Governed AI for Drupal
Mission impact
The problem
Drupal is powerful — and that power makes everyday work slow. Auditing content, fixing metadata, cleaning taxonomy, finding stale pages: still mostly manual, one screen at a time.
Meanwhile, your team is already reaching for AI. The real question isn't whether AI touches your content — it's how to allow it without handing an agent the keys to production. Ungoverned AI access to a CMS is a liability. No access is a missed opportunity. You shouldn't have to choose.
The solution: two layers, one outcome
Productivity at the edge. Authority at the source.
- Drupal MCP Connector — an open-source bridge that connects any AI assistant (via the open Model Context Protocol) to one or more Drupal sites. It turns "find every article missing a meta description" into a single operation instead of an afternoon of clicking.
- MCP Sentinel — a Drupal module that governs that access from inside Drupal: it decides what each agent may read, write, or delete, redacts sensitive fields, and records every action in a tamper-evident audit log. It never trusts a client's word about who it is.
Each is useful alone. Together they're a governed AI interface to Drupal — fast for the people doing the work, controlled for the people accountable for the system.
Who it's for
- Content & editorial teams — bulk audits and fixes in seconds, not afternoons.
- Platform & DevOps — a standard, multi-site way to "add AI" without opening a hole.
- Security & compliance — allow AI and prove control: attribution, audit, data-loss prevention.
- Digital agencies — one interface across many client sites; independent governance per site.
- Regulated organizations (government, higher-ed, healthcare) — a controlled, auditable on-ramp to AI.
What you can do
Ask in plain language; get structured, governed action:
"List every published page missing a meta description."
"Unpublish all Event articles older than six months."
"Show every user who hasn't logged in for 90 days."
"Run an SEO and accessibility audit on the article content type."
"Create 10 draft product nodes from this structured data."
Under the hood: 66 tools across 9 modules (content, taxonomy, users, media, entities, reports, and more), dual-protocol JSON:API + GraphQL, 10 read-only audit reports, and an optional SSH Drush bridge for admin operations — all reachable from any MCP-compatible assistant.
Why it's safe
MCP Sentinel enforces governance inside Drupal, where it can't be bypassed by any client:
- Server-authoritative authorization — every gate is decided from the authenticated role and OAuth scopes (mcp:read/mcp:write). A client header can never grant authority or escape governance.
- Attribution — AI activity is tied to a real, governed account. Never anonymous "system" activity.
- Tamper-evident audit — every action is logged in an HMAC-chained record; altering history breaks verification.
- Data-loss prevention — sensitive fields are redacted before content ever leaves Drupal.
- Containment — content locks protect in-progress human edits; rate, quota, and IP limits bound blast radius; read-only profiles remove write capability entirely.
The Connector adds a second layer of guardrails at the edge — read-only and PII-redacting presets in one line of config — so honest mistakes are stopped before they reach the wire. Two layers, two trust domains: defense in depth.
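What "HMAC-chained" and "altering history breaks verification" mean in practice, as an added example that is not MCP Sentinel's code or record format. The field names, tool names and key are assumptions, and the events are constructed.

```javascript
// Added illustration of a generic HMAC-chained audit log.
// NOT MCP Sentinel's record format: fields, tool names and key are assumptions.
const crypto = require('crypto');

// Constructed demo key; a real key lives outside the database holding the log.
const AUDIT_KEY = Buffer.from('constructed-demo-key-not-for-production');
const GENESIS = '0'.repeat(64);

// Serialize fields in a fixed order so the MAC input is unambiguous.
function canonical(e) {
  return JSON.stringify([e.seq, e.account, e.tool, e.target, e.prev]);
}

function mac(e, key) {
  return crypto.createHmac('sha256', key).update(canonical(e)).digest('hex');
}

// Append a record whose MAC covers its own fields plus the previous record's MAC.
function append(log, event, key = AUDIT_KEY) {
  const prev = log.length ? log[log.length - 1].mac : GENESIS;
  const entry = { seq: log.length, ...event, prev };
  entry.mac = mac(entry, key);
  log.push(entry);
  return entry;
}

// Walk the chain; return the index of the first bad record, or -1 if intact.
function verify(log, key = AUDIT_KEY) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    const expected = Buffer.from(mac({ ...e, prev }, key), 'hex');
    const actual = Buffer.from(String(e.mac), 'hex');
    const ok = e.seq === i && e.prev === prev &&
      actual.length === expected.length && crypto.timingSafeEqual(actual, expected);
    if (!ok) return i;
    prev = e.mac;
  }
  return -1;
}

// Constructed sample events (hypothetical tool names).
function sampleLog() {
  const log = [];
  append(log, { account: 'ai-editor', tool: 'node_update', target: 'node/12' });
  append(log, { account: 'ai-editor', tool: 'node_unpublish', target: 'node/40' });
  append(log, { account: 'ai-auditor', tool: 'report_seo', target: 'type/article' });
  return log;
}
```

Edits, deletions in the middle, and re-signing without the key all fail at the affected record. Dropping records from the tail leaves a valid shorter chain, so the latest MAC or record count has to be anchored somewhere the log writer cannot rewrite.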
How they work together
The Connector and Sentinel align through a published Integration Contract (v1.0) rather than tight coupling — so each can evolve independently. The Connector proposes; Drupal disposes. The client's identity label is recorded for audit only; the server's resolved identity is what actually decides anything.
AI assistant → Connector (edge guardrails) → OAuth-authenticated Drupal → Sentinel (authoritative governance)
- AI assistant: natural language
- Connector: presets · redaction
- OAuth-authenticated Drupal: JSON:API / GraphQL
- Sentinel: role+scope authz · audit · DLP
Open by design
Trust tooling should be inspectable. Both products are open source — you can read exactly how authorization is decided, how the audit chain is computed, and where your data can and cannot go. Adopt one, the other, or both, and verify each.
- Drupal MCP Connector — MIT-licensed (Node.js).
- MCP Sentinel — GPL-2.0-or-later, on Drupal.org as drupal/mcp_sentinel.
Built by Jeremy Michael Cerda and Wilkes & Liberty, LLC. Actively developed and open source — see the repositories for current capabilities and status.
Get started
- Evaluate the platform — drupal-mcp-connector · drupal.org/project/mcp_sentinel
- Talk to us — Wilkes & Liberty, LLC
Outcomes
Key capabilities
Server-authoritative authorization
Every read, write, and delete is decided inside Drupal from the authenticated role and OAuth scopes (mcp:read/mcp:write). A client-supplied header can never grant authority or escape governance.
Mission benefit: Authority can't be spoofed or bypassed.
Tamper-evident audit
Every governed action is recorded and attributed to a real account in an HMAC-chained log. Altering history breaks verification — so the record is trustworthy after the fact.
Mission benefit: Provable accountability for AI activity.
Data-loss prevention
Field-level redaction strips PII and internal fields before content ever leaves Drupal, keeping sensitive data out of AI context windows by policy — not by hope.
Mission benefit: Sensitive data stays inside the boundary.
Natural-language operations, dual-protocol
The Drupal MCP Connector exposes 66 governed tools — content, taxonomy, users, media, entities, and reports — over JSON:API and GraphQL to any MCP-compatible assistant.
Mission benefit: Hours of manual work become a single request.
Defense-in-depth across two trust domains
Connector presets stop honest mistakes at the edge; Sentinel enforces authority at the source. The two stay aligned through a versioned Integration Contract (v1.0).
Mission benefit: Ergonomic guardrails and authoritative control.
Containment by design
Content locks protect in-progress human edits; rate, quota, and IP limits bound blast radius; read-only profiles remove write capability entirely.
Mission benefit: A confused or compromised agent can't run wild.