arbitus
mcp
Warn
Health Warn
- License — License: MIT
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 6 GitHub stars
Code Pass
- Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions Pass
- Permissions — No dangerous permissions requested
No AI report is available for this listing yet.
Open-source security gateway for MCP tool calls — blocks secret leaks, enforces agent policies, and requires human approval for risky actions
README.md
Arbitus
Open-source firewall for MCP tool calls. Arbitus sits between AI agents and MCP servers, then blocks secret leaks, dangerous tools, runaway loops, and unapproved actions before requests reach upstream.
Agent (Claude Code, Cursor, OpenAI Agents SDK, etc.)
│ JSON-RPC
▼
arbitus ← auth, rate limit, HITL, payload filter, audit
│
▼
MCP Server (filesystem, database, APIs...)
Use it when you want developers to keep using AI agents without giving every agent unrestricted access to your filesystem, databases, internal APIs, or production tools.
Why teams use it
- Stop secret exfiltration — block or redact
.envvalues, API keys, private keys, bearer tokens, and encoded variants before they leave the agent runtime - Constrain agent tools — expose only approved tools through
tools/list, then enforce the same policy ontools/call - Control blast radius — rate-limit agents per minute, per tool, and per IP so loops do not become budget or infrastructure incidents
- Approve risky actions — require Human-in-the-Loop approval before writes, deletes, deploys, database mutations, or shell-like tools run
- Keep an audit trail — record every decision with request IDs and send events to SQLite, webhooks, CloudEvents, OpenLineage, Prometheus, or OTLP backends
Threats Arbitus blocks
| Threat | Example | Arbitus control |
|---|---|---|
| Secret exfiltration | An agent sends .env, API keys, bearer tokens, or private keys through tools/call arguments |
Encoding-aware payload filtering with block or redact mode |
| Hidden dangerous tools | An agent guesses delete_file, exec_shell, or drop_table even if the tool was hidden from discovery |
tools/list filtering plus enforced allowlists/denylists on tools/call |
| Prompt-injection payloads | Retrieved content tells the agent to ignore instructions or call another tool | Built-in prompt-injection patterns and response filtering |
| Runaway loops | A tool-calling loop burns budget or hammers an internal service | Per-agent, per-tool, and per-IP rate limits |
| Risky production actions | An agent tries to deploy, delete, mutate data, or run command-like tools | Human-in-the-Loop approval, shadow mode, and OPA/Rego policy checks |
| Unreviewable agent behavior | Security teams cannot reconstruct who called what and why it was allowed or blocked | Request IDs, audit logs, CloudEvents, OpenLineage, Prometheus, and OTLP traces |
What it does
- Auth — per-agent allowlist/denylist with glob wildcards; API key, JWT/OIDC, or mTLS
- tools/list filtering — agents only see the tools they are allowed to call
- Resource & Prompt access control —
allowed_resources/denied_resourcesandallowed_prompts/denied_promptswith list filtering; full MCP protocol governance - Default policy — fallback policy for unknown agents; avoids hard-blocking agents not listed in config
- Rate limiting — per-agent sliding window + per-tool limits + per-IP limit; standard
X-RateLimit-*headers - Human-in-the-Loop (HITL) — suspend tool calls until an operator approves or rejects via REST API
- Shadow mode — intercept and log tool calls without forwarding; dry-run risky operations
- Payload filtering — block or redact sensitive patterns; encoding-aware (Base64, percent-encoding, Unicode)
- Response filtering — block upstream responses containing sensitive patterns
- Schema validation — validate
tools/callarguments againstinputSchemafromtools/list - OPA/Rego policy engine — evaluate every
tools/callagainst a Rego policy file; input exposes agent, tool, arguments, and client IP - Supply-chain security — verify MCP server binaries via SHA-256 or cosign before spawning (stdio mode)
- Audit log — every request recorded with
X-Request-Id; fan-out to SQLite, webhook, stdout, or OpenLineage - CloudEvents — webhook audit can emit CNCF CloudEvents 1.0 for direct SIEM ingestion
- Tool Federation — aggregate tools from multiple upstreams into a single view
- OpenAI Tools Bridge —
/openai/v1/toolsand/openai/v1/executefor OpenAI function-calling clients - Multiple upstreams — route different agents to different MCP servers
- Circuit breaker — automatic upstream failure isolation with half-open recovery
- Config hot-reload — reload on
SIGUSR1, automatically every 30 seconds, or event-driven via Kubernetes ConfigMap watcher - Lock-free rate limiting — GCRA algorithm via
governor; O(1) per check, configurable burst allowance - Metrics — Prometheus-compatible
/metricsendpoint with cost/token estimation - OpenTelemetry — export traces to any OTLP backend (Jaeger, Tempo, Honeycomb, Datadog)
- Dashboard —
/dashboardaudit viewer with per-agent filtering - TLS / mTLS — optional HTTPS with mutual TLS agent authentication
- Transport agnostic — HTTP+SSE or stdio; same config, same policies
- Secrets-safe config —
${VAR}interpolation in YAML +ARBITUS_*env var overrides; compatible with K8s Secrets, Vault, External Secrets Operator - Container-ready — multi-arch Docker image, Helm chart with sidecar pattern, graceful shutdown
Documentation
| Document | Contents |
|---|---|
| Configuration | Full YAML reference — transport, auth (JWT/OIDC), agents, rules, secrets, upstreams, default policy, OPA, schema validation |
| Usage | HTTP mode, sessions, rate-limit headers, HITL approvals, shadow mode, supply-chain verification, SSE streaming, OpenAI bridge, tool federation |
| Deployment | Docker, Helm chart (sidecar pattern, values reference), HTTPS, mTLS, stdio mode, graceful shutdown |
| Audit | Audit backends (SQLite, webhook, stdout), CloudEvents 1.0, OpenLineage, audit CLI |
| Observability | Prometheus metrics, cost/token estimation, health check, dashboard, config hot-reload, OpenTelemetry, logging, circuit breaker |
| Architecture | Middleware pipeline, trait-based design, encoding-aware filtering, test structure |
| Threat model | Assets, trust boundaries, mitigated threats, residual risks, hardening checklist |
| Security demo | Copy/paste walkthrough that blocks a fake .env exfiltration attempt |
| Demo script | Reproducible terminal demo for recording and launch assets |
| Claude Code | Connect Claude Code to MCP servers through Arbitus |
| Cursor | Configure Cursor MCP access through Arbitus |
| OpenAI Agents SDK | Use MCPServerStreamableHttp with Arbitus as the policy gateway |
Starter policies
The examples/policies/ directory contains ready-to-copy configs for common agent setups:
| Policy | Use case |
|---|---|
| claude-code-readonly.yml | Claude Code can inspect files and search, but cannot write, delete, execute, or dump secrets |
| cursor-dev.yml | Cursor gets normal dev tools with HITL approval for writes and shadow mode for command execution |
| openai-agents-safe.yml | OpenAI Agents SDK clients get read-oriented MCP access with strict rate limits and secret filtering |
Community
- Contributing — How to contribute, development setup, code quality requirements
- Code of Conduct — Standards for community behavior
- Security Policy — Reporting vulnerabilities, supported versions, security features
- Governance — Project roles, decision-making, becoming a maintainer
Quick start
Install
cargo install arbitus
Or download a pre-built binary from the releases page:
| Platform | Archive |
|---|---|
| Linux x64 (static) | arbitus-vX.Y.Z-x86_64-unknown-linux-musl.tar.gz |
| Linux ARM64 (static) | arbitus-vX.Y.Z-aarch64-unknown-linux-musl.tar.gz |
| macOS x64 | arbitus-vX.Y.Z-x86_64-apple-darwin.tar.gz |
| macOS Apple Silicon | arbitus-vX.Y.Z-aarch64-apple-darwin.tar.gz |
| Windows x64 | arbitus-vX.Y.Z-x86_64-pc-windows-msvc.zip |
Or build from source:
git clone https://github.com/arbitusgateway/arbitus
cd arbitus
cargo build --release
Or use Docker:
docker pull ghcr.io/arbitusgateway/arbitus:latest
docker run --rm -p 4000:4000 -v $(pwd)/gateway.yml:/app/gateway.yml ghcr.io/arbitusgateway/arbitus:latest
Configure
cp gateway.example.yml gateway.yml
transport:
type: http
addr: "0.0.0.0:4000"
upstream: "http://localhost:3000/mcp"
agents:
cursor:
allowed_tools: [read_file, list_directory]
rate_limit: 30
claude-code:
denied_tools: [write_file, delete_file]
rate_limit: 60
rules:
block_patterns: ["password", "api_key", "secret"]
Or start from a stricter policy:
arbitus policy init claude-code --out gateway.yml
List all bundled starter policies:
arbitus policy list
Run
./arbitus gateway.yml
Agents connect to http://localhost:4000/mcp. The gateway enforces policies and forwards allowed requests to the upstream MCP server.
Validate config
./arbitus validate gateway.yml
Query audit log
./arbitus audit gateway-audit.db --agent cursor --outcome blocked --since 1h
Architecture
┌──────────────────────────────────────────┐
│ Arbitus │
│ │
request ──► Pipeline │
│ 1. RateLimitMiddleware │
│ 2. AuthMiddleware │
│ 3. HitlMiddleware ← suspend & wait │
│ 4. SchemaValidationMiddleware │
│ 5. PayloadFilterMiddleware │
│ │ │
│ Allow / Block │
│ │ │
│ Shadow mode check ← mock if matched │
│ │ │
│ AuditLog + Metrics │
│ │ │
│ McpUpstream (per-agent) │
└──────────────────────────────────────────┘
Tests
cargo test --all-features # All tests
cargo test --lib # Unit tests only (no stdio/npx)
cargo test --test http_gateway # Single integration test file
License
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found