GuardEntry × MuleSoft Anypoint

Drop GuardEntry's Flow Gate into any MuleSoft Anypoint integration and every Mule flow step, API call, or Agentforce agent action is evaluated against your security policy before it executes. Two integration surfaces: a Mule sub-flow for traditional iPaaS flows (HTTP Requester Connector), and a MCP Connector for MuleSoft's Agent Fabric autonomous agent platform. Both evaluate the same POST /api/v2/policy-router/evaluate endpoint. Setup takes about 20 minutes.

📄 Integration Overview (PDF)Start setup wizard →

Surface A — Mule Flow Gate

Add the guardentry-policy-gate sub-flow to any Mule application. Set actor type to service.mulesoft.*. Raises GUARDENTRY:BLOCKED on policy violations.

Surface B — Agent Fabric / MCP

Connect the MuleSoft MCP Connector to the GuardEntry MCP server. Every Agentforce agent action is gated before execution. Actor type: agent.mulesoft.*.

Prerequisites

•MuleSoft Anypoint Platform (CloudHub 2.0, Anypoint Runtime Fabric, or on-premises Mule Runtime 4.4+)
•Anypoint Studio 7.16+ or Anypoint Code Builder (for importing the app template)
•A GuardEntry API key — get one free at guardentry.ai/connect
•Outbound HTTPS from your Mule Runtime / CloudHub workers to app.guardentry.ai:443
•(Agent Fabric surface only) Node.js 18+ and the GuardEntry MCP server running locally or hosted

Surface AMule Flow Gate

Import the GuardEntry Flow Gate app template

1. Download GuardEntry_FlowGate_v1.0.0.zip from the in-dashboard wizard at app.guardentry.ai/dashboard/integrations/setup/mulesoft
2. Anypoint Studio: unzip → File → Import → General → Existing Projects into Workspace → Select root directory → browse to guardentry-flowgate/ → Finish
3. CloudHub 2.0 / Runtime Fabric: unzip → cd guardentry-flowgate && mvn clean package -DskipMunitTests → upload target/*.jar to Runtime Manager → Deploy Application

The import adds one Mule sub-flow to your application:

• guardentry-policy-gate — call via Flow Reference from any flow to gate an action

Configure secure properties

The Flow Gate reads three Mule properties at startup.

Property	Value	Notes
`guardentry.api.key`	`ge_k1_…`	From the wizard. Store as a secure property (encrypted).
`guardentry.base.url`	`https://app.guardentry.ai`	Your GuardEntry tenant URL. No trailing slash.
`guardentry.mode`	`balanced`	One of `fast` \| `balanced` \| `strict`. Start with `fast`.

In CloudHub 2.0: set properties in Runtime Manager → Application → Properties. On-premises: add to your mule-artifact.json secure properties file.

Add a Flow Reference to the policy gate

1. In the flow you want to gate, add a Set Variable step before the downstream logic
2. Set the required gate variables:

Variable	Value	Notes
`guardentry_content`	Description of the action	What is this flow step doing? Be descriptive — APR evaluates this string.
`guardentry_actor_type`	`service.mulesoft.<api-name>`	e.g. `service.mulesoft.customer-export` — drives policy lookup
`guardentry_label`	Free-text intent tag	Audit grouping, e.g. `mulesoft.export`
`guardentry_direction`	`ingress` \| `egress`	Use `egress` to catch data leaks on outbound responses

3. Add a Flow Reference step pointing to guardentry-policy-gate
4. Add an Error Handler to your flow to handle GUARDENTRY:BLOCKED and GUARDENTRY:APPROVAL_REQUIRED — typically return 403 to the caller
5. Order/run the flow to send a test call to GuardEntry APR

⚠️Variables guardentry_content and guardentry_actor_type are required. The sub-flow will fail-open (continue without blocking) if it cannot reach GuardEntry APR, so a GuardEntry outage never takes down your integration.

Surface BAgent Fabric / MCP

Connect Agent Fabric via the MuleSoft MCP Connector

MuleSoft Agent Fabric (GA June 2026) supports MCP as the standard agent-to-system protocol. Connect it to the GuardEntry MCP server so every Agentforce agent action is evaluated before execution.

1. Start the GuardEntry MCP server:

cd mcp-server
GUARDENTRY_API_KEY=<your-key> npm run start:http

2. In Anypoint Code Builder, add the MCP Connector configuration from src/mcp-config.json in the downloaded package
3. Set GUARDENTRY_API_KEY and (optionally) GUARDENTRY_MCP_URL for hosted deployments
4. Agents will use actor type agent.mulesoft.<agent-name> — one shared policy per agent type

The GuardEntry MCP server exposes the guardentry_evaluate_action tool, which agents call before any action. Decisions are logged in the GuardEntry dashboard under Policy Router → Decisions.

Actor types

GuardEntry creates one shared policy per unique actorType. Use the dotted prefix convention to scope policies per integration surface:

Source	actorType	Example
Mule flow / API	`service.mulesoft.<api-name>`	`service.mulesoft.customer-export`
Agent Fabric / Agentforce	`agent.mulesoft.<agent-name>`	`agent.mulesoft.order-fulfillment`

Flow variables set after evaluation

The guardentry-policy-gate sub-flow sets these Mule variables that downstream steps can read:

Variable	Description
`vars.guardentry_decision`	`allow` \| `block` \| `require_approval` \| `uncertain` \| `verify` \| `unreachable`
`vars.guardentry_policy_id`	GuardEntry policy UUID — empty string if no policy matched
`vars.guardentry_audit_link`	Deep link to the audit record in GuardEntry dashboard
`vars.guardentry_reviews_link`	Deep link to review queue (populated when `require_approval`)
`vars.guardentry_reasoning`	Human-readable reasoning string from APR
`vars.guardentry_confidence`	Confidence score 0–1 float

Example use cases

Customer data export gate

Gate a Mule flow that exports customer records to external destinations. Set actorType=service.mulesoft.customer-export and pass the destination path and record count in content. APR blocks exports matching PII-exfiltration patterns or outside change windows.

Payment / ERP API gate

Gate outbound calls to payment processors or ERP systems (SAP, NetSuite). Set actorType=service.mulesoft.payment-api and pass the transaction details as content. APR can require approval for high-value transactions against SOC 2 financial controls.

Agentforce agent governance

Gate Agentforce agents built on MuleSoft Agent Fabric. Connect the MCP Connector to GuardEntry so every agent action (web search, API call, record update) is evaluated before execution. Set actorType=agent.mulesoft.order-fulfillment and audit all agent decisions in the GuardEntry dashboard.

Egress data leak detection

Set direction=egress to catch sensitive data leaving your integration — credentials, PII, internal system URLs — before responses are returned to external callers. Use strict mode for LLM-assisted detection of subtler leakage patterns.

Troubleshooting

⚠️Flow continues even when APR returns block — Check that your Error Handler catches GUARDENTRY:BLOCKED. Without an error handler, Mule's default handler may swallow the error. Add on-error-propagate type="GUARDENTRY:BLOCKED" to your flow's error handler.

⚠️"unreachable" decisions — The Mule worker can't reach GuardEntry. Check outbound HTTPS to app.guardentry.ai:443. The Flow Gate fails open on network errors so a GuardEntry outage never blocks your integration.

⚠️All decisions are allow — Your policy may be in observe mode. The 👁 observe badge in your GuardEntry dashboard means violations are logged but not blocked. Switch to enforcement from the policy settings page when ready.

⚠️401 Unauthorized — Check that guardentry.api.key is set correctly and that the key has not been revoked. The key must have readwrite permissions and an integration label of mulesoft.

BMC Control-M Get API key