April 13, 2026
Introducing Arc Relay: an open-source MCP control plane
Arc Relay is the first piece of the Comma Compliance Arc platform you can run today. It is an open-source control plane that sits between your AI clients and your MCP servers - one place for auth, policy, middleware, and per-user access control. MIT licensed, runs in Docker, set up in one command.
Why this exists
MCP is one of the most important things happening in AI tooling. It is the protocol that lets agents call real tools - your CRM, your code, your infrastructure. The trouble is that MCP was originally designed for one developer with a handful of servers. As soon as you have more than one user, more than one machine, or more than a couple of servers, the cracks show up.
We needed a control plane for AI tool use that was usable by a solo dev on day one and still made sense for a team of a hundred. We did not find one we liked, so we built one. That is Arc Relay.
Arc Relay is also the first piece of a bigger platform. We are building Comma Compliance Arc, a compliance fabric for AI and agent activity, and Arc Relay is the first piece of the platform you can take for a spin today. There is more on the homepage, but for this post we will stay focused on Arc Relay.
If you are a solo developer
You probably run multiple agents across multiple machines. Each agent spawns its own in-memory MCP servers per project. You end up with the same Sentry, Shortcut, and GitHub MCPs running four or five times across the same laptop, racing each other for tokens and burning RAM.
With Arc Relay, you run one instance somewhere - your dev machine, a cheap VPS, your home server - and configure your MCPs once. Every agent on every machine connects to the same control plane via a single SSE URL. No more redundant servers. No more reconfiguring every project. One place to look when something breaks. There is a full solo developer journey on the Arc Relay page if you want the details.
If you are a small or mid-size team
The hard part of MCP at team scale is not connecting things - it is governing them. Your devs need GitHub. Marketing needs the CRM. Execs want read-only dashboards. Your accounting agent should be able to write invoices, but absolutely should not be able to delete transactions. Every MCP server has a couple of tools that need to be locked down.
Arc Relay does this with profile-based, per-tool access control. You create profiles - accounting, reporting, engineering, executive - and map specific tools to each profile. The accounting profile gets create_invoice and update_customer on the QuickBooks MCP, but not delete_transaction. The reporting profile gets read-only across all financial MCPs. A trusted admin gets access to the dangerous tools nobody else should be touching.
We call it the 2-of-15 problem. Most MCP servers ship 15 tools, of which 2 are dangerous. Don't give everyone access to those 2. The access control section on the Arc Relay page has examples and screenshots.
The other thing we like about this model is that the same tool shows up in multiple profiles at different access levels. Your CRM gets read/write access for marketing, read-only for execs, and lookup-only for the engineering team. We sketched this out in the personas working together section on the Arc Relay page. The overlap is the point - one team uses many tools, many people use the same tools differently, and the single control plane is what brings them together.
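The profile model described above, sketched as a deny-by-default check on MCP tools/list and tools/call messages. This is an added example, not Arc Relay's code or configuration format. The server names, every tool name other than the three quoted in the post, and the -32001 error code are assumptions.

```python
# Profile -> server -> allowed tool names. Anything not listed is denied.
# The accounting entry mirrors the post; other server/tool names are assumed.
PROFILES = {
    "accounting": {"quickbooks": {"create_invoice", "update_customer"}},
    "reporting": {"quickbooks": {"get_report"}},
    "executive": {"crm": {"search_contacts"}},
    "marketing": {"crm": {"search_contacts", "update_contact"}},
    "admin": {"quickbooks": {"create_invoice", "update_customer",
                             "get_report", "delete_transaction"}},
}


def allowed_tools(profiles, server):
    """Union of the tools that the caller's profiles grant on one server."""
    granted = set()
    for name in profiles:
        granted |= PROFILES.get(name, {}).get(server, set())
    return granted


def filter_tools_list(profiles, server, tools):
    """Trim an upstream tools/list result so denied tools are never advertised."""
    granted = allowed_tools(profiles, server)
    return [tool for tool in tools if tool["name"] in granted]


def authorize(profiles, server, request):
    """Return None to forward the request, or a JSON-RPC error for a denied call."""
    if request.get("method") != "tools/call":
        return None  # only tool invocations are gated here
    tool = request.get("params", {}).get("name")
    if tool in allowed_tools(profiles, server):
        return None
    return {
        "jsonrpc": "2.0",
        "id": request.get("id"),
        # -32001 is a constructed, implementation-defined error code.
        "error": {"code": -32001, "message": f"tool not permitted: {server}/{tool}"},
    }


# Constructed request: an accounting agent tries the one dangerous tool.
DENIED = authorize(["accounting"], "quickbooks", {
    "jsonrpc": "2.0", "id": 1, "method": "tools/call",
    "params": {"name": "delete_transaction", "arguments": {"id": "tx-1"}},
})
```

Filtering tools/list as well as gating tools/call means an agent is never offered a tool it would be refused.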
If you are a home labber
Your home lab is already a fleet of Docker containers and HTTP services - pfSense, Home Assistant, Sonarr, Radarr, Nextcloud, and whatever else you have wired up over the years. Arc Relay drops in as another container with an Unraid template, a Portainer stack, or plain Docker. Local containerized MCPs get auto-start and health checks. Remote ones flow straight through. Your agents talk to one URL. The home labber journey on the Arc Relay page lists the deploy paths, including the Unraid template.
The middleware pipeline
This is the part that separates Arc Relay from a plain MCP proxy. Every tool call passes through a configurable pipeline before it reaches your servers, and you can enable or disable each stage per-server:
- Sanitizer - PII redaction in real time. Strip credit card numbers, SSNs, emails, and custom patterns from arguments before they leave your environment.
- Content Sizer - Prevent context window exhaustion by enforcing per-server response size limits.
- Alerter - Pattern monitoring for tool calls. Get notified on dangerous patterns or error spikes.
- Archive - Audit trail of every tool call. Local by default, optional encrypted compliance endpoint for regulated workloads.
Custom middleware support is on the way - you will be able to plug your own logic into the same pipeline alongside the built-ins. See the middleware section on the Arc Relay page for the current state.
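A sketch of what a Sanitizer-style stage does to tool-call arguments before they are forwarded upstream. This is an added example, not Arc Relay's implementation. The patterns, placeholder format and function names are assumptions, and the Luhn check is one way to avoid redacting order numbers and other long digit strings as cards.

```python
import re

EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
SSN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digits, optional separators


def luhn_ok(digits):
    """Luhn checksum: keeps arbitrary long numbers from being redacted as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def redact_text(text, hits):
    """Replace each match with a typed placeholder and count it in `hits`."""
    def replace(label, check=None):
        def sub(m):
            if check and not check(re.sub(r"\D", "", m.group())):
                return m.group()  # e.g. an order number that fails Luhn
            hits[label] = hits.get(label, 0) + 1
            return f"[REDACTED:{label}]"
        return sub
    text = CARD.sub(replace("card", luhn_ok), text)
    text = SSN.sub(replace("ssn"), text)
    return EMAIL.sub(replace("email"), text)


def sanitize(value, hits):
    """Walk nested arguments and return a redacted copy; non-strings pass through."""
    if isinstance(value, dict):
        return {k: sanitize(v, hits) for k, v in value.items()}
    if isinstance(value, list):
        return [sanitize(v, hits) for v in value]
    return redact_text(value, hits) if isinstance(value, str) else value


def sanitize_call(request):
    """Redact params.arguments of a tools/call request; returns (request, hits)."""
    hits = {}
    params = dict(request.get("params", {}))
    params["arguments"] = sanitize(params.get("arguments", {}), hits)
    return {**request, "params": params}, hits

# Constructed sample arguments (all values made up).
SAMPLE_ARGS = {"email": "jane.doe@example.com", "memo": "card 4111 1111 1111 1111"}
```

The per-label counts returned in hits are the kind of signal an alerting or audit stage could record without storing the redacted values themselves.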
Get started
The fastest path is one Docker command. No Compose file, no config file - everything else happens in the web UI after it boots.
docker run -d --name arc-relay -p 8080:8080 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -v arc-relay-data:/data \
  -e ENCRYPTION_KEY="$(openssl rand -hex 32)" \
  -e ADMIN_PASSWORD=changeme \
  ghcr.io/comma-compliance/arc-relay:latest
Open http://localhost:8080, set your admin password, and start adding MCP servers. There are one-click deploy buttons for Render, Heroku, and Railway, plus an Unraid template, on the Arc Relay page.
For production, use Compose - the README walks you through it.
Where this does not fit
We are honest about what Arc Relay is and is not. It is a proxy, so it does not maintain session state across requests on behalf of upstream MCPs. If your MCP is stateful or session-heavy in a way that needs the proxy to remember things between calls, this is not the right tool. If you are a giant enterprise with a dedicated platform team running their own service mesh and audit infrastructure, you probably want purpose-built enterprise tooling.
The sweet spot is 1 user to a few hundred users. Solo devs, small teams, home labs, mid-size organizations. The limitations section on the Arc Relay page has the full picture.
Why open source
MCP infrastructure is too important to be locked behind a vendor. The layer that sits between your AI agents and your production tools needs to be inspectable, modifiable, and self-hostable. Arc Relay is MIT licensed because the control plane should be a public good.
Arc Relay also stands on its own. You do not need to be a Comma Compliance customer to use it. Install it, configure it, manage your MCP servers, and never talk to us again if you do not want to. That is a complete product.
The bigger picture
Comma Compliance builds compliance archiving for regulated industries. Our core product captures WhatsApp, Signal, iMessage, and 40+ other channels for SEC and FINRA-regulated firms. Arc Relay is the first piece of Comma Compliance Arc, our platform for capturing and governing AI and agent activity alongside those human channels. There is more on the homepage if that is interesting to you.
But that is a story for the platform pages. For today, Arc Relay is the thing you can run this afternoon.