mcp-bastion
Proxies and manages connections to the GitHub MCP server, providing tools for repository management, issue tracking, and other GitHub API operations.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mcp-bastionshow me the status of all connected servers"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
๐ก๏ธ mcp-bastion
A reliability & security proxy for the Model Context Protocol (MCP).
Self-healing connections, runtime tool-security, and a compliance-mapped audit trail for your MCP servers.
mcp-bastion sits between your MCP client (Claude Code, Cursor, Cline, Windsurf, Zed, Claude
Desktop, or any MCP-compliant agent) and your MCP servers. It is client-agnostic โ it works with
any compliant client through configuration alone, with zero client-specific code โ and non-invasive:
your servers run unchanged, and removing Bastion is a one-line config revert.
๐ Launch story: Medium ยท dev.to
Contents
Related MCP server: Secure MCP Server
Why
When an MCP server disconnects mid-session, the agent only sees a generic "No such tool available" error โ indistinguishable from a tool that never existed โ and it cannot reconnect; only a human can. Long agent sessions silently lose capabilities and fail in confusing ways.
Bastion closes that gap. It health-checks every server, auto-reconnects with backoff, and โ crucially โ exposes control tools so the agent itself can inspect connection health and recover a dropped server without human intervention.
Bastion now spans three layers: reliability (v0.1), runtime security (v0.2 โ tool pinning / rug-pull & poisoning detection), and audit & compliance (v0.3 โ pluggable sinks mapped to NIST AI RMF / OWASP LLM Top 10). See the roadmap.
How it works
Today your client connects directly to each server. With Bastion, your client connects to Bastion, which connects to those same servers on your behalf โ so it sits in the tool-call path and can add reliability (and, later, security) transparently.
Before: Client โโถ server A / server B / server C
After: Client โโถ mcp-bastion โโถ server A
โโถ server B
โโถ server CBastion is a standard MCP server to your client and a standard MCP client to each upstream. Because it speaks the protocol faithfully, it works with every compliant client automatically โ the only per-client difference is where you put a few lines of config.
Features
๐ Client-agnostic โ one binary, config-only integration; no per-client plugins.
โป๏ธ Self-healing โ health checks + capped exponential-backoff auto-reconnect for stdio servers.
๐งญ Agent-recoverable โ
bastion__statusandbastion__reconnectlet the agent detect and fix drops itself, instead of hitting an opaque "no such tool" wall.๐งฉ Transparent aggregation โ merges many servers into one, with per-server tool namespacing to prevent collisions and tool-shadowing.
๐ฌ Legible failures โ a dropped server yields an actionable message, not a crash.
๐ก๏ธ Runtime security (new in v0.2) โ pins each tool's definition and blocks "rug pulls" (a server changing a tool after approval); heuristically inspects descriptions for poisoning; detects cross-server shadowing. See Runtime security.
๐ Audit & compliance (new in v0.3) โ structured, tamper-evident audit events to pluggable sinks (console / file / webhook), mapped to NIST AI RMF & OWASP LLM Top 10. See Audit & compliance.
๐ชถ Non-invasive & reversible โ your servers run unchanged; uninstall is a config revert.
๐งฑ Enterprise-grade codebase โ strict TypeScript, layered architecture, ESLint + Prettier, and unit + end-to-end tests.
Quick start
1. Add Bastion to your client, pointing it at a config file:
// your client's mcpServers config
{
"mcpServers": {
"bastion": {
"command": "npx",
"args": ["-y", "mcp-bastion", "--config", "bastion.config.json"],
},
},
}2. List your real servers in bastion.config.json (moved verbatim from the client):
{
"servers": {
"github": { "command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"] },
"filesystem": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-filesystem", "/path/to/dir"],
},
},
"reconnect": { "auto": true },
"healthCheck": { "enabled": true },
}3. Restart your client. Your tools now appear namespaced (e.g. github__create_issue) alongside
Bastion's control tools. See bastion.config.example.json for the
full set of options.
Demo
See the whole thing in action โ a server crashing mid-session and healing itself:
npm run demoIt boots Bastion in front of a server that crashes on command, shows the agent getting an actionable
"reconnect" message instead of a cryptic error, and then the connection auto-recovering with no human
involved. To record it as a GIF: asciinema rec demo.cast -c "npm run demo" && agg demo.cast assets/demo.gif.
Control tools
Bastion injects control tools so the agent can manage connections and review security itself, using only standard MCP calls:
Tool | Purpose |
| Health of every proxied server: connected / disconnected / reconnecting / failed, tool counts, last error. |
| Reconnect a named server (argument: |
| Per-tool security report: pin status (approved vs changed), poisoning findings, and shadowing. |
| Re-approve a changed tool (arguments: |
| Audit summary of recent activity mapped to NIST AI RMF / OWASP LLM Top 10 (requires |
Configuration
Key | Type | Default | Description |
| map | โ | Upstream servers to proxy (required, at least one). |
| string | โ | Executable to launch (e.g. |
| string[] |
| Arguments to |
| map | โ | Env overrides merged over the process env. |
| string | โ | Working directory for the spawned process. |
| boolean |
| Auto-reconnect after an unexpected disconnect. |
| number |
| Max attempts before giving up ( |
| number |
| Initial backoff, doubled each attempt. |
| number |
| Backoff ceiling. |
| boolean |
| Enable periodic liveness probing. |
| number |
| Interval between probes. |
| number |
| Per-probe timeout. |
|
|
| How upstream tool names are exposed. |
| string |
| Separator used by the |
| boolean |
| Pin tool definitions and detect later changes. |
|
|
| Action when a pinned tool's definition changed. |
| boolean |
| Run poisoning heuristics on tool descriptions. |
|
|
| Action on a high-severity poisoning finding. |
| boolean |
| Record an audit event for every tool call. |
|
|
| How tool arguments are recorded. |
| boolean |
| Hash-chain events so tampering is detectable. |
| array | console | Destinations: |
|
|
| Local subprocess or remote endpoint. |
| string | โ | Remote MCP URL (required for |
| map | โ | Headers for |
|
|
| Serve Bastion over stdio or Streamable HTTP. |
| string / number |
| Bind address for |
Transports
Bastion speaks two transports on both faces:
stdio (default) โ the client spawns Bastion, and Bastion spawns local servers.
Streamable HTTP โ connect to remote MCP servers (
servers.<name>withtransport: "http", aurl, and optional authheaders), and/or serve Bastion over HTTP to multiple/remote clients (listen.mode: "http", or--http <port>).
HTTP upstreams configured without an authentication header are flagged (authenticated: false) in
bastion__status and warned at connect time.
Runtime security
New in v0.2. Bastion adds a security layer in the tool-call path (an interceptor pipeline), enabled by default:
Rug-pull detection (tool pinning). Each tool's definition is pinned on first use. If a server later changes that definition, the tool is blocked (
onRugPull: "block") until you review it and re-approve withbastion__approve. This catches a server that looks benign at install time and turns malicious afterward.Poisoning inspection. Tool names and descriptions are scanned for manipulation heuristics (instruction override, secret access, data exfiltration, covert instructions, embedded directives, hidden/zero-width characters). Because heuristics can false-positive, the default is
warn(logged and reported, not blocked); setonPoisoning: "block"to enforce.Shadowing. When two servers expose a tool with the same name, it's surfaced in the report.
Review everything with the bastion__security tool. These checks apply to local stdio servers today;
authentication checks for remote servers arrive with HTTP transport support.
Audit & compliance
New in v0.3, opt-in. Enable audit to record a structured, versioned event for every tool call โ
including calls blocked by the security layer:
"audit": {
"enabled": true,
"includeArgs": "redacted", // none | redacted | full
"tamperEvident": true, // hash-chain events
"sinks": [
{ "type": "file", "path": "./bastion-audit.jsonl" },
{ "type": "webhook", "url": "https://collector.example/v1/audit" }
]
}Pluggable sinks.
console(stderr JSONL),file(JSONL append),webhook(batched POST), andotlp(native OpenTelemetry logs export โ point it at an OTel Collector to fan out to any SIEM/cloud backend). The sink interface makes new destinations additive.Compliance mapping. Each event is mapped to NIST AI RMF functions and OWASP LLM Top 10 categories;
bastion__compliancereturns an aggregate report of recent activity.Tamper-evidence. With
tamperEvident, events are hash-chained; the exportedverifyChainhelper detects any retroactive edit or deletion.Redaction. Arguments are omitted by default; set
includeArgstoredactedto keep structure while masking sensitive keys.
Client setup
The steps are identical for every client โ only the config file location differs:
Client | Where to add the |
Claude Code | project |
Cursor |
|
Claude Desktop |
|
Cline |
|
Windsurf |
|
Gradual adoption: you don't have to route every server through Bastion โ put only your flaky or untrusted servers behind it and leave the rest connected directly.
Architecture
Bastion is organized into clear layers with a one-directional dependency flow, so each concern is independently testable and easy to evolve:
src/
โโโ cli.ts # thin CLI entrypoint (parse โ wire โ serve)
โโโ index.ts # public library API
โโโ errors.ts # error hierarchy (BastionError, โฆ)
โโโ config/ # schema (Zod) + loader
โโโ core/ # domain: upstream connection lifecycle, aggregation & routing
โโโ proxy/ # client-facing MCP server + control tools
โโโ observability/ # logging (audit sinks in v0.3)
โโโ internal/ # small cross-cutting utilitiesDesign details โ including the client-agnostic rationale, the interceptor pipeline, and the audit-sink strategy โ live in the project's design docs.
Development
npm install
npm run check # format:check + lint + typecheck + test (the full gate)
npm test # unit + end-to-end (in-memory transport) tests
npm run build # bundle to dist/ (CLI + library)
npm run dev -- --config bastion.config.jsonScript | Does |
| Bundle CLI + library with |
| Run the CLI from source with |
|
|
| ESLint (flat config). |
| Prettier. |
| Vitest. |
| Everything above, as one gate. |
Roadmap
Version | Theme | Highlights |
v0.1 โ | Reliability | Aggregating proxy, auto-reconnect, |
v0.2 โ | Runtime security | Tool-definition pinning (rug-pull detection), poisoning inspection, shadowing detection. |
v0.3 โ | Audit & compliance | Pluggable audit sinks (console / file / webhook), NIST AI RMF / OWASP LLM Top 10 mapping. |
Both stdio and Streamable HTTP transports are supported (see Transports).
Contributing
Contributions are very welcome โ this project is built to be community-owned. Please read CONTRIBUTING.md for the dev setup, project layout, and PR workflow, and our Code of Conduct.
In short: open an issue for non-trivial changes, keep PRs focused with tests, and make sure
npm run check passes (CI runs it on Node 18/20/22). Good first areas: additional client setup
recipes, more upstream test fixtures, and Streamable HTTP transport support.
Security
mcp-bastion is security-adjacent software, so we hold it to a high bar. Please report
vulnerabilities privately โ do not open a public issue. See SECURITY.md for
the disclosure process.
License
Apache-2.0 ยฉ mcp-bastion contributors
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Gowthaman90/mcp-bastion'
If you have feedback or need assistance with the MCP directory API, please join our Discord server