One control plane for AI tool use.
Arc Relay is the first piece of the Comma Compliance Arc platform - an open-source MCP control plane that sits between your AI clients and your tools. Built for solo devs, small teams, home labbers, and mid-size orgs. MIT licensed.
Who is Arc Relay for?
One control plane for AI tool use - built for teams that are 1 to a few hundred users. Solo devs, small teams, home labbers, mid-size orgs. The everybody-else of MCP.
Built for
- - Solo developers running multiple agents and machines
- - Small to mid-size teams sharing MCP infrastructure
- - Home labbers wiring up their self-hosted stack
- - Organizations from 1 to a few hundred users
- - Anyone who wants per-user, per-tool access control without an enterprise sales cycle
Not the right fit if you
- - Are a giant enterprise with dedicated platform teams already running their own tool orchestration
- - Need stateful or session-heavy MCPs that maintain state across requests
- - Are looking to replace a large, complex internal system - this is a focused tool, not a magic bullet
See limitations below for more.
Journey 1
Solo developer
Run across multiple machines. Reuse MCPs across projects. Stop spawning a separate MCP server for every agent.
The pain
You run four agents. Each one spawns its own in-memory MCP servers. Congratulations - you have a ton of races, you burn a ton of RAM, and you have no shared state. That is not great. Worse, when you switch machines, you have to set everything up again.
The fix
Run one Arc Relay instance. Configure your MCPs there - Sentry, Shortcut, GitHub, your own custom servers. Every agent on every machine connects to the same control plane via a single SSE URL. One source of truth, no duplicated processes.
Example stack
Get started in one command:
docker run -d --name arc-relay -p 8080:8080 \
-v /var/run/docker.sock:/var/run/docker.sock \
-v arc-relay-data:/data \
-e ENCRYPTION_KEY=$(openssl rand -hex 32) \
-e ADMIN_PASSWORD=changeme \
ghcr.io/comma-compliance/arc-relay:latestJourney 2
Small to mid-size team
Shared MCP infrastructure with per-user access control. Everyone gets the tools they need at the permission level they should have.
The pain
Your devs need GitHub and the staging database. Marketing needs the CRM and Webflow. Execs want read-only dashboards. With direct MCP, everyone gets all of it - including the dangerous tools nobody should be calling. And every laptop is its own configuration island.
The fix
One Arc Relay instance for the whole team. Define profiles. Map tools to profiles. Accounting writes to QuickBooks. Reporting gets read-only across financial MCPs. The two dangerous tools out of fifteen go to trusted admins only. Everyone signs in, gets their tools, and the dangerous stuff stays off-limits to people who do not need it.
Deploy with one click
Spin up Arc Relay on your favorite host. Configuration happens in the web UI after deploy.
One-click deploys spin up Arc Relay against the public repo template. Fork the repo to customize before deploying.
Journey 3
Home labber
One control plane for your self-hosted stack. Wire up the MCPs your agents need against the services you already run.
Why it fits
Your home lab is a fleet of Docker containers, plus services that already speak HTTP. Arc Relay's Docker lifecycle manager auto-starts and recovers your local MCPs, while remote MCPs (the ones already exposed by your hosted services) flow straight through. One spot to wire it all up, one URL for every agent.
Example MCP servers
Unraid template
One-click install via the Community Applications template.
Portainer / Proxmox / vanilla Docker
Single container, mounts the Docker socket. Drops into your existing stack.
Personas working together
One team uses many tools. Many people use the same tools differently. The single control plane is what brings them together.
Dev
Engineer profile
- - pfSense
- - Sentry
- - Shortcut
- - GitHub
- - Codex CLI integrations
- - CRM (read/write)
GTM
Marketing profile
- - Webflow
- - CRM (read/write)
- - Marketing email
- - Enrichment tools
- - Otter (meeting notes)
Exec
Executive profile
- - Otter (meeting notes)
- - CRM (read-only)
- - Dashboard reporting
- - Email summaries
The overlap is the point.
Devs and execs both touch Otter. Everyone uses the CRM at different access levels. Marketing reads from the dev tools. Arc Relay routes each person to the right tools at the right level - from one place, with one audit trail.
How the pieces fit
Arc Relay is a proxy. Local containerized MCPs get full lifecycle management. Remote hosted MCPs flow straight through. Everything is governed by the same middleware, auth, and audit trail.
MCP Clients
Arc Relay
Auth - Policy - Per-user, per-tool access
Middleware pipeline
Docker Lifecycle Management
Auto-start, health checks, auto-recovery
Local / Containerized MCPs
Direct passthrough for remote MCPs
No lifecycle management needed
Remote / Hosted MCPs
Docker lifecycle only applies to local containers you want Arc Relay to manage. Remote hosted MCPs go through the same middleware and auth, just without the container layer.
The middleware pipeline
Every tool call passes through a configurable middleware pipeline before reaching your servers. Enable, disable, or configure each stage per-server.
Sanitizer
PII redaction in real time. Strip credit card numbers, SSNs, emails, phone numbers, and custom patterns from tool call arguments before they reach external services.
Content Sizer
Prevent context window exhaustion. Set max response sizes per server or per tool. Truncate or reject responses that would blow out your context budget.
Alerter
Pattern monitoring for tool calls. Get notified when specific tools are used, when arguments match patterns, or when error rates spike.
Archive
Audit trail of every tool call. User, timing, arguments, results, and status. Local by default. Optional encrypted compliance endpoint for regulated environments.
Pluggable and custom middleware
The four built-in middlewares are the starting point. Your specific compliance, security, or business logic can plug in alongside them. Arc Relay supports writing custom middleware in Go, with a stable interface and the same per-server enable/configure model as the built-ins.
Use cases we have seen:
- Your own PII or secret patterns - tuned to your data
- Custom transformations on tool arguments or responses
- Enrichment - adding context the upstream MCP cannot see
- Per-tenant logic for multi-customer deployments
- Approval workflows for high-risk tools
Custom middleware support is being finalized - check the GitHub repository for the latest interface and examples.
Tool-level access control
Per-user, per-tool permissions. Profile-based roles. Risky tools restricted to people who should actually be calling them.
Accounting profile
QuickBooks write access
- + create_invoice
- + update_customer
- + list_transactions
- - delete_transaction
- - void_invoice
Reporting profile
Read-only across financials
- + list_invoices
- + get_balance_sheet
- + query_transactions
- - everything else
Trusted admin
Risky tools allowed
- + execute_sql
- + run_command
- + delete_records
- + everything else
The 2 of 15 problem. Most MCP servers ship 15 tools where 2 are dangerous. Don't give everyone access to those 2. Arc Relay lets you gate the dangerous tools to trusted users while keeping the safe ones available to the whole team.
Full management UI included
Server dashboard, request logs, multi-client connect, user/role management, invite-based onboarding. Complex MCP infrastructure with a simple interface.
Get started
The easiest path is one Docker command. The advanced path is a Compose file.
Easiest - one command
docker run -d --name arc-relay -p 8080:8080 \
-v /var/run/docker.sock:/var/run/docker.sock \
-v arc-relay-data:/data \
-e ENCRYPTION_KEY=$(openssl rand -hex 32) \
-e ADMIN_PASSWORD=changeme \
ghcr.io/comma-compliance/arc-relay:latest
Then open http://localhost:8080 and finish setup in the web UI.
One-click hosts
One-click deploys spin up Arc Relay against the public repo template. Fork the repo to customize before deploying.
Advanced - Docker Compose
For production deployments where you want the config in version control.
services:
arc-relay:
image: ghcr.io/comma-compliance/arc-relay:latest
ports:
- "8080:8080"
volumes:
- ./config.toml:/etc/arc-relay/config.toml
- /var/run/docker.sock:/var/run/docker.sock
- arc-data:/data
restart: unless-stopped
volumes:
arc-data:[server]
host = "0.0.0.0"
port = 8080
[database]
path = "/data/arc-relay.db"
[docker]
socket = "unix:///var/run/docker.sock"
network = "arc-relay"
[encryption]
key = "generate-with-openssl-rand-hex-32"
[auth]
session_secret = "generate-a-real-secret"
admin_password = "changeme"Works standalone. No account required.
Arc Relay runs fully independent with local storage. No SaaS dependency, no vendor lock-in. The GitHub README has full production deployment guidance.
Sync to your projects
The Arc Relay CLI syncs your managed servers to local projects. One command updates all your .mcp.json files so every project picks up your central config.
Where Arc Relay does not fit
We are honest about what this tool is. It is not a magic bullet for every MCP problem.
Stateful or session-heavy MCPs
Arc Relay is a proxy with per-request semantics. It does not maintain session state on behalf of the upstream MCP, and tools that need long-running connections, in-memory state between calls, or local files persisted across a session are awkward to proxy. Arc Relay can still launch them via Docker, but the proxy will not hold their state for them. If that is your MCP, run it directly or build the state into your own infrastructure.
Replacing enterprise tool orchestration
If your org is, say, a Fortune 500 with three platform teams already running their own service mesh, policy engine, IAM stack, and audit pipeline - and what you actually need is to plug MCP into all of that - you want purpose-built enterprise tooling and a long integration project, not a single self-hosted control plane. Arc Relay was not built to replace those systems and will not pretend to.
The sweet spot
1 user to a few hundred users. Solo devs, small teams, home labs, mid-size orgs. Larger than that and you probably need purpose-built enterprise infrastructure - or a conversation with us about the broader Arc platform.
Start managing your MCP servers
Open source, MIT licensed. Running in 5 minutes with Docker.