Igris Sentinel · Runtime governance

The MCP gateway your AI agents already wish they had.

Drop the SDK in. Sentinel becomes the single chokepoint for every tool call: it authenticates the caller, matches policy, injects credentials, and writes a complete audit trail. Deny-by-default, with minimal in-line overhead.

Minimal in-line gateway overhead
5M+ tool calls / day
42+ policy primitives
app.igris.security · /govern/policies · live
12:04:32  repo.read · acme/api               developer  0.4ms    ALLOW
12:04:28  jira.issue.search · project=ACME   developer  Minimal  ALLOW
12:04:24  repo.delete · acme/api             developer  0.3ms    DENY
12:04:20  stripe.charge · $42.00             agent      0.5ms    ALLOW
12:04:16  stripe.refund · $90.00             agent      0.7ms    WARN
12:04:12  postgres.query · ro replica        developer  0.4ms    ALLOW
role developer · connection github-prod · 8 policies · 452K evaluated / 24h
Anatomy of a tool call

Five stages. All inline. All audited.

Every mcp.call() your agent makes lands here first. Sentinel runs the pipeline and either forwards, rewrites, or refuses, never silently.

trace trace_a4f9c2-83bd / tool mcp.repo.read("acme/api") · ALLOW · total 0.81ms
01 RESOLVE CALLER · session → user.role.tenant
+identity { user="alice@acme.com", role="developer" }
92μs · 11%
02 POLICY LOOKUP · first-match wins
+match { policy="acme-rw", decision=allow }
148μs · 18%
03 VAULT & SCOPE · AES-256-GCM
+credential { key=github-prod, scope=["repos:read"] }
164μs · 20%
04 FORWARD TO MCP · per-tenant routing
+upstream { host="github.com/mcp", tls=1.3 }
96μs · 12%
05 COMPLETE AUDIT · off the hot path
+audit { id="auT_b2k9-04a1", signed=true }
312μs · ASYNC
Outcome
ALLOWED · tool returned 200 OK · 240 tokens
deny-by-default
Capabilities

Everything you'd expect from a gateway. Nothing you'd have to write yourself.

Six primitives, every one auditable. Composed in a dashboard, enforced at the SDK, observed from Lens.

01

Policy engine

Deny-by-default. First-match-wins. Glob patterns on tool names & models. Four actions: allow, deny, alert, redact.

tool: delete_* · ✗ deny
model: gpt-4* · ✓ allow
tool: repo.read · alert
02

Content Guard

PII regex patterns and keyword blocklists scan tool args and LLM prompts pre-flight. Optional response inspection. Match → deny or redact.

\d{3}-\d{2}-\d{4} · SSN → redact
email regex · alert
"AKIA" keyword · ✗ deny
03

Token Guard & rate limits

Cap input, output, and combined tokens per request. Sliding windows across three dimensions (requests, tokens, dollars) per minute, hour, or day.

input ≤ 4096 tok
100 req / min · 62%
$25 / hr cap · $14.20
04

Session control & kill switch

Track agent sessions through active, suspended, completed. Suspend any session, user, or tenant in one click, manually or auto-fired by anomaly detectors.

sess_i9j0k1 · agent · SUSPENDED
propagation · 164ms
05

Anomaly detection

Rolling EWMA baselines flag volume spikes, never-before-seen tools, and sequence deviations. LLM side tracks cost burn, token burn, response length, model shift, error rate.

volume spike · 7× baseline · fired
unusual tool: fs.write · alert
model shift gpt-4→o1 · alert
06

Alerts & audit fan-out

Async dispatch to Slack, Discord, and the tamper-evident audit log. Ingest external sources too (Portkey, Helicone, Cloudflare AI Gateway) into one trail.

#sec-alerts (Slack)
audit.portkey → normalized
audit.helicone → normalized
Policy composer

Compose policy in a form. Enforce it in microseconds.

Glob patterns on tool and model names. Conditions on metadata with eq / neq / in / nin. No DSL, no YAML.

New policy rule

Composing into org:acme · production.

developer
delete_*
role nin ["admin"]
ALLOW · DENY · ALERT · REDACT
Push rule · Dry run
Target        Pattern           Condition                    Action
mcp.tool      repo.read         role eq "developer"          ALLOW
mcp.tool      delete_*          role nin ["admin"]           DENY
llm.model     gpt-4*            tokens.in ≤ 4096             ALLOW
llm.endpoint  chat.completions  PII pattern match            REDACT
mcp.tool      stripe.charge.*   amount > $50                 ALERT
mcp.tool      repo.write        department in ["eng","sec"]  ALLOW
llm.endpoint  embeddings        $25 / hr cap                 ALLOW
mcp.tool      *                 — (catch-all)                DENY
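
How the policy engine's deny-by-default, first-match-wins evaluation combines with the composer's glob patterns and eq / neq / in / nin conditions, as an added TypeScript example (not Igris code and not the SDK's API). All type and function names are hypothetical; the treatment of "*" and of absent metadata keys are assumptions stated in the comments.

```typescript
// Added illustration, not Igris code: all type and function names are hypothetical.
type PolicyAction = "allow" | "deny" | "alert" | "redact";
type Op = "eq" | "neq" | "in" | "nin";
interface Condition { key: string; op: Op; value: string | string[] }
interface PolicyRule { target: string; pattern: string; when?: Condition; action: PolicyAction }
interface ToolCall { target: string; name: string; metadata: Record<string, string> }
interface Verdict { action: PolicyAction; rule: number | null }

// Assumption: "*" is the only wildcard and matches any run of characters, dots included.
function globToRegExp(glob: string): RegExp {
  const literal = glob.split("*").map((s) => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&"));
  return new RegExp("^" + literal.join(".*") + "$");
}

// Assumption: an absent metadata key fails eq/in and satisfies neq/nin, so a caller
// with no role at all is still caught by a `role nin ["admin"]` deny rule.
function conditionHolds(c: Condition, metadata: Record<string, string>): boolean {
  const actual: string | undefined = metadata[c.key];
  const wanted = Array.isArray(c.value) ? c.value : [c.value];
  const hit = actual !== undefined && wanted.indexOf(actual) !== -1;
  return c.op === "eq" || c.op === "in" ? hit : !hit;
}

// First match wins: return the first rule whose target, glob and condition all hold.
// Deny by default: when no rule matches, the verdict is deny with rule = null.
function evaluate(rules: PolicyRule[], call: ToolCall): Verdict {
  let i = -1;
  for (const r of rules) {
    i++;
    if (r.target !== call.target || !globToRegExp(r.pattern).test(call.name)) continue;
    if (r.when && !conditionHolds(r.when, call.metadata)) continue;
    return { action: r.action, rule: i };
  }
  return { action: "deny", rule: null };
}

// The mcp.tool rows of the composer table that use eq / neq / in / nin conditions.
const tableRules: PolicyRule[] = [
  { target: "mcp.tool", pattern: "repo.read", when: { key: "role", op: "eq", value: "developer" }, action: "allow" },
  { target: "mcp.tool", pattern: "delete_*", when: { key: "role", op: "nin", value: ["admin"] }, action: "deny" },
  { target: "mcp.tool", pattern: "repo.write", when: { key: "department", op: "in", value: ["eng", "sec"] }, action: "allow" },
  { target: "mcp.tool", pattern: "*", action: "deny" },
];
```

With only these rows, an admin calling delete_repo skips the nin rule and is still denied by the catch-all: being exempt from a deny rule is not a grant. The returned rule index is what an audit record would cite as the deciding rule.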
Credentials & SDK

One vault upstream. One SDK call downstream.

Real credentials never reach your agent. They never reach your logs. They stay in the vault. Sentinel injects them on the wire and writes back the audit record.

Vault · org:acme · AES-256-GCM · 12 keys
github-prod ghp_•••8a4f
repos:read · repos:write · org:acme/*
14d to rotate
stripe-prod sk_•••be01
charge:create · amount ≤ 50
27d to rotate
postgres-ro pgsql://•••
read-only · replica
rotate queued · 3d
jira-acme atok_•••2911
issue:search · issue:comment
61d to rotate
s3-acme-data AKIA•••KQ7Y
s3:GetObject · bucket: data-pii
9d to rotate
Encrypted with AES-256-GCM · HSM-backed root key
agent.ts
// 1. Install · then add three lines to your agent.
import { Igris } from "@igris-security/sdk";

const igris = new Igris({ apiKey: process.env.IGRIS_API_KEY });

// 2. Open a governed MCP connection for the current user.
const mcp = await igris.connectStdio("github-prod", {
  user: "alice@acme.com",
  metadata: { role: "developer", tenant: "acme" },
});

// 3. Every tool call is now governed.
await mcp.call("repo.read", { repo: "acme/api" });
// → ✓ allow  · 0.4ms · audited

await mcp.call("repo.delete", { repo: "acme/api" });
// → ✗ deny   · role !∈ {admin}

Also available for Python, Go, and any HTTP runtime via the REST API. The SDK is open-core under Apache-2.0.

Minimal
In-line gateway overhead
5M+
Tool calls governed daily
200ms
Kill-switch propagation
42+
Policy primitives
Incidents Sentinel caught last week

The boring kind. The kind that doesn't make the postmortem.

CRITICAL · BLOCKED · tue · 14:22
Agent attempts to drop a production database

A coding assistant with an off-by-one prompt called postgres.exec("DROP TABLE users") against the prod connection. Role lacked ddl:* scope.

tool · postgres.exec / verdict · DENY
WARN · STEPPED UP · wed · 09:41
Agent issues a refund $40 above policy cap

Support bot tried to refund $90 on a ticket. Policy capped autonomous refunds at $50. Sentinel routed to CONFIRM, an on-call human approved in Slack, ticket closed in 4 minutes.

tool · stripe.refund.create / verdict · CONFIRM
INFO · ROTATED · fri · 02:00
GitHub token rotated mid-flight, zero downtime

Scheduled rotation of the github-prod connection. 1,247 in-flight calls held for 38ms, drained to the new credential. No agent code changed.

connection · github-prod / drain · 38ms
Ready when you are

Stop trusting your agent to do the right thing.

Sentinel makes "the right thing" the only thing it can do. Three lines to install, deny-by-default from minute one.

  • Deny-by-default from the first deploy
  • Minimal in-line gateway overhead
  • AES-256-GCM credential vault, HSM-backed
  • Complete audit streamed to Lens & your SIEM