Trust Model

Tollgate provides a security layer between AI agents and MCP servers. This document explains the trust model and security guarantees.

Architecture

    AI Agent (Claude, etc.)
            |
            v
         Tollgate
            |
            v
        MCP Server
            |
            v
     Backend Resource
Tollgate acts as a transparent proxy, intercepting all MCP traffic between the AI agent and the upstream server.

Security Guarantees

Policy Enforcement

  • All tool calls are evaluated - No bypass mechanism exists
  • Policies are evaluated locally - No external API calls
  • Fail-closed by default - If policy evaluation fails, access is denied

Audit Trail

  • Complete logging - Every tool call is recorded
  • Tamper-evident - SQLite database with integrity checks
  • PII redaction - Sensitive data redacted by default
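The page states that the audit trail is a tamper-evident SQLite database with integrity checks but does not describe the scheme. The following is an added illustration, not Tollgate's own code, of one standard way to obtain that property: each row carries a SHA-256 over its contents and the previous row's hash, so any edit, insertion or deletion inside the chain is detected on verification. Table and column names, and the row layout, are assumptions for the example.

```python
"""Added example: hash-chained audit log in SQLite (not Tollgate's implementation)."""
from __future__ import annotations

import hashlib
import json
import sqlite3

GENESIS = "0" * 64  # stands in for the hash of the row before the first entry


def _row_hash(prev_hash: str, seq: int, tool: str, args: str, decision: str) -> str:
    # Canonical JSON of the fields plus the previous hash; any change flips the digest.
    payload = json.dumps([prev_hash, seq, tool, args, decision], separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def open_log(path: str = ":memory:") -> sqlite3.Connection:
    # Assumed schema for the example; ":memory:" keeps the demo self-contained.
    conn = sqlite3.connect(path)
    conn.execute(
        "CREATE TABLE IF NOT EXISTS audit ("
        " seq INTEGER PRIMARY KEY, tool TEXT NOT NULL, args TEXT NOT NULL,"
        " decision TEXT NOT NULL, prev_hash TEXT NOT NULL, hash TEXT NOT NULL)"
    )
    return conn


def append(conn: sqlite3.Connection, tool: str, args: dict, decision: str) -> str:
    """Record one tool call, chaining it to the previous row. Returns the new row hash."""
    row = conn.execute("SELECT seq, hash FROM audit ORDER BY seq DESC LIMIT 1").fetchone()
    seq, prev = (row[0] + 1, row[1]) if row else (1, GENESIS)
    args_json = json.dumps(args, sort_keys=True)
    h = _row_hash(prev, seq, tool, args_json, decision)
    conn.execute(
        "INSERT INTO audit (seq, tool, args, decision, prev_hash, hash) VALUES (?,?,?,?,?,?)",
        (seq, tool, args_json, decision, prev, h),
    )
    conn.commit()
    return h


def verify(conn: sqlite3.Connection) -> tuple[bool, int | None]:
    """Recompute the whole chain. Returns (ok, seq of the first broken row or None)."""
    prev = GENESIS
    expected_seq = 1
    for seq, tool, args, decision, prev_hash, h in conn.execute(
        "SELECT seq, tool, args, decision, prev_hash, hash FROM audit ORDER BY seq"
    ):
        # A gap in seq, a wrong back-pointer, or a digest mismatch all break the chain.
        if seq != expected_seq or prev_hash != prev or _row_hash(prev, seq, tool, args, decision) != h:
            return False, seq
        prev = h
        expected_seq += 1
    return True, None


def latest_hash(conn: sqlite3.Connection) -> str:
    """Hash of the newest row; keep a copy outside the database to detect tail truncation."""
    row = conn.execute("SELECT hash FROM audit ORDER BY seq DESC LIMIT 1").fetchone()
    return row[0] if row else GENESIS


if __name__ == "__main__":
    log = open_log()
    append(log, "query", {"sql": "SELECT count(*) FROM users"}, "allow")
    append(log, "execute", {"sql": "DROP TABLE users"}, "deny")
    print("before tampering:", verify(log))
    log.execute("UPDATE audit SET decision = 'allow' WHERE seq = 2")  # simulate tampering
    log.commit()
    print("after tampering:", verify(log))
```

One caveat the chain alone does not cover: deleting the newest rows leaves a valid shorter chain. That is why `latest_hash` exists; storing its value somewhere the attacker cannot reach (another host, a write-once store) lets a verifier notice that the log has been cut short.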

No Network Dependencies

  • Runs entirely locally - No cloud services
  • No telemetry - Usage data never leaves your machine
  • Works offline - No internet required

Threat Model

What Tollgate Protects Against

Threat                                 Protection
AI agent exceeding scope               Policy-based access control
Accidental destructive operations      Analyzer detection + denial
Unreviewed database modifications      Prompt-based approval
Audit trail gaps                       Complete logging

What Tollgate Does NOT Protect Against

Threat                          Why                                    Mitigation
Malicious MCP server            Tollgate trusts upstream responses     Use trusted servers only
Compromised Tollgate binary     Attacker has local access              Verify package integrity
Social engineering approval     User approves malicious operation      Train users, use strict policies

Trust Boundaries

Trusted Components

  1. Tollgate binary - Assumed to be uncompromised
  2. Configuration file - Assumed to be correct
  3. Local filesystem - Assumed to be secure

Untrusted Components

  1. AI agent - May attempt unauthorized operations
  2. Tool arguments - May contain malicious content
  3. User input in prompts - May be manipulated

Verification

Open Source

Tollgate is open source. Audit the code yourself:
# Clone and review
git clone https://github.com/dotsetlabs/cli
cd cli/src/tollgate

# Or read online
https://github.com/dotsetlabs/cli/tree/main/src/tollgate

Package Verification

Verify npm package integrity:
# Check package signature
npm audit signatures @dotsetlabs/cli

# Compare with source
npm pack @dotsetlabs/cli --dry-run

Security Best Practices

Configuration

  1. Use deny-by-default policies
    defaults:
      action: deny
    
  2. Be specific about allowed operations
    tools:
      "query":
        action: allow
      "*":
        action: deny
    
  3. Use analyzers for smart decisions
    tools:
      "execute":
        analyzer: sql
        risks:
          dangerous: deny
    

Operations

  1. Review audit logs regularly
    dotset tollgate logs -n 100
    
  2. Export logs for long-term retention
    dotset tollgate export -f json -o audit-$(date +%Y%m%d).json
    
  3. Monitor for anomalies
    • Unusual tool calls
    • High denial rates
    • Repeated dangerous operations
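The three anomaly signals above can be checked mechanically against an exported log. The following is an added example, not Tollgate's code: it parses a JSON export and flags unexpected tools, a high denial rate, and a tool that repeatedly triggers dangerous-risk decisions. The record fields (tool, decision, risk, timestamp), the sample records, and the thresholds are all constructed for the example; the real export schema is not shown on this page.

```python
"""Added example: anomaly checks over an exported audit log (assumed schema)."""
from __future__ import annotations

import json
from collections import Counter

# Constructed sample resembling a `dotset tollgate export -f json` output;
# field names are assumptions, not the documented format.
SAMPLE_EXPORT = json.dumps([
    {"timestamp": "2024-01-01T10:00:00Z", "tool": "query", "decision": "allow", "risk": "safe"},
    {"timestamp": "2024-01-01T10:00:05Z", "tool": "query", "decision": "allow", "risk": "safe"},
    {"timestamp": "2024-01-01T10:00:09Z", "tool": "query", "decision": "allow", "risk": "safe"},
    {"timestamp": "2024-01-01T10:00:14Z", "tool": "query", "decision": "allow", "risk": "safe"},
    {"timestamp": "2024-01-01T10:00:20Z", "tool": "query", "decision": "allow", "risk": "safe"},
    {"timestamp": "2024-01-01T10:01:00Z", "tool": "execute", "decision": "allow", "risk": "safe"},
    {"timestamp": "2024-01-01T10:02:00Z", "tool": "execute", "decision": "deny", "risk": "dangerous"},
    {"timestamp": "2024-01-01T10:02:03Z", "tool": "execute", "decision": "deny", "risk": "dangerous"},
    {"timestamp": "2024-01-01T10:02:07Z", "tool": "execute", "decision": "deny", "risk": "dangerous"},
    {"timestamp": "2024-01-01T10:03:00Z", "tool": "shell_exec", "decision": "deny", "risk": "dangerous"},
])


def load_export(text: str) -> list[dict]:
    """Parse the JSON export into a list of records."""
    records = json.loads(text)
    if not isinstance(records, list):
        raise ValueError("expected a JSON array of audit records")
    return records


def summarize(
    records: list[dict],
    known_tools: set[str],
    deny_rate_threshold: float = 0.3,
    dangerous_repeat_threshold: int = 3,
) -> dict:
    """Compute counts and a list of human-readable findings.

    known_tools is the set of tools the policy is expected to see; anything
    else is reported as unusual. Thresholds are illustrative defaults."""
    total = len(records)
    denials = sum(1 for r in records if r.get("decision") == "deny")
    per_tool = Counter(r["tool"] for r in records)
    dangerous_per_tool = Counter(r["tool"] for r in records if r.get("risk") == "dangerous")

    findings: list[str] = []
    unusual = sorted(set(per_tool) - known_tools)
    if unusual:
        findings.append(f"unusual tool calls: {', '.join(unusual)}")
    denial_rate = denials / total if total else 0.0
    if denial_rate > deny_rate_threshold:
        findings.append(f"high denial rate: {denial_rate:.0%} ({denials}/{total})")
    for tool, n in sorted(dangerous_per_tool.items()):
        if n >= dangerous_repeat_threshold:
            findings.append(f"repeated dangerous operations: {tool} x{n}")

    return {
        "total": total,
        "denials": denials,
        "denial_rate": denial_rate,
        "per_tool": dict(per_tool),
        "findings": findings,
    }


if __name__ == "__main__":
    report = summarize(load_export(SAMPLE_EXPORT), known_tools={"query", "execute"})
    for line in report["findings"]:
        print("FINDING:", line)
```

Run it on a real export by replacing `SAMPLE_EXPORT` with the file contents and adjusting the field names to whatever the export actually contains; the three checks map one-to-one onto the bullets above.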

Deployment

  1. Use fail-closed mode in production
    dotset tollgate start -s postgres --failure-mode fail-closed
    
  2. Restrict file permissions
    chmod 600 tollgate.yaml
    chmod 600 ~/.dotset/tollgate.db
    
  3. Run with minimal privileges
    • Don’t run as root
    • Use dedicated service user

Incident Response

If you suspect a security incident:
  1. Export audit logs immediately
    dotset tollgate export -f json -o incident-$(date +%s).json
    
  2. Review all tool calls
    dotset tollgate logs -n 10000 | grep -v "allow"
    
  3. Check for policy violations
    dotset tollgate export --risk dangerous -f json
    
  4. Rotate any exposed credentials

Reporting Security Issues

Report security vulnerabilities to: Please do not open public issues for security vulnerabilities.