_fastmcp import secure_fastmcp
mcp = FastMCP("My Server")
secure_fastmcp(mcp) # wires prompt guard, PII redaction, rate limits into tools/call
Policy-as-code instead? Copy bastion.yaml.example → bastion.yaml, then pip install mcp-bastion-python[policy]:
from mcp_bastion import build_middleware_from_config
middleware = build_middleware_from_config() # loads bastion.yaml
More paths (TypeScript, CI validate, Docker): docs/QUICK_START.md · docs/README.md · website
MCP-Bastion sits in-process on your MCP server and inspects every tools/call before it reaches databases, APIs, or shell tools - then redacts sensitive data on the way back.
flowchart LR
Agent["AI agent / LLM client"]
Server["Your MCP server"]
Bastion["MCP-Bastion<br/>middleware"]
Tools["Tools & upstream APIs"]
Agent -->|"JSON-RPC"| Server
Server --> Bastion
Bastion -->|"✓ allow / ✗ block"| Tools
Tools -->|"raw result"| Bastion
Bastion -->|"PII masked · audited"| Server
Server --> Agent
flowchart TB
Start(["Protect my MCP server"])
Start --> FastMCP["FastMCP · Python<br/><code>secure_fastmcp(mcp)</code>"]
Start --> Policy["Policy-as-code<br/><code>build_middleware_from_config()</code>"]
Start --> TS["TypeScript<br/><code>wrapWithMcpBastion(server)</code>"]
FastMCP --> Docs["docs/QUICK_START.md · path A"]
Policy --> Yaml["bastion.yaml + CI validate"]
TS --> Sidecar["Rate limit in-process · ML via sidecar"]
Releases: npm, PyPI, and prebuilt Docker on GHCR - see DOCKER.md. Community: SUPPORT.md · CONTRIBUTING.md · FUNDING.md · Security: SECURITY.md.
Zero-Click Prompt Injection Prevention
Integrates Meta's PromptGuard model locally to detect and block malicious payloads, jailbreaks, and adversarial tokenization before they reach your external tools.
PII Redaction
Microsoft Presidio scans outbound tool results and masks PII (redaction, substitution, generalization).
Infinite Loop and Denial of Wallet Protection
Implements stateful cycle detection and configurable FinOps token-bucket algorithms to automatically terminate runaway agents and prevent massive API bill overruns.
100% Local Execution (Data Privacy)
All security classification and data redaction happen entirely within the local memory space of your server. Sensitive data never leaves your enterprise network for third-party safety evaluations.
Low Latency
Drop-in middleware, under 5ms overhead.
Framework Integration
Hooks into MCP SDKs (TypeScript, Python) and FastMCP via standard middleware. No business logic changes.
Pillar definitions: Security controls, bastion.yaml sections, and how they relate to dashboard health rows are documented in docs/PILLARS.md (canonical reference; avoids ambiguous “total pillar” counts). The same page lists extended features restored in 1.0.16+ (semantic firewall, sensitive classifier, external policy, edge auth, tool allowlist, session scope, tool metadata guard, multi-tenant, audit hash chain, pricing hooks, telemetry sinks, red team and doctor CLIs, etc.), FinOps/context pillars in 1.0.17+ (output budget, discovery filter, response scan, grounding guard), and runtime governance (agent IAM, server verification - introduced in 1.0.18+, shipped in 2.0.0).
Deeper context: docs/SECURITY_OBSERVABILITY.md - OWASP MCP Top 10 alignment, attack scenarios, and SIEM/log integrations. Framework add-ons (LangChain, OpenAI, Bedrock, …) are listed under Framework Integrations below.
| Feature | What you get |
|---|---|
| Prompt injection defense | Meta PromptGuard scores tool arguments; malicious / jailbreak-style payloads can be blocked before execution (local inference, no third-party API). |
| Content filter | Block shell/code execution patterns, sensitive file paths, and URLs; optional allowlist / denylist regex or substring rules. |
| PII redaction | Microsoft Presidio detects many entity types in outbound tool/resource text (SSN, email, phone, cards, passport, IBAN, licenses, etc. - see Presidio docs). |
| Feature | What you get |
|---|---|
| Agent IAM (Confused Deputy) | Bind API tokens to agent identities; per-agent allowed_tools / blocked_tools, resource URI allow/block, optional rate limits - stops a support bot from calling admin tools or reading secret resources. See docs/RUNTIME_GOVERNANCE.md. |
| Full MCP surface guards (2.0.0) | resources/read, prompts/get, sampling/createMessage, elicitation/create - same inbound/outbound pillars as tool calls (not only tools/call). docs/MCP_SURFACE_AND_SCALE.md |
| Distributed state (2.0.0) | state_backend: redis - shared rate limits, replay nonces, cost caps, session scope across replicas. pip install mcp-bastion-python[redis] |
| Server verification (supply chain) | SHA-256 manifest checksums verified at startup and on every tools/call; mcp-bastion manifest generates trusted manifests after a signed-off build. |
| RBAC | Tool-level allow/deny by role (from request metadata); fnmatch globs (read_*) with specificity-aware matching in bastion.yaml. Pair with Agent IAM or edge auth - alone, roles are only as trustworthy as whatever sets metadata["role"]. Live matrix → |
| Argument guards (2.0.0) | JSONPath + regex block/redact on tools/call arguments before schema validation - stops shell injection and secret exfil in argv-style payloads. |
| Schema validation | Validate tools/call arguments against JSON Schema before the tool runs (block malformed or bypass attempts). |
| Replay guard | Nonce tracking to reject replayed requests (configurable require_nonce). |
| Rate limiting | Token-bucket style limits: max iterations per session, timeout, token budget - stops runaway loops and brute-force patterns. |
| Circuit breaker | Stop calling tools that fail repeatedly (limits blast radius of bad upstreams or poisoned tools). |
| Feature | What you get |
|---|---|
| Cost tracker | Per-session and optional per-day USD caps; blocks when budget is exceeded. Optional disk checkpoint for restart-safe totals (memory backend). |
| Semantic cache (lexical) | Optional Jaccard word-overlap cache for near-identical tool queries - not embedding-based; see benchmarks. |
| Low overhead | Middleware on the hot path targeting <5 ms typical overhead (see docs/METRICS.md). |
| Feature | What you get |
|---|---|
| Audit logging | Structured allow/deny decisions with reason, tool, tenant_id, trace_id, request_id - feed SOC / compliance. Optional JSONL file sink + mcp-bastion tail. |
| Alert sinks | Slack incoming webhook; generic HTTP webhooks (PagerDuty, Teams, custom APIs); multiple URLs; retry, backoff, timeout in bastion.yaml. |
| In-memory metrics | Global MetricsStore: requests, blocks, PII counts, cost, per-tool stats, latency samples, rolling time series buckets. |
| Real-time dashboard | Local web UI (additive panels): pre-deploy posture grades + Sonar-style prevalidation from .bastion/scan/, PMD-style issue guides (why / how to fix / OWASP), OWASP ASI + MCP + LLM heatmaps, live attack matrix, compliance evidence + dated reports, date filters, observe-mode banner, agents / trends / onboarding, forensics with why/pillar/trace, FinOps cost burn (actual vs would-have-been, tokens saved + avoided by blocks, charts), plus classic KPIs. APIs: /api/metrics, /api/posture, /api/prevalidate, /api/issue-guide, /api/taxonomy, /api/attack-matrix, /api/compliance. Dark/light theme. See dashboard/README.md. |
| OpenTelemetry | Optional OTLP span export - pip install mcp-bastion-python[otel] - docs/OTEL.md. |
| Feature | What you get |
|---|---|
| Policy-as-code | Single bastion.yaml: toggles for all request-path controls plus audit, alerts, and hot reload (docs/PILLARS.md); load via load_config / build_middleware_from_config. |
| Hot reload | Optional reload bastion.yaml on change without restarting the MCP server (docs/POLICY_AS_CODE.md). |
| Composable middleware | compose_middleware ordering; MCPBastionMiddleware flags for each pillar. |
| CLI | mcp-bastion scan, audit, validate, redteam, manifest, attest export, serve, dashboard, doctor, tail - docs/CLI.md. |
| Python + TypeScript | mcp-bastion-python on PyPI; @mcp-bastion/core on npm for TypeScript MCP servers (rate limits in-process; prompt/PII via optional sidecar). |
| Containers | Dockerfile, docker-compose profiles (proxy + optional dashboard) - DOCKER.md. Prebuilt images (GHCR): mcp-bastion-proxy, mcp-bastion-dashboard - published on each v* tag (publish-docker.yml). |
The dashboard is optional and local — a read-only view over runtime metrics + local scan/audit artifacts. No login server, no cloud DB (see docs/ZERO_INFRA_STRATEGY.md).
Feature tour (GIF): posture + prevalidation → OWASP heatmaps → attack matrix → compliance → governance → forensics → FinOps actual vs would-have-been → traffic.
| Area | Panels / actions |
|---|---|
| Pre-deploy posture | Letter grades A–F for catalog scan, skill scan, OSV, risk audit + combined grade (reads .bastion/scan/*.json) |
| Static prevalidation | Sonar-style issue list from the same local JSON — not a SonarQube server (/api/prevalidate) |
| Issue guides | PMD-style why / how to fix / Bastion knobs / OWASP refs on every finding (/api/issue-guide) |
| OWASP coverage | Tabs for ASI Top 10, MCP Top 10, LLM Top 10 — green/amber/grey heatmap with finding + block pressure |
| Live attack matrix | Categories under pressure with intensity, share, top tool, OWASP tags, sample/trace drill-down |
| Compliance / reports | Attestation + policy hash; generate SOC2 / GDPR / ISO27001 / NIST AI RMF / ASI evidence or zip (date-filtered) |
| Runtime | KPIs, governance, alerts + SSE, insights, forensics (Why + Details), agents / trends / onboarding, traffic/latency/PII charts |
| FinOps | Actual vs would-have-been spend/tokens; FinOps tokens saved; tokens/$ avoided by blocks; charts + blocked-issues table |
| Filters | Date range + presets (forensics, trends, attack matrix, reports) |
mcp-bastion dashboard --port 7000 --demo
# or: PYTHONPATH=src python dashboard/app.py
| URL | What it returns |
|---|---|
| http://localhost:7000/ | Full UI (posture, prevalidate, OWASP, attack matrix, FinOps, forensics, …) |
| http://localhost:7000/api/metrics | Runtime JSON (cost_reduction: used/saved/avoided + would-have cost) |
| http://localhost:7000/api/posture | Scan / skill / OSV / risk-audit grades from local JSON |
| http://localhost:7000/api/prevalidate | Sonar-style issue list + grades (local scan suite) |
| http://localhost:7000/api/issue-guide?check=weak_schema | PMD-style rule card (or ?id=ASI02) |
| http://localhost:7000/api/taxonomy | ?framework=asi|mcp|llm heatmap |
| http://localhost:7000/api/attack-matrix | Live attack categories (+ date filter) |
| http://localhost:7000/api/compliance/report | Evidence markdown (framework, date_from, date_to) |
| http://localhost:7000/api/health | Build / ui_revision |
| http://localhost:7000/metrics | Prometheus text |
Feed scan/audit artifacts into the posture panels:
mkdir -p .bastion/scan
mcp-bastion scan tools.json --format json -o .bastion/scan/catalog.json
mcp-bastion scan --skills ./skills --format json -o .bastion/scan/skills.json
mcp-bastion osv-scan --format json -o .bastion/scan/osv.json
mcp-bastion audit --format json -o .bastion/scan/risk-audit.json
Adoption paths (start-to-finish):
| Goal | Read in order |
|---|---|
Policy-as-code (bastion.yaml) | docs/PILLARS.md → docs/POLICY_AS_CODE.md → bastion.yaml.example → docs/CLI.md (validate) |
| LLM clients (OpenAI, Claude, Gemini, …) | docs/LLM_INTEGRATION.md → docs/INTEGRATION_MODELS.md → examples/ (llm_*.py) |
| FastMCP / TypeScript / third-party MCP | docs/TUTORIALS.md → docs/DETAILED_TUTORIAL.md |
Fleet rollout of bastion.yaml + SIEM / SOC audit | docs/SECURITY_OBSERVABILITY.md → docs/POLICY_AS_CODE.md |
| Minimal “hello world” + CI / registries | docs/QUICK_START.md → examples/ci/README.md → docs/DISCOVERY.md |
Full index: docs/README.md (docs hub) · published site entry: docs/index.md · quick wrap: docs/QUICK_START.md · discovery: docs/DISCOVERY.md · contribute: CONTRIBUTING.md.
Documentation truncated — see the full README on GitHub.
Be the first to review this server!
by Modelcontextprotocol · Developer Tools
Read, search, and manipulate Git repositories programmatically
by Toleno · Developer Tools
Toleno Network MCP Server — Manage your Toleno mining account with Claude AI using natural language.
by mcp-marketplace · Developer Tools
Create, build, and publish Python MCP servers to PyPI — conversationally.