Skip to main content

A local gate for MCP traffic with cross-call memory for sensitive values.

Project description

Sluice

Agents do not just answer questions. They reach into files, databases, APIs, and inboxes through MCP. Each hop is another place data can end up where you did not intend.

Sluice is the gate on that path. It reads what goes out to tools and what comes back, applies your rules, and keeps a short memory of sensitive values for the rest of the conversation. If the model tries to ship the same value somewhere new, the gate stays shut.

What this is (and what it is not)

Most MCP security tools work like a mailbox scanner. They open one envelope, look for a credit card or API key, and decide whether to let that single message through.

Sluice works like a gate with memory. It still scans every message, but it also remembers what sensitive data already entered the session. The second question it asks is different: has this exact value already been inside the conversation, and is it now trying to leave through another tool?

That second question is the whole point. A secret inside a read_file response can be legitimate. The same secret inside a later send_email call is a leak. Sluice blocks the second moment, not the first.

This is not a hosted service, not an LLM judge, and not a replacement for identity or network access control. It is a local runtime that sits on the MCP wire, enforces YAML policy, writes an audit log to disk, and fronts multiple tool servers from one config.

A concrete case

Your agent calls read_file and the response includes AKIAIOSFODNN7EXAMPLE. That is fine. The file really contained it.

Two turns later it calls send_email and the body includes the same string. Sluice has no opinion about the first call. It stops the second one because the value already appeared inside this session and is trying to travel again.

v0.1.0

This release ships:

  • stdio and HTTP transports with streamable HTTP (MCP 2025-03-26) for remote upstreams
  • Carryover memory across tool calls (taint_leak)
  • Secret, PII, and tool-poisoning detectors
  • Per-upstream and per-tool YAML policy
  • SQLite audit log and sluice logs
  • CLI: init, serve, stdio, logs, doctor, version
  • Legacy config migration to config.yaml.upgraded
  • ${VAR} expansion in config values

Quick demo script:

bash scripts/demo.sh

Performance on a developer laptop (pipeline only, 1 KB messages):

clean  p50=0.02 ms   p95=0.02 ms
secret p50=0.61 ms   p95=0.85 ms

Reproduce with python -m sluice.bench.latency.

Install

pip install sluice-taint

PyPI package: sluice-taint. The CLI command is still sluice.

Get started

sluice init
sluice serve

The proxy listens on 127.0.0.1:4444 by default. Edit config.yaml before you point anything real at it.

From source

git clone https://github.com/krishyaid-coder/sluice
cd sluice
pip install -e ".[dev]"
sluice init
sluice serve

Hook up Claude Desktop or Cursor

Run Sluice as the MCP command instead of the tool server directly:

{
  "mcpServers": {
    "filesystem": {
      "command": "sluice",
      "args": ["stdio", "--config", "/absolute/path/to/config.yaml"]
    }
  }
}

Sluice spawns the upstream named in your config and speaks MCP on stdin/stdout.

Prove it works

With default policy, this should come back as a JSON-RPC error:

curl -s -X POST http://127.0.0.1:4444 \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tools/call",
    "params": {
      "name": "write_file",
      "arguments": {"content": "key=AKIAIOSFODNN7EXAMPLE"}
    }
  }' | jq

Running multiple tool servers

HTTP mode can front more than one upstream. Send traffic to POST /u/<upstream-name> or POST / for the default route in config.yaml.

Tooling

sluice init scaffolds config.

sluice serve starts the HTTP gate.

sluice stdio bridges one upstream over stdio for desktop clients.

sluice logs --since 1h prints recent decisions from the local SQLite log.

sluice doctor loads your config and reports obvious problems.

sluice version prints the build.

Rules and outcomes

You declare what to do when a pattern fires: refuse the message (block), strip the match and continue (redact), or allow it but remember the value for later (flag).

Built-in matchers know common API keys, tokens, PEM blocks, email and phone shapes, cards and government IDs, noisy high-entropy strings, and suspicious text hiding inside tools/list payloads.

When a remembered value shows up again in an outbound call, the refusal reason is taint_leak.

Everything runs on your machine. Audit rows land in ~/.sluice/audit.db unless you point them elsewhere.

Architecture

See Architecture.md for the full system layout, request path, and module map.

License

Apache 2.0

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sluice_taint-0.1.0.tar.gz (34.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

sluice_taint-0.1.0-py3-none-any.whl (29.6 kB view details)

Uploaded Python 3

File details

Details for the file sluice_taint-0.1.0.tar.gz.

File metadata

  • Download URL: sluice_taint-0.1.0.tar.gz
  • Upload date:
  • Size: 34.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.7

File hashes

Hashes for sluice_taint-0.1.0.tar.gz
Algorithm Hash digest
SHA256 0a54acb768a1e64a80537936601e3deaf242029dc701682269daa6b8b020f23d
MD5 c6bf6c7f295def4398e319a8cfc3b716
BLAKE2b-256 3e1f2b9ea252f71acd85952954ca567ad98f6235f9ab1342eac90724fea945a0

See more details on using hashes here.

File details

Details for the file sluice_taint-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: sluice_taint-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 29.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.7

File hashes

Hashes for sluice_taint-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 8d8fbc252bd1ffa01d1b1b1dd2d69a2a9e5db174dbf7f3e9fa3fb13bc80644d7
MD5 56c61fad3e2acdfbe11a51b1397adbbc
BLAKE2b-256 14d6ced93f720207aa9839ecaf81a7196262c91e039c7f4e193ed41f1948cf1a

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page