MCP Sentinel provides a security and governance layer for Drupal sites that allow AI agents to interact with content. It controls what AI agents can access, hides sensitive fields, logs all actions in a tamper-evident log, limits data retrieval, and protects content being edited by humans. It also includes a dashboard for monitoring these activities.
MCP Sentinel is the governance layer for Drupal sites that expose content to AI agents over the Model Context Protocol (MCP), JSON:API, and GraphQL. It decides what an agent may touch, hides what it must not see, records everything it does, and protects content people are editing — so you don't have to build that control yourself.
It sits on top of MCP Server and the Tool API and adds only the governance those projects leave to the site builder. It does not reimplement the protocol, OAuth, or the tool system.
How governance triggers. It applies to traffic on the validated OAuth agent channel — a designated consumer, or an agent scope on the request's token, checked server-side and never from a header. Your public frontend and your own cookie-session admin work are untouched. Each agent's role selects a policy profile, and every action is attributed to its account.
What it does
- Policy profiles per role — gates, redaction, limits, quotas, and IP rules live on a reusable config entity; the agent's role selects which profile applies.
- Operation gates — a master switch plus independent read, write, delete, and GraphQL-mutation toggles.
- Open-redirect guard — stop an agent from pointing a redirect off-domain (secure by default, with a per-profile host allowlist).
- Entity allow / deny lists — restrict agents to specific entity types, or block sensitive ones (users are blocked by default). Enforced through Drupal's own access system, so JSON:API and GraphQL honour it automatically.
- Field redaction — hide fields like
mailorpassfrom agent requests: stripped from JSON:API/REST, returned as[REDACTED]in GraphQL, and cached separately so nothing leaks across the boundary. - PII redaction (opt-in) — scan field values for emails, phone numbers, SSNs, and card numbers and mask the matches.
- Audit log — every operation and GraphQL query recorded with user, IP, time, and payload metadata; filterable, exportable to CSV or JSON, with automatic retention pruning.
- Tamper-evident trail — each row is hash-chained (HMAC-SHA256 when keyed via a Key entity);
drush mcp-sentinel:audit-verifydetects any change. Optional at-rest encryption and SIEM streaming. - Change diffs — updates record which fields changed; redacted fields never enter the trail.
- Rate limits and quotas — throttle agent traffic per profile, keyed on the resolved user ID so one token can't saturate the server.
- Exfiltration guards — cap result counts and response size so a single call can't bulk-export your content.
- IP allowlisting — restrict agent connections to specific addresses or CIDR blocks (trusted-proxy aware).
- Anomaly detection — cron rules over the audit log raise alerts by log, email, or webhook, with per-rule debounce. No rules are enabled by default.
- Content locks — stop agents from overwriting content a person is editing, with TTL expiry.
- Webhooks — queue-backed, HTTPS-only, HMAC-signed delivery with retries, an SSRF guard, and one-click replay.
- Context endpoint —
/drupal-mcp/contextexposes your content model so agents can discover it before acting;/drupal-mcp/healthis a status probe. - Governed Tool plugins — ready-made tools for content, media, workflow transitions, bulk actions, and schema discovery, each run through the same checks.
- Dashboard — a read-only console at
/admin/reports/mcp-sentinelwith posture, alerts, top agents, and denied-by-policy panels.
Submodules
- Server (
mcp_sentinel_server) — registers the Tool plugins with MCP Server and wires per-tool OAuth scopes. - GraphQL (
mcp_sentinel_graphql) — extends gating, auditing, and redaction to the GraphQL Compose endpoint. - Approval (
mcp_sentinel_approval) — queues destructive operations for human approval instead of running them immediately.
Requirements
- Drupal 10.3+ or 11
- Tool API, Key, Simple OAuth with Consumers, and Encrypt
- Recommended: MCP Server, which exposes the tools to MCP clients
- Optional: GraphQL Compose for the GraphQL submodule
Audit, redaction, content locks, and webhooks all work without MCP Server installed.
Quick start
composer require drupal/mcp_sentinel drupal/mcp_server drupal/simple_oauth drush en mcp_sentinel mcp_sentinel_server mcp_server_tool_bridge -y drush mcp-sentinel:setup
Configure at Configuration → Web services → MCP Sentinel, and review activity at Reports → MCP Sentinel.
Companion connector
drupal-mcp-connector is a Node.js MCP connector (multi-site, JSON:API + GraphQL, Drush bridge) that pairs with MCP Sentinel and appears by its X-MCP-Client label in the audit log.
Security
Covered by Drupal's security advisory policy. Report issues through the project issue queue.
Maintainers
Maintained by Jeremy Michael Cerda, sponsored by Wilkes & Liberty, LLC.