Markdown Content - MCP-Airlock Is Now Trentina: The 1377 Quarantine That Inspired Our Rename

---
# MCP-Airlock Is Now Trentina: The 1377 Quarantine That Inspired Our Rename

**URL:** https://crunchtools.com/trentina/
Date: 2026-06-23
Author: fatherlinux
Post Type: post
Summary: MCP-Airlock is becoming Trentina — named after the 1377 quarantine system from Ragusa that inspired its architecture. Same three-layer defense, same gateway, better name.Continue Reading "MCP-Airlock Is Now Trentina: The 1377 Quarantine That Inspired Our Rename" →
Categories: Articles, Software
Tags: AI/ML, Generative AI, Open Source Software, Python, Security
Featured Image: https://crunchtools.com/wp-content/uploads/2026/06/gemini_gen_20260623_155435_504fc7ac.png
---

I've been expanding MCP-Airlock well beyond its original scope for the past few months, and the name stopped fitting a while ago. When I first built it in March, it was a straightforward tool for safe web fetching — sanitize content before it hits your agent's context window. Since then it's grown into a full MCP gateway with per-consumer profiles, tool allowlists, and parameter-level access controls that can restrict things like email recipients on a per-agent basis. That's not an airlock anymore, and I think continuing to call it one would be misleading about what the project actually does.

There's also a practical problem: the name collides with another MCP gateway project that already exists. It was a good name, and I don't blame them for picking it, but two projects with the same name in the same space creates confusion that nobody benefits from. Between the scope expansion and the naming collision, it was time for something new.

## Why Trentina

I read a [Bloomberg article](https://www.bloomberg.com/opinion/articles/2026-06-23/ai-agents-demand-a-rethinking-of-how-work-gets-done) this morning that crystallized the name I'd been looking for. The piece was about how AI agents are forcing organizations to rethink their workflows, and the author reached back to 1377 to make the point. The city of Ragusa, near modern-day Dubrovnik on the Dalmatian coast, had built something genuinely progressive for the era — an open shipping system where anyone could dock and trade. Commerce flowed freely, and the city prospered because of it. Then the plague arrived, and they had a problem that probably felt familiar to anyone running AI agents today: how do you keep the system open without letting something dangerous through?

Rather than closing the ports entirely, which would have killed the commerce that made the city viable, they designated a set of abandoned islands offshore. Every incoming ship had to anchor there for thirty days before anyone was allowed into the city. They called this *Trentina*, from the Italian *trenta* — thirty. The concept worked so well that they later extended the isolation period to forty days, *quaranta*, and that's where the English word quarantine comes from. I think most people assume quarantine is some kind of medical term that emerged from modern epidemiology, but it's actually a 14th-century trade policy from a Dalmatian port city that figured out how to keep doing business while managing existential risk.

When I dug into that story, it struck me how much their problem — figuring out how to let trade flow without letting the plague in — mirrors the headaches we're dealing with in MCP security. Your agent needs to fetch web pages, read files, call APIs, but every one of those interactions is a potential vector for prompt injection, and you can't just board up the ports and refuse to let anything through. What you actually need is a process for handling untrusted things safely.

## What Trentina Actually Does

The way it works is pretty mechanical, which I think is a feature and not a bug. Trentina takes untrusted content — web pages, files, search results — and holds it in isolation while multiple layers of inspection run against it, kind of like making a ship sit offshore while the harbor master checks for signs of plague. Layer 1 strips the structural attacks: hidden HTML, invisible Unicode, encoded payloads, fake LLM delimiters. Layer 2 runs a classifier to catch behavioral manipulation that structural analysis misses. Layer 3 hands the sanitized content to a quarantined LLM instance — deliberately a smaller, less capable model that's hardened against prompt injection. Dumber models are actually better for this job, because they're less susceptible to the elaborate social engineering and persona hijacking that larger models fall for. The Q-Agent has no tools and no memory, which means even if an attacker does manage to manipulate it, the blast radius is minimal. It extracts the useful information while the dangerous instructions stay on the island.

But the part that really outgrew the "airlock" name is the gateway. Trentina now sits between your agents and all of their MCP backends, acting as a policy engine that controls who can do what with which tools. Each consumer — whether that's Claude Code, an OpenClaw instance, or a Hermes agent — gets its own profile with explicit tool allowlists and parameter guards. You can say "this agent can send email, but only to these three recipients" or "this agent can access GitHub but can't force-push." When you're doing that kind of fine-grained argument validation on every tool call, calling the thing an "airlock" felt like calling a refinery a pipe. Technically there are pipes involved, but you're missing the point of what the system actually does.

## What's Changing

We're renaming the project from **MCP-Airlock** to **Trentina**. The Python package goes from `mcp-airlock-crunchtools` to `mcp-trentina-crunchtools`, the container image moves from `quay.io/crunchtools/mcp-airlock` to `quay.io/crunchtools/mcp-trentina`, and the GitHub repo will go from `crunchtools/mcp-airlock` to `crunchtools/mcp-trentina`.

Don't worry about your existing setup — we're not yanking the rug out from under anyone. GitHub provides automatic redirects when you rename a repository, and the old PyPI package will get a final release that depends on the new one and prints a deprecation notice. All your existing `profiles.yaml` configurations, environment variables, and tool calls keep chugging along. If you have Airlock deployed today, nothing breaks tomorrow.

## What's Not Changing

The architecture stays the same — I'm not redesigning the engine, I'm putting a new badge on the hood. The three-layer defense pipeline, the Q-Agent isolation model, the gateway proxy, the parameter guards — all of it carries over unchanged. Your deployment keeps working while we transition the naming over the coming weeks.

## The Broader Point

I think Bloomberg's article gets the bigger picture right — AI agents are forcing organizations to rethink their workflows in fundamental ways, not just bolt some automation onto what they already have. And I'm pretty convinced that security is the area where the rethinking needs to happen most urgently. The [Clinejection attack](https://grith.ai/blog/clinejection-when-your-ai-tool-installs-another) earlier this year compromised roughly 4,000 developer machines through a prompt injection embedded in a GitHub issue title. The agent had tool access and processed untrusted input in the same context, and nobody had built a Trentina for it.

Ragusa could've just boarded up the ports and called it a day, but they didn't — they figured out a practical way to keep the commerce flowing without letting something kill everybody, and I think that's exactly the kind of thinking we need for AI agent security. Not "don't let agents touch the internet" but "build a system that makes it safe for them to," and that's what Trentina does.

The full scope of the rename is tracked in [GitHub issue #19](https://github.com/crunchtools/mcp-airlock/issues/19). If you're running Airlock today, keep running it — the transition will be gradual and backwards-compatible.
```
`pip install mcp-trentina-crunchtools`
```

```
`podman run quay.io/crunchtools/mcp-trentina`
```

---

## Categories

- Articles
- Software

---

## Navigation

- [Home](https://crunchtools.com/)
- [Articles](https://crunchtools.com/category/articles/)
- [Events](https://crunchtools.com/category/events/)
- [News](https://crunchtools.com/category/news/)
- [Presentations](https://crunchtools.com/category/presentations/)
- [Software](https://crunchtools.com/software/)
- [Beaver Backup](https://crunchtools.com/software/beaver-backup/)
- [Check BGP Neighbors](https://crunchtools.com/software/check-bgp-neighbors-nagios/)
- [Chev](https://crunchtools.com/software/chev-check-vulnerabilities-script/)
- [Graph BGP Neighbors](https://crunchtools.com/software/grpah-bgp-neighbors/)
- [Graph MySQL Stats](https://crunchtools.com/software/graph-mysql-stats/)
- [Graph Sockets Pipes Files](https://crunchtools.com/software/graph-sockets-pipes-files/)
- [MCP Servers](https://crunchtools.com/software/mcp-servers/)
- [Petit](https://crunchtools.com/software/petit/)
- [Racecar](https://crunchtools.com/software/racecar/)
- [Shiva](https://crunchtools.com/software/shiva/)
- [About](https://crunchtools.com/about/)

## Tags

- AI/ML
- Generative AI
- Open Source Software
- Python
- Security