GraphCanon updated today · GitHub synced today
Decision brief
MCP Trust Plane is designed for organizations that need to enforce security policies on MCP traffic without modifying core components of the protocol stack.
Good fit when
- MCP Trust Plane should be used when you require granular control over tool calls in your MCP-enabled systems, such as enforcing PII redaction or operation blocking.
- MCP Trust Plane is ideal for setups that need to integrate with 50+ enterprise providers without changing existing agent runtimes or MCP servers.
Avoid when
- Avoid MCP Trust Plane if your security needs do not require modification of traffic post-response, as it introduces an additional layer of complexity and latency.
- MCP Trust Plane may not be the best choice for environments that strictly enforce language-specific policies since its filters are written in any language and must comply with a strict contract.
- Pricing:
- freemium - MCP Trust Plane is open-source under Apache 2.0, making it available at no cost but provides flexibility to extend commercially through proprietary filter implementations.
- Requirements:
- Min 1 GB RAM
Observed Jul 15, 2026 · Source: enrich:decision_facts
Verify the decision
Maintenance and security
Full trust report- Maintenance
- Active (25d since push)
- As of today
- Provenance
- Not a fork · Organization account
- As of today
- Security (OSV)
- No MCP manifest
- As of today
Public GitHub metadata and optional OSV scans. Signals, not a guarantee. Trust methodology.
Install
npm install mcp-trust-plane npmSimilar tools
Same-category neighbours. No typed graph edges are catalogued for this tool yet.
Evidence and technical details
Sourced facts, taxonomy, compatibility claims, README excerpt, and machine-readable endpoints.
Overview
MCP Trust Plane provides a flexible data security layer that intercepts and modifies Model Context Protocol (MCP) communications to enforce enterprise policies like PII redaction and operation blocking without altering the core MCP server or agent runtime.
Capability facts
- Deploy
- Self-host
Source: dockerfile:docker-compose.yml · Jul 15, 2026
- Docker
- Dockerfile present
Source: dockerfile:docker-compose.yml · Jul 15, 2026
- Languages
- javascript
Source: github.language · Jul 15, 2026
Categories
Tags
README
MCP Trust Plane
A pluggable, language-agnostic filter framework for Model Context Protocol (MCP) traffic. Each filter is a tiny HTTP service that decides whether a tool call should be allowed, blocked, modified, or truncated.
Why
MCP gives agents direct access to tools and data sources. That's powerful and dangerous in equal measure. Filters give you a place to enforce guardrails — block destructive SQL, redact PII before it reaches the model, throttle abusive agents, cap response sizes, redact columns — without modifying the upstream MCP server or the agent runtime.
How it works
pre-request post-response
Client ─▶ MCP Gateway ─────────▶ Engine ─▶ filter ─┐
│ ◀────────────────── allow/block ┘
│
▼ (forward)
MCP Server
│
▼
Client ◀ MCP Gateway ◀──── Engine ─▶ filter ─┐
◀───── allow/truncate/modify ┘
- An MCP gateway sits in front of the upstream MCP server.
- For every
tools/call, the gateway asks an engine "what should I do for target X at execution_point Y?". - The engine looks up the policies assigned to that target and, for each
filter in those policies, calls
POST {filter_url}/filter. - Filters are completely independent processes. They can be written in any language. They share no state with the gateway or the engine.
A reference engine and gateway live in the parent repo
(secure-ai-plane-x/mcp-filter-gateway). This sub-project ships only the
filter implementations and the contract.
The Filter Contract
Every filter MUST expose two HTTP endpoints:
POST /filter
Request body:
{
"config": { "max_rows": 1000 },
"arguments": {
"sql": "SELECT * FROM employees",
"response_count": 8000,
"response_rows": ["row-1", "row-2", "..."]
},
"metadata": {
"agent_id": "demo_agent",
"agent_name": "demo_agent",
"member_id": "f5d9e4ec-…",
"project_id": "b0000000-…",
"tool_name": "run_sql"
}
}
Response body:
{
"action": "allow | block | truncate | modify",
"reason": "human-readable string surfaced to the user and audit log",
"modified_response": { "...optional..." },
"original_count": 8000,
"truncated_to": 1000
}
allow— let the request through unchanged.block— reject. The gateway returns an MCP error usingreason.truncate— return a smaller payload (modified_response) and an audit notice. Used by post-response filters like Row Limiter.modify— replace the payload withmodified_response. Used by redactors and maskers.
Filters MUST be idempotent and side-effect free with respect to the
agent's behaviour (with the obvious exception of audit / rate limiter
state). Filter execution time should stay under 50ms p95; the engine
treats slow filters as allow to fail-open.
GET /health
Returns 200 { "status": "healthy", "filter": "<slug>", "version": "..." }.
Used by orchestrators to gate traffic.
Common filters
Cross-cutting guards under common/ (Apache 2.0):
| Filter | Slug | Phase | Default port |
|---|---|---|---|
| SQL Guard | sql-guard | pre-request | 6001 |
| PII Redactor | pii-redactor | post-response | 6002 |
| Row Limiter | row-limiter | post-response | 6003 |
| Schema Validator | schema-validator | pre-request | 6005 |
| Rate Limiter | rate-limiter | pre-request | 6007 |
| Field Masker | field-masker | post-response | 6008 |
Provider filters
Integration-specific guards under provider/<vendor>/data-guard/ — 54
providers today (AWS, GitHub, Stripe, Snowflake, Slack, PostgreSQL,
Notion, Terraform, and more). See provider/README.md and
provider/manifest.json for the full
For agents
This page has a .md twin and JSON over the API.