Skip to main content
Glama
crunchtools

io.github.crunchtools/airlock

Official
by crunchtools

Trentina

Trentina is a secure MCP gateway that quarantines everything between your AI agents and the outside world — web content, MCP tool responses, LLM API keys, network access, and agent-to-agent communication. Named after the 1377 quarantine system from Ragusa, where incoming ships had to anchor offshore for thirty days before anyone was allowed into the city. Same idea: keep the commerce flowing without letting something dangerous through.

Capabilities

MCP Gateway

Single chokepoint between your agents and all their MCP backends. One endpoint, one bearer token, one audit log — instead of each agent connecting directly to dozens of MCP servers. Backend tools are namespaced automatically (slack__slack_search_messages, github__list_issues_tool) so there are no collisions.

Per-Agent Profiles

Each consumer — Claude Code, Hermes, OpenClaw, or any MCP client — gets its own profile with independent tool access, defense settings, and authentication. Your human-supervised agent can have full tool access while your autonomous agent gets a locked-down subset, all through the same gateway.

Tool Allowlists & Denylists

Control which tools each agent can even see. Tools not in the allowlist are stripped from tools/list responses before they reach the consumer — they never enter the agent's context window. Supports exact names and glob patterns (delete*, *_gmail_*). Reduces both context cost and attack surface.

Parameter Guards

Per-tool argument validation at the gateway level. Restrict what values an agent can pass, not just which tools it can call. Example: "this agent can send email, but only to user@example.com." The call is rejected before it reaches the backend — no tokens spent, no side effects. Deterministic enforcement that doesn't depend on LLM behavior.

Three-Layer Defense Pipeline

Every piece of untrusted content passes through three independent detection layers. Layer 1 strips structural attacks (hidden HTML, invisible Unicode, encoded payloads, exfiltration URLs). Layer 2 runs a Prompt Guard 2 86M classifier to catch instruction overrides. Layer 3 hands sanitized content to a quarantined LLM (Gemini Flash Lite) for semantic analysis — no tools, no memory, minimal blast radius. Each layer catches what the others miss.

Tool Description Compression

MCP servers ship verbose tool descriptions that waste context tokens. Trentina uses an LLM to compress every tool description as it passes through the gateway, caching results in SQLite so the model is only called once per unique description. Real-world results: 154 tools compressed from 62K to 17K characters (72% reduction), saving ~11K tokens per session. The compressed descriptions are fully functional — agents use them without issue.

Gateway Audit Log

Every tool call through the gateway is recorded in SQLite with profile, backend, tool name, success/failure, duration, and error message. The quarantine_stats tool exposes this data for monitoring — tool call counts, error rates, per-backend breakdowns. Data-driven evidence for tightening allowlists and identifying problems.

Cumulative Detection Memory

When Trentina detects prompt injection in a source, it records the source in a SQLite blocklist. Future requests for that source trigger an immediate warning — the system remembers what it's seen before. Blocklist entries include the source URL or content hash, detection timestamp, and risk level.

Web Content Quarantine Tools

Trentina's original capability: safe web fetching, file reading, and web search with prompt injection defense. safe_fetch fails on injection. quarantine_fetch warns but proceeds, extracting content through the Q-Agent. quarantine_search chains Gemini grounding with the full defense pipeline. quarantine_scan does pre-flight detection without returning content.

LLM Key Proxying

Proxy LLM API calls (Gemini, OpenAI, Anthropic) through the gateway so API keys never leave the trusted boundary. Agents send model requests to Trentina, which forwards them with the real credentials. Adding a new provider is a YAML entry, not code. Streaming and non-streaming responses are forwarded transparently.

Matrix Reverse Proxy

Proxy Matrix Client-Server API traffic through the gateway so agents on the internal network can communicate via Matrix without direct internet access. Agents point MATRIX_HOMESERVER at Trentina instead of matrix.org. Long-poll /sync timeouts are tuned automatically.

Cockpit Plugin

Live web dashboard for the defense pipeline, built as a Cockpit plugin with PatternFly 6. Shows layer status, blocklist entries, and pipeline events in real time through the same web console sysadmins already use to manage RHEL systems. Vanilla JavaScript, no React, no build step.

Related MCP server: crawl-mcp-server

Quick Start

# PyPI
pip install mcp-trentina-crunchtools

# uvx (zero-install)
uvx mcp-trentina-crunchtools

# Container (includes Prompt Guard 2 86M classifier)
podman run quay.io/crunchtools/mcp-trentina

Minimal Configuration

# Required for Layer 3 (Q-Agent) and description compression
export GEMINI_API_KEY=your-key

# Enable gateway mode
export TRENTINA_GATEWAY_ENABLED=true
export TRENTINA_PROFILES_PATH=/path/to/profiles.yaml

# Per-profile bearer tokens
export TRENTINA_PROFILE_MYAGENT_TOKEN=your-token

Claude Code

{
  "mcpServers": {
    "trentina": {
      "type": "streamable-http",
      "url": "http://localhost:8019/gateway/myprofile/mcp",
      "headers": {
        "Authorization": "Bearer your-token"
      }
    }
  }
}

Documentation

Document

Description

MCP Gateway

Architecture, routing, namespacing

Per-Agent Profiles

Authentication, profile schema, multi-agent setup

Tool Filtering

Allowlists, denylists, glob patterns

Parameter Guards

Per-tool argument validation

Defense Pipeline

L1/L2/L3 layers, coverage matrix

Description Compression

LLM-powered context reduction

Audit Log

Call recording, stats, monitoring

Blocklist

Cumulative detection memory

Quarantine Tools

Web fetch, read, search, scan

LLM Key Proxying

API key isolation via reverse proxy

Matrix Reverse Proxy

Agent communication via Matrix

Cockpit Plugin

Live defense pipeline dashboard

Internal: Gateway Design

Original design document for contributors

Development

uv sync --all-extras
uv run ruff check src tests
uv run mypy src
uv run pytest -v
podman build -f Containerfile .

License

AGPL-3.0-or-later

Install Server
A
license - permissive license
A
quality
C
maintenance

Maintenance

Maintainers
<1hResponse time
5wRelease cycle
4Releases (12mo)
Commit activity
Issues opened vs closed

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/crunchtools/mcp-trentina'

If you have feedback or need assistance with the MCP directory API, please join our Discord server