Home/AI Agents/mcp-trust-plane
mcp-trust-plane logo

mcp-trust-plane

abluva-research/mcp-trust-plane

Pluggable security framework for MCP traffic

GraphCanon updated today · GitHub synced today

59 stars14 forksLast push 3w JavaScript Apache-2.0

Decision brief

MCP Trust Plane is designed for organizations that need to enforce security policies on MCP traffic without modifying core components of the protocol stack.

Good fit when

  • MCP Trust Plane should be used when you require granular control over tool calls in your MCP-enabled systems, such as enforcing PII redaction or operation blocking.
  • MCP Trust Plane is ideal for setups that need to integrate with 50+ enterprise providers without changing existing agent runtimes or MCP servers.

Avoid when

  • Avoid MCP Trust Plane if your security needs do not require modification of traffic post-response, as it introduces an additional layer of complexity and latency.
  • MCP Trust Plane may not be the best choice for environments that strictly enforce language-specific policies since its filters are written in any language and must comply with a strict contract.
Pricing:
freemium - MCP Trust Plane is open-source under Apache 2.0, making it available at no cost but provides flexibility to extend commercially through proprietary filter implementations.
Requirements:
Min 1 GB RAM

Observed Jul 15, 2026 · Source: enrich:decision_facts

Verify the decision

Maintenance and security

Full trust report
Maintenance
Active (25d since push)
As of today
Provenance
Not a fork · Organization account
As of today
Security (OSV)
No MCP manifest
As of today

Public GitHub metadata and optional OSV scans. Signals, not a guarantee. Trust methodology.

Install

npm install mcp-trust-plane
npm

Similar tools

Same-category neighbours. No typed graph edges are catalogued for this tool yet.

Evidence and technical details

Sourced facts, taxonomy, compatibility claims, README excerpt, and machine-readable endpoints.

Overview

MCP Trust Plane provides a flexible data security layer that intercepts and modifies Model Context Protocol (MCP) communications to enforce enterprise policies like PII redaction and operation blocking without altering the core MCP server or agent runtime.

Capability facts

Deploy
Self-host

Source: dockerfile:docker-compose.yml · Jul 15, 2026

Docker
Dockerfile present

Source: dockerfile:docker-compose.yml · Jul 15, 2026

Languages
javascript

Source: github.language · Jul 15, 2026

Categories

Tags

README

MCP Trust Plane

A pluggable, language-agnostic filter framework for Model Context Protocol (MCP) traffic. Each filter is a tiny HTTP service that decides whether a tool call should be allowed, blocked, modified, or truncated.

Why

MCP gives agents direct access to tools and data sources. That's powerful and dangerous in equal measure. Filters give you a place to enforce guardrails — block destructive SQL, redact PII before it reaches the model, throttle abusive agents, cap response sizes, redact columns — without modifying the upstream MCP server or the agent runtime.

How it works

                    pre-request                       post-response
   Client ─▶ MCP Gateway ─────────▶ Engine ─▶ filter ─┐
                │     ◀────────────────── allow/block ┘
                │
                ▼ (forward)
            MCP Server
                │
                ▼
   Client ◀ MCP Gateway ◀──── Engine ─▶ filter ─┐
                                ◀───── allow/truncate/modify ┘
  • An MCP gateway sits in front of the upstream MCP server.
  • For every tools/call, the gateway asks an engine "what should I do for target X at execution_point Y?".
  • The engine looks up the policies assigned to that target and, for each filter in those policies, calls POST {filter_url}/filter.
  • Filters are completely independent processes. They can be written in any language. They share no state with the gateway or the engine.

A reference engine and gateway live in the parent repo (secure-ai-plane-x/mcp-filter-gateway). This sub-project ships only the filter implementations and the contract.

The Filter Contract

Every filter MUST expose two HTTP endpoints:

POST /filter

Request body:

{
  "config":    { "max_rows": 1000 },
  "arguments": {
    "sql": "SELECT * FROM employees",
    "response_count": 8000,
    "response_rows": ["row-1", "row-2", "..."]
  },
  "metadata": {
    "agent_id":   "demo_agent",
    "agent_name": "demo_agent",
    "member_id":  "f5d9e4ec-…",
    "project_id": "b0000000-…",
    "tool_name":  "run_sql"
  }
}

Response body:

{
  "action": "allow | block | truncate | modify",
  "reason": "human-readable string surfaced to the user and audit log",
  "modified_response": { "...optional..." },
  "original_count":    8000,
  "truncated_to":      1000
}
  • allow — let the request through unchanged.
  • block — reject. The gateway returns an MCP error using reason.
  • truncate — return a smaller payload (modified_response) and an audit notice. Used by post-response filters like Row Limiter.
  • modify — replace the payload with modified_response. Used by redactors and maskers.

Filters MUST be idempotent and side-effect free with respect to the agent's behaviour (with the obvious exception of audit / rate limiter state). Filter execution time should stay under 50ms p95; the engine treats slow filters as allow to fail-open.

GET /health

Returns 200 { "status": "healthy", "filter": "<slug>", "version": "..." }. Used by orchestrators to gate traffic.

Common filters

Cross-cutting guards under common/ (Apache 2.0):

FilterSlugPhaseDefault port
SQL Guardsql-guardpre-request6001
PII Redactorpii-redactorpost-response6002
Row Limiterrow-limiterpost-response6003
Schema Validatorschema-validatorpre-request6005
Rate Limiterrate-limiterpre-request6007
Field Maskerfield-maskerpost-response6008

Provider filters

Integration-specific guards under provider/<vendor>/data-guard/54 providers today (AWS, GitHub, Stripe, Snowflake, Slack, PostgreSQL, Notion, Terraform, and more). See provider/README.md and provider/manifest.json for the full

For agents

This page has a .md twin and JSON over the API.

Was this helpful?

Anonymous feedback helps us improve pages and translations.