
mcp_sentinel

No security coverage

MCP Sentinel is the security and governance layer for Drupal sites that let AI agents read and write content. It controls what agents can touch, hides sensitive fields, logs every action, and protects content people are editing.

AI assistants and agents (like Claude and other clients that speak the Model Context Protocol, or MCP) can now connect to Drupal and read or change your content through MCP Server, JSON:API, and GraphQL. That is powerful — and risky. MCP Sentinel is the control plane that sits in front of that access and makes it safe by default: it decides what an agent may touch, redacts what it must not see, records everything it does, and protects content humans are actively editing.

It builds on top of the Acquia-sponsored, Lullabot-maintained mcp_server module and the shared Tool API (drupal/tool). MCP Sentinel does not reinvent the MCP protocol, OAuth, or the tool plugin system — it adds the governance layer those projects intentionally leave to site builders. If you are connecting any AI agent to a real Drupal site, this module is how you keep that connection governed, auditable, and under control.

Features

Enabling MCP Sentinel adds a dedicated governance layer for AI-agent traffic. Its core functionality:

  • Security presets & operation gates — a master on/off switch plus independent read / write / delete / GraphQL-mutation toggles. When access is disabled, MCP requests are refused regardless of credentials.
  • Entity-type allow / deny lists — restrict agents to an allowlist of entity types, or block sensitive ones (users are denied by default). Enforced through Drupal's own access system, so JSON:API and GraphQL reads honor it automatically.
  • Field-level redaction — name fields (for example mail and pass) to hide from agents: stripped from JSON:API/REST output and returned as [REDACTED] in GraphQL. A dedicated cache context keeps agent and public responses cached separately, so redacted data never leaks across the boundary.
  • Audit logging — every agent-driven entity operation and GraphQL query/mutation is written to a dedicated, query-optimized log with user, IP, timestamp, and payload metadata. Configurable retention with automatic pruning.
  • Content locks — prevent agents from overwriting content a human is actively editing, with automatic time-based (TTL) expiry.
  • HMAC-signed webhooks — fire HTTPS-only, HMAC-SHA256-signed notifications to your own systems whenever an agent changes content.
  • Rich context endpoint: /drupal-mcp/context exposes a full site schema (content types with fields, vocabularies, media types) so agents can discover your data model before acting; /drupal-mcp/health provides a status probe.
  • Governed Tool plugins — ready-to-use tools for site context, security policy, content locks, node create/update, media creation, workflow transitions, and bulk publish/unpublish/delete — each routed through the same policy, access, and content-lock checks.
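
On the receiving side of the HMAC-signed webhooks listed above, the consumer has to verify each notification before acting on it. The following is an added example, not code from MCP Sentinel or its documentation; it assumes the signature is the hex HMAC-SHA256 of the raw request body, optionally prefixed with "sha256=", and the payload shape and secret are constructed.

```python
import hashlib
import hmac
from typing import Optional, Sequence

# Assumption (not documented on this page): signatures are hex-encoded
# HMAC-SHA256 over the raw body, optionally carrying this prefix.
SIG_PREFIX = "sha256="
HEX_DIGITS = set("0123456789abcdef")


def sign(secret: bytes, body: bytes) -> str:
    """Hex HMAC-SHA256 of the exact bytes received on the wire."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(secrets: Sequence[bytes], body: bytes,
                   header: Optional[str]) -> bool:
    """Return True only if `header` is a valid signature of `body`.

    `secrets` may hold the current and the previous shared secret, so the
    key can be rotated without dropping notifications.
    """
    if not header:
        return False  # unsigned request: reject, never fall back to allow
    sig = header.strip().lower()
    if sig.startswith(SIG_PREFIX):
        sig = sig[len(SIG_PREFIX):]
    # A SHA-256 digest is exactly 64 hex characters; reject anything else.
    if len(sig) != 64 or not set(sig) <= HEX_DIGITS:
        return False
    ok = False
    for secret in secrets:
        # compare_digest runs in constant time, so response timing does not
        # reveal how many leading characters of a forged signature matched.
        ok |= hmac.compare_digest(sign(secret, body), sig)
    return ok


# Constructed sample values, for illustration only.
SECRET = b"example-shared-secret"
BODY = b'{"event":"entity.update","entity_type":"node","id":"42"}'
GOOD = SIG_PREFIX + sign(SECRET, BODY)

if __name__ == "__main__":
    print("valid signature:  ", verify_webhook([SECRET], BODY, GOOD))
    print("tampered body:    ", verify_webhook([SECRET], BODY + b" ", GOOD))
    print("missing signature:", verify_webhook([SECRET], BODY, None))
```

Verify against the raw request bytes before any JSON parsing, since re-serializing the payload changes the bytes and breaks the comparison.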

When and why would you use it? Use MCP Sentinel any time you want to connect an AI agent or MCP client to a Drupal site that holds real content — especially production. Typical use cases: letting an AI assistant draft or update nodes under strict limits, giving an agent read-only "auditor" access to site content, exposing a safe slice of your data to an external tool while hiding personal data, or keeping a tamper-evident record of everything an agent does. It is safe by default: out of the box users are denied, delete is off, GraphQL mutations are off, password and email fields are redacted, and auditing is on.

Post-Installation

After enabling the module, go to Configuration → Web services → MCP Sentinel (/admin/config/services/mcp-sentinel) to set your policy. There you control the master switch, the read/write/delete/GraphQL-mutation gates, the entity allow/deny lists, the list of redacted fields, audit settings and retention, and the optional HMAC webhook.

Review activity at Reports → MCP Sentinel Audit Log (/admin/reports/mcp-sentinel).

If you are exposing the governed tools to MCP clients, enable the MCP Sentinel Server submodule and register the tools once:

composer require drupal/mcp_sentinel drupal/mcp_server drupal/simple_oauth
drush en mcp_sentinel mcp_sentinel_server mcp_server_tool_bridge -y
drush mcp-sentinel:setup

Useful Drush commands:

  • drush mcp-sentinel:status — show the active policy plus audit/lock counts
  • drush mcp-sentinel:setup — register all tools with mcp_server
  • drush mcp-sentinel:audit-purge — prune audit entries past retention
  • drush mcp-sentinel:lock-clear — release expired content locks

Important: governance applies only to traffic identified as coming from an MCP client. Your public frontend and your site's own JSON:API/GraphQL consumers behave exactly as before — there is zero impact on normal, non-agent traffic. The security, audit, content-lock, redaction, and webhook features all work even without mcp_server installed; the Tool plugins and the MCP-client integration are what require it.

Additional Requirements

  • Drupal 10.3+ or 11
  • Tool API (drupal/tool) — required dependency

To expose the governed tools to AI agents over MCP, you also need MCP Server. For production authentication, Simple OAuth is strongly recommended.

  • MCP Server — exposes the governed Tool plugins to MCP clients. Strongly recommended.
  • Simple OAuth — OAuth 2.1 authentication for agent traffic in production.
  • GraphQL Compose — enables the optional MCP Sentinel GraphQL submodule, which extends the same governance (gating, auditing, and field redaction) to your GraphQL endpoint.

Similar projects

MCP Sentinel is purpose-built for governing AI-agent access and does not directly overlap with most existing modules. The most common point of confusion:

  • AI (drupal/ai) solves a different problem. It integrates AI providers and models within Drupal (generating text, embeddings, and so on). MCP Sentinel governs AI agents' access to Drupal — what an external agent may read or change, and how that access is audited. The two are complementary, not competing.
  • MCP Server provides the MCP transport, OAuth, and Tool API bridge. MCP Sentinel builds on top of it to add the security and governance layer that MCP Server intentionally leaves to site builders.

Supporting this Module

This module is maintained by Wilkes & Liberty. Contributions, issues, and patches are welcome through the project issue queue.

Community Documentation

A companion Node.js MCP connector, drupal-mcp-server, pairs with this module — a multi-site MCP connector (JSON:API + GraphQL + Drush bridge) that lets Claude and other MCP clients talk to your Drupal site. MCP Sentinel identifies its requests automatically.

To report a sensitive security issue, contact the Drupal security team at [email protected] rather than the public issue queue.

Activity

Total releases: 2
First release: Jun 2026
Latest release: 19 hours ago
Release cadence: 1 day
Stability: 0% stable

Releases

Version Type Release date
1.0.0-beta1 Pre-release Jun 2, 2026
1.0.0-alpha1 Pre-release Jun 1, 2026