{"id":34547474,"url":"https://github.com/apathy-ca/sark","last_synced_at":"2026-05-27T22:37:15.871Z","repository":{"id":325269905,"uuid":"1100278623","full_name":"apathy-ca/sark","owner":"apathy-ca","description":"Zero-trust gateway for AI systems. OPA policies, audit logging, authentication (OIDC/LDAP/SAML), MCP/HTTP/gRPC adapters. FastAPI + Rust extensions. Production-ready.","archived":false,"fork":false,"pushed_at":"2026-05-24T06:06:36.000Z","size":43414,"stargazers_count":1,"open_issues_count":31,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-24T08:11:56.534Z","etag":null,"topics":["ai-governance","api-gateway","audit-logging","authentication","authorization","fastapi","llm-security","mcp","model-context-protocol","opa","policy-engine","python","rust","security","zero-trust"],"latest_commit_sha":null,"homepage":"https://github.com/apathy-ca/sark/blob/main/docs/QUICK_START.md","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/apathy-ca.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":"docs/governance/HOME_GOVERNANCE.md","roadmap":"docs/ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":"COPYRIGHT","agents":null,"dco":null,"cla":null}},"created_at":"2025-11-20T04:29:04.000Z","updated_at":"2026-05-18T19:20:25.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/apathy-ca/sark","commit_stats":null,"previous_names":["apathy-ca/sark"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/apathy-ca/sark","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apathy-ca%2Fsark","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apathy-ca%2Fsark/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apathy-ca%2Fsark/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apathy-ca%2Fsark/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/apathy-ca","download_url":"https://codeload.github.com/apathy-ca/sark/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apathy-ca%2Fsark/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33586820,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-27T02:00:06.184Z","response_time":53,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-governance","api-gateway","audit-logging","authentication","authorization","fastapi","llm-security","mcp","model-context-protocol","opa","policy-engine","python","rust","security","zero-trust"],"created_at":"2025-12-24T07:29:36.892Z","updated_at":"2026-05-27T22:37:15.866Z","avatar_url":"https://github.com/apathy-ca.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# SARK (Security Audit and Resource Kontroler)\n\n**Enterprise-Grade Multi-Protocol AI Governance Platform**\n\n\u003e *\"He's not any kind of user, SARK, he's a program.\"* —MCP, probably\n\nSARK provides zero-trust governance for AI deployments at scale. Built for Model Context Protocol (MCP), with support for **MCP, HTTP/REST, gRPC, and custom protocols** through a universal adapter interface.\n\n**Target Scale:** 50,000+ employees, 10,000+ AI resources\n\n📖 **[Quick Start](docs/QUICK_START.md)** | **[Changelog](CHANGELOG.md)** | **[Full Documentation](docs/)**\n\n---\n\n## What is This?\n\n**The Problem:** AI assistants accessing enterprise systems (databases, APIs, cloud infrastructure) without governance creates security chaos—no visibility, no control, no audit trail.\n\n**The Solution:** SARK sits between AI and your systems, providing:\n- 🔐 **Authentication** - OIDC, LDAP, SAML, API Keys\n- 🛡️ **Authorization** - Policy-based access control (OPA)\n- 📊 **Audit** - Complete trail of every AI action\n- ⚡ **Performance** - \u003c100ms p95 latency, 847 req/s sustained\n\n**Example:** Developer asks AI \"Show P0 bugs for my team\" → AI uses MCP → SARK validates auth \u0026 policy → If approved, executes → Logs everything.\n\n📖 **[What is MCP?](docs/MCP_INTRODUCTION.md)** | **[Architecture](docs/ARCHITECTURE.md)** | **[Use Cases](docs/USE_CASES.md)**\n\n---\n\n## Quick Start\n\n**Prerequisites:**\n- Python 3.11+\n- Rust 1.92+ ([install Rust](https://rustup.rs/)) - Required for building native extensions\n\n```bash\n# 1. Clone and setup\ngit clone --recurse-submodules \u003crepository-url\u003e\ncd sark\n# If you already cloned without --recurse-submodules:\n# git submodule update --init\npython3.11 -m venv venv \u0026\u0026 source venv/bin/activate\npip install -e \".[dev]\"\n\n# 2. Build Rust extensions\nmaturin develop\n\n# 3. Start services\ndocker compose --profile full up -d\n\n# 4. Access UI and API\n# UI: http://localhost:5173 (admin/password)\n# API: http://localhost:8000/docs\n```\n\n**Next Steps:**\n- 📖 **[15-Minute Quick Start](docs/QUICK_START.md)** - Complete getting started guide\n- 💻 **[Development Guide](docs/DEVELOPMENT.md)** - Development workflow and standards\n- 🎓 **[Tutorials](tutorials/)** - Step-by-step examples\n- 📚 **[API Reference](docs/API_REFERENCE.md)** - Complete API documentation\n\n---\n\n## Features\n\n### Multi-Protocol Support\n- **MCP** - SSE and HTTP transports functional (stdio in development)\n- **HTTP/REST** - OpenAPI discovery, 5 auth strategies\n- **gRPC** - Reflection-based, mTLS support\n- **Custom** - Plugin system for any protocol\n\n### Enterprise Security (v1.3.0 Enhanced)\n- **Authentication** - OIDC, LDAP, SAML, API Keys\n- **Authorization** - OPA policy engine, ReBAC+ABAC\n- **Audit** - Immutable logs, SIEM integration (Splunk, Datadog)\n- **Federation** - Cross-organization governance with mTLS\n- **🆕 Prompt Injection Detection** - 20+ patterns, entropy analysis, 30x faster\n- **🆕 Anomaly Detection** - Behavioral baselines, real-time alerts\n- **🆕 Secret Scanning** - 25+ patterns, automatic redaction, 50x faster\n- **🆕 MFA** - TOTP/SMS/Push/Email for critical actions\n- **🆕 Network Controls** - Kubernetes policies, egress filtering\n\n### Production Ready\n- ✅ 64% test coverage (improving to 85%), 1 low-severity vulnerability (Windows-only, dev dependency)\n- ✅ \u003c100ms p95 latency, 847 req/s sustained throughput\n- ✅ Kubernetes-native, Helm charts, Terraform modules\n- ✅ 100+ pages of documentation\n\n📖 **[Features Overview](docs/FEATURES.md)** | **[Security](docs/SECURITY.md)** | **[Performance](docs/PERFORMANCE.md)**\n\n---\n\n## Web UI\n\nModern React UI for managing AI governance:\n\n- 📊 Dashboard with metrics\n- 🖥️ Server/resource management\n- 📝 Policy editor (Rego syntax)\n- 📜 Audit log viewer\n- 🔑 API key management\n\n```bash\ncd frontend \u0026\u0026 npm install \u0026\u0026 npm run dev\n# Access: http://localhost:5173\n```\n\n📖 **[UI User Guide](docs/UI_USER_GUIDE.md)** | **[UI Deployment](docs/DEPLOYMENT.md#ui-deployment)**\n\n---\n\n## Deployment\n\n### Development\n```bash\ndocker compose --profile full up -d\n```\n\n### Production\n```bash\n# Kubernetes with Helm\nhelm install sark ./helm/sark -n production --create-namespace\n\n# Or with kubectl\nkubectl apply -f k8s/\n```\n\n### Cloud Platforms\n- AWS EKS, GCP GKE, Azure AKS\n- Terraform modules included for all platforms\n\n### Home Deployment (v1.7.0)\n\nLightweight deployment for home networks and low-resource environments:\n\n```bash\n# Quick start with Docker\nmake home-up\n\n# Or with Docker Compose directly\ndocker compose -f docker-compose.home.yml up -d\n```\n\n- **Target:** 512MB RAM, single core\n- **Database:** SQLite (instead of PostgreSQL)\n- **Platform:** OPNsense plugin or Docker\n- **Features:** Family governance (bedtime, parental controls, cost limits)\n\n📖 **[Home Deployment Guide](docs/deployment/HOME_DEPLOYMENT.md)** | **[Policy Cookbook](docs/policies/POLICY_COOKBOOK.md)**\n\n### Enterprise Deployment\n\nFull-featured deployment with PostgreSQL, Redis, and external OPA:\n\n```bash\n# Kubernetes with Helm\nhelm install sark ./helm/sark -n production --create-namespace\n```\n\n📖 **[Deployment Guide](docs/DEPLOYMENT.md)** | **[Terraform Guide](terraform/README.md)** | **[Production Readiness](docs/PRODUCTION_READINESS.md)**\n\n---\n\n## Documentation\n\n### Getting Started\n- **[Quick Start](docs/QUICK_START.md)** - 15-minute setup\n- **[MCP Introduction](docs/MCP_INTRODUCTION.md)** - What is MCP?\n- **[Architecture](docs/ARCHITECTURE.md)** - System design\n- **[Use Cases](docs/USE_CASES.md)** - Real-world examples\n\n### Deployment \u0026 Operations\n- **[Deployment Guide](docs/DEPLOYMENT.md)** - Production deployment\n- **[Monitoring](docs/MONITORING.md)** - Observability setup\n- **[Operations Runbook](docs/OPERATIONS_RUNBOOK.md)** - Day-2 operations\n\n### Development\n- **[Development Guide](docs/DEVELOPMENT.md)** - Setup and workflow\n- **[API Reference](docs/API_REFERENCE.md)** - Complete API docs\n- **[Contributing](CONTRIBUTING.md)** - Contribution guidelines\n\n### Security \u0026 Compliance\n- **[Security Guide](docs/SECURITY.md)** - Security best practices\n- **[OPA Policy Guide](docs/OPA_POLICY_GUIDE.md)** - Policy authoring\n- **[Audit \u0026 Compliance](docs/AUDIT_COMPLIANCE.md)** - Compliance features\n\n📚 **[Full Documentation Index](docs/README.md)**\n\n---\n\n## Project Status\n\n🚀 **v1.7.0 - Current Release** (Released Feb 2, 2026)\n\n**New in v1.7.0 - YORI Home Deployment:**\n- ✅ **Home Deployment Profile** - 512MB RAM, single-core target for home networks\n- ✅ **Governance Modules** - Allowlist, time rules, emergency override, consent tracking\n- ✅ **Policy Templates** - Bedtime, parental controls, privacy, cost limits\n- ✅ **Analytics Services** - Token tracking, cost calculation, usage reporting\n- ✅ **OPNsense Plugin** - Web UI dashboard, service management, policy configuration\n- ✅ **Comprehensive Tests** - Unit, integration, and OPA policy tests\n\n**v1.6.0 - Polish \u0026 Validation:**\n- ✅ **Security Hardening** - 96% vulnerability remediation (24/25 CVEs fixed)\n- ✅ **Test Infrastructure** - 39 tests fixed, 100% pass rate for export + tools routers\n- ✅ **Dependency Cleanup** - Eliminated ecdsa, migrated to PyJWT[crypto]\n- ✅ **Bug Fixes** - Keyword detection for snake_case, FastAPI route ordering\n- ✅ **Documentation** - Comprehensive release notes, migration guides\n\n**v1.5.0 - Production Readiness:**\n- ✅ **Gateway Transport Implementations** (HTTP, SSE, stdio)\n- ✅ **Security Fixes** (LDAP injection, CSRF, credentials)\n- ✅ **Frontend Authentication UI** (Login, MFA, API key management)\n- ✅ **E2E Integration Tests** (Complete user flow testing)\n- ✅ **Performance Benchmark Infrastructure** (Locust, pytest-benchmark)\n\n**v1.4.0 - Rust Foundation:**\n- ✅ **Embedded Rust OPA engine** (4-10x faster policy evaluation)\n- ✅ **Rust in-memory cache** (10-50x faster than Redis)\n- ✅ **Feature flags \u0026 gradual rollout** (0% → 100% with instant rollback)\n- ✅ **2.4x higher throughput** (2,100+ req/s)\n- ✅ **2.3x faster requests** (42ms p95, down from 98ms)\n- ✅ **100% backwards compatible** with v1.3.0\n- ✅ Automatic Python fallback for safety\n- ✅ Comprehensive migration and performance documentation\n\n**Completed (v1.3.0):**\n- ✅ Enterprise authentication (OIDC, LDAP, SAML, API Keys)\n- ✅ Policy-based authorization (OPA)\n- ✅ MCP Gateway integration (opt-in)\n- ✅ SIEM integration (Splunk, Datadog)\n- ✅ **Prompt injection detection** (20+ patterns, 30x faster than target)\n- ✅ **Behavioral anomaly detection** (30-day baseline, real-time alerts)\n- ✅ **Secret scanning \u0026 redaction** (25+ patterns, 50x faster than target)\n- ✅ **MFA for critical actions** (TOTP, SMS, Push, Email)\n- ✅ **Network security controls** (NetworkPolicies, egress filtering)\n- ✅ Comprehensive testing (350+ unit, 530+ integration, 2200+ performance)\n- ✅ Complete documentation (100+ pages)\n- ✅ Production deployment guides\n\n**Future Roadmap:**\n- **v1.8.0** - OPNsense plugin submission to official repository\n- **v1.9.0** - Local LLM support (Ollama integration)\n- **v2.0.0** - GRID Reference Implementation (protocol abstraction, federation, cost attribution)\n\n📖 **[Roadmap](docs/ROADMAP.md)** | **[Changelog](CHANGELOG.md)**\n\n---\n\n## Requirements\n\n- Python 3.11+\n- Docker with Docker Compose v2\n- PostgreSQL 15+, Valkey 7+ (Redis-compatible)\n- Open Policy Agent 0.60+\n- Kong Gateway 3.8+ (production)\n- Kubernetes 1.28+ (production)\n\n📖 **[Requirements](docs/REQUIREMENTS.md)**\n\n---\n\n## GRID Protocol\n\nSARK is the **reference implementation of GRID Protocol Specification v0.1**.\n\n**GRID** (Governed Resource Interaction Definition) is a universal governance protocol for machine-to-machine interactions—protocol-agnostic, federated, zero-trust, policy-first.\n\n**SARK v1.1.0 Compliance:** 85% of GRID v0.1 specification\n\n📖 **[Gap Analysis](docs/specifications/GRID_GAP_ANALYSIS_AND_IMPLEMENTATION_NOTES.md)** - Detailed compliance matrix\n\n📖 **[GRID Specification](docs/specifications/GRID_PROTOCOL_SPECIFICATION_v0.1.md)** | **[Gap Analysis](docs/specifications/GRID_GAP_ANALYSIS_AND_IMPLEMENTATION_NOTES.md)**\n\n---\n\n## Related Projects\n\n### YORI - Home LLM Gateway (Integrated in v1.7.0)\n\n**YORI** (Your Observant Router Intelligence) provides zero-trust LLM governance for home networks. As of v1.7.0, YORI's home deployment profile is **integrated directly into SARK**.\n\n**Deployment Options:**\n- **SARK Home Profile** - Use `make home-up` or the OPNsense plugin (recommended)\n- **Standalone YORI** - See [YORI repository](https://github.com/apathy-ca/yori) for standalone builds\n\n**Features:**\n- **Target:** OPNsense routers, home users (512MB RAM, 1 CPU)\n- **Database:** SQLite (lightweight, no external dependencies)\n- **Policies:** Bedtime rules, parental controls, privacy protection, cost limits\n- **Governance:** Allowlist, time-based rules, emergency override, consent tracking\n- **Analytics:** Token tracking, cost estimation, usage reports\n\nYORI reuses SARK's battle-tested Rust core (`grid-opa`, `grid-cache`) via PyO3 bindings, bringing enterprise-grade policy evaluation to resource-constrained home routers.\n\n📖 **[YORI Repository](https://github.com/apathy-ca/yori)** | **[Project Plan](docs/v2.0/YORI_PROJECT_PLAN.md)**\n\n---\n\n## Contributing\n\nWe welcome contributions! See **[CONTRIBUTING.md](CONTRIBUTING.md)** for:\n- Code style and standards\n- Development workflow\n- PR process\n- Multi-agent collaboration guidelines\n\n---\n\n## License\n\nMIT License - see **[LICENSE](LICENSE)** file for details.\n\n**Copyright** © 2025 James Henry. All rights reserved.\n\n---\n\n**Built with ❤️ for enterprise AI governance at scale.**\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapathy-ca%2Fsark","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fapathy-ca%2Fsark","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapathy-ca%2Fsark/lists"}