Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). UI Patterns (SDC in Drupal UI) 2.0.18 Minor update available for module ui_patterns (2.0.18). Varbase FAQs 9.2.1 Minor update available for module varbase_faqs (9.2.1). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

MCP Sentinel provides a security and governance layer for Drupal sites that allow AI agents to interact with content. It controls what AI agents can access, hides sensitive fields, logs all actions in a tamper-evident log, limits data retrieval, and protects content being edited by humans. It also includes a dashboard for monitoring these activities.

MCP Sentinel is the governance layer for Drupal sites that expose content to AI agents over the Model Context Protocol (MCP), JSON:API, and GraphQL. It decides what an agent may touch, hides what it must not see, records everything it does, and protects content people are editing — so you don't have to build that control yourself.

It sits on top of MCP Server and the Tool API and adds only the governance those projects leave to the site builder. It does not reimplement the protocol, OAuth, or the tool system.

How governance triggers. It applies to traffic on the validated OAuth agent channel — a designated consumer, or an agent scope on the request's token, checked server-side and never from a header. Your public frontend and your own cookie-session admin work are untouched. Each agent's role selects a policy profile, and every action is attributed to its account.

What it does

  • Policy profiles per role — gates, redaction, limits, quotas, and IP rules live on a reusable config entity; the agent's role selects which profile applies.
  • Operation gates — a master switch plus independent read, write, delete, and GraphQL-mutation toggles.
  • Open-redirect guard — stop an agent from pointing a redirect off-domain (secure by default, with a per-profile host allowlist).
  • Entity allow / deny lists — restrict agents to specific entity types, or block sensitive ones (users are blocked by default). Enforced through Drupal's own access system, so JSON:API and GraphQL honour it automatically.
  • Field redaction — hide fields like mail or pass from agent requests: stripped from JSON:API/REST, returned as [REDACTED] in GraphQL, and cached separately so nothing leaks across the boundary.
  • PII redaction (opt-in) — scan field values for emails, phone numbers, SSNs, and card numbers and mask the matches.
  • Audit log — every operation and GraphQL query recorded with user, IP, time, and payload metadata; filterable, exportable to CSV or JSON, with automatic retention pruning.
  • Tamper-evident trail — each row is hash-chained (HMAC-SHA256 when keyed via a Key entity); drush mcp-sentinel:audit-verify detects any change. Optional at-rest encryption and SIEM streaming.
  • Change diffs — updates record which fields changed; redacted fields never enter the trail.
  • Rate limits and quotas — throttle agent traffic per profile, keyed on the resolved user ID so one token can't saturate the server.
  • Exfiltration guards — cap result counts and response size so a single call can't bulk-export your content.
  • IP allowlisting — restrict agent connections to specific addresses or CIDR blocks (trusted-proxy aware).
  • Anomaly detection — cron rules over the audit log raise alerts by log, email, or webhook, with per-rule debounce. No rules are enabled by default.
  • Content locks — stop agents from overwriting content a person is editing, with TTL expiry.
  • Webhooks — queue-backed, HTTPS-only, HMAC-signed delivery with retries, an SSRF guard, and one-click replay.
  • Context endpoint/drupal-mcp/context exposes your content model so agents can discover it before acting; /drupal-mcp/health is a status probe.
  • Governed Tool plugins — ready-made tools for content, media, workflow transitions, bulk actions, and schema discovery, each run through the same checks.
  • Dashboard — a read-only console at /admin/reports/mcp-sentinel with posture, alerts, top agents, and denied-by-policy panels.

Submodules

  • Server (mcp_sentinel_server) — registers the Tool plugins with MCP Server and wires per-tool OAuth scopes.
  • GraphQL (mcp_sentinel_graphql) — extends gating, auditing, and redaction to the GraphQL Compose endpoint.
  • Approval (mcp_sentinel_approval) — queues destructive operations for human approval instead of running them immediately.

Requirements

Audit, redaction, content locks, and webhooks all work without MCP Server installed.

Quick start

composer require drupal/mcp_sentinel drupal/mcp_server drupal/simple_oauth
drush en mcp_sentinel mcp_sentinel_server mcp_server_tool_bridge -y
drush mcp-sentinel:setup

Configure at Configuration → Web services → MCP Sentinel, and review activity at Reports → MCP Sentinel.

Companion connector

drupal-mcp-connector is a Node.js MCP connector (multi-site, JSON:API + GraphQL, Drush bridge) that pairs with MCP Sentinel and appears by its X-MCP-Client label in the audit log.

Security

Covered by Drupal's security advisory policy. Report issues through the project issue queue.

Maintainers

Maintained by Jeremy Michael Cerda, sponsored by Wilkes & Liberty, LLC.

Activity

Total releases
20
First release
Jun 2026
Latest release
1 day ago
Releases (12 mo)
20 ▲ from 0
Maintenance
Active

Release Timeline

Releases

Version Type Release date
1.9.0 Stable Jul 16, 2026
1.8.0 Stable Jul 15, 2026
1.7.0 Stable Jul 14, 2026
1.6.1 Stable Jul 6, 2026
1.6.0 Stable Jul 5, 2026
1.5.1 Stable Jul 4, 2026
1.5.0 Stable Jul 4, 2026
1.4.0 Stable Jun 29, 2026
1.3.0 Stable Jun 29, 2026
1.2.0 Stable Jun 27, 2026
1.1.0 Stable Jun 27, 2026
1.0.0 Stable Jun 26, 2026
1.0.0-beta6 Pre-release Jun 26, 2026
1.0.0-beta5 Pre-release Jun 26, 2026
1.0.0-beta4 Pre-release Jun 23, 2026
1.0.x-dev Dev Jun 3, 2026
1.0.0-beta3 Pre-release Jun 3, 2026
1.0.0-beta2 Pre-release Jun 3, 2026
1.0.0-beta1 Pre-release Jun 2, 2026
1.0.0-alpha1 Pre-release Jun 1, 2026