{"id":49308486,"url":"https://github.com/cullis-security/cullis","last_synced_at":"2026-05-13T13:01:05.815Z","repository":{"id":347801365,"uuid":"1195337761","full_name":"cullis-security/cullis","owner":"cullis-security","description":"Trust infrastructure for AI agents across organizations. Verified identity, explicit authorization, cryptographic audit trail.","archived":false,"fork":false,"pushed_at":"2026-05-06T23:29:02.000Z","size":10479,"stargazers_count":0,"open_issues_count":23,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-06T23:39:17.864Z","etag":null,"topics":["ai-agents","api-gateway","cryptography","dpop","e2e-encryption","fastapi","federated-identity","iam","mcp","mtls","multi-agent-systems","pki","python","self-hosted","spiffe","trust-broker","workload-identity","zero-trust"],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cullis-security.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":"NOTICE","maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-29T14:51:00.000Z","updated_at":"2026-05-06T23:00:15.000Z","dependencies_parsed_at":null,"dependency_job_id":"0f846ec2-82a8-4bbe-80e9-33776d8bc9d3","html_url":"https://github.com/cullis-security/cullis","commit_stats":null,"previous_names":["daenaihax/agent-trust-network","daenaihax/cullis"],"tags_count":22,"template":false,"template_full_name":null,"purl":"pkg:github/cullis-security/cullis","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cullis-security%2Fcullis","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cullis-security%2Fcullis/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cullis-security%2Fcullis/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cullis-security%2Fcullis/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cullis-security","download_url":"https://codeload.github.com/cullis-security/cullis/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cullis-security%2Fcullis/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32795416,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-08T08:22:46.396Z","status":"ssl_error","status_checked_at":"2026-05-08T08:22:45.650Z","response_time":54,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","api-gateway","cryptography","dpop","e2e-encryption","fastapi","federated-identity","iam","mcp","mtls","multi-agent-systems","pki","python","self-hosted","spiffe","trust-broker","workload-identity","zero-trust"],"created_at":"2026-04-26T11:00:52.579Z","updated_at":"2026-05-13T13:01:05.807Z","avatar_url":"https://github.com/cullis-security.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\"branding/cullis-mark.svg\" alt=\"Cullis\" width=\"120\"\u003e\u003cbr\u003e\u003cbr\u003e\n  \u003cstrong\u003eCullis — Zero-trust identity and audit for AI agents.\u003c/strong\u003e\u003cbr\u003e\n  Start air-gapped in your organization. Scale to cross-company federation without redeploy.\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-FSL--1.1--Apache--2.0-blue.svg\" alt=\"License\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://www.python.org/downloads/\"\u003e\u003cimg src=\"https://img.shields.io/badge/python-3.11-blue.svg\" alt=\"Python\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/cullis-security/cullis/actions\"\u003e\u003cimg src=\"https://img.shields.io/github/actions/workflow/status/cullis-security/cullis/ci.yml?branch=main\u0026label=CI\" alt=\"CI\"\u003e\u003c/a\u003e\n  \u003ca href=\"#status\"\u003e\u003cimg src=\"https://img.shields.io/badge/status-early--stage%20%C2%B7%20research-orange.svg\" alt=\"Status: early-stage\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\n\u003e 📖 **Why Cullis exists, architecture deep-dives, use cases, deployment patterns → [cullis.io](https://cullis.io)**\n\u003e\n\u003e This README is the engineer's entry point: what it is, how to run it, how the code is laid out. Everything else lives on the site.\n\n---\n\n## Status\n\n\u003e [!WARNING]\n\u003e **Early-stage research project — not production-ready.**\n\u003e\n\u003e Cullis is in active study and prototyping. The architecture is real and\n\u003e the demo runs end-to-end on a laptop, but the codebase has not been\n\u003e externally security-audited, and APIs may still break without notice.\n\u003e\n\u003e Use it to learn, explore, prototype, and contribute — not yet to handle\n\u003e real users, real credentials, or real traffic.\n\n---\n\n## What Cullis is\n\nAI agents act on your behalf — they make decisions, move data, and\nincreasingly talk to each other. When something goes wrong, three questions\nmatter: **who was it, what were they allowed to do, and what did they actually do?**\n\nCullis gives each agent a cryptographic identity, enforces policy at the\norganization boundary, and records every action in a tamper-evident\nhash-chain. The same binary runs standalone inside your organization or\nfederated across companies — no redeploy between the two.\n\n---\n\n## Three components\n\n| | **Cullis Connector** | **Cullis Mastio** | **Cullis Court** |\n|---|---|---|---|\n| **Where it runs** | User's laptop | Your organization | Cross-org network |\n| **Owned by** | End user | Your org admin | Network operator |\n| **What it does** | User identity + MCP↔Cullis translation | Agent certs, policy, local audit, tool reverse-proxy | Org registry, trust federation, cross-org routing |\n\nThe **Connector** is a desktop app that turns any MCP client (Claude\nDesktop, Cursor, Cline) into a Cullis-aware agent. The **Mastio** is the\nauthority that governs agents inside a single organization. The **Court**\nfederates Mastios across different organizations.\n\nThe Mastio runs in two modes — **standalone** (air-gapped, single-org,\nno external dependency) or **federated** (attached to a Court, reaches\nagents in other companies). Same binary, admin action switches between\nthem, no agent re-enrollment.\n[Deployment patterns → cullis.io](https://cullis.io).\n\n---\n\n## Quickstart — single host (bundles)\n\nFor a single-host evaluation: a Mastio + multi-user Frontdesk chat in two\ncommands, no repo clone needed. Both bundles pull the published images\nfrom `ghcr.io` and configure themselves with sensible defaults.\n\n**Requirements**: Docker Engine with Compose v2, ~2 GB RAM.\n\n```bash\n# 1. Mastio (org gateway + first-boot Org CA + dashboard on :9443)\ncurl -L https://github.com/cullis-security/cullis/releases/download/mastio-v0.3.2-rc3/cullis-mastio-bundle.tar.gz | tar xz\ncd cullis-mastio-bundle \u0026\u0026 ./deploy.sh\n\n# 2. Frontdesk (multi-user chat on :8080, enrolls against the Mastio above)\ncd ..\ncurl -L https://github.com/cullis-security/cullis/releases/download/frontdesk-bundle-v0.2.0-rc3/cullis-frontdesk-bundle.tar.gz | tar xz\ncd cullis-frontdesk-bundle \u0026\u0026 ./deploy.sh\n```\n\n\u003e **Why pinned tags, not `releases/latest/`?** GitHub's `Latest` marker\n\u003e points to a single release across the whole repo. Cullis ships two\n\u003e independent bundles (Mastio + Frontdesk) with separate version\n\u003e trains; a `releases/latest/download/cullis-frontdesk-bundle.tar.gz`\n\u003e URL 404s the moment a Mastio release becomes Latest. Newer versions\n\u003e are at \u003chttps://github.com/cullis-security/cullis/releases\u003e.\n\nThe Mastio dashboard is at `https://localhost:9443/proxy/login` (self-signed\nTLS, accept the warning); the Frontdesk SPA is at `http://localhost:8080`.\nSee [`packaging/mastio-bundle/README.md`](packaging/mastio-bundle/README.md)\nand [`packaging/frontdesk-bundle/README.md`](packaging/frontdesk-bundle/README.md)\nfor production overrides (custom hostname, oauth2-proxy + IDP, image pinning).\n\n## Quickstart — full enterprise stack (sandbox)\n\nBoot the full enterprise stack — Court + 2 Mastios + 3 agents + 2 MCP servers\nin 2 organizations, wired with SPIRE, Keycloak, Vault and Postgres — then\nreplay intra-org and cross-org traffic.\n\n**Requirements**: Docker Engine with Compose v2, ~6 GB free disk, ~4 GB RAM.\n\n```bash\ngit clone https://github.com/cullis-security/cullis\ncd cullis\n./sandbox/demo.sh full\n```\n\nReplay scenarios (stack must be up):\n\n```bash\n./sandbox/demo.sh mcp-catalog     # intra-org: agent → MCP tool call (Org A)\n./sandbox/demo.sh mcp-inventory   # intra-org: agent → MCP tool call (Org B)\n./sandbox/demo.sh oneshot-a-to-b  # cross-org: A2A encrypted message A → B\n./sandbox/demo.sh oneshot-b-to-a  # cross-org: A2A encrypted message B → A\n./sandbox/demo.sh guide           # open the onboarding walkthrough\n```\n\nSee [`sandbox/GUIDE.md`](sandbox/GUIDE.md) for the\nstep-by-step onboarding — attach-CA flow, Mastio counter-signature pin\n(ADR-009), Connector Desktop enrollment, MCP resource registration.\n\nFor single-user install, download the [Connector desktop\napp](https://github.com/cullis-security/cullis/releases).\n\n---\n\n## Key features\n\n- **x509 PKI + SPIFFE per-agent identity** — each agent gets a cert\n  signed by its organization's CA, with `spiffe://org/agent` SAN\n- **ECC end-to-end encryption** — ECDH P-256 key exchange, AES-256-GCM\n  payload, ECDSA signatures\n- **DPoP token binding (RFC 9449)** — every token bound to an ephemeral\n  EC key\n- **Default-deny federated policy** — PDP webhook or OPA per organization,\n  both orgs must allow on cross-org traffic\n- **Local hash-chain audit** — append-only, SHA-256 chain, never leaves\n  the organization\n- **Self-service org onboarding** — invite tokens, attach-CA for existing\n  PKIs, automatic Org CA generation\n- **KMS backends** — local filesystem (dev), HashiCorp Vault KV v2 (prod)\n\n---\n\n## SDK\n\n```python\nfrom cullis_sdk.client import CullisClient\n\nclient = CullisClient(\"https://mastio.example.com\")\nclient.login(\"alice\", \"acme\", \"agent.pem\", \"agent-key.pem\")\n\nagents = client.discover(capabilities=[\"supply\"])\nsession_id = client.open_session(\"widgets::supplier\", \"widgets\", [\"supply\"])\nclient.send(session_id, \"acme::alice\", {\"order\": \"100 units\"}, \"widgets::supplier\")\n```\n\nTypeScript SDK in [`sdk-ts/`](sdk-ts/). MCP server exposing Cullis as a\nset of tools (so any MCP-compatible LLM becomes a Cullis agent) in\n`cullis_sdk/mcp_server.py`.\n\n---\n\n## Project layout\n\n```\napp/               Cullis Court (network control plane)\nmcp_proxy/         Cullis Mastio (org trust authority)\ncullis_connector/  Cullis Connector (desktop app)\ncullis_sdk/        Python SDK + MCP server\nsdk-ts/            TypeScript SDK\nalembic/           Court database migrations\nsandbox/           Public quickstart demo (SPIRE, Keycloak, Vault, Postgres)\ndeploy/            Helm chart, Docker Compose, env templates\nenterprise-kit/    BYOCA guide, OPA policy bundles, PDP template\ndocs/              cullis.io site source + ops runbook\ntests/             Unit, integration, e2e tests\ndemo_network/      Test infrastructure for the CI smoke gate (federation\n                   + standalone matrix). Not a user-facing demo.\n```\n\n\u003e [!NOTE]\n\u003e `app/` and `mcp_proxy/` are legacy directory names that predate the\n\u003e Court / Mastio rebrand. The on-disk paths and the brand names refer to\n\u003e the same components. Python package imports follow the same legacy\n\u003e (`from app import ...` for Court, `from mcp_proxy import ...` for\n\u003e Mastio). Each directory has its own README with a per-component\n\u003e overview.\n\nRuntime: Python 3.11 · FastAPI · PostgreSQL 16 · Redis · HashiCorp Vault · cryptography · PyJWT · OpenTelemetry + Jaeger · OPA · Docker · Helm.\n\n---\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, PR workflow, and code conventions.\n\nSecurity vulnerabilities: [SECURITY.md](SECURITY.md) for private reporting.\n\n## Contact\n\n| | |\n|---|---|\n| General, partnerships, demos | [hello@cullis.io](mailto:hello@cullis.io) |\n| Security (private) | [security@cullis.io](mailto:security@cullis.io) · [SECURITY.md](SECURITY.md) |\n| Bugs, feature requests | [GitHub Issues](https://github.com/cullis-security/cullis/issues) |\n| Discussion | [GitHub Discussions](https://github.com/cullis-security/cullis/discussions) |\n\n## License\n\nSplit licensing:\n\n- **Court (`app/`) and Mastio (`mcp_proxy/`)** — [FSL-1.1-Apache-2.0](LICENSE). Non-competing use permitted (internal deployments, services, research, modifications, forks). Each release becomes [Apache 2.0](LICENSE-APACHE-2.0) two years after publication.\n- **Python SDK (`cullis_sdk/`)** — [Apache 2.0](cullis_sdk/LICENSE). Permissive, permanent.\n- **TypeScript SDK (`sdk-ts/`)** — [MIT](sdk-ts/LICENSE). Permissive, permanent.\n- **Integration templates (`enterprise-kit/`)** — [Apache 2.0](enterprise-kit/LICENSE). Permissive, permanent.\n\nSee [NOTICE](NOTICE) for the component-by-component map.\n\n---\n\n\u003e Architecture deep-dives, use cases, deployment patterns, and the project's reason for existing all live at **[cullis.io](https://cullis.io)**.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcullis-security%2Fcullis","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcullis-security%2Fcullis","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcullis-security%2Fcullis/lists"}