{"data":{"slug":"abluva-research-mcp-trust-plane","name":"mcp-trust-plane","tagline":"Pluggable security framework for MCP traffic","github_url":"https://github.com/abluva-research/mcp-trust-plane","owner":"abluva-research","repo":"mcp-trust-plane","owner_avatar_url":"https://avatars.githubusercontent.com/u/121275274?v=4","primary_language":"JavaScript","stars":59,"forks":14,"topics":["access-control","agentic-ai","ai-agents","data-governance-and-ai","data-security","enterprise-security","guardrails","llm-security","mcp","model-context-protocol","open-source","trust-plane"],"archived":false,"github_pushed_at":"2026-06-19T14:25:55+00:00","maintenance_label":"Active","url":"https://www.graphcanon.com/tools/abluva-research-mcp-trust-plane","markdown_url":"https://www.graphcanon.com/tools/abluva-research-mcp-trust-plane.md","api_url":"https://www.graphcanon.com/api/graphcanon/tools/abluva-research-mcp-trust-plane","graph_url":"https://www.graphcanon.com/api/graphcanon/graph?tool=abluva-research-mcp-trust-plane","description":"Composable data security plane for Model Context Protocol. Pluggable layers — collect, analyze, guard — across 50+ enterprise providers. Open architecture.","homepage_url":null,"license":"Apache-2.0","open_issues":0,"watchers":0,"ai_summary":"MCP Trust Plane provides a flexible data security layer that intercepts and modifies Model Context Protocol (MCP) communications to enforce enterprise policies like PII redaction and operation blocking without altering the core MCP server or agent runtime.","readme_excerpt":"# MCP Trust Plane\n\nA pluggable, language-agnostic filter framework for Model Context Protocol\n(MCP) traffic. Each filter is a tiny HTTP service that decides whether a\ntool call should be allowed, blocked, modified, or truncated.\n\n## Why\n\nMCP gives agents direct access to tools and data sources. That's powerful\nand dangerous in equal measure. Filters give you a place to enforce\nguardrails — block destructive SQL, redact PII before it reaches the\nmodel, throttle abusive agents, cap response sizes, redact columns —\nwithout modifying the upstream MCP server or the agent runtime.\n\n## How it works\n\n```\n                    pre-request                       post-response\n   Client ─▶ MCP Gateway ─────────▶ Engine ─▶ filter ─┐\n                │     ◀────────────────── allow/block ┘\n                │\n                ▼ (forward)\n            MCP Server\n                │\n                ▼\n   Client ◀ MCP Gateway ◀──── Engine ─▶ filter ─┐\n                                ◀───── allow/truncate/modify ┘\n```\n\n- An MCP gateway sits in front of the upstream MCP server.\n- For every `tools/call`, the gateway asks an **engine** \"what should I do\n  for target X at execution_point Y?\".\n- The engine looks up the policies assigned to that target and, for each\n  filter in those policies, calls `POST {filter_url}/filter`.\n- Filters are completely independent processes. They can be written in\n  any language. They share no state with the gateway or the engine.\n\nA reference engine and gateway live in the parent repo\n(`secure-ai-plane-x/mcp-filter-gateway`). This sub-project ships only the\nfilter implementations and the contract.\n\n## The Filter Contract\n\nEvery filter MUST expose two HTTP endpoints:\n\n### `POST /filter`\n\nRequest body:\n\n```json\n{\n  \"config\":    { \"max_rows\": 1000 },\n  \"arguments\": {\n    \"sql\": \"SELECT * FROM employees\",\n    \"response_count\": 8000,\n    \"response_rows\": [\"row-1\", \"row-2\", \"...\"]\n  },\n  \"metadata\": {\n    \"agent_id\":   \"demo_agent\",\n    \"agent_name\": \"demo_agent\",\n    \"member_id\":  \"f5d9e4ec-…\",\n    \"project_id\": \"b0000000-…\",\n    \"tool_name\":  \"run_sql\"\n  }\n}\n```\n\nResponse body:\n\n```json\n{\n  \"action\": \"allow | block | truncate | modify\",\n  \"reason\": \"human-readable string surfaced to the user and audit log\",\n  \"modified_response\": { \"...optional...\" },\n  \"original_count\":    8000,\n  \"truncated_to\":      1000\n}\n```\n\n- `allow` — let the request through unchanged.\n- `block` — reject. The gateway returns an MCP error using `reason`.\n- `truncate` — return a smaller payload (`modified_response`) and an\n  audit notice. Used by post-response filters like Row Limiter.\n- `modify` — replace the payload with `modified_response`. Used by\n  redactors and maskers.\n\nFilters MUST be idempotent and side-effect free with respect to the\nagent's behaviour (with the obvious exception of audit / rate limiter\nstate). Filter execution time should stay under 50ms p95; the engine\ntreats slow filters as `allow` to fail-open.\n\n### `GET /health`\n\nReturns `200 { \"status\": \"healthy\", \"filter\": \"<slug>\", \"version\": \"...\" }`.\nUsed by orchestrators to gate traffic.\n\n## Common filters\n\nCross-cutting guards under `common/` (Apache 2.0):\n\n| Filter           | Slug              | Phase          | Default port |\n|------------------|-------------------|----------------|--------------|\n| SQL Guard        | sql-guard         | pre-request    | 6001         |\n| PII Redactor     | pii-redactor      | post-response  | 6002         |\n| Row Limiter      | row-limiter       | post-response  | 6003         |\n| Schema Validator | schema-validator  | pre-request    | 6005         |\n| Rate Limiter     | rate-limiter      | pre-request    | 6007         |\n| Field Masker     | field-masker      | post-response  | 6008         |\n\n## Provider filters\n\nIntegration-specific guards under `provider/<vendor>/data-guard/` — **54\nproviders** today (AWS, GitHub, Stripe, Snowflake, Slack, PostgreSQL,\nNotion, Terraform, and more). See `provider/README.md` and\n`provider/manifest.json` for the full","github_created_at":"2026-06-18T08:14:29+00:00","created_at":"2026-07-15T10:44:36.701698+00:00","updated_at":"2026-07-15T11:06:26.362683+00:00","categories":[{"slug":"ai-agents","name":"AI Agents","url":"https://www.graphcanon.com/categories/ai-agents","markdown_url":"https://www.graphcanon.com/categories/ai-agents.md","api_url":"https://www.graphcanon.com/api/graphcanon/categories/ai-agents"},{"slug":"evaluation-observability","name":"Evaluation & Observability","url":"https://www.graphcanon.com/categories/evaluation-observability","markdown_url":"https://www.graphcanon.com/categories/evaluation-observability.md","api_url":"https://www.graphcanon.com/api/graphcanon/categories/evaluation-observability"}],"tags":[{"slug":"access-control","name":"access-control"},{"slug":"ai-agents","name":"ai-agents"},{"slug":"data-governance-and-ai","name":"data-governance-and-ai"},{"slug":"data-security","name":"data-security"},{"slug":"enterprise-security","name":"enterprise-security"},{"slug":"open-source","name":"open-source"}],"trust":{"provenance":{"is_fork":false,"github_id":1273116225,"owner_type":"Organization","methodology":"github_public_v1","parent_repo":null,"near_duplicate_slugs":[]},"computed_at":"2026-07-15T10:44:37.671Z","maintenance":{"label":"Active","score":82,"methodology":"github_public_v1","releases_90d":1,"days_since_push":25,"last_release_at":"2026-06-19T07:05:14Z"},"security_summary":{"status":"no_manifest","scanner":null,"low_count":0,"high_count":0,"last_scan_at":"2026-07-15T10:44:37.999Z","medium_count":0,"scan_profile":"mcp_manifest","critical_count":0}},"capability_facts":{"scan":{"source":"repo_scan","observed_at":"2026-07-15T11:05:52.182Z"},"deploy":{"source":"dockerfile:docker-compose.yml","self_host":true,"observed_at":"2026-07-15T11:05:52.182Z","managed_saas":false},"languages":{"value":["javascript"],"source":"github.language","observed_at":"2026-07-15T11:05:52.182Z"},"has_docker":{"value":true,"source":"dockerfile:docker-compose.yml","observed_at":"2026-07-15T11:05:52.182Z"},"license_spdx":{"value":"Apache-2.0","source":"github.license","observed_at":"2026-07-15T11:05:52.182Z"}},"decision_facts":{"hosting":null,"pricing":{"model":"freemium","summary":"MCP Trust Plane is open-source under Apache 2.0, making it available at no cost but provides flexibility to extend commercially through proprietary filter implementations."},"requirements":{"min_ram_gb":1,"requires_docker":false},"constraints":{"min_ram_gb":1,"pricing_model":"freemium","requires_docker":false},"when_to_use":["MCP Trust Plane should be used when you require granular control over tool calls in your MCP-enabled systems, such as enforcing PII redaction or operation blocking.","MCP Trust Plane is ideal for setups that need to integrate with 50+ enterprise providers without changing existing agent runtimes or MCP servers."],"when_not_to_use":["Avoid MCP Trust Plane if your security needs do not require modification of traffic post-response, as it introduces an additional layer of complexity and latency.","MCP Trust Plane may not be the best choice for environments that strictly enforce language-specific policies since its filters are written in any language and must comply with a strict contract."],"source":"enrich:decision_facts","observed_at":"2026-07-15T11:06:26.064Z"},"constraint_facets":{"min_ram_gb":1,"pricing_model":"freemium","requires_docker":false},"decision_summary":[{"label":"Pricing","value":"freemium - MCP Trust Plane is open-source under Apache 2.0, making it available at no cost but provides flexibility to extend commercially through proprietary filter implementations."},{"label":"Requirements","value":"Min 1 GB RAM"},{"label":"Adopt for","value":"MCP Trust Plane is designed for organizations that need to enforce security policies on MCP traffic without modifying core components of the protocol stack."}]}}