BASTION
STATUS: ACCEPTING_DESIGN_PARTNERS

Strict governance for AI agent execution.

Bastion is the self-hosted secure MCP gateway for AI coding agents. It enforces identity validation, deterministic access controls, human approval routing, and cryptographic audit logging before any tool call reaches your infrastructure.

[SELF_HOSTED] [SOC2_READY] [ZERO_STANDING_CREDENTIALS]
bin/bastion start --env=production
00:00:00.000 INFO [core] initializing gateway... 00:00:00.012 INFO [policy] loaded 42 active rules 00:00:00.045 INFO [connectors] verifying github oauth... OK 00:00:00.089 INFO [audit] connected to stream: sha256 00:00:00.102 INFO [server] listening on 0.0.0.0:8080 ... 00:01:23.401 WARN [req_11a] risk level HIGH detected 00:01:23.405 INFO [req_11a] suspending for human approval 00:01:23.512 INFO [slack] dispatched approval card 00:02:45.118 INFO [slack] approved by user U8B24C 00:02:45.122 INFO [req_11a] executing tool: github.pr.merge
Module::Audit

Deterministic Execution Tracking

Every tool invocation is evaluated against defined policies before connector execution. Results are serialized to an append-only, hash-chained event stream. Nothing reaches your systems unobserved.

audit-stream.jsonl
STREAMING
1>{"event":"tool.call","tool":"github.issue.list","risk":"low","decision":"allow"}
2>{"event":"policy.eval","tool":"jira.issue.create","rules":["POL-01"],"decision":"allow"}
3|{"event":"approval.req","tool":"github.pr.create","risk":"high","id":"apr_3k","decision":"suspend"}
4>{"event":"approval.ok","id":"apr_3k","via":"slack","approver":"@sarah"}
5!{"event":"tool.deny","tool":"github.pr.merge","rules":["POL-CRIT"],"decision":"deny"}
6_waiting for next block...
Module::Core

Enforcement at the gateway layer.

Security controls are evaluated prior to connector routing. There are no ad-hoc rules inside agents; governance is centralized and deterministic.

01

AUTH::AGENT_IDENTITY

Tool calls require explicit tenant, user, agent, client, and session binding. Anonymous service tokens are rejected at the edge.

02

REGISTRY::TYPED_TOOLS

Canonical registry defining tool capabilities and risk levels (LOW to CRITICAL). Destructive operations require explicit policy opt-in.

03

POLICY::ENGINE

Evaluates deterministic allow, deny, require_approval, and rate_limit rules before routing.

04

GATE::HUMAN_APPROVAL

High-risk mutations (PR merges, production writes) are suspended pending explicit human authorization via Slack or Teams.

05

AUDIT::IMMUTABLE_TRAIL

Append-only, SHA-256 hash-chained event logging. Searchable and exportable via signed webhooks.

06

SECRETS::ISOLATION

Connector credentials never touch the agent, the audit log, or tool output. Total separation of concerns.

Module::Connectors

One policy layer, every connector.

Typed connectors for the tools your agents already call. Auth, rate limiting, and audit logging are inherited automatically — connectors ship with zero bespoke security logic.

github.connector
slack.connector
jira.connector
linear.connector
+ custom_connector.ts — build your own with the Connector SDK. Typed inputs, declared risk levels, policy-aware by default.
Deploy::Pilot

Self-hosted infrastructure deployment.

Bastion deploys entirely within your infrastructure boundary. We are currently onboarding a select group of design partners for beta access. Submit your work identifier to request provisioning.

> ACKNOWLEDGEMENT_SLA: 1_BUSINESS_DAY