Coordinated release across the entire stack

Today we are shipping Oktsec v0.6.0, Aguara v0.4.0, and Aguara MCP v0.3.0 simultaneously. This is the first fully coordinated release across all three projects. Every binary, every library, every transport layer has been migrated from community MCP forks to the official modelcontextprotocol/go-sdk v1.4.0 under Linux Foundation governance. Zero community forks remain.

For Oktsec specifically, v0.6.0 is the largest release to date. It introduces a fourth operational mode -- the MCP Gateway -- alongside proxy, audit, and MCP server modes. It closes four distinct security vectors that the previous release left open. And it nearly triples MCP client discovery, from 6 to 17 supported clients.

This post covers everything that shipped. If you are evaluating Oktsec for production deployment, this is the release that makes the case.

MCP Gateway Mode

The headline feature. The new oktsec gateway command starts a Streamable HTTP server that fronts multiple backend MCP servers. Agents connect to the gateway. The gateway discovers tools from all connected backends, applies the full security pipeline, and proxies approved calls downstream.

MCP Agents (Claude, Cursor, VS Code, custom)
    | Streamable HTTP
    v
oktsec gateway :9090/mcp
    rate limit -> identity -> suspension -> ACL -> content scan -> blocked filter -> audit log -> anomaly -> response scan
    | stdio / HTTP
    v
Backend MCP Servers (N backends): filesystem, database, API, payments, custom...

Gateway capabilities at a glance:

Tool discovery across backends
The gateway connects to all configured backend MCP servers and aggregates their tool schemas into a single unified catalog presented to agents.
Automatic namespacing
Tools from different backends are automatically namespaced to prevent collisions. Two backends exposing read_file remain distinct and routable.
Per-agent tool allowlists
Each agent identity receives a specific set of permitted tools. Unlisted tools are rejected with a JSON-RPC error before the call reaches any backend.
Response scanning
Backend responses pass through the content scanner before returning to the client. Poisoned database results, injected payloads in API responses -- caught at the boundary.
9-step security pipeline
Every tool call traverses: rate limit, identity verification, suspension check, ACL, content scan (169 rules), blocked content filter, audit log, and anomaly detection; backend responses then pass through the response scan as the ninth stage.
Auto-port fallback
If the configured port is occupied, the gateway automatically selects the next available port and logs the change. No manual intervention required during startup.

This is a new operational mode alongside the existing proxy, audit, and MCP server modes. Each mode addresses a different deployment topology. The gateway is designed for environments where multiple backend MCP servers need centralized security enforcement with a single control plane.

Security Hardening

Four security vectors closed in this release. Each represents an attack surface that was either unprotected or absent from prior versions.

SSRF Protection
21 RFC special-use CIDR ranges blocked: RFC 1918 private ranges, loopback, link-local, TEST-NET, Carrier-Grade NAT, multicast, IPv6 ULA, Teredo, 6to4, and NAT64. Post-DNS validation via safeDialContext prevents DNS rebinding. Alternative IP encodings -- hex, octal, packed decimal -- are detected and rejected. Applied to both webhook delivery and forward proxy CONNECT tunneling.
Credential Redaction
15 regex patterns detect and redact secrets: Anthropic API keys, GitHub tokens, AWS access keys, Slack tokens, GitLab tokens, Stripe keys, SendGrid keys, PEM private keys, and JWTs. Keys appear as sk-ant-api*** in the audit trail, API responses, and webhook payloads. Secrets never leave the system boundary in cleartext.
Replay Protection
A 5-minute timestamp freshness window rejects replayed messages. If an attacker captures a valid signed request and resubmits it, the timestamp check fails before any other pipeline stage executes. Eliminates an entire class of replay-based attacks against the Ed25519 identity layer.
Symlink & File-Size Hardening
New internal/safefile package enforces file-size limits and symlink rejection. Config files: 1 MB max. Keypairs: 64 KB max. Lstat checks on the audit database, config files, and public key directories reject symlinks before any read or write operation. Prevents path traversal via symlink chains.
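As an added example (not Oktsec's code), the following Go sketch shows the shape of the post-DNS validation described above: a constructed subset of the blocked ranges, rejection of hex/octal/decimal IP encodings before any lookup, and vetting of every resolved address so the dialer only ever receives an IP that passed the check. The names safeResolve, isBlockedIP and blockedCIDRs are this example's own; the post's safeDialContext would call safeResolve and then dial net.JoinHostPort(ip.String(), port) rather than the hostname.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

// Constructed subset of the 21 special-use ranges the post lists (RFC 1918, loopback,
// link-local, CGNAT, TEST-NET, multicast, IPv6 ULA, Teredo, 6to4, NAT64).
var blockedCIDRs = []string{"0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
	"169.254.0.0/16", "100.64.0.0/10", "192.0.2.0/24", "224.0.0.0/4",
	"::1/128", "fe80::/10", "fc00::/7", "2001::/32", "2002::/16", "64:ff9b::/96"}

// All-numeric labels (decimal, leading-0 octal, 0x hex) such as 0x7f000001, 0177.0.0.1 or
// 2130706433 form a disguised IP literal that net.ParseIP refuses; a real DNS name never looks like this.
var altEncoding = regexp.MustCompile(`^(0[xX][0-9a-fA-F]+|[0-9]+)(\.(0[xX][0-9a-fA-F]+|[0-9]+))*$`)

// isBlockedIP matches ip against every range; IPNet.Contains unwraps IPv4-mapped IPv6 (::ffff:a.b.c.d) itself.
func isBlockedIP(ip net.IP) bool {
	for _, c := range blockedCIDRs {
		if _, n, _ := net.ParseCIDR(c); n.Contains(ip) {
			return true
		}
	}
	return false
}

// safeResolve returns the single IP the caller must dial. A literal is vetted directly; a hostname is
// resolved here and every answer vetted, so the dialer never sees the name and a DNS answer that
// changes between check and connect (rebinding) cannot steer the connection into a blocked range.
func safeResolve(host string) (net.IP, error) {
	ips := []net.IP{net.ParseIP(host)}
	if ips[0] == nil {
		if altEncoding.MatchString(host) {
			return nil, fmt.Errorf("ssrf: non-canonical IP encoding %q", host)
		}
		var err error
		if ips, err = net.LookupIP(host); err != nil || len(ips) == 0 {
			return nil, fmt.Errorf("ssrf: cannot resolve %q: %v", host, err)
		}
	}
	for _, ip := range ips {
		if isBlockedIP(ip) {
			return nil, fmt.Errorf("ssrf: %q resolves to blocked address %s", host, ip)
		}
	}
	return ips[0], nil
}
```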

Combined effect: SSRF, credential leakage, replay attacks, and symlink-based file manipulation are now blocked at the infrastructure layer. These protections apply to all four operational modes -- proxy, audit, MCP server, and gateway.
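An added example, not taken from Oktsec, of the ordering the replay check above relies on: the timestamp is covered by the Ed25519 signature, and freshness is evaluated before the signature so a stale capture is dropped without reaching any later stage. SignedRequest, Sign, Verify and the 8-byte big-endian timestamp framing are this example's own assumptions about the wire format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"time"
)

const freshnessWindow = 5 * time.Minute // the post's 5-minute acceptance window

var ErrStale = errors.New("replay: timestamp outside freshness window")
var ErrSignature = errors.New("identity: invalid Ed25519 signature")

// SignedRequest is a constructed wire shape for this example, not Oktsec's real format: the
// timestamp is covered by the signature, so a captured request cannot simply be re-stamped.
type SignedRequest struct {
	Timestamp int64 // Unix seconds, set by the sender
	Body      []byte
	Signature []byte
}

// signingInput binds timestamp and body into one byte string (8-byte big-endian stamp || body).
func signingInput(ts int64, body []byte) []byte {
	buf := make([]byte, 8, 8+len(body))
	binary.BigEndian.PutUint64(buf, uint64(ts))
	return append(buf, body...)
}

// Sign stamps body with now and signs stamp and body together.
func Sign(priv ed25519.PrivateKey, body []byte, now time.Time) SignedRequest {
	ts := now.Unix()
	return SignedRequest{ts, body, ed25519.Sign(priv, signingInput(ts, body))}
}

// Verify runs in the order the post describes: freshness first, so a request resubmitted after
// the window is rejected before the signature (or any later pipeline stage) is evaluated.
// Stamps further in the future than the window are rejected too; otherwise a pre-dated message
// could be held back and delivered later while still looking fresh.
func Verify(pub ed25519.PublicKey, req SignedRequest, now time.Time) error {
	if age := now.Sub(time.Unix(req.Timestamp, 0)); age > freshnessWindow || age < -freshnessWindow {
		return ErrStale
	}
	if !ed25519.Verify(pub, signingInput(req.Timestamp, req.Body), req.Signature) {
		return ErrSignature
	}
	return nil
}
```

Inside the window the timestamp alone cannot distinguish a first delivery from a repeat, so a short-lived cache of seen signatures (or a per-request nonce) is the usual companion to this check.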

Expanded MCP Client Discovery

Oktsec auto-discovers MCP client configuration files on the local system to enable one-command integration. In v0.6.0, supported clients expanded from 6 to 17:

Claude Desktop, Cursor, VS Code, Cline, Windsurf, OpenCode, Zed, Amp, Gemini CLI, Copilot CLI, Amazon Q, Claude Code, Roo Code, Kilo Code, BoltAI, JetBrains, Junie

17 MCP clients supported, 11 of them new in v0.6.0. One command to integrate, no manual configuration required.

This covers the major MCP-capable editors, IDEs, and CLI tools currently in production use. When new clients adopt the MCP protocol, Oktsec adds discovery support in the next release.

Dashboard & Webhook Enhancements

Redesigned UI

The dashboard login, 404 page, and root splash have been fully redesigned. The visual refresh aligns the monitoring interface with the operational gravity of the data it presents.

Screenshots: agent metrics, events page, overview dashboard.

Webhook improvements

Webhook payloads now include rule_name, category, and match fields for every triggered detection rule. Named webhook channels allow routing different event types to different destinations -- critical alerts to PagerDuty, audit events to Slack, compliance records to S3.

Official MCP SDK Migration

The entire codebase has migrated from mark3labs/mcp-go v0.44 to modelcontextprotocol/go-sdk v1.4.0. This is the official Go SDK maintained under the Linux Foundation's Model Context Protocol organization -- Tier 1 status with semver stability guarantees.

The migration was not a find-and-replace. All MCP server code, client code, and transport handling was rewritten. A new internal/mcputil helper package encapsulates common patterns for tool registration, request parsing, and response construction.

The governance shift matters. Community forks like mark3labs/mcp-go provided valuable early momentum, but they carry inherent risks: no guaranteed maintenance cadence, no formal security review process, no commitment to backward compatibility. The official SDK provides all three.

Zero community forks remain across the entire stack. Oktsec, Aguara, and Aguara MCP all run on the same official SDK. A single upstream fix propagates everywhere.

Coordinated Engine Upgrades

The Oktsec release ships alongside coordinated updates to the Aguara detection engine and monitoring platform:

The Aguara-specific details are covered in the dedicated release post: Aguara v0.4.0: Coordinated Release.

By the Numbers

Metric                         Before   After   Delta
Detection rules                159      169     +10
MCP clients discovered         6        17      +11
Operational modes              3        4       +gateway
SSRF CIDR blocks               0        21      +21
Credential redaction patterns  0        15      +15
Community SDK references       3        0       eliminated

What's Next

The next release cycle focuses on production readiness and expanding into regulated environments:

Every component ships under the same coordinated release cadence. When Aguara gains new detection rules, Oktsec gains them in the same release. When the SDK receives a security patch, the entire stack updates together.

The security pipeline is production-ready. If your AI agents are connecting to databases, APIs, payment systems, or file servers without a security layer in between, you have a problem. Every one of those connections is an attack surface. Oktsec sits in the middle and enforces security on every single call. Identity, policy, content scanning, audit. Nothing passes through without being checked.

If you're building agents for payment systems, healthcare data flows, or any regulated environment where every interaction needs identity, traceability, and a complete audit log: I want to hear about your use case.

Get started

One binary. Four operational modes. 169 detection rules. Deploy in minutes, secure from day one.
