{"id":45540156,"url":"https://github.com/oktsec/oktsec","last_synced_at":"2026-04-02T11:46:49.791Z","repository":{"id":339839336,"uuid":"1163563146","full_name":"oktsec/oktsec","owner":"oktsec","description":"Security layer for AI agent-to-agent communication. Every message is signed, inspected, and logged. If it doesn't comply, it doesn't pass. No LLM. No cloud. Single binary. Your infra, your data.","archived":false,"fork":false,"pushed_at":"2026-03-25T01:27:30.000Z","size":3719,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-03-25T03:28:38.954Z","etag":null,"topics":["ai-agents","audit","ed25519","golang","identity","inter-agent","mcp","open-source","proxy","security"],"latest_commit_sha":null,"homepage":"https://oktsec.com","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/oktsec.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2026-02-21T20:21:17.000Z","updated_at":"2026-03-25T01:23:29.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/oktsec/oktsec","commit_stats":null,"previous_names":["oktsec/oktsec"],"tags_count":19,"template":false,"template_full_name":null,"purl":"pkg:github/oktsec/oktsec","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oktsec%2Foktsec","tags_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/repositories/oktsec%2Foktsec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oktsec%2Foktsec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oktsec%2Foktsec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/oktsec","download_url":"https://codeload.github.com/oktsec/oktsec/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/oktsec%2Foktsec/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31305809,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-02T09:48:21.550Z","status":"ssl_error","status_checked_at":"2026-04-02T09:48:19.196Z","response_time":89,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","audit","ed25519","golang","identity","inter-agent","mcp","open-source","proxy","security"],"created_at":"2026-02-23T03:54:19.988Z","updated_at":"2026-04-02T11:46:49.782Z","avatar_url":"https://github.com/oktsec.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cstrong\u003eOktsec\u003c/strong\u003e — Runtime security for AI agent tool calls\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://github.com/oktsec/oktsec/actions/workflows/ci.yml\"\u003e\u003cimg 
src=\"https://github.com/oktsec/oktsec/actions/workflows/ci.yml/badge.svg\" alt=\"CI\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://goreportcard.com/report/github.com/oktsec/oktsec\"\u003e\u003cimg src=\"https://goreportcard.com/badge/github.com/oktsec/oktsec\" alt=\"Go Report Card\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://pkg.go.dev/github.com/oktsec/oktsec\"\u003e\u003cimg src=\"https://pkg.go.dev/badge/github.com/oktsec/oktsec.svg\" alt=\"Go Reference\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://github.com/oktsec/oktsec/releases\"\u003e\u003cimg src=\"https://img.shields.io/github/v/release/oktsec/oktsec\" alt=\"GitHub Release\"\u003e\u003c/a\u003e\n  \u003ca href=\"LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-Apache%202.0-blue.svg\" alt=\"License\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"#installation\"\u003eInstallation\u003c/a\u003e \u0026middot;\n  \u003ca href=\"#quick-start\"\u003eQuick Start\u003c/a\u003e \u0026middot;\n  \u003ca href=\"#hooks\"\u003eHooks\u003c/a\u003e \u0026middot;\n  \u003ca href=\"#mcp-gateway\"\u003eGateway\u003c/a\u003e \u0026middot;\n  \u003ca href=\"#threat-intel\"\u003eThreat Intel\u003c/a\u003e \u0026middot;\n  \u003ca href=\"#openclaw-support\"\u003eOpenClaw\u003c/a\u003e \u0026middot;\n  \u003ca href=\"#dashboard\"\u003eDashboard\u003c/a\u003e \u0026middot;\n  \u003ca href=\"#detection-rules\"\u003eRules\u003c/a\u003e \u0026middot;\n  \u003ca href=\"#configuration\"\u003eConfig\u003c/a\u003e\n\u003c/p\u003e\n\n---\n\nSee everything your AI agents execute. Monitors MCP tool calls and CLI operations in real-time - intercept, detect, block, audit. **255 detection rules** across 17 categories. Delegation chains with Ed25519-signed authorization tokens. Egress sandboxing for MCP server processes. Dependency auditing against OSV.dev. Tamper-evident audit trail with offline CLI verification. Optional LLM threat intelligence. 
Discovers and secures **17 MCP clients** automatically. Deterministic 10-stage pipeline. Single binary. Built on the [official MCP SDK](https://github.com/modelcontextprotocol/go-sdk). Aligned with the [OWASP Top 10 for Agentic Applications](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications/).\n\n## What it does\n\nOktsec sits between communicating AI agents (and between agents and the MCP servers they call) and enforces a 10-stage security pipeline on every message:\n\n1. **Rate limiting** — Per-agent sliding-window throttling prevents message flooding (ASI02, ASI10).\n2. **Identity** — Ed25519 signatures verify every message sender. With `require_signature: true`, no valid signature means no further processing (ASI03).\n3. **Agent suspension** — Suspended agents are immediately rejected, no further processing (ASI10).\n4. **Policy** — YAML-based ACLs control which agent can message which. Default-deny mode rejects unknown senders (ASI03).\n5. **Content scanning** — 255 detection rules catch prompt injection, credential leaks, PII exposure, data exfiltration, MCP attacks, tool-call threats, supply chain risks, and more (ASI01, ASI02, ASI05).\n6. **Intent validation** — Declared intent vs actual content alignment check. Detects agents that say one thing and do another (ASI01).\n7. **BlockedContent enforcement** — Per-agent category-based content blocking escalates verdicts when findings match blocked categories (ASI02).\n8. **Multi-message escalation** — Agents with repeated blocks get their verdicts escalated automatically (ASI01, ASI10).\n9. **Audit** — Every message is logged to SQLite with content hash, sender verification status, policy decision, and triggered rules. Hash-chained with Ed25519 proxy signatures for tamper evidence.\n10. 
**Anomaly detection** — Background risk scoring with automatic alerts and optional auto-suspension (ASI10).\n\n```\nAgent A → sign → POST /v1/message → [Oktsec] → rate limit → verify → suspend → ACL → scan → intent → blocked content → escalation → deliver/block/quarantine → audit → anomaly\n```\n\n### Supported platforms\n\nAuto-discovers MCP server configurations from **17 clients**:\n\n| Client | Protocol | Notes |\n|--------|----------|-------|\n| Claude Desktop | MCP (stdio) | Wrap + scan |\n| Cursor | MCP (stdio) | Wrap + scan |\n| VS Code | MCP (stdio) | Wrap + scan |\n| Cline | MCP (stdio) | Wrap + scan |\n| Windsurf | MCP (stdio) | Wrap + scan |\n| Claude Code | MCP (gateway) + hooks | Gateway routing + tool-call interception |\n| Zed | MCP (stdio) | Wrap + scan |\n| Amp | MCP (stdio) | Wrap + scan |\n| Gemini CLI | MCP (stdio) | Wrap + scan |\n| Copilot CLI | MCP (stdio) | Wrap + scan |\n| Amazon Q | MCP (stdio) | Wrap + scan |\n| Roo Code | MCP (stdio) | Wrap + scan |\n| Kilo Code | MCP (stdio) | Wrap + scan |\n| BoltAI | MCP (stdio) | Wrap + scan |\n| JetBrains | MCP (stdio) | Wrap + scan |\n| OpenCode | MCP (stdio) | Wrap + scan |\n| **OpenClaw** | **WebSocket** | **Scan only** ([details](#openclaw-support)) |\n\nAdditionally detects and audits [NanoClaw](#nanoclaw-support) mount allowlist configurations.\n\n## Installation\n\n### Quick install\n\n```bash\ncurl -fsSL https://raw.githubusercontent.com/oktsec/oktsec/main/install.sh | bash\n```\n\nInstalls the latest binary to `~/.local/bin`. 
Customize with environment variables. Review the script before piping it to a shell, and pin `VERSION` so the installed binary is reproducible rather than whatever is latest at install time:\n\n```bash\nVERSION=v0.11.0 curl -fsSL https://raw.githubusercontent.com/oktsec/oktsec/main/install.sh | bash\nINSTALL_DIR=/usr/local/bin curl -fsSL https://raw.githubusercontent.com/oktsec/oktsec/main/install.sh | bash\n```\n\n### Pre-built binaries\n\nDownload from the [releases page](https://github.com/oktsec/oktsec/releases).\n\n### From source\n\n```bash\ngo install github.com/oktsec/oktsec/cmd/oktsec@latest\n```\n\n### Docker\n\n```bash\ndocker pull ghcr.io/oktsec/oktsec:latest\ndocker run -p 8080:8080 ghcr.io/oktsec/oktsec\n```\n\nWith config and key persistence:\n\n```bash\ndocker run -p 8080:8080 \\\n  -v ./oktsec.yaml:/home/oktsec/oktsec.yaml \\\n  -v ./keys:/home/oktsec/keys \\\n  -v oktsec-data:/home/oktsec/data \\\n  ghcr.io/oktsec/oktsec serve --config /home/oktsec/oktsec.yaml\n```\n\nDocker Compose (recommended for multi-agent setups):\n\n```bash\ndocker compose up -d\n```\n\nSee [`docker-compose.yml`](docker-compose.yml) for the full example.\n\nFor using Oktsec alongside **Docker Sandboxes** (isolated micro VMs for AI agents), see the dedicated guide: [Oktsec + Docker Sandboxes](guides/docker-sandboxes.md). Oktsec supports forward proxy mode (`forward_proxy.enabled: true`) for use with Docker Sandbox's `--network-proxy` flag — all outbound HTTP traffic is scanned transparently.\n\n## Quick start\n\n### One-command setup (recommended)\n\n```bash\noktsec run\n```\n\nThat's it. If no config exists, `oktsec run` auto-discovers all MCP clients on your machine, generates a config with sensible defaults, creates Ed25519 keypairs, wraps every MCP server through the security proxy, connects Claude Code via gateway + hooks, and starts the proxy + gateway + dashboard. If a config already exists, it just starts serving. All state lives in `~/.oktsec/` (config, keys, database, secrets).\n\nOktsec starts in **observe mode** — it logs everything but blocks nothing. 
Review activity in the dashboard at `http://127.0.0.1:8080/dashboard` using the access code shown in your terminal. Restart your MCP clients (Claude Desktop, Cursor, etc.) to activate.\n\nTo enable **enforcement mode** (block malicious requests with JSON-RPC errors):\n\n```bash\noktsec run --enforce\n# or for a single server:\noktsec proxy --enforce --agent filesystem -- npx @mcp/server-filesystem /data\n```\n\nCheck deployment health at any time:\n\n```bash\noktsec doctor\n```\n\n### Step-by-step setup (if you prefer control)\n\n```bash\noktsec discover                    # See what's installed\noktsec wrap claude-desktop         # Wrap one client at a time\noktsec run                         # Auto-setup (if needed) + start proxy + dashboard\n```\n\n### Manual setup\n\n```bash\n# Generate agent keypairs\noktsec keygen --agent research-agent --agent analysis-agent --out ./keys/\n\n# Create config\ncat \u003e oktsec.yaml \u003c\u003cEOF\nversion: \"1\"\nserver:\n  port: 8080\nidentity:\n  keys_dir: ./keys\n  require_signature: true\nagents:\n  research-agent:\n    can_message: [analysis-agent]\n  analysis-agent:\n    can_message: [research-agent]\nEOF\n\n# Start the proxy\noktsec serve\n```\n\n### Send a message\n\nMessages must be signed with the sender's Ed25519 private key. 
The signature covers `from + to + content + timestamp`:\n\n```bash\ncurl -X POST http://localhost:8080/v1/message \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"from\": \"research-agent\",\n    \"to\": \"analysis-agent\",\n    \"content\": \"Summarize the quarterly report\",\n    \"signature\": \"\u003cbase64-ed25519-signature\u003e\",\n    \"timestamp\": \"2026-02-22T10:00:00Z\"\n  }'\n```\n\nResponse:\n```json\n{\n  \"status\": \"delivered\",\n  \"message_id\": \"550e8400-e29b-41d4-a716-446655440000\",\n  \"policy_decision\": \"allow\",\n  \"rules_triggered\": [],\n  \"verified_sender\": true\n}\n```\n\n## Hooks\n\nOktsec intercepts tool calls from any MCP client that supports HTTP hooks — not just MCP traffic. Every `Read`, `Write`, `Bash`, `WebSearch`, and any other tool call passes through the 255-rule security pipeline before execution.\n\n```\nClaude Code (any tool call)\n    │\n    ├── PreToolUse → POST /hooks/event → 255 rules → allow/block\n    │\n    ├── Tool executes (if allowed)\n    │\n    └── PostToolUse → POST /hooks/event → audit log\n```\n\n`oktsec run` configures hooks automatically for Claude Code. For other clients, point HTTP hooks at:\n\n```\nPOST http://127.0.0.1:9090/hooks/event\n```\n\nHeaders:\n- `X-Oktsec-Agent: \u003cagent-name\u003e` — Agent identity\n- `X-Oktsec-Client: \u003cclient-name\u003e` — Client identifier\n\nThe hooks handler runs the same scanner as the proxy pipeline and logs every tool call to the audit trail. In enforcement mode, blocked tool calls return an error before execution.\n\n### Why hooks matter\n\nMCP stdio wrapping intercepts only MCP tool calls. Hooks intercept **everything** — file reads, shell commands, web searches, code edits — any tool the client exposes. 
This gives full visibility into agent behavior regardless of protocol.\n\n## MCP gateway\n\nOktsec can run as a **Streamable HTTP MCP gateway** that fronts one or more backend MCP servers, intercepting every `tools/call` with the full security pipeline. Built on the [official MCP SDK](https://github.com/modelcontextprotocol/go-sdk) (v1, Tier 1).\n\n```bash\noktsec gateway --config ./oktsec.yaml\n```\n\nThe gateway sits between your agents and their MCP servers:\n\n```\nAgent  ──►  Oktsec Gateway  ──►  Backend MCP Server(s)\n             │\n             ├─ Rate limit\n             ├─ Agent ACL check\n             ├─ Content scan (255 rules)\n             ├─ Tool policies (spend limits, rate limits, approval)\n             ├─ Rule overrides\n             ├─ Verdict (allow/block/quarantine)\n             ├─ Audit log\n             └─ Webhook notification\n```\n\nConfigure backend MCP servers in `oktsec.yaml`:\n\n```yaml\ngateway:\n  enabled: true\n  port: 9090\n  endpoint_path: /mcp\n  scan_responses: true    # also scan what backends return\n\nmcp_servers:\n  filesystem:\n    transport: stdio\n    command: npx\n    args: [\"-y\", \"@modelcontextprotocol/server-filesystem\", \"/tmp\"]\n  github:\n    transport: http\n    url: https://api.github.com/mcp\n```\n\nFeatures:\n- **Tool discovery** — Automatically discovers and exposes tools from all backends\n- **Tool namespacing** — Conflicting tool names get prefixed (`backend_toolname`)\n- **Per-agent tool allowlists** — Restrict which tools each agent can access\n- **Per-tool policies** — Spending limits, rate limits, and approval thresholds per tool\n- **Response scanning** — Optionally scan backend responses before returning to the agent\n- **Auto-port** — Falls back to adjacent ports if the configured one is busy\n- **Embedded mode** — `oktsec run` starts proxy + gateway in a single process\n\n### Tool policies\n\nDefine per-tool spending limits, rate limits, and approval thresholds:\n\n```yaml\nagents:\n  
finance-agent:\n    tool_policies:\n      create_payment:\n        max_amount: 10000\n        daily_limit: 50000\n        require_approval_above: 5000\n        rate_limit: 10     # max calls per minute\n      read_transactions:\n        rate_limit: 100\n```\n\n### Egress policies\n\nControl outbound network access per agent and per tool. Inspired by NVIDIA NemoClaw's policy model.\n\n```yaml\nagents:\n  research-agent:\n    egress:\n      integrations: [\"github\", \"slack\"]    # Auto-load domain allowlists\n      allowed_domains: [\"arxiv.org\"]       # Additional domains\n      blocked_domains: [\"evil.com\"]        # Always blocked\n      tool_restrictions:\n        WebFetch: [\"arxiv.org\", \"api.github.com\"]  # WebFetch limited\n        Bash: []                                     # No egress for Bash\n```\n\n16 built-in integration presets: Slack, GitHub, Telegram, Discord, Jira, Linear, Notion, Stripe, OpenAI, Anthropic, Supabase, Firebase, npm, PyPI, Docker, Hugging Face. Configure from the dashboard agent detail page or YAML.\n\n## Threat Intel\n\nOptional async LLM analysis layer on top of the deterministic pipeline. Connects to any provider: Claude, OpenAI, Gemini, Ollama, OpenRouter, Groq, Together, or any OpenAI-compatible endpoint.\n\nWhen the pipeline detects something suspicious — a content scan with findings, an intent mismatch, a pattern of escalation — the triage module samples the message and enqueues it for background analysis. The selected model generates a case that appears in the dashboard. The operator reviews it, dismisses it, or confirms it. If confirmed, the system proposes a new detection rule that can be approved or rejected from the rules panel.\n\nKey design constraint: **never blocks, never makes verdict decisions.** The deterministic pipeline handles all real-time decisions. 
The LLM layer only generates investigation cases for human review.\n\n```yaml\nllm:\n  enabled: true\n  provider: openai          # openai, claude, webhook\n  model: gpt-4o-mini        # any model the provider supports\n  api_key_env: OPENAI_API_KEY\n  triage:\n    sample_rate: 0.05        # sample 5% of flagged messages\n  budget:\n    daily_limit: 20          # USD\n    monthly_limit: 500\n```\n\nFeatures:\n- **Multi-provider** — OpenAI-compatible (Ollama, Groq, Together, Azure, LM Studio, vLLM), Anthropic Claude, custom webhook\n- **Fallback provider** — Secondary LLM on primary failure\n- **Budget controls** — Daily and monthly spending caps with hard limits\n- **Triage pre-filter** — Sample rate, sensitive keyword detection, new agent pair detection\n- **Rule generation** — LLM proposes rules with pattern, category, severity for human approval\n\n## OpenClaw support\n\n[OpenClaw](https://github.com/openclaw/openclaw) is the largest AI agent platform (300K+ users, 140K GitHub stars). It gives agents access to filesystem, shell, email, calendar, browser, and messaging channels (WhatsApp, Telegram, Slack, Discord). CrowdStrike documents it as \"a powerful AI backdoor agent capable of taking orders from adversaries.\" Every DM is a prompt injection vector.\n\n**OpenClaw does not use MCP.** It has its own WebSocket gateway (`ws://127.0.0.1:18789`) and JSON5 config at `~/.openclaw/openclaw.json`. Oktsec detects, parses, and analyzes OpenClaw installations with a dedicated scanner.\n\n### Scan an OpenClaw installation\n\n```bash\noktsec scan-openclaw\noktsec scan-openclaw --path ~/.openclaw/openclaw.json\n```\n\nOutput:\n```\nScanning OpenClaw installation: /home/user/.openclaw/openclaw.json\n\n  Risk Level: CRITICAL\n\n  [!] tools.profile is \"full\" with no deny list — agents have unrestricted tool access\n  [!] gateway.bind is \"0.0.0.0\" — WebSocket gateway exposed to network\n  [!] 
dmPolicy is \"open\" — any external message can reach agents (prompt injection vector)\n  [!] messaging channels configured (slack, telegram) — each is a prompt injection attack surface\n  [!] no agents have sandbox enabled — all agents run with full host access\n\n────────────────────────────────────────────────────────────\n\nSummary:\n  Config risk:     CRITICAL\n  Risk factors:    5\n  Workspace files: 2 scanned\n  Content issues:  3 finding(s)\n```\n\n### Risk checks\n\nThe risk assessor checks 7 patterns:\n\n| Check | Severity | Trigger |\n|-------|----------|---------|\n| Full tool profile | Critical | `tools.profile == \"full\"` without deny list |\n| Exec without sandbox | Critical | `exec`/`shell` in tools.allow, no sandboxed agents |\n| Path traversal in $include | Critical | `..` in `$include` paths |\n| Exposed gateway | High | `gateway.bind` is `0.0.0.0`, `lan`, or `::` |\n| Open DM policy | High | `dmPolicy == \"open\"` |\n| No sandbox | High | No agents have `sandbox: true` |\n| Messaging channels | Medium | Any channels configured (attack surface) |\n\n### OpenClaw detection rules\n\n7 dedicated rules in the `openclaw-config` category:\n\n| Rule | Severity | Description |\n|------|----------|-------------|\n| `OCLAW-001` | Critical | Full tool profile without restrictions |\n| `OCLAW-002` | High | Gateway exposed to network |\n| `OCLAW-003` | High | Open DM policy |\n| `OCLAW-004` | Critical | Exec/shell tool without sandbox |\n| `OCLAW-005` | Critical | Path traversal in `$include` |\n| `OCLAW-006` | High | Gateway missing authentication |\n| `OCLAW-007` | High | Hardcoded credentials in config |\n\n### Why wrap doesn't work for OpenClaw\n\nMCP clients use stdio — oktsec can wrap the command and intercept JSON-RPC traffic. OpenClaw uses a WebSocket gateway, so the wrapping model doesn't apply. 
Running `oktsec wrap openclaw` returns a clear error pointing to `scan-openclaw` instead.\n\n## NanoClaw support\n\n[NanoClaw](https://github.com/nanoclaw/nanoclaw) is a lightweight alternative to OpenClaw focused on filesystem access for AI agents. It uses a mount allowlist (`~/.config/nanoclaw/mount-allowlist.json`) to control which directories agents can read and write.\n\nOktsec auto-detects NanoClaw installations and audits them for security misconfigurations:\n\n```bash\noktsec discover    # Detects NanoClaw automatically\noktsec audit       # Includes NanoClaw checks\n```\n\n### NanoClaw checks\n\n6 checks in the deployment audit:\n\n| Check | Severity | Trigger |\n|-------|----------|---------|\n| NC-MNT-001 | Critical | Mount allowlist missing or unparseable |\n| NC-MNT-002 | High | `nonMainReadOnly` is false (write access to all mounts) |\n| NC-MNT-003 | Critical | Dangerous root paths (`/`, `~`, `$HOME`) in allowlist |\n| NC-MNT-004 | Medium | No blocked file patterns configured |\n| NC-SEC-001 | High | Allowlist file has loose permissions |\n| NC-MNT-005 | High | `allowReadWrite` on sensitive paths (`/etc`, `/var`, `~`) |\n\n## Onboarding flow\n\n### Discover\n\nScans your machine for MCP server configurations, OpenClaw, and NanoClaw installations:\n\n```bash\noktsec discover\n```\n\nOutput:\n```\nFound 2 MCP configuration(s):\n\n  Cursor  /home/user/.cursor/mcp.json\n    ├── filesystem           npx -y @mcp/server-filesystem /data\n    ├── database             node ./db-server.js\n    └── github               npx -y @mcp/server-github\n\n  OpenClaw  /home/user/.openclaw/openclaw.json\n    ├── openclaw-gateway     openclaw gateway 0.0.0.0\n    ├── assistant            openclaw agent assistant\n    └── channel-slack        openclaw channel slack\n\n  OpenClaw risk: CRITICAL\n    [!] tools.profile is \"full\" with no deny list — agents have unrestricted tool access\n    [!] 
no agents have sandbox enabled — all agents run with full host access\n\n  Run 'oktsec scan-openclaw' for full analysis.\n\n  NanoClaw  ~/.config/nanoclaw/mount-allowlist.json\n    └── mount-allowlist   6 paths configured\n\nTotal: 6 MCP servers across 3 clients\n\nRun 'oktsec run' to generate configuration and start observing.\n```\n\nSupported clients: Claude Desktop, Cursor, VS Code, Cline, Windsurf, Claude Code, Zed, Amp, Gemini CLI, Copilot CLI, Amazon Q, Roo Code, Kilo Code, BoltAI, JetBrains, OpenCode, OpenClaw.\n\n### Init\n\n`oktsec run` auto-generates config and Ed25519 keypairs for each discovered server on first launch. For manual control:\n\n```bash\noktsec run                         # Auto-generates config at ~/.oktsec/config.yaml if missing\noktsec run --config ./oktsec.yaml  # Use a specific config path\n```\n\nEach server is auto-classified by risk level based on its capabilities:\n- **Critical** — database, postgres, mysql, sqlite, mongo, redis\n- **High** — filesystem, git, github, browser, puppeteer, playwright, openclaw\n- **Medium** — slack, discord, email, messaging\n- **Unknown** — everything else (defaults to observe)\n\n### Wrap / Unwrap\n\nModifies MCP client configs to route server traffic through `oktsec proxy`:\n\n```bash\noktsec wrap cursor                # Observe mode (log only)\noktsec wrap --enforce cursor      # Enforcement mode (block malicious requests)\noktsec unwrap cursor              # Restore original client config\n```\n\nBefore wrap:\n```json\n{ \"command\": \"npx\", \"args\": [\"-y\", \"@mcp/server-filesystem\", \"/data\"] }\n```\n\nAfter wrap:\n```json\n{ \"command\": \"oktsec\", \"args\": [\"proxy\", \"--agent\", \"filesystem\", \"--\", \"npx\", \"-y\", \"@mcp/server-filesystem\", \"/data\"] }\n```\n\nWith `--enforce`:\n```json\n{ \"command\": \"oktsec\", \"args\": [\"proxy\", \"--agent\", \"filesystem\", \"--enforce\", \"--\", \"npx\", \"-y\", \"@mcp/server-filesystem\", \"/data\"] }\n```\n\n### Stdio proxy\n\nThe 
`proxy` command wraps an MCP server process, intercepting its JSON-RPC 2.0 stdio traffic. Every message is scanned through the Aguara engine and logged to the audit trail:\n\n```bash\noktsec proxy --agent filesystem -- npx @mcp/server-filesystem /data\noktsec proxy --enforce --agent database -- node ./db-server.js\n```\n\nIn **observe mode** (default), all messages are forwarded regardless of scan results. In **enforcement mode** (`--enforce`), blocked client→server requests are not forwarded — instead, a JSON-RPC 2.0 error response is injected back to the client:\n\n```json\n{\"jsonrpc\":\"2.0\",\"id\":42,\"error\":{\"code\":-32600,\"message\":\"blocked by oktsec: IAP-001\"}}\n```\n\nServer→client responses are scanned and logged but always forwarded, even in enforcement mode; only client→server requests can be blocked by the stdio proxy. This is what `oktsec wrap` configures automatically for each server.\n\n## Deployment audit\n\nThe `audit` command checks your oktsec deployment and any detected agent platforms for security misconfigurations. It runs checks across Oktsec, OpenClaw, NanoClaw, and discovered MCP servers, and outputs a health score with remediation guidance:\n\n```bash\noktsec audit\noktsec audit --json\noktsec audit --sarif    # SARIF v2.1.0 for CI integration\n```\n\nOutput:\n```\nDeployment Security Audit\n═════════════════════════\n\n  Health Score: 72 / 100 (Grade: C)\n\n  Oktsec (16 checks)\n  ──────────────────\n  [CRITICAL] require_signature is false — messages accepted without verification\n             Fix: Set identity.require_signature: true in oktsec.yaml\n\n  [HIGH]     default_policy is \"allow\" — unknown agents can send messages\n             Fix: Set default_policy: deny in oktsec.yaml\n\n  OpenClaw (18 checks)\n  ────────────────────\n  [CRITICAL] tools.profile is \"full\" with no deny list\n             Fix: openclaw config set tools.profile restricted\n\n  Summary: 2 critical, 3 high, 1 medium, 35 passed\n```\n\nThe `status` command provides a quick health summary:\n\n```bash\noktsec status\n```\n\n## MCP server 
mode\n\nOktsec can run as an MCP tool server, giving AI agents direct access to security operations:\n\n```bash\noktsec mcp --config ./oktsec.yaml\n```\n\nAdd to your MCP client config:\n```json\n{\n  \"mcpServers\": {\n    \"oktsec\": {\n      \"command\": \"oktsec\",\n      \"args\": [\"mcp\", \"--config\", \"./oktsec.yaml\"]\n    }\n  }\n}\n```\n\nAvailable tools (6):\n\n| Tool | Description |\n|---|---|\n| `scan_message` | Scan content for prompt injection, credential leaks, PII, and 255 threat patterns |\n| `list_agents` | List all agents with their ACLs and content restrictions |\n| `audit_query` | Query the audit log with filters (status, agent, limit) |\n| `get_policy` | Get the security policy for a specific agent |\n| `verify_agent` | Verify an Ed25519 signature from an agent using their registered public key |\n| `review_quarantine` | List, inspect, approve, or reject quarantined messages |\n\n## Dashboard\n\nReal-time web UI for monitoring agent activity. Protected by a GitHub-style local access code.\n\n```bash\noktsec run\n```\n\n```\n  oktsec\n  ────────────────────────────────────────\n  API:        http://127.0.0.1:8080/v1/message\n  Dashboard:  http://127.0.0.1:8080/dashboard\n  Health:     http://127.0.0.1:8080/health\n  ────────────────────────────────────────\n  Access code:  48291057\n  ────────────────────────────────────────\n  Mode: observe  |  Agents: 6\n```\n\nThe access code is generated fresh each time the server starts. Sessions expire after 8 hours. The server binds to `127.0.0.1` by default (localhost only). 
Use `--bind 0.0.0.0` to expose it on the network; the access code is then the only barrier to the dashboard, so front it with TLS and your own authentication (for example an authenticating reverse proxy) before doing so.\n\n### Pages\n\n- **Overview** — Hero stats, pipeline health bar, live event feed (SSE) alongside security status, activity sparkline, top threats and agent risk.\n- **Events** — Audit log with latency and rules columns, tab filters (All / Quarantine / Blocked), search, event detail with pipeline summary bar, JSON syntax highlighting, full audit chain.\n- **Notifications** — Webhook channel CRUD, alert configuration summary, alert history with delivery status.\n- **Agents** — Card grid with risk scores, message counts, key status. Add Agent form at top. Detail page with communication partners, recent messages, LLM threat intelligence, tool policies.\n- **Rules** — Category card grid with severity breakdown, drill-down to individual rules, per-rule enforcement overrides, per-category webhook triggers, custom rule creation, LLM-suggested rules.\n- **Rule Detail** — Patterns, examples, inline test sandbox, enforcement override.\n- **Security Posture** — Deployment audit: health score and grade, per-product findings (Oktsec, OpenClaw, MCP Servers), AI-enhanced analysis banner, remediation guidance, SARIF export.\n- **Graph** — Agent communication topology with deterministic layout, node threat scores (betweenness centrality), edge health, shadow edge detection.\n- **AI Analysis** — LLM threat cases with confirm/dismiss workflow, triage configuration, provider test connection, budget tracking, rule generation.\n- **Gateway** — Backend MCP server CRUD, gateway configuration, tool discovery, health checks.\n- **Settings** — Single-page layout with Security (mode, policy, server info), Protection (quarantine, behavior monitoring, rate limiting, intent validation), and Advanced (egress proxy) sections.\n- **Sessions** — Session inventory with search, threat filters, and trace timeline.\n\n### Sessions\n\nTrack and analyze agent sessions across time. 
Sessions are grouped by MCP session ID with aggregated stats.\n\n- **Session inventory** — `/dashboard/sessions` page with search, threat filter (All / With threats / Clean), JSON/CSV export\n- **Session trace** — Timeline of tool calls per session with 2-column layout: timeline left, AI analysis right\n- **AI session analysis** — One-click analysis via Claude or OpenAI. Identifies threat actors, assesses risk level, recommends specific actions with links to dashboard pages. Persisted as audit evidence with model name and timestamp\n- **Agent sessions** — Agent detail page shows related sessions with risk scores\n\n### Quarantine queue\n\nMessages triggering high-severity rules are held for human review. Quarantined messages return HTTP 202 with a `quarantine_id`. Reviewers can approve or reject from the dashboard, CLI, or MCP tool. Items auto-expire after a configurable period.\n\n```bash\noktsec quarantine list                         # List pending items\noktsec quarantine detail \u003cid\u003e                  # View full content and triggered rules\noktsec quarantine approve \u003cid\u003e --reviewer ops  # Approve and deliver\noktsec quarantine reject \u003cid\u003e --reviewer ops   # Reject permanently\n```\n\n## Agent identity\n\nEvery agent gets an Ed25519 keypair:\n\n```bash\noktsec keygen --agent my-agent --out ./keys/\n# Creates: keys/my-agent.key (private, stays with the agent)\n#          keys/my-agent.pub (public, copied to the proxy)\n```\n\nThe proxy loads all `.pub` files from the configured `keys_dir` at startup. When a message arrives:\n\n1. Look up the sender's public key\n2. Verify the signature covers `from + to + content + timestamp`\n3. If invalid: reject (403), no further processing\n4. 
If valid: continue to ACL check and content scan\n\nSigning is ~50us, verification is ~120us.\n\n### Key management\n\n```bash\noktsec keys list                                # List all registered keypairs\noktsec keys rotate --agent my-agent             # Generate new keypair, revoke old\noktsec keys revoke --agent my-agent             # Revoke without replacement\n```\n\n### Gradual onboarding\n\nSet `require_signature: false` to deploy Oktsec as a content scanner first. Messages without signatures are accepted but logged as `verified_sender: false`. Enable signatures when ready.\n\n## Configuration\n\nConfig resolution (first match wins):\n\n1. `--config` flag (explicit path)\n2. `$OKTSEC_CONFIG` environment variable\n3. `./oktsec.yaml` (backward compatibility)\n4. `~/.oktsec/config.yaml` (default)\n\n```yaml\nversion: \"1\"\n\nserver:\n  port: 8080\n  bind: 127.0.0.1         # Default: localhost only\n  log_level: info          # debug, info, warn, error\n  require_intent: false    # Enable intent validation (stage 6)\n\nidentity:\n  keys_dir: ./keys         # Directory with .pub files\n  require_signature: true  # Reject unsigned messages\n\ndefault_policy: deny       # \"allow\" (default) or \"deny\" — reject unknown senders\n\ncustom_rules_dir: ./custom-rules  # Directory for org-specific YAML detection rules\n\nagents:\n  research-agent:\n    can_message: [analysis-agent]        # ACL: allowed recipients\n    blocked_content: [credentials, pii]  # Content categories to always block for this agent\n    allowed_tools: [read_file, search]   # MCP tool allowlist (empty = all allowed)\n    description: \"Research and data gathering\"\n    tags: [research, data]\n    tool_policies:\n      create_payment:\n        max_amount: 10000                # Max single-call amount\n        daily_limit: 50000               # Max daily aggregate\n        require_approval_above: 5000     # Quarantine if above threshold\n        rate_limit: 10                   # Max calls per 
minute\n  analysis-agent:\n    can_message: [research-agent, reporting-agent]\n    suspended: false                     # Set to true to reject all messages\n\nquarantine:\n  enabled: true\n  expiry_hours: 24         # Auto-expire pending items\n  retention_days: 30       # Auto-purge audit entries older than N days (0 = keep forever)\n\nrate_limit:\n  per_agent: 100           # Max messages per window (0 = disabled)\n  window: 60               # Window size in seconds\n\nanomaly:\n  check_interval: 60       # Seconds between risk checks\n  risk_threshold: 50       # Risk score (0-100) to trigger alert\n  min_messages: 5          # Minimum messages before evaluating risk\n  auto_suspend: false      # Suspend agent when threshold exceeded\n\nforward_proxy:\n  enabled: false\n  scan_requests: true        # Scan outgoing request bodies\n  scan_responses: false      # Scan upstream response bodies\n  max_body_size: 1048576     # 1 MB\n  allowed_domains: []        # Whitelist (empty = all allowed)\n  blocked_domains: []        # Blacklist (takes precedence)\n\ngateway:\n  enabled: true\n  port: 9090\n  endpoint_path: /mcp\n  scan_responses: true       # Scan backend responses\n\nmcp_servers:\n  filesystem:\n    transport: stdio\n    command: npx\n    args: [\"-y\", \"@modelcontextprotocol/server-filesystem\", \"/tmp\"]\n\nllm:\n  enabled: false\n  provider: openai           # openai, claude, webhook\n  model: gpt-4o-mini\n  api_key_env: OPENAI_API_KEY\n  triage:\n    sample_rate: 0.05\n  budget:\n    daily_limit: 20\n    monthly_limit: 500\n\nrules:                       # Per-rule enforcement overrides\n  - id: block-relay-injection\n    severity: critical\n    action: block           # block, quarantine, allow-and-flag, ignore\n    notify: [slack-security] # Named channels or raw URLs\n    template: \"🚨 *{{RULE}}* — {{RULE_NAME}}\\n• *Severity:* {{SEVERITY}} | *Category:* {{CATEGORY}}\\n• *Agents:* {{FROM}} → {{TO}}\\n• *Match:* '{{MATCH}}'\"\n\ncategory_webhooks:     
      # Default webhooks for entire categories (rules inherit these)\n  - category: credential-leak\n    notify: [slack-security]\n  - category: prompt-injection\n    notify: [slack-security]\n\nwebhooks:\n  - name: slack-security    # Named channel (referenced in rules.notify)\n    url: https://hooks.slack.com/services/xxx\n    events: [blocked, quarantined, agent_risk_elevated]\n```\n\nValidate your config:\n```bash\noktsec verify --config oktsec.yaml\n```\n\n## Detection rules\n\nOktsec includes **255 detection rules** across 17 categories:\n\n| Source | Count | Categories |\n|--------|-------|------------|\n| [Aguara](https://github.com/garagon/aguara) built-in | 187 | prompt-injection, credential-leak, exfiltration, command-execution, mcp-attack, mcp-config, supply-chain, supply-chain-exfil, ssrf-cloud, indirect-injection, unicode-attack, third-party-content, external-download |\n| Inter-agent protocol (IAP) | 17 | inter-agent (includes IAP-016/017 for CVE exploit transfer) |\n| IPI Arena (IPI) | 13 | inter-agent (from [arXiv:2603.15714](https://arxiv.org/abs/2603.15714)) |\n| Container escape (CE) | 12 | container-escape (from [SandboxEscapeBench](https://arxiv.org/abs/2603.02277)) |\n| Tool-call (TC) | 11 | tool-call (includes TC-011 persistence detection) |\n| OpenClaw (OCLAW) | 15 | openclaw-config |\n\n### Inter-agent protocol rules\n\n| Rule | Severity | Description |\n|------|----------|-------------|\n| `IAP-001` | Critical | Relay injection (agent-to-agent hijacking) |\n| `IAP-002` | High | PII in agent messages |\n| `IAP-003` | Critical | Credentials in agent messages |\n| `IAP-004` | High | System prompt extraction via agent |\n| `IAP-005` | High | Privilege escalation between agents |\n| `IAP-006` | High | Data exfiltration via agent relay |\n| `IAP-007` | Critical | Tool description prompt injection |\n| `IAP-008` | Critical | Tool description data exfiltration |\n| `IAP-009` | High | Tool description privilege escalation |\n| `IAP-010` | High | 
Tool description shadowing |\n| `IAP-011` | Critical | Tool description hidden commands |\n| `IAP-012` | High | Tool name typosquatting |\n| `IAP-013` | High | Authority impersonation with urgent action |\n| `IAP-014` | Critical | Sensitive data transfer to external endpoint |\n| `IAP-015` | High | Elevated privilege request for production |\n| `IAP-016` | High | CVE exploit knowledge transfer between agents |\n| `IAP-017` | High | Container escape instruction transfer |\n\n### Container escape rules\n\n12 rules derived from the [SandboxEscapeBench](https://arxiv.org/abs/2603.02277) paper (UK AI Security Institute). Detect reconnaissance and exploitation patterns frontier models use to escape Docker containers.\n\n| Rule | Severity | Description |\n|------|----------|-------------|\n| `CE-001` | High | Docker socket probe |\n| `CE-002` | Medium | Capability enumeration |\n| `CE-003` | High | Host filesystem probe |\n| `CE-004` | Critical | Cgroup escape preparation |\n| `CE-005` | Medium | Kernel recon with exploit context |\n| `CE-006` | High | Namespace escape attempt |\n| `CE-007` | Critical | Privileged container abuse |\n| `CE-008` | Critical | Runc exploit pattern (CVE-2019-5736) |\n| `CE-009` | High | Kernel module injection |\n| `CE-010` | High | eBPF exploitation |\n| `CE-011` | Critical | Docker API abuse |\n| `CE-012` | Critical | Kernel memory exploit signatures (Dirty Pipe/COW) |\n\n### Tool-call rules\n\n| Rule | Severity | Description |\n|------|----------|-------------|\n| `TC-001` | Critical | Path traversal in tool arguments |\n| `TC-002` | High | Sensitive file access attempt |\n| `TC-003` | Critical | Write to system directory |\n| `TC-004` | Critical | SSRF via fetch tool |\n| `TC-005` | Critical | Shell injection in tool arguments |\n| `TC-006` | High | Credential pattern in tool content |\n| `TC-007` | Medium | Bulk directory enumeration |\n| `TC-008` | High | Suspicious URL pattern in fetch |\n| `TC-009` | High | Scope escape via absolute 
path |\n| `TC-010` | Medium | Excessive file content in write |\n| `TC-011` | Critical | Persistence mechanism installation (systemd, crontab, sysmon) |\n\n### OpenClaw rules\n\n15 rules in the `openclaw-config` category (OCLAW-001 through OCLAW-015), covering full tool profiles, exposed gateways, open DM policies, exec without sandbox, path traversal, missing authentication, hardcoded credentials, and more.\n\n```bash\noktsec rules                     # List all 255 rules\noktsec rules --explain CE-004    # Explain a container escape rule\noktsec rules --explain IAP-001   # Explain a specific rule\noktsec rules --explain TC-001    # Explain a tool-call rule\noktsec rules --explain OCLAW-001 # Explain an OpenClaw rule\n```\n\nAdditionally, the [deployment audit](#deployment-audit) runs 41 deeper checks (18 for OpenClaw, 7 for NanoClaw, 16 for Oktsec) that analyze config structure, permissions, and runtime settings.\n\n## Audit log\n\nEvery message is logged to SQLite (`oktsec.db`) with:\n- Content hash (SHA-256)\n- Signature verification status\n- Public key fingerprint\n- Policy decision\n- Rules triggered\n- Latency\n- Hash chain link (tamper-evident)\n\n```bash\noktsec logs                          # Last 50 entries\noktsec logs --status blocked         # Only blocked messages\noktsec logs --unverified             # Messages without valid signature\noktsec logs --agent research-agent   # Filter by agent\noktsec logs --since 1h              # Last hour\n```\n\n### Performance\n\nAnalytics queries use a 24-hour time window with covering indexes. 
All dashboard queries complete in under 10ms regardless of total database size.\n\n| Metric | Value |\n|--------|-------|\n| Write throughput | ~90K inserts/sec (batched) |\n| Query latency | \u003c6ms (at 1M+ rows) |\n| DB size | ~400 MB per 1M entries |\n\n## Observability\n\n### Prometheus metrics\n\nOktsec exposes Prometheus metrics at `GET /metrics`:\n\n| Metric | Type | Description |\n|--------|------|-------------|\n| `messages_total` | Counter | Messages processed (by verdict, agent) |\n| `message_latency` | Histogram | Pipeline processing latency |\n| `rules_triggered` | Counter | Rule matches (by rule_id) |\n| `llm_analysis_total` | Counter | LLM analyses performed (by provider) |\n| `llm_analysis_latency` | Histogram | LLM response latency |\n| `llm_tokens_used` | Counter | Token consumption (by provider) |\n| `llm_budget_spent` | Counter | Spending tracking (by provider) |\n| `llm_queue_depth` | Gauge | Current analysis queue length |\n\n### SARIF export\n\nExport deployment audit findings in SARIF v2.1.0 for CI integration:\n\n```bash\noktsec audit --sarif \u003e results.sarif\n```\n\n### CSV / JSON export\n\nExport audit trail from the dashboard or CLI:\n\n```bash\n# From dashboard: GET /dashboard/api/export/csv\n# From dashboard: GET /dashboard/api/export/json\n```\n\n## CLI reference\n\n```\noktsec run [--port N] [--bind ADDR] [--enforce] [--skip-wrap]  # Auto-setup + serve (recommended)\noktsec doctor                                            # Check deployment health (config, secrets, DB, keys, port, rules)\noktsec discover                                          # Scan for MCP servers, OpenClaw, NanoClaw\noktsec wrap [--enforce] [--all | \u003cclient\u003e]               # Route MCP client(s) through oktsec proxy\noktsec unwrap \u003cclient\u003e                                   # Restore original client config\noktsec connect \u003cserver\u003e                                  # Register MCP server with gateway\noktsec disconnect 
\u003cserver\u003e                               # Unregister MCP server from gateway\noktsec scan-openclaw [--path ~/.openclaw/openclaw.json]  # Analyze OpenClaw installation\noktsec proxy [--enforce] --agent \u003cname\u003e -- \u003ccmd\u003e [args]  # Stdio proxy for single MCP server\noktsec serve [--config oktsec.yaml] [--port 8080] [--bind 127.0.0.1]  # Start proxy + dashboard\noktsec gateway [--config oktsec.yaml]                    # Start gateway (standalone)\noktsec mcp [--config oktsec.yaml]                        # Run as MCP tool server\noktsec keygen --agent \u003cname\u003e [--agent \u003cname\u003e...] --out \u003cdir\u003e\noktsec keys list|rotate|revoke [--agent \u003cname\u003e]\noktsec verify [--config oktsec.yaml]                     # Validate config file\noktsec logs [--status \u003cstatus\u003e] [--agent \u003cname\u003e] [--unverified] [--since \u003cduration\u003e]\noktsec rules [--explain \u003crule-id\u003e]\noktsec quarantine list|detail|approve|reject [--status \u003cstatus\u003e] [\u003cid\u003e]\noktsec agent list                                        # List agents with status\noktsec agent suspend \u003cname\u003e                              # Suspend an agent\noktsec agent unsuspend \u003cname\u003e                            # Unsuspend an agent\noktsec audit [--json] [--sarif]                          # Deployment security audit (41 checks)\noktsec status                                            # Health score, detected products, top issues\noktsec enforce [on|off]                                  # Toggle enforce/observe mode\noktsec env [list|set|unset]                              # Manage environment variables\noktsec version\n```\n\n## API\n\n### `POST /v1/message`\n\nSend a message through the proxy.\n\n| Field | Type | Required | Description |\n|---|---|---|---|\n| `from` | string | yes | Sender agent name |\n| `to` | string | yes | Recipient agent name |\n| `content` | string | yes | Message content |\n| `signature` 
| string | no* | Base64 Ed25519 signature |\n| `timestamp` | string | no | RFC3339 timestamp |\n| `metadata` | object | no | Arbitrary key-value pairs |\n\n*Required when `require_signature: true`\n\n### `GET /v1/quarantine/{id}`\n\nPoll quarantine status for a held message.\n\n### `POST /hooks/event`\n\nSubmit a tool-call event for scanning. Used by MCP client hooks.\n\n### `GET /health`\n\nReturns `{\"status\": \"ok\", \"version\": \"0.11.0\"}`.\n\n### `GET /metrics`\n\nPrometheus metrics endpoint.\n\n### `GET /dashboard`\n\nWeb UI for monitoring agent activity. Protected by access code shown at startup.\n\n## Go SDK\n\nThe `sdk` package provides a Go client for sending messages through the oktsec proxy:\n\n```go\nimport (\n    \"context\"\n\n    \"github.com/oktsec/oktsec/sdk\"\n)\n\nctx := context.Background()\n\n// Without signing (observe mode)\nc := sdk.NewClient(\"http://localhost:8080\", \"my-agent\", nil)\nresp, err := c.SendMessage(ctx, \"recipient\", \"hello\")\n// resp.Status: \"delivered\", resp.PolicyDecision: \"allow\", resp.RulesTriggered: [...]\n\n// With Ed25519 signing (reassigns the client and response declared above)\nkp, _ := sdk.LoadKeypair(\"./keys\", \"my-agent\")\nc = sdk.NewClient(\"http://localhost:8080\", \"my-agent\", kp.PrivateKey)\nresp, err = c.SendMessage(ctx, \"recipient\", \"hello\")\n\n// With metadata\nresp, err = c.SendMessageWithMetadata(ctx, \"recipient\", \"hello\", map[string]string{\n    \"task_id\": \"abc-123\",\n})\n\n// Health check\nhealth, err := c.Health(ctx)\n```\n\nInstall: `go get github.com/oktsec/oktsec/sdk`\n\n### Python SDK\n\nPublished on [PyPI](https://pypi.org/project/oktsec/) as `oktsec`:\n\n```bash\npip install oktsec\n```\n\n```python\nfrom oktsec import OktsecClient\n\nclient = OktsecClient(\"http://localhost:8080\", \"my-agent\")\nresp = await client.send_message(\"recipient\", \"hello\")\n\n# With Ed25519 signing\nclient = OktsecClient(\"http://localhost:8080\", \"my-agent\", key_path=\"./keys/my-agent.key\")\n```\n\n## OWASP Top 10 for Agentic Applications\n\nOktsec is aligned with the [OWASP Top 10 for 
Agentic Applications](https://genai.owasp.org/resource/owasp-top-10-for-agentic-applications/):\n\n| # | Category | Coverage | How |\n|---|----------|----------|-----|\n| ASI01 | Excessive Agency / Goal Hijack | **Strong** | Multi-message verdict escalation, content scanning, intent validation, LLM threat analysis |\n| ASI02 | Tool Misuse | **Strong** | Stdio enforcement, BlockedContent per-agent, rate limiting, tool-call rules, tool policies |\n| ASI03 | Privilege Escalation | **Strong** | Ed25519 identity, default-deny policy, ACLs, per-agent tool allowlists |\n| ASI04 | Supply Chain | **Strong** | Dependency auditing (OSV.dev), egress sandboxing, rug-pull detection, Aguara SC-EX rules, TC-002 credential coverage |\n| ASI05 | Unsafe Code Execution | **Strong** | Stdio enforcement blocks tool calls, tool-call rules (TC-001–TC-010), hooks interception |\n| ASI07 | Inter-Agent Communication | **Strong** | Signed messages, ACLs, content scanning, hash-chained audit trail, graph analysis |\n| ASI10 | Rogue Agents | **Strong** | Agent suspension, rate limiting, anomaly detection, auto-suspend, LLM triage |\n\n## Built on\n\n- **[Aguara](https://github.com/garagon/aguara)** — Security scanner for AI agent skills and supply chain threats (187 detection rules, context-aware scanning, supply chain exfiltration detection, incident response commands)\n- **[MCP Go SDK](https://github.com/modelcontextprotocol/go-sdk)** — Official Tier 1 Go SDK for Model Context Protocol (v1, Linux Foundation governance, semver stability)\n- **Go stdlib** — `crypto/ed25519`, `net/http`, `log/slog`, `crypto/sha256`\n- **[modernc.org/sqlite](https://pkg.go.dev/modernc.org/sqlite)** — Pure Go SQLite (no CGO)\n- **[prometheus/client_golang](https://github.com/prometheus/client_golang)** — Prometheus metrics\n\n## Contributing\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, code style, and pull request process.\n\nFor security vulnerabilities, see [SECURITY.md](SECURITY.md).\n\n## 
License\n\nApache License 2.0. See [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foktsec%2Foktsec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Foktsec%2Foktsec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Foktsec%2Foktsec/lists"}