Multiple SSE MCP servers behind a permissioning sidecar enforcing PERM-UNIFY-R1 (Call/Read/Write/Grant + epochs + IFC witnesses)
```bash
# Install dependencies
make install-deps
# Set your Morph API key
export MORPH_API_KEY="your-api-key-here"
# Run the complete demo
make demo
```
- Morph VM spins up with MCP devbox
- 3 MCP servers install (filesystem, git, http)
- Permissioning sidecar starts with PERM-UNIFY-R1 policy
- Authenticated HTTP endpoints expose via Morph Cloud
- Client configs generate for Claude Desktop & Cursor
- Copy configs to your MCP clients
- Connect via supergateway (stdio↔SSE bridge)
- Enjoy authenticated, policy-enforced MCP access
This demo creates a production-ready MCP infrastructure on Morph Cloud:
- Morph VM with MCP development environment
- 2-3 MCP servers (filesystem, git, http)
- Authenticated HTTP services (bearer token auth)
- Permissioning sidecar with policy enforcement
- PERM-UNIFY-R1 schema (roles, tools, epochs, witnesses)
- Reverse proxy with request logging
- CERT-V1 records for audit trails
- Ready configs for Claude Desktop & Cursor

```
┌─────────────────┐     ┌──────────────────┐     ┌─────────────────┐
│  Claude/Cursor  │     │   Supergateway   │     │   Morph Cloud   │
│  (MCP Client)   │◄───►│   (stdio↔SSE)    │◄───►│ (HTTP Service)  │
└─────────────────┘     └──────────────────┘     └─────────────────┘
                                                          │
                                                          ▼
                                                ┌──────────────────┐
                                                │  Permissioning   │
                                                │     Sidecar      │
                                                │  (Policy Check)  │
                                                └──────────────────┘
                                                          │
                                                          ▼
                                                ┌──────────────────┐
                                                │   MCP Servers    │
                                                │ ┌──────────────┐ │
                                                │ │ filesystem   │ │
                                                │ │ git          │ │
                                                │ │ http         │ │
                                                │ └──────────────┘ │
                                                └──────────────────┘
```
```
mcp-sidecar-demo/
├── setup/
│   └── setup_mcp.py            # One-liner VM creation & setup
├── config/
│   └── policy.yaml             # PERM-UNIFY-R1 policy schema
├── clients/
│   ├── claude-desktop.json     # Claude Desktop MCP config
│   └── cursor.json             # Cursor MCP config
├── Makefile                    # Easy commands for demo
├── instance_info.json          # Generated instance details
└── README.md                   # This file
```
- Morph Cloud account (sign up)
- Python 3.8+ with pip
- Node.js (for npx/supergateway)
- MORPH_API_KEY environment variable
```bash
# Clone the repo
git clone https://github.com/SentinelOps-CI/mcp-sidecar-demo.git
cd mcp-sidecar-demo
# Install dependencies
make install-deps
# Set your API key
export MORPH_API_KEY="your-morph-api-key"
# Run the demo
make demo
```
After running `make demo`, you'll have:
- Running Morph VM with MCP infrastructure
- 3 authenticated HTTP endpoints:
  - https://mcp1.http.cloud.morph.so/mcp1/sse
  - https://mcp2.http.cloud.morph.so/mcp2/sse
  - https://mcp3.http.cloud.morph.so/mcp3/sse
- Client configs ready for Claude Desktop & Cursor
- Permissioning sidecar enforcing PERM-UNIFY-R1 policy
```bash
make help          # Show all available commands
make setup         # Create VM and setup MCP servers
make test          # Run smoke tests
make logs          # Show sidecar logs and permits
make epoch-rotate  # Demonstrate epoch rotation
make status        # Check instance status
make clean         # Stop instance and cleanup
```
The sidecar implements a minimal but complete permission schema:
```yaml
epochs:
  epoch-1:
    active: true
    expires_at: "2025-12-31T23:59:59Z"
    permissions: [read, write, call, grant]
roles:
  default:
    epochs: [epoch-1]
    tools: [filesystem, git, http]
    permissions: [read, write, call]
witnesses:
  sidecar-v1:
    type: "sidecar"
    capabilities: [policy_enforcement, request_logging, cert_generation]
```
- Client request → Morph Cloud HTTP service
- Authentication → Bearer token validation
- Policy check → Sidecar validates permissions
- Decision → Allow/deny based on epoch + role
- Logging → Request logged with CERT-V1 record
- Proxy → Forward to appropriate MCP server
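The policy check and decision steps above, including the inactive-epoch denial that the epoch rotation demo exercises, as an added Go example (not the project's sidecar code). It assumes a request must be granted by both the role and the epoch, that unknown roles or epochs deny, and that the deny label is `denied`; the `epoch-2` entry and the CERT-V1 layout (taken from the sample permit record) are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// Epoch, Role and Policy mirror the policy.yaml fields shown above.
type Epoch struct{ Active bool; ExpiresAt time.Time; Permissions []string }
type Role struct{ Epochs, Tools, Permissions []string }
type Policy struct{ Epochs map[string]Epoch; Roles map[string]Role }

func has(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Decide is default-deny: every check must pass. It also returns a CERT-V1
// string laid out like the README's sample permit ("denied" is an assumed label).
func Decide(p Policy, role, epoch, tool, perm string, now time.Time) (string, string) {
	r, e := p.Roles[role], p.Epochs[epoch] // unknown names yield zero values, which deny
	ok := e.Active && now.Before(e.ExpiresAt) && // epoch is live
		has(r.Epochs, epoch) && has(r.Tools, tool) && // role bound to epoch and tool
		has(r.Permissions, perm) && has(e.Permissions, perm) // granted by role and epoch
	d := "denied"
	if ok {
		d = "permitted"
	}
	return d, fmt.Sprintf("CERT-V1:%s:%s:%s", d, epoch, now.UTC().Format(time.RFC3339))
}

// DemoPolicy is constructed: the README policy plus an inactive epoch-2 for the default role.
func DemoPolicy() Policy {
	exp := time.Date(2025, 12, 31, 23, 59, 59, 0, time.UTC)
	all := []string{"read", "write", "call", "grant"}
	return Policy{
		Epochs: map[string]Epoch{"epoch-1": {true, exp, all}, "epoch-2": {false, exp, all}},
		Roles: map[string]Role{"default": {[]string{"epoch-1", "epoch-2"},
			[]string{"filesystem", "git", "http"}, []string{"read", "write", "call"}}},
	}
}

func main() {
	fmt.Println(Decide(DemoPolicy(), "default", "epoch-2", "git", "read", time.Now()))
}
```

The `default` role never receives `grant`, even though the epoch carries it, because the decision takes the intersection of the two lists.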
See the power of time-based permissions in action:
```bash
# Run the epoch rotation demo
make epoch-rotate
```
What happens:
- Start: Access allowed with `epoch-1` (active)
- Rotate: Switch to `epoch-2` (inactive)
- Result: Access denied (epoch inactive)
- Activate: Enable `epoch-2`
- Success: Access restored with new epoch
Output example:
```
Demonstrating epoch rotation...
Current epoch: epoch-1 (active)
Testing access...
Rotating to epoch-2...
Epoch rotated to epoch-2
Testing access with new epoch...
Epoch rotation demo completed!
```
```bash
make logs
```
Shows:
- Sidecar logs (policy decisions)
- Request permits (JSONL format)
- MCP server logs
- CERT-V1 audit records
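An added Go example (not part of the project) for reviewing the JSONL permits: it checks that each `cert_record` agrees with the record's own `decision`, `epoch` and `timestamp` fields, and flags permits issued under an epoch that is not in the active set. The `CERT-V1:<decision>:<epoch>:<timestamp>` layout is inferred from the single sample record in this section, and all sample lines except the first are constructed.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"strings"
)

// Permit holds the fields of the README's sample permit record used by the audit.
type Permit struct {
	Timestamp  string `json:"timestamp"`
	RequestID  string `json:"request_id"`
	Decision   string `json:"decision"`
	Epoch      string `json:"epoch"`
	CertRecord string `json:"cert_record"`
}

// AuditPermits returns one finding per problem: invalid JSON, a cert_record that
// disagrees with the structured fields, or a permit under a non-active epoch.
func AuditPermits(jsonl string, active map[string]bool) []string {
	var findings []string
	sc := bufio.NewScanner(strings.NewReader(jsonl))
	for n := 1; sc.Scan(); n++ {
		if strings.TrimSpace(sc.Text()) == "" {
			continue // tolerate blank lines between records
		}
		var p Permit
		if err := json.Unmarshal(sc.Bytes(), &p); err != nil {
			findings = append(findings, fmt.Sprintf("line %d: invalid JSON", n))
			continue
		}
		want := "CERT-V1:" + p.Decision + ":" + p.Epoch + ":" + p.Timestamp // assumed layout
		if p.CertRecord != want {
			findings = append(findings, fmt.Sprintf("line %d: %s cert_record mismatch", n, p.RequestID))
		}
		if p.Decision == "permitted" && !active[p.Epoch] {
			findings = append(findings, fmt.Sprintf("line %d: %s permitted under inactive epoch %s", n, p.RequestID, p.Epoch))
		}
	}
	return findings
}

// SamplePermits: line 1 follows the README sample; lines 2 and 3 are constructed.
const SamplePermits = `{"timestamp":"2025-01-20T10:30:00Z","request_id":"req-1705750200000000000","decision":"permitted","epoch":"epoch-1","cert_record":"CERT-V1:permitted:epoch-1:2025-01-20T10:30:00Z"}
{"timestamp":"2025-01-20T10:31:00Z","request_id":"req-2","decision":"permitted","epoch":"epoch-0","cert_record":"CERT-V1:permitted:epoch-0:2025-01-20T10:31:00Z"}
{"timestamp":"2025-01-20T10:32:00Z","request_id":"req-3","decision":"denied","epoch":"epoch-1","cert_record":"CERT-V1:permitted:epoch-1:2025-01-20T10:32:00Z"}`

func main() { fmt.Println(strings.Join(AuditPermits(SamplePermits, map[string]bool{"epoch-1": true}), "\n")) }
```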
```json
{
  "timestamp": "2025-01-20T10:30:00Z",
  "request_id": "req-1705750200000000000",
  "method": "GET",
  "path": "/mcp1/sse",
  "client_ip": "192.168.1.100",
  "decision": "permitted",
  "epoch": "epoch-1",
  "witness": "sidecar-v1",
  "cert_record": "CERT-V1:permitted:epoch-1:2025-01-20T10:30:00Z"
}
```
- Copy `clients/claude-desktop.json` to your Claude Desktop config
- Update `MORPH_API_KEY` in the config
- Restart Claude Desktop
- MCP servers appear in your tools

- Copy `clients/cursor.json` to your Cursor MCP config
- Update `MORPH_API_KEY` in the config
- Restart Cursor
- Access MCP servers via the command palette
The configs use supergateway to bridge:
- stdio (what Claude/Cursor expect)
- SSE (what Morph Cloud provides)
Snapshots are tagged for easy management:
```json
{
  "role": "mcp-demo",
  "epoch": "1",
  "created_at": "2025-01-20T10:00:00Z"
}
```
To rotate epochs:
- Stop instance from current snapshot
- Start instance from new epoch snapshot
- Update policy in sidecar
- Restart sidecar with new configuration

"MORPH_API_KEY not set"
```bash
export MORPH_API_KEY="your-api-key"
```
"morphcloud SDK not found"
```bash
pip install morphcloud
```
"npx not available"
```bash
# Install Node.js from https://nodejs.org/
```
Instance not starting
```bash
make status  # Check instance status
make logs    # View sidecar logs
```
Enable verbose logging:
```bash
# Set environment variable
export MORPH_DEBUG=1
# Run setup
make setup
```
- VM Specs: 2 vCPUs, 2GB RAM, 2GB disk
- Startup Time: ~2-3 minutes (first time)
- Response Time: <100ms (sidecar overhead)
- Concurrent Users: 10+ (configurable)
- Horizontal: Add more MCP servers
- Vertical: Increase VM resources
- Load Balancing: Multiple sidecar instances
```bash
# Clone and setup
git clone https://github.com/SentinelOps-CI/mcp-sidecar-demo.git
cd mcp-sidecar-demo
# Install dev dependencies
pip install -e ".[dev]"
# Run tests
make test
```
- Go sidecar: Performance and simplicity
- Python setup: Rapid prototyping
- Morph Cloud: Managed infrastructure
- Supergateway: Proven SSE bridge
MIT License - see LICENSE file for details.
- Morph Labs for the amazing cloud platform
- MCP Community for the protocol specification
- Supergateway for the SSE bridge implementation
Questions? Issues? Open an issue