v0.1.4 · crates.io · Spec v1.0.0-draft published 2026-02-21 · Registry live

The Native Security Layer
for the Model Context Protocol

SIGIL stands for the Sovereign Identity-Gated Interaction Layer.

It seamlessly extends the MCP ecosystem with indispensable zero-trust security. Identify AI callers, intercept sensitive data leaks, enforce host policies, and generate tamper-evident audit trails.

Start Securing Explore Documentation
rust > cargo add sigil-protocol click to copy
Use Cases

What can SIGIL prevent?

Without SIGIL, the Model Context Protocol (MCP) assumes a fully trusted local environment. By wrapping requests in the SIGIL envelope, you can proactively close the security gap between Hosts, Clients, and Servers.

Intercepted

Leaking API Keys to LLMs

The SIGIL SensitivityScanner intercepts secrets, IBANs, or PII before they ever reach the AI model, replacing them securely with opaque vault pointers.

Blocked

Unauthorized Tool Execution

The SecurityPolicy layer gates destructive MCP tools (e.g., drop_table) based on cryptographically verified Host and User identity.

Traced

Shadow IT & Agent Ambiguity

Every MCP JSON-RPC tool request and response is signed and logged by the AuditLogger, creating a tamper-evident record of exactly what agents did on the host.

Verified

Unknown Host Connections

Using the IdentityProvider, a SIGIL-secured MCP Server can mandate that only verified Clients can successfully connect, preventing arbitrary malware from invoking tools.

Stakeholders

Why does SIGIL matter?

SIGIL provides distinct value across the entire MCP ecosystem, from AI application developers to the end-users they serve.

For Agent Builders

Hosts & Clients

Reduce liability and increase trust by enforcing global security policies across all connected servers.

"We can deploy agents knowing they can't leak secrets or run unauthorized commands."

For Tool Builders

Servers

Secure tools by default. Wrap existing MCP servers with auth, scanning, and auditing without rewriting logic.

"We can publish enterprise tools safely, knowing SIGIL handles PII interception."

For End-Users

Humans

Granular transparency and control over what autonomous agents are doing on your behalf.

"I can review exactly what the agent read before I approve this transaction."

Architecture

The SIGIL Envelope

SIGIL acts as a standard extension to the MCP JSON-RPC protocol. It wraps standard tool calls with identity and security metadata, processed seamlessly through a 5-layer zero-trust pipeline.

// 1. Standard Request from an Agent (Host/Client) { "method": "tools/call", "params": { "name": "read_email", "arguments": {} }, "_sigil": { "identity": "eidas:DE/123456789", "trust_level": "High", "policy_approved": true, "audit_id": "550e8400-e29b-41d4-a716-446655440000" } } // 2. Response from the Tool (Server) - Scanned & Intercepted { "result": { "content": [{ "text": "Email from bank: [SIGIL-VAULT: IBAN]" }] }, "_sigil": { "scanned": true, "interceptions": 1 } }
IdentityProvider

🪪 Identity Binding

Bind AI callers to verifiable trust levels (OIDC, eIDAS). Validated seamlessly on the host or server.

SensitivityScanner

🔍 Content Interception

Scan MCP Tool requests and responses for API keys or PII before LLMs process them.

VaultProvider

🔒 Encrypted Vault

Intercepted MCP secrets are encrypted, stored locally, and replaced by opaque LLM-safe pointers.

AuditLogger

📋 Tamper-Evident Audit

Every MCP security event is securely logged with HMAC signatures creating an immutable trace over Agent actions.

SecurityPolicy

🛡️ Policy Enforcement

Declare MCP tool risk classifications and required confirmation gates. Zero-trust by default.

SigilMcpServer

🔌 SIGIL Server Wrapper

Wrap any MCP tool set with all five security layers in 4 lines of rust. Drop-in ready for the ecosystem.

Try It in 3 Minutes

Detect a Leaked Secret in 3 Lines

Install, scan, done. The registry provides 43 verified patterns — no configuration required.

# Cargo.toml [dependencies] sigil-protocol = "0.1" // main.rs use sigil_protocol::registry::RemoteScanner; let scanner = RemoteScanner::from_registry().await?; let hits = scanner.scan("AKIAIOSFODNN7EXAMPLE")?; println!("{hits:?}"); // → [ScanHit { pattern: "aws_access_key_id", severity: Critical }]

Live registry · 43 verified patterns · Frankfurt, EU · free & open source

Go Further — Secure your MCP Server

Wrap your existing Rust MCP toolsets with the full SIGIL intercept pipeline in 4 lines.

use sigil_protocol::mcp_server::{SigilMcpServer, ToolDef}; // Wrap your existing MCP server with SIGIL in 4 lines let scanner = Arc::new(RemoteScanner::from_registry().await?); let audit = Arc::new(FileAuditLogger::open("/var/log/sigil/audit.jsonl")?); let mut server = SigilMcpServer::new("my-tools", "1.0", scanner, audit); server.register_tool_with_trust(banking_tool, TrustLevel::High); // Policies enforced, data scanned, every action logged — automatically let response = server.handle_request(request, caller_trust).await;
Ecosystem

Developer Ecosystem

✅ OpenClaw Skill

OpenClaw

Install the SIGIL skill in OpenClaw to scan every MCP tool call for leaked secrets, enforce policies, and write audit logs — no code required.

bash <(curl -fsSL https://sigil-protocol.org/install.sh)
View OpenClaw Skill →
✅ ZeroClaw Crate

ZeroClaw

Drop in the sigil-zeroclaw Rust crate — implements the ZeroClaw Tool and Observability traits to gate every tool call with SIGIL's 43-pattern scanner.

cargo add sigil-zeroclaw
View ZeroClaw Crate →
Open

Your Project

Building with SIGIL? Open a PR to list your project. Any MCP server, client, or agent host is welcome.

Contribute on GitHub →
🔄 In Progress

SIGIL Inspector

A native developer tool for visualizing security envelopes, policy verdicts, and audit logs locally. Coming soon as a web app.

✅ Live

SIGIL Registry

The did:sigil: DID registry and community-curated crowdsourced scanner + policy registry are live at registry.sigil-protocol.org. 43 verified patterns · 35 security policies. Docs →

Project Status

Where SIGIL is Today

As of February 2026, SIGIL is a live, published open-source protocol with a working Rust implementation, a formal specification, and a reference platform. Here is the honest current state.

✅ Live

Core Library

sigil-protocol v0.1.4 published on crates.io. All five traits implemented and tested with full test coverage.

✅ Published

Formal Specification

SIGIL Protocol Spec v1.0.0-draft published on GitHub and sigil-protocol.org on 2026-02-21. Constitutes public prior art disclosure.

✅ Live

DID Registry

registry.sigil-protocol.org is live resolving did:sigil: identifiers over HTTPS with TLS 1.3. Crowdsourced scanner (43 patterns) and policy registry (35 policies) now included.

✅ Published

Python SDK

sigil-protocol published on PyPI. First-class middleware and tool gating support for LangChain, CrewAI, AutoGen, and mcp-agent.

✅ Published

OpenClaw & ZeroClaw

Official security integrations published for the Claw AI ecosystem. Transparent Observability auditing for ZeroClaw and drop-in skill for OpenClaw.

✅ Available

Node.js / TypeScript SDK

sigil-protocol npm package — RemoteScanner auto-fetches 43+ community patterns at startup, with offline fallback. SigilClient for signed pattern/policy submissions.

🔄 In Progress

SIGIL Inspector UI

Visual developer tool for inspecting live security envelopes, policy verdicts, and audit logs. Available soon as a local web app.

Get Started

Add SIGIL to Your Agent Stack

Dual-licensed: EUPL-1.2 for open-source use. Commercial licence available for proprietary deployments.

View Source crates.io docs.rs 🌐 Live Registry
📄 Specification 🤝 Contributing ⚖️ EUPL-1.2 + Commercial