{"id":32009924,"url":"https://github.com/thirdkeyai/symbiont","last_synced_at":"2026-04-14T02:00:41.224Z","repository":{"id":305801342,"uuid":"1017091274","full_name":"ThirdKeyAI/Symbiont","owner":"ThirdKeyAI","description":"Rust-native runtime for executing AI agents and tools under explicit policy, identity, and audit controls.","archived":false,"fork":false,"pushed_at":"2026-04-10T04:28:12.000Z","size":3496,"stargazers_count":40,"open_issues_count":0,"forks_count":7,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-10T06:28:58.303Z","etag":null,"topics":["agent","agentic-ai","agentic-ai-development","agents","ai","framework","rust","sandbox","secure","symbi","symbiont"],"latest_commit_sha":null,"homepage":"https://docs.symbiont.dev","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ThirdKeyAI.png","metadata":{"files":{"readme":"README.de.md","changelog":"CHANGELOG.md","contributing":"docs/contributing.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":"AGENTS.md","dco":null,"cla":null}},"created_at":"2025-07-10T02:41:22.000Z","updated_at":"2026-04-10T04:28:16.000Z","dependencies_parsed_at":"2025-07-22T05:23:42.308Z","dependency_job_id":"b90769f4-fdc4-4230-8b07-50fc03ff1384","html_url":"https://github.com/ThirdKeyAI/Symbiont","commit_stats":null,"previous_names":["thirdkeyai/symbiont"],"tags_count":21,"template":false,"template_full_name":null,"purl":"pkg:github/ThirdKeyAI/Symbiont","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThirdKeyAI%2FSymbiont","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThirdKeyAI%2FSymbiont/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThirdKeyAI%2FSymbiont/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThirdKeyAI%2FSymbiont/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ThirdKeyAI","download_url":"https://codeload.github.com/ThirdKeyAI/Symbiont/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ThirdKeyAI%2FSymbiont/sbom","scorecard":{"id":756946,"data":{"date":"2025-08-10T20:01:40Z","repo":{"name":"github.com/ThirdKeyAI/Symbiont","commit":"91c88a39bea35b448f31084aa781b2daa7c777d3"},"scorecard":{"version":"v5.1.1","commit":"cd152cb6742c5b8f2f3d2b5193b41d9c50905198"},"score":5,"checks":[{"name":"Code-Review","score":0,"reason":"Found 0/26 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#code-review"}},{"name":"Maintained","score":0,"reason":"project was created in last 90 days. please review its contents carefully","details":["Warn: Repository was created in last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#maintained"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":9,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/docker-build.yml:18","Info: jobLevel 'contents' permission set to 'read': .github/workflows/security-check.yml:17","Info: jobLevel 'packages' permission set to 'read': .github/workflows/security-check.yml:18","Warn: no topLevel permission defined: .github/workflows/docker-build.yml:1","Info: topLevel 'contents' permission set to 'read': .github/workflows/docs.yml:14","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:18","Warn: no topLevel permission defined: .github/workflows/security-check.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#token-permissions"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dangerous-workflow"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#security-policy"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#license"}},{"name":"CII-Best-Practices","score":2,"reason":"badge detected: InProgress","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#cii-best-practices"}},{"name":"Pinned-Dependencies","score":1,"reason":"dependency not pinned by hash detected -- score normalized to 1","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker-build.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/ThirdKeyAI/Symbiont/docker-build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-build.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/ThirdKeyAI/Symbiont/docker-build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-build.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/ThirdKeyAI/Symbiont/docker-build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-build.yml:49: update your workflow using https://app.stepsecurity.io/secureworkflow/ThirdKeyAI/Symbiont/docker-build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker-build.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/ThirdKeyAI/Symbiont/docker-build.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:28: update your workflow using https://app.stepsecurity.io/secureworkflow/ThirdKeyAI/Symbiont/docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:57: update your workflow using https://app.stepsecurity.io/secureworkflow/ThirdKeyAI/Symbiont/docs.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docs.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/ThirdKeyAI/Symbiont/docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/ThirdKeyAI/Symbiont/docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:83: update your workflow using https://app.stepsecurity.io/secureworkflow/ThirdKeyAI/Symbiont/docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docs.yml:101: update your workflow using https://app.stepsecurity.io/secureworkflow/ThirdKeyAI/Symbiont/docs.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/ThirdKeyAI/Symbiont/scorecard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security-check.yml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/ThirdKeyAI/Symbiont/security-check.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/security-check.yml:25: update your workflow using https://app.stepsecurity.io/secureworkflow/ThirdKeyAI/Symbiont/security-check.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/security-check.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/ThirdKeyAI/Symbiont/security-check.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:3","Warn: containerImage not pinned by hash: Dockerfile:75: pin your Docker image by updating debian:bookworm-slim to debian:bookworm-slim@sha256:2424c1850714a4d94666ec928e24d86de958646737b1d113f5b2207be44d37d8","Info:   2 out of  10 GitHub-owned GitHubAction dependencies pinned","Info:   1 out of   8 third-party GitHubAction dependencies pinned","Info:   0 out of   2 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#pinned-dependencies"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/docker-build.yml:15"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#packaging"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 4 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#sast"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: :0"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#dependency-update-tool"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#signed-releases"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#fuzzing"}},{"name":"Branch-Protection","score":0,"reason":"branch protection not enabled on development/release branches","details":["Warn: branch protection not enabled for branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#branch-protection"}},{"name":"Contributors","score":6,"reason":"project has 2 contributing companies or organizations -- score normalized to 6","details":["Info: found contributions from: ImmutaLabs, tarnover"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#contributors"}},{"name":"CI-Tests","score":10,"reason":"2 out of 2 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#ci-tests"}},{"name":"Vulnerabilities","score":0,"reason":"13 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-x4gp-pqpj-f43q","Warn: Project is vulnerable to: RUSTSEC-2024-0344","Warn: Project is vulnerable to: RUSTSEC-2024-0388","Warn: Project is vulnerable to: RUSTSEC-2022-0093 / GHSA-w5vr-6qhr-36cc","Warn: Project is vulnerable to: RUSTSEC-2024-0384","Warn: Project is vulnerable to: RUSTSEC-2024-0436","Warn: Project is vulnerable to: RUSTSEC-2024-0370","Warn: Project is vulnerable to: RUSTSEC-2025-0010","Warn: Project is vulnerable to: GHSA-4p46-pwfr-66x6","Warn: Project is vulnerable to: RUSTSEC-2025-0009","Warn: Project is vulnerable to: GHSA-c86p-w88r-qvqr","Warn: Project is vulnerable to: RUSTSEC-2024-0320","Warn: Project is vulnerable to: RUSTSEC-2021-0141"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/cd152cb6742c5b8f2f3d2b5193b41d9c50905198/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-22T21:56:53.911Z","repository_id":305801342,"created_at":"2025-08-22T21:56:53.912Z","updated_at":"2025-08-22T21:56:53.912Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31776013,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-13T20:17:16.280Z","status":"ssl_error","status_checked_at":"2026-04-13T20:17:08.216Z","response_time":93,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["agent","agentic-ai","agentic-ai-development","agents","ai","framework","rust","sandbox","secure","symbi","symbiont"],"created_at":"2025-10-15T20:26:17.128Z","updated_at":"2026-04-14T02:00:41.218Z","avatar_url":"https://github.com/ThirdKeyAI.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cimg src=\"logo-hz.png\" alt=\"Symbi\"\u003e\n\n[English](README.md) | [中文简体](README.zh-cn.md) | [Español](README.es.md) | [Português](README.pt.md) | [日本語](README.ja.md) | **Deutsch**\n\n[![Build](https://img.shields.io/github/actions/workflow/status/thirdkeyai/symbiont/docker-build.yml?branch=main)](https://github.com/thirdkeyai/symbiont/actions)\n[![Crates.io](https://img.shields.io/crates/v/symbi)](https://crates.io/crates/symbi)\n[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](LICENSE)\n[![Docs](https://img.shields.io/badge/docs-online-brightgreen)](https://docs.symbiont.dev)\n\n---\n\n**Richtliniengesteuerte Agenten-Laufzeitumgebung fuer den Produktionseinsatz.**\n*Derselbe Agent. Sichere Laufzeitumgebung.*\n\nSymbiont ist eine Rust-native Laufzeitumgebung fuer die Ausfuehrung von KI-Agenten und Tools unter expliziter Richtlinien-, Identitaets- und Audit-Kontrolle.\n\nDie meisten Agenten-Frameworks konzentrieren sich auf Orchestrierung. Symbiont konzentriert sich darauf, was passiert, wenn Agenten in realen Umgebungen mit echten Risiken ausgefuehrt werden muessen: nicht vertrauenswuerdige Tools, sensible Daten, Genehmigungsgrenzen, Audit-Anforderungen und wiederholbare Durchsetzung.\n\n---\n\n## Warum Symbiont\n\nKI-Agenten sind leicht zu demonstrieren und schwer zu vertrauen.\n\nSobald ein Agent Tools aufrufen, auf Dateien zugreifen, Nachrichten senden oder externe Dienste nutzen kann, braucht man mehr als Prompts und Glue-Code. Man braucht:\n\n* **Richtliniendurchsetzung** fuer das, was ein Agent tun darf -- eingebaute DSL und [Cedar](https://www.cedarpolicy.com/)-Autorisierung\n* **Tool-Verifikation**, damit die Ausfuehrung kein blindes Vertrauen ist -- [SchemaPin](https://github.com/ThirdKeyAI/SchemaPin) kryptografische Verifikation von MCP-Tools\n* **Tool-Vertraege**, die regeln, wie Tools ausgefuehrt werden -- [ToolClad](https://github.com/ThirdKeyAI/ToolClad) deklarative Argumentvalidierung, Scope-Durchsetzung und Injection-Schutz\n* **Agenten-Identitaet**, damit man weiss, wer handelt -- [AgentPin](https://github.com/ThirdKeyAI/AgentPin) domaingebundene ES256-Identitaet\n* **Sandboxing** fuer riskante Workloads -- Docker-Isolation mit Ressourcenlimits\n* **Audit-Trails** fuer das, was passiert ist und warum -- kryptografisch manipulationssichere Logs\n* **Genehmigungsgates** fuer sensible Aktionen -- menschliche Ueberpruefung vor der Ausfuehrung, wenn die Richtlinie es erfordert\n\nSymbiont ist fuer diese Schicht gebaut.\n\n---\n\n## Schnellstart\n\n### Voraussetzungen\n\n* Docker (empfohlen) oder Rust 1.82+\n\n### Ausfuehrung mit Docker\n\n```bash\n# Laufzeitumgebung starten (API auf :8080, HTTP-Eingabe auf :8081)\ndocker run --rm -p 8080:8080 -p 8081:8081 ghcr.io/thirdkeyai/symbi:latest up\n\n# Nur MCP-Server ausfuehren\ndocker run --rm -p 8080:8080 ghcr.io/thirdkeyai/symbi:latest mcp\n\n# Agent-DSL-Datei parsen\ndocker run --rm -v $(pwd):/workspace ghcr.io/thirdkeyai/symbi:latest dsl parse /workspace/agent.dsl\n```\n\n### Aus Quellcode erstellen\n\n```bash\ncargo build --release\n./target/release/symbi --help\n\n# Laufzeitumgebung starten\ncargo run -- up\n\n# Interaktive REPL\ncargo run -- repl\n```\n\n\u003e Fuer Produktionsdeployments lesen Sie `SECURITY.md` und den [Deployment-Leitfaden](https://docs.symbiont.dev/getting-started), bevor Sie nicht vertrauenswuerdige Tool-Ausfuehrung aktivieren.\n\n---\n\n## Funktionsweise\n\nSymbiont trennt die Absicht des Agenten von der Ausfuehrungsberechtigung:\n\n1. **Agenten schlagen** Aktionen durch die Reasoning-Schleife vor (Observe-Reason-Gate-Act)\n2. **Die Laufzeitumgebung evaluiert** jede Aktion gegen Richtlinien-, Identitaets- und Vertrauenspruefungen\n3. **Richtlinien entscheiden** -- erlaubte Aktionen werden ausgefuehrt; abgelehnte Aktionen werden blockiert oder zur Genehmigung weitergeleitet\n4. **Alles wird protokolliert** -- manipulationssicherer Audit-Trail fuer jede Entscheidung\n\nModellausgaben werden niemals als Ausfuehrungsberechtigung behandelt. Die Laufzeitumgebung kontrolliert, was tatsaechlich passiert.\n\n### Beispiel: nicht vertrauenswuerdiges Tool durch Richtlinie blockiert\n\nEin Agent versucht, ein nicht verifiziertes MCP-Tool aufzurufen. Die Laufzeitumgebung:\n\n1. Prueft den SchemaPin-Verifikationsstatus -- Tool-Signatur fehlt oder ist ungueltig\n2. Evaluiert die Cedar-Richtlinie -- `forbid(action == Action::\"tool_call\") when { !resource.verified }`\n3. Blockiert die Ausfuehrung und protokolliert die Ablehnung mit vollstaendigem Kontext\n4. Leitet optional an einen Operator zur manuellen Genehmigung weiter\n\nKeine Code-Aenderung erforderlich. Die Richtlinie steuert die Ausfuehrung.\n\n---\n\n## DSL-Beispiel\n\n```symbiont\nagent secure_analyst(input: DataSet) -\u003e Result {\n    policy access_control {\n        allow: read(input) if input.verified == true\n        deny: send_email without approval\n        audit: all_operations\n    }\n\n    with memory = \"persistent\", requires = \"approval\" {\n        result = analyze(input);\n        return result;\n    }\n}\n```\n\nDen vollstaendigen DSL-Leitfaden mit `metadata`-, `schedule`-, `webhook`- und `channel`-Bloecken finden Sie im [DSL-Leitfaden](https://docs.symbiont.dev/dsl-guide).\n\n---\n\n## Kernfaehigkeiten\n\n| Faehigkeit | Beschreibung |\n|-----------|-------------|\n| **Policy Engine** | Feingranulare [Cedar](https://www.cedarpolicy.com/)-Autorisierung fuer Agenten-Aktionen, Tool-Aufrufe und Ressourcenzugriff |\n| **Tool-Verifikation** | [SchemaPin](https://github.com/ThirdKeyAI/SchemaPin) kryptografische Verifikation von MCP-Tool-Schemas vor der Ausfuehrung |\n| **Tool-Vertraege** | [ToolClad](https://github.com/ThirdKeyAI/ToolClad) deklarative Vertraege mit Argumentvalidierung, Scope-Durchsetzung und Cedar-Policy-Generierung |\n| **Agenten-Identitaet** | [AgentPin](https://github.com/ThirdKeyAI/AgentPin) domaingebundene ES256-Identitaet fuer Agenten und geplante Aufgaben |\n| **Reasoning-Schleife** | Typestate-erzwungener Observe-Reason-Gate-Act-Zyklus mit Richtlinien-Gates und Circuit-Breakern |\n| **Sandboxing** | Docker-basierte Isolation mit Ressourcenlimits fuer nicht vertrauenswuerdige Workloads |\n| **Audit-Logging** | Manipulationssichere Logs mit strukturierten Datensaetzen fuer jede Richtlinienentscheidung |\n| **Secrets Management** | Vault/OpenBao-Integration, AES-256-GCM-verschluesselter Speicher, pro Agent begrenzt |\n| **MCP-Integration** | Native Model Context Protocol-Unterstuetzung mit gesteuertem Tool-Zugriff |\n\nWeitere Faehigkeiten: Bedrohungsscanning fuer Tool-/Skill-Inhalte (40 Regeln, 10 Angriffskategorien), Cron-Scheduling, persistenter Agentenspeicher, hybride RAG-Suche (LanceDB/Qdrant), Webhook-Verifikation, Delivery-Routing, OTLP-Telemetrie, HTTP-Sicherheitshardening und Governance-Plugins fuer [Claude Code](https://github.com/thirdkeyai/symbi-claude-code) und [Gemini CLI](https://github.com/thirdkeyai/symbi-gemini-cli). Details finden Sie in der [vollstaendigen Dokumentation](https://docs.symbiont.dev).\n\nRepraesentative Benchmarks sind im [Benchmark-Harness](crates/runtime/benches/performance_claims.rs) und in den [Schwellenwerttests](crates/runtime/tests/performance_claims.rs) verfuegbar.\n\n---\n\n## Sicherheitsmodell\n\nSymbiont basiert auf einem einfachen Prinzip: **Modellausgaben sollten niemals als Ausfuehrungsberechtigung vertraut werden.**\n\nAktionen durchlaufen Laufzeitkontrollen:\n\n* **Zero Trust** -- alle Agenten-Eingaben sind standardmaessig nicht vertrauenswuerdig\n* **Richtlinienpruefungen** -- Cedar-Autorisierung vor jedem Tool-Aufruf und Ressourcenzugriff\n* **Tool-Verifikation** -- SchemaPin kryptografische Verifikation von Tool-Schemas\n* **Sandbox-Grenzen** -- Docker-Isolation fuer nicht vertrauenswuerdige Ausfuehrung\n* **Operator-Genehmigung** -- menschliche Ueberpruefungsgates fuer sensible Aktionen\n* **Secrets-Kontrolle** -- Vault/OpenBao-Backends, verschluesselter lokaler Speicher, Agenten-Namespaces\n* **Audit-Logging** -- kryptografisch manipulationssichere Aufzeichnungen jeder Entscheidung\n\nWenn Sie nicht vertrauenswuerdigen Code oder riskante Tools ausfuehren, verlassen Sie sich nicht auf ein schwaches lokales Ausfuehrungsmodell als einzige Grenze. Siehe [`SECURITY.md`](SECURITY.md) und die [Sicherheitsmodell-Dokumentation](https://docs.symbiont.dev/security-model).\n\n---\n\n## Workspace\n\n| Crate | Beschreibung |\n|-------|-------------|\n| `symbi` | Einheitliches CLI-Binary |\n| `symbi-runtime` | Kern-Agenten-Laufzeitumgebung und Ausfuehrungsengine |\n| `symbi-dsl` | DSL-Parser und -Evaluator |\n| `symbi-channel-adapter` | Slack/Teams/Mattermost-Adapter |\n| `repl-core` / `repl-proto` / `repl-cli` | Interaktive REPL und JSON-RPC-Server |\n| `repl-lsp` | Language Server Protocol-Unterstuetzung |\n| `symbi-a2ui` | Admin-Dashboard (Lit/TypeScript, Alpha) |\n\nGovernance-Plugins: [`symbi-claude-code`](https://github.com/thirdkeyai/symbi-claude-code) | [`symbi-gemini-cli`](https://github.com/thirdkeyai/symbi-gemini-cli)\n\n---\n\n## Dokumentation\n\n* [Erste Schritte](https://docs.symbiont.dev/getting-started)\n* [Sicherheitsmodell](https://docs.symbiont.dev/security-model)\n* [Runtime-Architektur](https://docs.symbiont.dev/runtime-architecture)\n* [Reasoning-Loop-Leitfaden](https://docs.symbiont.dev/reasoning-loop)\n* [DSL-Leitfaden](https://docs.symbiont.dev/dsl-guide)\n* [API-Referenz](https://docs.symbiont.dev/api-reference)\n\nWenn Sie Symbiont fuer den Produktionseinsatz evaluieren, beginnen Sie mit dem Sicherheitsmodell und der Erste-Schritte-Dokumentation.\n\n---\n\n## SDKs\n\nOffizielle Client-SDKs zur Integration der Symbiont-Laufzeitumgebung in Ihre Anwendung:\n\n| Sprache | Paket | Repository |\n|---------|-------|------------|\n| **JavaScript/TypeScript** | [symbiont-sdk-js](https://www.npmjs.com/package/symbiont-sdk-js) | [GitHub](https://github.com/ThirdKeyAI/symbiont-sdk-js) |\n| **Python** | [symbiont-sdk](https://pypi.org/project/symbiont-sdk/) | [GitHub](https://github.com/ThirdKeyAI/symbiont-sdk-python) |\n\n---\n\n## Lizenz\n\n* **Community Edition** (Apache 2.0): Kern-Laufzeitumgebung, DSL, Policy Engine, Tool-Verifikation, Sandboxing, Agentenspeicher, Scheduling, MCP-Integration, RAG, Audit-Logging und alle CLI/REPL-Werkzeuge.\n* **Enterprise Edition** (kommerzielle Lizenz): Erweiterte Sandbox-Backends, Compliance-Audit-Exporte, KI-gestuetzte Tool-Ueberpruefung, verschluesselte Multi-Agenten-Kollaboration, Monitoring-Dashboards und dedizierter Support.\n\nKontaktieren Sie [ThirdKey](https://thirdkey.ai) fuer Enterprise-Lizenzierung.\n\n---\n\n\u003cdiv align=\"right\"\u003e\n  \u003cimg src=\"symbi-trans.png\" alt=\"Symbi-Logo\" width=\"120\"\u003e\n\u003c/div\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthirdkeyai%2Fsymbiont","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fthirdkeyai%2Fsymbiont","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fthirdkeyai%2Fsymbiont/lists"}