What is Gig'MCP?
Gig'MCP is an open-source, security-first MCP (Model Context Protocol) gateway. It runs community MCP servers in kernel-enforced sandboxes and injects your credentials at the network boundary — so one compromised tool can never expose your keys.
You connect your MCP client (Claude Code, Cursor, ...) to a single gateway endpoint. The gateway aggregates sandboxed MCP servers behind it and handles authentication, credential storage, and egress control for all of them.
The problem
Today, every MCP server you install:
- holds your raw API keys in its environment or config,
- has unrestricted network access — it can send those keys anywhere,
- has unrestricted filesystem access on your machine,
- is configured separately in every client you use.
Community MCP servers are useful and plentiful, but each one is third-party code you're handing your credentials to. A single malicious or compromised server — or a prompt-injected dependency — can exfiltrate every key it was given.
How Gig'MCP solves it
Gig'MCP's model is: MCP servers are untrusted; the kernel is the boundary; keys live only on the trusted side.
- Sandbox. Each server runs as a bubblewrap child process inside the gateway container, with its own user, PID, mount, and network namespaces, a seccomp-BPF filter, and a capability drop to uid 65534 with zero capabilities. No host filesystem, cleared environment.
- Placeholder credentials. The sandbox receives only a placeholder token in its environment — never the real key.
- Egress proxy. Each sandbox's network namespace has exactly one route: the gateway's embedded MITM egress proxy. The proxy identifies which sandbox is calling by the connection's source IP (unforgeable — each sandbox can only source its own /30), checks the destination domain against the server's manifest allowlist, and only then swaps the placeholder for the real key.
- Vault. Real credentials are stored envelope-encrypted (per-secret DEKs, XChaCha20-Poly1305, wrapped by a master key that never touches the database). See vault.
- Registry. Servers come from a curated, PR-gated registry of digest-pinned OCI images with author-declared entitlement manifests. CI publishes a signed
index.jsonthat the gateway verifies before trusting any entry. - Dashboard. A Next.js dashboard manages servers, profiles, credentials, and users against the gateway's REST API.
The full request flow: client calls a tool → gateway routes to that user's sandbox instance → server makes an HTTPS call with the placeholder token → the only route is the proxy → proxy resolves identity from the source IP, checks the allowlist, swaps in the vault-decrypted key, forwards, and writes an audit log entry.
Who it's for
- Self-hosters and homelab operators who want to use community MCP servers without handing them credentials. Deploys with Docker Compose on any Linux host (on macOS, it runs inside Docker — bubblewrap and network namespaces are Linux-only).
- Teams that want one managed MCP endpoint per profile, with multi-user auth (OIDC/SSO today; local login is in the design), roles, and an audit trail, instead of per-client config sprawl.
- Anyone who refuses to upload API keys to a third party. Credentials can stay entirely on your own hardware.
Compared to running MCP servers directly
| Running servers directly | Gig'MCP | |
|---|---|---|
| Who holds your API keys | Every server process | The encrypted vault, outside the sandbox |
| Network access | Unrestricted | Manifest-declared egress allowlist, enforced by the proxy |
| Filesystem access | Your whole machine | Private mount namespace, no host filesystem |
| Trust model | Trust every author | Kernel sandbox + proxy make trust unnecessary |
| What runs | Whatever the package manager fetched | Digest-pinned OCI image, exactly what was reviewed |
| Client config | Repeated per client, per server | One gateway endpoint per profile |
| Audit | None | Per-request log of user, server, domain, method |
Project status
Gig'MCP is under active development. The egress proxy and credential vault are complete: bearer auth, bubblewrap sandboxing, SQLite storage, the embedded MITM proxy, and the envelope-encrypted vault all ship today, with one bundled echo server. Registry-driven installs, multi-user auth, and the dashboard are landing per the project's design record. The registry catalogs 221 planned manifests, but their image digests are placeholders pending CI builds — placeholder digests are not installable.
Next steps
- Quickstart — bring up the gateway with Docker Compose and connect Claude Code.
- Configuration — the full environment variable reference.
- Security model — threat model and residual risks.
- System overview — how the pieces fit in detail.