The MCP Gateway
Your engineers gave Claude Code, Cursor, and Claude Desktop write access to their filesystem, your Stripe account, your GitHub repos, and your Postgres database. You don't know what those agents are doing with that access. Northbeams does.
10 MCP SERVERS CATALOGUED ● ON‑DEVICE ARGUMENT REDACTION ● AUDIT‑READY LOGS
01 / The blind spot every browser extension has
When an engineer asks Claude Code to "look up the customer in the production database and refund the last charge," the agent doesn't ask the browser. It calls a Postgres MCP, then a Stripe MCP, executes the calls directly, and tells the engineer "done."
The browser extension you bought to govern ChatGPT sees none of it. Neither does your secure web gateway, your CASB, or your endpoint DLP. The agent has more privilege than the engineer who's driving it, and there is no audit log of what it did.
The MCP Gateway is how you put that back under control without turning off the productivity.
02 / How it works
Claude Code
Cursor · Claude Desktop
Northbeams Gateway
On-device proxy
MCP Server
GitHub · Postgres · Stripe
Every tool call passes through a synchronous gate. Allow / warn / block decisions happen before the agent sees a response. Arguments are classified on-device.
create_repo, warn on delete_branch, allow read_file on the GitHub MCP. Same idea for every catalogued server. Strictest action wins when policies overlap.
03 / Ten servers in the catalogue today
Each server ships with a recommended policy. Stripe blocks create_refund and cancel_subscription. Filesystem blocks write_file and edit_file by default. GitHub warns on delete_branch. You can override every default, per tool, per method.
GitHub
Warn on destructive
Filesystem
Block writes
Stripe
Block payments
Postgres
Warn on UPDATE
Slack
Allow read
Google Drive
Warn on share
Puppeteer
Allow read
Brave Search
Allow all
Memory
Allow all
Sequential Thinking
Allow all
Internal MCPs match by package reference and binary basename, not absolute path. /usr/local/bin/acme-mcp, ~/.npm/acme-mcp, and any symlinked version share one policy. No more "which path is it installed at?" friction.
04 / What the audit log looks like
One log, all four surfaces, with the MCP traffic alongside the browser and desktop traffic. Per-user attribution, immutable signed exports for SOC 2 and EU AI Act evidence.
# Northbeams MCP audit log (excerpt) 2026-05-19T08:14:22Z user=ada@acme.com agent=claude-code mcp=github tool=create_pull_request decision=allow args.classified=[ok] 2026-05-19T08:14:31Z user=ben@acme.com agent=cursor mcp=stripe tool=create_refund decision=block reason="policy:stripe.payments=block" 2026-05-19T08:14:47Z user=ada@acme.com agent=claude-desktop mcp=postgres tool=query decision=allow args.classified=[redacted:credential,redacted:email] args.note="2 secrets removed pre-transmission"
05 / The competitive gap
LayerX, Harmonic, Prompt Security, Nightfall, Nudge, and Obsidian all run as browser extensions or cloud DLP. None of them sit in the path between a coding agent and an MCP server. We did the work because we had to: our own engineers were using Claude Code and Cursor every day, and we couldn't see what they were doing.
Most of these vendors are excellent at what they do. They were built before MCP existed, for a world where the AI risk was an employee pasting a contract into ChatGPT in a browser tab. The risk has moved. Coding agents talk to your databases now.
You can keep the DLP you already bought and add Northbeams for the four surfaces it can't reach. Or you can replace everything. Most founding partners do the first thing.
Founding Design Partner Program
50% off Sentinel locked for life. Founder Slack. Weekly roadmap calls. White-glove install. The MCP Gateway is in production today.