Command Palette

Search for a command to run...

UnylyUnyly
Browse all

Io.Github.Crunchtools/Airlock

FreeNot checked

Secure MCP server for quarantined web content extraction with two-layer prompt injection defense, enabling safe fetching of URLs and reading of files via saniti

GitHubEmbed

About

Secure MCP server for quarantined web content extraction with two-layer prompt injection defense, enabling safe fetching of URLs and reading of files via sanitized markdown output.

README

Trentina is a secure MCP gateway that quarantines everything between your AI agents and the outside world — web content, MCP tool responses, LLM API keys, network access, and agent-to-agent communication. Named after the 1377 quarantine system from Ragusa, where incoming ships had to anchor offshore for thirty days before anyone was allowed into the city. Same idea: keep the commerce flowing without letting something dangerous through.

Capabilities

MCP Gateway

Single chokepoint between your agents and all their MCP backends. One endpoint, one bearer token, one audit log — instead of each agent connecting directly to dozens of MCP servers. Backend tools are namespaced automatically (slack__slack_search_messages, github__list_issues_tool) so there are no collisions.

Per-Agent Profiles

Each consumer — Claude Code, Hermes, OpenClaw, or any MCP client — gets its own profile with independent tool access, defense settings, and authentication. Your human-supervised agent can have full tool access while your autonomous agent gets a locked-down subset, all through the same gateway.

Tool Allowlists & Denylists

Control which tools each agent can even see. Tools not in the allowlist are stripped from tools/list responses before they reach the consumer — they never enter the agent's context window. Supports exact names and glob patterns (delete*, *_gmail_*). Reduces both context cost and attack surface.

Parameter Guards

Per-tool argument validation at the gateway level. Restrict what values an agent can pass, not just which tools it can call. Example: "this agent can send email, but only to [email protected]." The call is rejected before it reaches the backend — no tokens spent, no side effects. Deterministic enforcement that doesn't depend on LLM behavior.

Three-Layer Defense Pipeline

Every piece of untrusted content passes through three independent detection layers. Layer 1 strips structural attacks (hidden HTML, invisible Unicode, encoded payloads, exfiltration URLs). Layer 2 runs a Prompt Guard 2 86M classifier to catch instruction overrides. Layer 3 hands sanitized content to a quarantined LLM (Gemini Flash Lite) for semantic analysis — no tools, no memory, minimal blast radius. Each layer catches what the others miss.

Tool Description Compression

MCP servers ship verbose tool descriptions that waste context tokens. Trentina uses an LLM to compress every tool description as it passes through the gateway, caching results in SQLite so the model is only called once per unique description. Real-world results: 154 tools compressed from 62K to 17K characters (72% reduction), saving ~11K tokens per session. The compressed descriptions are fully functional — agents use them without issue.

Gateway Audit Log

Every tool call through the gateway is recorded in SQLite with profile, backend, tool name, success/failure, duration, and error message. The quarantine_stats tool exposes this data for monitoring — tool call counts, error rates, per-backend breakdowns. Data-driven evidence for tightening allowlists and identifying problems.

Cumulative Detection Memory

When Trentina detects prompt injection in a source, it records the source in a SQLite blocklist. Future requests for that source trigger an immediate warning — the system remembers what it's seen before. Blocklist entries include the source URL or content hash, detection timestamp, and risk level.

Web Content Quarantine Tools

Trentina's original capability: safe web fetching, file reading, and web search with prompt injection defense. safe_fetch fails on injection. quarantine_fetch warns but proceeds, extracting content through the Q-Agent. quarantine_search chains Gemini grounding with the full defense pipeline. quarantine_scan does pre-flight detection without returning content.

LLM Key Proxying

Proxy LLM API calls (Gemini, OpenAI, Anthropic) through the gateway so API keys never leave the trusted boundary. Agents send model requests to Trentina, which forwards them with the real credentials. Adding a new provider is a YAML entry, not code. Streaming and non-streaming responses are forwarded transparently.

Matrix Reverse Proxy

Proxy Matrix Client-Server API traffic through the gateway so agents on the internal network can communicate via Matrix without direct internet access. Agents point MATRIX_HOMESERVER at Trentina instead of matrix.org. Long-poll /sync timeouts are tuned automatically.

Cockpit Plugin

Live web dashboard for the defense pipeline, built as a Cockpit plugin with PatternFly 6. Shows layer status, blocklist entries, and pipeline events in real time through the same web console sysadmins already use to manage RHEL systems. Vanilla JavaScript, no React, no build step.

Quick Start

# PyPI
pip install mcp-trentina-crunchtools

# uvx (zero-install)
uvx mcp-trentina-crunchtools

# Container (includes Prompt Guard 2 86M classifier)
podman run quay.io/crunchtools/mcp-trentina

Minimal Configuration

# Required for Layer 3 (Q-Agent) and description compression
export GEMINI_API_KEY=your-key

# Enable gateway mode
export TRENTINA_GATEWAY_ENABLED=true
export TRENTINA_PROFILES_PATH=/path/to/profiles.yaml

# Per-profile bearer tokens
export TRENTINA_PROFILE_MYAGENT_TOKEN=your-token

Claude Code

{
  "mcpServers": {
    "trentina": {
      "type": "streamable-http",
      "url": "http://localhost:8019/gateway/myprofile/mcp",
      "headers": {
        "Authorization": "Bearer your-token"
      }
    }
  }
}

Documentation

Document Description
MCP Gateway Architecture, routing, namespacing
Per-Agent Profiles Authentication, profile schema, multi-agent setup
Tool Filtering Allowlists, denylists, glob patterns
Parameter Guards Per-tool argument validation
Defense Pipeline L1/L2/L3 layers, coverage matrix
Description Compression LLM-powered context reduction
Audit Log Call recording, stats, monitoring
Blocklist Cumulative detection memory
Quarantine Tools Web fetch, read, search, scan
LLM Key Proxying API key isolation via reverse proxy
Matrix Reverse Proxy Agent communication via Matrix
Cockpit Plugin Live defense pipeline dashboard
Internal: Gateway Design Original design document for contributors

Development

uv sync --all-extras
uv run ruff check src tests
uv run mypy src
uv run pytest -v
podman build -f Containerfile .

License

AGPL-3.0-or-later

from github.com/crunchtools/mcp-trentina

Install Io.Github.Crunchtools/Airlock in Claude Desktop, Claude Code & Cursor

Recommended · one command, every IDE
unyly install io-github-crunchtools-airlock

Installs into Claude Desktop, Claude Code, Cursor & VS Code — handles npx, uvx and build-from-source repos for you.

First time? Get the CLI: curl -fsSL https://unyly.org/install | sh

Or configure manually

Run in your terminal:

claude mcp add io-github-crunchtools-airlock -- uvx mcp-trentina-crunchtools

FAQ

Is Io.Github.Crunchtools/Airlock MCP free?

Yes, Io.Github.Crunchtools/Airlock MCP is free — one-click install via Unyly at no cost.

Does Io.Github.Crunchtools/Airlock need an API key?

No, Io.Github.Crunchtools/Airlock runs without API keys or environment variables.

Is Io.Github.Crunchtools/Airlock hosted or self-hosted?

Self-hosted: the server runs locally on your machine via the install command above.

How do I install Io.Github.Crunchtools/Airlock in Claude Desktop, Claude Code or Cursor?

Open Io.Github.Crunchtools/Airlock on unyly.org, pick your client tab (Claude Desktop, Claude Code, Cursor) and press Install — the config is generated automatically, no JSON editing.

Related MCPs

Compare Io.Github.Crunchtools/Airlock with

Not sure what to pick?

Find your stack in 60 seconds

Author?

Embed badge for your README

Browse similar

All development MCPs