Arbitus — Open-Source Security Proxy for AI Agents and MCP Servers

Arbitus is an open-source security proxy that sits between AI agents and MCP servers. It enforces per-agent policies — auth, rate limiting, payload filtering, and audit — before any tool call reaches the upstream server. Arbitus é um proxy de segurança open-source que fica entre agentes de IA e servidores MCP. Ele aplica políticas por agente — autenticação, rate limiting, filtragem de payload e auditoria — antes que qualquer chamada de ferramenta chegue ao servidor upstream.

Agent (Cursor, Claude, etc.)
        │  JSON-RPC
        ▼
      arbitus     ← auth, rate limit, HITL, payload filter, audit
        │
        ▼
  MCP Server (filesystem, database, APIs...)

Available on crates.io and GitHub. Full documentation at arbitus-gateway.xyz. Disponível no crates.io e no GitHub. Documentação completa em arbitus-gateway.xyz.

cargo install arbitus

Features Funcionalidades

Auth & Access Control

Per-agent allowlist/denylist with glob wildcards. API key, JWT/OIDC, or mTLS. Agents only see the tools, resources, and prompts they are allowed to call. Allowlist/denylist por agente com glob wildcards. API key, JWT/OIDC ou mTLS. Agentes só veem as ferramentas, recursos e prompts que têm permissão para usar.

Rate Limiting

Per-agent sliding window, per-tool limits, and per-IP limit. Standard X-RateLimit-* headers included. Janela deslizante por agente, limites por ferramenta e por IP. Headers X-RateLimit-* padrão incluídos.

Human-in-the-Loop (HITL)

Suspend tool calls until an operator approves or rejects via REST API. Keeps humans in control of sensitive operations. Suspende chamadas de ferramentas até um operador aprovar ou rejeitar via REST API. Mantém humanos no controle de operações sensíveis.

Payload & Response Filtering

Block or redact sensitive patterns in requests and responses. Encoding-aware: Base64, percent-encoding, Unicode. Bloqueie ou redija padrões sensíveis em requisições e respostas. Ciente de encodings: Base64, percent-encoding, Unicode.

Audit Log

Every request recorded with X-Request-Id. Fan-out to SQLite, webhook, stdout, or OpenLineage. CloudEvents 1.0 support for SIEM ingestion. Cada requisição registrada com X-Request-Id. Fan-out para SQLite, webhook, stdout ou OpenLineage. Suporte a CloudEvents 1.0 para SIEM.

OPA / Rego Policy Engine

Evaluate every tools/call against a Rego policy file. Input exposes agent, tool, arguments, and client IP for fine-grained control. Avalia cada tools/call contra um arquivo de política Rego. O input expõe agente, ferramenta, argumentos e IP do cliente para controle fino.

Observability

Prometheus-compatible /metrics, OpenTelemetry traces, circuit breaker, config hot-reload on SIGUSR1, and a /dashboard audit viewer. Métricas compatíveis com Prometheus, traces via OpenTelemetry, circuit breaker, hot-reload de config no SIGUSR1 e viewer /dashboard.

Deployment

Multi-arch Docker image, Helm chart with sidecar pattern, TLS/mTLS, stdio and HTTP+SSE transport, graceful shutdown. Imagem Docker multi-arch, Helm chart com padrão sidecar, TLS/mTLS, transporte stdio e HTTP+SSE, desligamento gracioso.