A local-first control plane for your AI agent's tools — cap spend, rate-limit, and audit every MCP tool call.
Project description
Bastion
A local-first control plane for your AI agent's tools. Bastion is a gateway that sits between an AI agent (Claude Code, Cursor, Claude Desktop, …) and the MCP servers it uses — capping spend, rate-limiting, enforcing per-tool permissions, redacting or blocking dangerous arguments, and auditing every call.
One config file, one command, no cloud, no database.
Why
Model Context Protocol won — every major AI vendor ships it and there are 17,000+ MCP servers. But agents call those servers with no spend caps, no rate limits, no permissions, and no audit trail. A looping agent can burn real money in minutes, and you have no record of what it did.
Bastion is the missing control layer. One config file, one command, no cloud, no database.
How it works
Your agent points at Bastion instead of at its MCP servers directly. Bastion is
both an MCP server (to the agent) and an MCP client (to the real "upstream"
servers). It aggregates your upstreams behind one endpoint and enforces rules on
every tools/call:
AI agent ──MCP──▶ Bastion ──MCP──▶ upstream server A
(policy + upstream server B
audit) upstream server C
Install
pip install bastion-mcp
This installs the bastion command. To run it without installing globally,
use uv:
uvx --from bastion-mcp bastion --help
To hack on Bastion itself, see CONTRIBUTING.md.
Quickstart
Create bastion.yaml:
upstreams:
files:
command: npx
args: ["-y", "@modelcontextprotocol/server-filesystem", "/path/to/project"]
Validate it:
bastion validate
Point your agent at the gateway — e.g. for Claude Code:
claude mcp add --transport stdio bastion -- bastion run --config ./bastion.yaml
Your agent now reaches the filesystem server through Bastion. With a single
upstream, tools keep their original names; configure several and Bastion
namespaces each tool by its upstream key (files_read_file, search_query, …)
so they never collide.
Configuration
bastion.yaml — upstreams is required; everything else is optional. A
small example with permissions and audit:
upstreams:
files:
command: npx
args: ["-y", "@modelcontextprotocol/server-filesystem", "/data"]
audit:
enabled: true
path: ./bastion-audit.jsonl
policy:
default: allow
permissions:
- { tool: "files_read_*", action: allow }
- { tool: "files_delete_*", action: deny }
A denied call is blocked before reaching the upstream and recorded in the
audit log. Rate limits, budgets (call-count and cost), and argument guards
(block or redact) layer onto the same policy section.
See docs/configuration.md for the full reference
of every section, docs/security.md for the security
model (secrets in the audit log, unauthenticated surfaces), and
examples/ for runnable starter configurations.
Dashboard
bastion dashboard serves a local web view of the audit log — every tool call,
live, with arguments, outcomes, and timings:
bastion dashboard --config bastion.yaml # then open http://127.0.0.1:8787
Milestones
Bastion shipped one feature per release, milestone by milestone:
- M0 — multi-upstream proxy (stdio + HTTP), config schema, CLI
- M1 — audit log: every tool call recorded to JSONL
- M2 — permissions: per-tool allow/deny rules
- M3 — first PyPI release (
pip install bastion-mcp) - M4 — rate limiting: per-tool and global token buckets
- M5 — budgets: call-count and cost caps with on-disk checkpoint
- M6 — argument guards: regex-on-JSONPath, block or redact
- M7 — live log viewer (
bastion tail/logs/stats/init) + Windows CI - M8 — docs, examples,
v1.0.0🎉
Contributing
Issues and PRs welcome — see CONTRIBUTING.md.
License
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file bastion_mcp-1.0.1.tar.gz.
File metadata
- Download URL: bastion_mcp-1.0.1.tar.gz
- Upload date:
- Size: 48.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d5a06acb1b204559dd0797b38427fb92f93ca73770f239b536abce350f1b0e62
|
|
| MD5 |
d1fa4cbb3800fae7a24d773569e3c2fa
|
|
| BLAKE2b-256 |
b0c87e4fcd35bc5cac15dbcd777958f4d2daac817754791f0be04861e7540a44
|
Provenance
The following attestation bundles were made for bastion_mcp-1.0.1.tar.gz:
Publisher:
release.yml on SoumilBhandari/Bastion
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
bastion_mcp-1.0.1.tar.gz -
Subject digest:
d5a06acb1b204559dd0797b38427fb92f93ca73770f239b536abce350f1b0e62 - Sigstore transparency entry: 1672598891
- Sigstore integration time:
-
Permalink:
SoumilBhandari/Bastion@b2b6b89af60c9b6a5b46f3393eb16020e94bc371 -
Branch / Tag:
refs/tags/v1.0.1 - Owner: https://github.com/SoumilBhandari
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@b2b6b89af60c9b6a5b46f3393eb16020e94bc371 -
Trigger Event:
release
-
Statement type:
File details
Details for the file bastion_mcp-1.0.1-py3-none-any.whl.
File metadata
- Download URL: bastion_mcp-1.0.1-py3-none-any.whl
- Upload date:
- Size: 35.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
95b997924f6604dcc0566f2e66043b10d9e9413732a5a228fd5f7ab69a9bf1dd
|
|
| MD5 |
fba3c98e8cd5c1487a9e27e5e465bf2f
|
|
| BLAKE2b-256 |
bb921b78f2b8459f01fe57ea715c3fecaa94cf86724c1daf4f502eca644828a7
|
Provenance
The following attestation bundles were made for bastion_mcp-1.0.1-py3-none-any.whl:
Publisher:
release.yml on SoumilBhandari/Bastion
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
bastion_mcp-1.0.1-py3-none-any.whl -
Subject digest:
95b997924f6604dcc0566f2e66043b10d9e9413732a5a228fd5f7ab69a9bf1dd - Sigstore transparency entry: 1672598912
- Sigstore integration time:
-
Permalink:
SoumilBhandari/Bastion@b2b6b89af60c9b6a5b46f3393eb16020e94bc371 -
Branch / Tag:
refs/tags/v1.0.1 - Owner: https://github.com/SoumilBhandari
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@b2b6b89af60c9b6a5b46f3393eb16020e94bc371 -
Trigger Event:
release
-
Statement type: