dome-gate

Interceptor chain orchestration for MCPDome -- the core proxy that wires all security layers together.

What it does

• Runs the MCPDome proxy loop, sitting between the MCP client and server on stdio.
• Orchestrates the full inbound interceptor chain in order: authentication (Sentinel), rate limiting and budgets (Throttle), authorization (Policy), and injection scanning (Ward).
• Handles outbound interception for schema pinning, detecting tool definition drift between the first and subsequent tools/list responses.
• Records every decision (allow, deny, rate-limit, injection) to the hash-chained audit ledger.
• Supports transparent pass-through mode for zero-enforcement deployments.

Usage

[dependencies]
dome-gate = "0.1"

use dome_gate::{Gate, GateConfig};

let gate = Gate::new(config, authenticators, policy_engine, rate_config, budget_config, ledger);
gate.run_stdio("mcp-server", &["--stdio"]).await?;

Part of MCPDome

This crate is part of MCPDome, a security gateway for the Model Context Protocol. See the main repository for full documentation.

License

Apache-2.0