Every integration. One MCP gateway.

Connect OpenAPI, GraphQL, and remote MCP sources once. Controller normalizes their operations into one searchable tool catalog with stable addresses across accounts and environments. Agents search and load only the schemas they need through one Streamable HTTP MCP endpoint, whether you expose the complete workspace or a focused toolkit. Credentials stay outside model context, and every bridged call crosses policy before reaching an upstream service.

Six parts, one platform

Controller keeps source discovery, agent execution, and operational control in one system without making them the same concern.

Gateway

Give MCP-compatible agents one stateless endpoint and a compact three-tool execution surface.

Toolkits

Publish focused catalogs for agents that should not see the whole workspace.

Runtime

Run bounded TypeScript with lazy tool discovery and no ambient host access.

Governance

Allow, pause, or block every governed call before credentials reach an adapter.

Deployment

Operate one Bun service with SQLite or PostgreSQL and explicit readiness, auth, and network boundaries.

Connect what you already use

Connect the interfaces your team already maintains. Controller makes them discoverable through one gateway without flattening away what is useful about each source.

Import OpenAPI 3 or Swagger 2 from JSON or YAML. Controller turns operations into searchable tools and preserves their identity as the source changes.

  • * Discover operations and input schemas automatically
  • * Reuse one source across named accounts, environments, or regions
  • * Replace definitions only after the refreshed catalog succeeds
  • * Keep removed operations in history instead of erasing past executions

How Controller works

Bring a source from discovery to governed agent execution in four deliberate steps.

1. Connect a source

Add OpenAPI JSON or YAML, introspect GraphQL, or connect a remote MCP server. Discovery runs before the source replaces the current catalog.

2. Add named connections

Represent accounts, environments, or regions without duplicating the source definition. Credentials stay encrypted behind the gateway.

3. Shape agent access

Expose the connected workspace at /orgs/:organizationId/mcp, or create a focused toolkit from selected connections.

4. Execute through policy

Agents search, describe, and call only the tools they need. Every bridged call crosses policy before credentials or adapters run.

One endpoint. Three gateway tools.

Controller keeps the connected catalog behind one stateless Streamable HTTP MCP endpoint. Agents discover tools first and load only the schemas they need.

Gateway toolRole
skillsInspect the connected catalog and its input schemas
executeRun isolated TypeScript that searches, describes, and calls tools lazily
resumeContinue a policy-paused workflow after approval

The workspace endpoint exposes the complete connected catalog. A toolkit endpoint exposes only selected connections. Both use the same gateway contract, and every invocation still crosses policy.

Agent-authored TypeScript runs in a fresh QuickJS context with no direct network, filesystem, process, module, or secret access. Runs are bounded, and approved workflows resume without replaying completed calls. Read about the runtime boundary.

Control every execution

Controller applies the same policy, approval, credential, and audit model to every governed call.

Default deny

Rules can match tool, connection, actor, environment, risk, wildcard address, and structured arguments. Unmatched calls stop before credentials or adapters run.

Tool call → policy match → Allow / Require approval / Block

Conflicts resolve by priority, specificity, and the safer effect. Common string-obfuscation forms are normalized before argument checks.

Approve, then continue

Checkpoint a workflow for human review and resume it without replaying completed calls.

execute → checkpoint → approve → resume

Credentials after approval

Encrypted connection credentials stay outside model context and are attached only while Controller constructs an approved request.

Decision audit

Record the actor, tool, outcome, reason, and matched policy. Policy decision records omit arguments and results.

Coding-agent coverage

Enroll Codex, Claude Code, Cursor, OpenCode, and other supported coding agents so native tools and external MCP calls cross the same policy check.

Commands still run on the developer machine. Hooks provide cooperative interception, not OS containment.

Read the governance model for policy matching, approvals, scoped API keys, audit behavior, and the client-hook trust boundary.

Works with most coding agents

Any MCP-compatible agent can connect to Controller over Streamable HTTP. First-class native hook and plugin coverage is available for the clients below.

  • Codex
  • Claude Code
  • OpenCode
  • Kilo Code
  • Cursor
  • Cursor Agent
  • VS Code / GitHub Copilot
  • GitHub Copilot CLI
  • Factory Droid
  • Antigravity / Antigravity IDE
  • Devin Desktop / Windsurf
  • Pi
  • Hermes Agent
  • OpenClaw
  • Cline

Open source

Controller is open source under Apache 2.0. The gateway, runtime, policy engine, adapters, and console are developed in public and available to inspect and contribute to.

View the repository →