Install, connect, and run HydraSentry
HydraSentry secures the memory layer before your agent acts. Install the MCP server, point your client at it, optionally bring your own model key, and every risky retrieval is scored, blocked, and certified. Everything below is real and copy-ready.
Install
HydraSentry ships as a stdio MCP server. Install it from PyPI with pip (Python 3.11+):
pip install hydrasentry-mcp
Connect your agent
Point any MCP-compatible client (Claude Desktop, Cursor, your own runtime) at the installed server by adding it to your MCP client config. No account, no sign-in, no key to mint.
{
  "mcpServers": {
    "hydrasentry": {
      "command": "hydrasentry-mcp"
    }
  }
}

Restart your MCP client. From then on, every risky memory your agent retrieves is scored, certified, and lands in the public incident console. Open the console to watch findings arrive.
The 7 MCP tools
The gateway exposes a fixed surface of seven tools. The read tools run unauthenticated; the write tools require the shared MCP secret, so a poisoned skill can never quarantine memory or schedule scans on its own. This is the firewall: the unsafe action is gated before your agent can fire it.
Bring your own model key (optional)
By default, real runs use the platform model. To run against your own model and key instead, open Settings and paste a provider key. The key is stored only in your browser's localStorage and is sent with each run request; it is never persisted on our backend. Grab a key from your provider:
Usage
The fastest way to see HydraSentry work is the live attack on the homepage: it replays the same task on clean versus poisoned context, traces the taint through the memory graph, blocks the unsafe action through MCP, and seals the block into a Memory Integrity Certificate. Then explore the cockpit:
- Context Graph - run a live HydraDB query_paths traversal and inspect the tainted path
- MCP Gateway - call the seven tools and watch the firewall gate the write tools
- OWASP ASI Top-10 - the self-verified coverage map, recomputed against the running code
- Results Center - the finding, the certificate, and the downloadable evidence report
Public API
Every value-path surface is backed by a public endpoint you can call directly. The live backend base URL is:
https://backend-three-puce-75.vercel.app
The full MCP tool surface is also reachable over HTTP under /mcp/* (one route per tool); the write tools require the X-MCP-Secret header.