Skip to main content

A local-first control plane for your AI agent's tools — cap spend, rate-limit, and audit every MCP tool call.

Project description

Bastion

A local-first control plane for your AI agent's tools. Bastion is a gateway that sits between an AI agent (Claude Code, Cursor, Claude Desktop, …) and the MCP servers it uses — capping spend, rate-limiting, enforcing per-action permissions, and auditing every tool call.

Status: early development. Bastion is being built in the open, milestone by milestone. Today it proxies your MCP servers, writes a full audit log of every tool call, and enforces per-tool permissions; rate limits, budgets, and argument guards land over the next milestones — see the roadmap.

Why

Model Context Protocol won — every major AI vendor ships it and there are 17,000+ MCP servers. But agents call those servers with no spend caps, no rate limits, no permissions, and no audit trail. A looping agent can burn real money in minutes, and you have no record of what it did.

Bastion is the missing control layer. One config file, one command, no cloud, no database.

How it works

Your agent points at Bastion instead of at its MCP servers directly. Bastion is both an MCP server (to the agent) and an MCP client (to the real "upstream" servers). It aggregates your upstreams behind one endpoint and enforces rules on every tools/call:

  AI agent  ──MCP──▶  Bastion  ──MCP──▶  upstream server A
                      (policy +          upstream server B
                       audit)            upstream server C

Install

pip install bastion-mcp

This installs the bastion command. To run it without installing globally, use uv:

uvx --from bastion-mcp bastion --help

To hack on Bastion itself, see CONTRIBUTING.md.

Quickstart

Create bastion.yaml:

upstreams:
  files:
    command: npx
    args: ["-y", "@modelcontextprotocol/server-filesystem", "/path/to/project"]

Validate it:

bastion validate

Point your agent at the gateway — e.g. for Claude Code:

claude mcp add --transport stdio bastion -- bastion run --config ./bastion.yaml

Your agent now reaches the filesystem server through Bastion. With a single upstream, tools keep their original names; configure several and Bastion namespaces each tool by its upstream key (files_read_file, search_query, …) so they never collide.

Configuration

bastion.yamlupstreams is required; everything else is optional.

gateway:
  transport: stdio          # stdio | http

upstreams:                  # each key names an upstream MCP server
  files:
    command: npx            # `command` ⇒ stdio upstream
    args: ["-y", "@modelcontextprotocol/server-filesystem", "/data"]
  search:
    url: https://search.example.com/mcp   # `url` ⇒ http upstream

audit:                      # every tool call is logged here (JSON Lines)
  enabled: true
  path: ./bastion-audit.jsonl

policy:                     # per-tool allow/deny (most-specific rule wins)
  default: allow
  permissions:
    - { tool: "files_read_*",   action: allow }
    - { tool: "files_delete_*", action: deny  }

A denied call is blocked before it reaches the upstream and recorded in the audit log. The cost section (budgets) is documented as it lands — see the roadmap below.

Dashboard

bastion dashboard serves a local web view of the audit log — every tool call, live, with arguments, outcomes, and timings:

bastion dashboard --config bastion.yaml   # then open http://127.0.0.1:8787

Roadmap

Bastion is built in milestones; each adds one capability. The first PyPI release comes early — right after permissions — and every milestone after ships a release.

  • M0 — multi-upstream proxy (stdio + HTTP), config schema, CLI
  • M1 — audit log: every tool call recorded to JSONL
  • M2 — permissions: per-tool allow/deny rules
  • M3 — first PyPI release (pip install bastion)
  • M4 — rate limiting: per-tool / per-client / global token buckets
  • M5 — budgets: call-count and cost caps that survive restarts
  • M6 — argument guards: block dangerous tool arguments
  • M7 — live log viewer (bastion tail) and CLI polish
  • M8 — docs, examples, v1.0.0

Contributing

Issues and PRs welcome — see CONTRIBUTING.md.

License

Apache 2.0

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

bastion_mcp-0.4.0.tar.gz (45.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

bastion_mcp-0.4.0-py3-none-any.whl (35.4 kB view details)

Uploaded Python 3

File details

Details for the file bastion_mcp-0.4.0.tar.gz.

File metadata

  • Download URL: bastion_mcp-0.4.0.tar.gz
  • Upload date:
  • Size: 45.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for bastion_mcp-0.4.0.tar.gz
Algorithm Hash digest
SHA256 c44f08a5fd4a58290719f50ed5470d19c3793941071674a07c19f9664887c2f4
MD5 9a4023d1d72e21171e342da2412c69fd
BLAKE2b-256 5fe6a2cc063196e2452ec0227fa97411c3b2f454cb706c4c4f1fd21c30190e8c

See more details on using hashes here.

Provenance

The following attestation bundles were made for bastion_mcp-0.4.0.tar.gz:

Publisher: release.yml on SoumilBhandari/Bastion

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file bastion_mcp-0.4.0-py3-none-any.whl.

File metadata

  • Download URL: bastion_mcp-0.4.0-py3-none-any.whl
  • Upload date:
  • Size: 35.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for bastion_mcp-0.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 0ea39023340c2a5ea1cde647514994cfe423d4a9d9204815d2e4dccbf0563f11
MD5 b88d54d3049e94d55aee36cbb46d0799
BLAKE2b-256 e20c5bc0ddaa97cb2b6287b22157cb650501538bb7f1f29a74a28f7a30fec2f0

See more details on using hashes here.

Provenance

The following attestation bundles were made for bastion_mcp-0.4.0-py3-none-any.whl:

Publisher: release.yml on SoumilBhandari/Bastion

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page