https://github.com/apathy-ca/sark

Zero-trust gateway for AI systems. OPA policies, audit logging, authentication (OIDC/LDAP/SAML), MCP/HTTP/gRPC adapters. FastAPI + Rust extensions. Production-ready.
https://github.com/apathy-ca/sark

ai-governance api-gateway audit-logging authentication authorization fastapi llm-security mcp model-context-protocol opa policy-engine python rust security zero-trust

Last synced: 12 days ago
JSON representation

Zero-trust gateway for AI systems. OPA policies, audit logging, authentication (OIDC/LDAP/SAML), MCP/HTTP/gRPC adapters. FastAPI + Rust extensions. Production-ready.

• Host: GitHub
• URL: https://github.com/apathy-ca/sark
• Owner: apathy-ca
• License: mit
• Created: 2025-11-20T04:29:04.000Z (7 months ago)
• Default Branch: main
• Last Pushed: 2026-05-24T06:06:36.000Z (16 days ago)
• Last Synced: 2026-05-24T08:11:56.534Z (15 days ago)
• Topics: ai-governance, api-gateway, audit-logging, authentication, authorization, fastapi, llm-security, mcp, model-context-protocol, opa, policy-engine, python, rust, security, zero-trust
• Language: Python
• Homepage: https://github.com/apathy-ca/sark/blob/main/docs/QUICK_START.md
• Size: 41.4 MB
• Stars: 1
• Watchers: 1
• Forks: 0
• Open Issues: 31
• Metadata Files:
  • Readme: README.md
  • Changelog: CHANGELOG.md
  • Contributing: CONTRIBUTING.md
  • License: LICENSE
  • Security: SECURITY.md
  • Governance: docs/governance/HOME_GOVERNANCE.md
  • Roadmap: docs/ROADMAP.md
  • Copyright: COPYRIGHT

Awesome Lists containing this project

README

          
# SARK (Security Audit and Resource Kontroler)

**Enterprise-Grade Multi-Protocol AI Governance Platform**

> *"He's not any kind of user, SARK, he's a program."* —MCP, probably

SARK provides zero-trust governance for AI deployments at scale. Built for Model Context Protocol (MCP), with support for **MCP, HTTP/REST, gRPC, and custom protocols** through a universal adapter interface.

**Target Scale:** 50,000+ employees, 10,000+ AI resources

📖 **[Quick Start](docs/QUICK_START.md)** | **[Changelog](CHANGELOG.md)** | **[Full Documentation](docs/)**

---

## What is This?

**The Problem:** AI assistants accessing enterprise systems (databases, APIs, cloud infrastructure) without governance creates security chaos—no visibility, no control, no audit trail.

**The Solution:** SARK sits between AI and your systems, providing:

- 🔐 **Authentication** - OIDC, LDAP, SAML, API Keys

- 🛡️ **Authorization** - Policy-based access control (OPA)

- 📊 **Audit** - Complete trail of every AI action

- ⚡ **Performance** - <100ms p95 latency, 847 req/s sustained

**Example:** Developer asks AI "Show P0 bugs for my team" → AI uses MCP → SARK validates auth & policy → If approved, executes → Logs everything.

📖 **[What is MCP?](docs/MCP_INTRODUCTION.md)** | **[Architecture](docs/ARCHITECTURE.md)** | **[Use Cases](docs/USE_CASES.md)**

---

## Quick Start

**Prerequisites:**

- Python 3.11+

- Rust 1.92+ ([install Rust](https://rustup.rs/)) - Required for building native extensions

```bash

# 1. Clone and setup

git clone --recurse-submodules 

cd sark

# If you already cloned without --recurse-submodules:

# git submodule update --init

python3.11 -m venv venv && source venv/bin/activate

pip install -e ".[dev]"

# 2. Build Rust extensions

maturin develop

# 3. Start services

docker compose --profile full up -d

# 4. Access UI and API

# UI: http://localhost:5173 (admin/password)

# API: http://localhost:8000/docs

```

**Next Steps:**

- 📖 **[15-Minute Quick Start](docs/QUICK_START.md)** - Complete getting started guide

- 💻 **[Development Guide](docs/DEVELOPMENT.md)** - Development workflow and standards

- 🎓 **[Tutorials](tutorials/)** - Step-by-step examples

- 📚 **[API Reference](docs/API_REFERENCE.md)** - Complete API documentation

---

## Features

### Multi-Protocol Support

- **MCP** - SSE and HTTP transports functional (stdio in development)

- **HTTP/REST** - OpenAPI discovery, 5 auth strategies

- **gRPC** - Reflection-based, mTLS support

- **Custom** - Plugin system for any protocol

### Enterprise Security (v1.3.0 Enhanced)

- **Authentication** - OIDC, LDAP, SAML, API Keys

- **Authorization** - OPA policy engine, ReBAC+ABAC

- **Audit** - Immutable logs, SIEM integration (Splunk, Datadog)

- **Federation** - Cross-organization governance with mTLS

- **🆕 Prompt Injection Detection** - 20+ patterns, entropy analysis, 30x faster

- **🆕 Anomaly Detection** - Behavioral baselines, real-time alerts

- **🆕 Secret Scanning** - 25+ patterns, automatic redaction, 50x faster

- **🆕 MFA** - TOTP/SMS/Push/Email for critical actions

- **🆕 Network Controls** - Kubernetes policies, egress filtering

### Production Ready

- ✅ 64% test coverage (improving to 85%), 1 low-severity vulnerability (Windows-only, dev dependency)

- ✅ <100ms p95 latency, 847 req/s sustained throughput

- ✅ Kubernetes-native, Helm charts, Terraform modules

- ✅ 100+ pages of documentation

📖 **[Features Overview](docs/FEATURES.md)** | **[Security](docs/SECURITY.md)** | **[Performance](docs/PERFORMANCE.md)**

---

## Web UI

Modern React UI for managing AI governance:

- 📊 Dashboard with metrics

- 🖥️ Server/resource management

- 📝 Policy editor (Rego syntax)

- 📜 Audit log viewer

- 🔑 API key management

```bash

cd frontend && npm install && npm run dev

# Access: http://localhost:5173

```

📖 **[UI User Guide](docs/UI_USER_GUIDE.md)** | **[UI Deployment](docs/DEPLOYMENT.md#ui-deployment)**

---

## Deployment

### Development

```bash

docker compose --profile full up -d

```

### Production

```bash

# Kubernetes with Helm

helm install sark ./helm/sark -n production --create-namespace

# Or with kubectl

kubectl apply -f k8s/

```

### Cloud Platforms

- AWS EKS, GCP GKE, Azure AKS

- Terraform modules included for all platforms

### Home Deployment (v1.7.0)

Lightweight deployment for home networks and low-resource environments:

```bash

# Quick start with Docker

make home-up

# Or with Docker Compose directly

docker compose -f docker-compose.home.yml up -d

```

- **Target:** 512MB RAM, single core

- **Database:** SQLite (instead of PostgreSQL)

- **Platform:** OPNsense plugin or Docker

- **Features:** Family governance (bedtime, parental controls, cost limits)

📖 **[Home Deployment Guide](docs/deployment/HOME_DEPLOYMENT.md)** | **[Policy Cookbook](docs/policies/POLICY_COOKBOOK.md)**

### Enterprise Deployment

Full-featured deployment with PostgreSQL, Redis, and external OPA:

```bash

# Kubernetes with Helm

helm install sark ./helm/sark -n production --create-namespace

```

📖 **[Deployment Guide](docs/DEPLOYMENT.md)** | **[Terraform Guide](terraform/README.md)** | **[Production Readiness](docs/PRODUCTION_READINESS.md)**

---

## Documentation

### Getting Started

- **[Quick Start](docs/QUICK_START.md)** - 15-minute setup

- **[MCP Introduction](docs/MCP_INTRODUCTION.md)** - What is MCP?

- **[Architecture](docs/ARCHITECTURE.md)** - System design

- **[Use Cases](docs/USE_CASES.md)** - Real-world examples

### Deployment & Operations

- **[Deployment Guide](docs/DEPLOYMENT.md)** - Production deployment

- **[Monitoring](docs/MONITORING.md)** - Observability setup

- **[Operations Runbook](docs/OPERATIONS_RUNBOOK.md)** - Day-2 operations

### Development

- **[Development Guide](docs/DEVELOPMENT.md)** - Setup and workflow

- **[API Reference](docs/API_REFERENCE.md)** - Complete API docs

- **[Contributing](CONTRIBUTING.md)** - Contribution guidelines

### Security & Compliance

- **[Security Guide](docs/SECURITY.md)** - Security best practices

- **[OPA Policy Guide](docs/OPA_POLICY_GUIDE.md)** - Policy authoring

- **[Audit & Compliance](docs/AUDIT_COMPLIANCE.md)** - Compliance features

📚 **[Full Documentation Index](docs/README.md)**

---

## Project Status

🚀 **v1.7.0 - Current Release** (Released Feb 2, 2026)

**New in v1.7.0 - YORI Home Deployment:**

- ✅ **Home Deployment Profile** - 512MB RAM, single-core target for home networks

- ✅ **Governance Modules** - Allowlist, time rules, emergency override, consent tracking

- ✅ **Policy Templates** - Bedtime, parental controls, privacy, cost limits

- ✅ **Analytics Services** - Token tracking, cost calculation, usage reporting

- ✅ **OPNsense Plugin** - Web UI dashboard, service management, policy configuration

- ✅ **Comprehensive Tests** - Unit, integration, and OPA policy tests

**v1.6.0 - Polish & Validation:**

- ✅ **Security Hardening** - 96% vulnerability remediation (24/25 CVEs fixed)

- ✅ **Test Infrastructure** - 39 tests fixed, 100% pass rate for export + tools routers

- ✅ **Dependency Cleanup** - Eliminated ecdsa, migrated to PyJWT[crypto]

- ✅ **Bug Fixes** - Keyword detection for snake_case, FastAPI route ordering

- ✅ **Documentation** - Comprehensive release notes, migration guides

**v1.5.0 - Production Readiness:**

- ✅ **Gateway Transport Implementations** (HTTP, SSE, stdio)

- ✅ **Security Fixes** (LDAP injection, CSRF, credentials)

- ✅ **Frontend Authentication UI** (Login, MFA, API key management)

- ✅ **E2E Integration Tests** (Complete user flow testing)

- ✅ **Performance Benchmark Infrastructure** (Locust, pytest-benchmark)

**v1.4.0 - Rust Foundation:**

- ✅ **Embedded Rust OPA engine** (4-10x faster policy evaluation)

- ✅ **Rust in-memory cache** (10-50x faster than Redis)

- ✅ **Feature flags & gradual rollout** (0% → 100% with instant rollback)

- ✅ **2.4x higher throughput** (2,100+ req/s)

- ✅ **2.3x faster requests** (42ms p95, down from 98ms)

- ✅ **100% backwards compatible** with v1.3.0

- ✅ Automatic Python fallback for safety

- ✅ Comprehensive migration and performance documentation

**Completed (v1.3.0):**

- ✅ Enterprise authentication (OIDC, LDAP, SAML, API Keys)

- ✅ Policy-based authorization (OPA)

- ✅ MCP Gateway integration (opt-in)

- ✅ SIEM integration (Splunk, Datadog)

- ✅ **Prompt injection detection** (20+ patterns, 30x faster than target)

- ✅ **Behavioral anomaly detection** (30-day baseline, real-time alerts)

- ✅ **Secret scanning & redaction** (25+ patterns, 50x faster than target)

- ✅ **MFA for critical actions** (TOTP, SMS, Push, Email)

- ✅ **Network security controls** (NetworkPolicies, egress filtering)

- ✅ Comprehensive testing (350+ unit, 530+ integration, 2200+ performance)

- ✅ Complete documentation (100+ pages)

- ✅ Production deployment guides

**Future Roadmap:**

- **v1.8.0** - OPNsense plugin submission to official repository

- **v1.9.0** - Local LLM support (Ollama integration)

- **v2.0.0** - GRID Reference Implementation (protocol abstraction, federation, cost attribution)

📖 **[Roadmap](docs/ROADMAP.md)** | **[Changelog](CHANGELOG.md)**

---

## Requirements

- Python 3.11+

- Docker with Docker Compose v2

- PostgreSQL 15+, Valkey 7+ (Redis-compatible)

- Open Policy Agent 0.60+

- Kong Gateway 3.8+ (production)

- Kubernetes 1.28+ (production)

📖 **[Requirements](docs/REQUIREMENTS.md)**

---

## GRID Protocol

SARK is the **reference implementation of GRID Protocol Specification v0.1**.

**GRID** (Governed Resource Interaction Definition) is a universal governance protocol for machine-to-machine interactions—protocol-agnostic, federated, zero-trust, policy-first.

**SARK v1.1.0 Compliance:** 85% of GRID v0.1 specification

📖 **[Gap Analysis](docs/specifications/GRID_GAP_ANALYSIS_AND_IMPLEMENTATION_NOTES.md)** - Detailed compliance matrix

📖 **[GRID Specification](docs/specifications/GRID_PROTOCOL_SPECIFICATION_v0.1.md)** | **[Gap Analysis](docs/specifications/GRID_GAP_ANALYSIS_AND_IMPLEMENTATION_NOTES.md)**

---

## Related Projects

### YORI - Home LLM Gateway (Integrated in v1.7.0)

**YORI** (Your Observant Router Intelligence) provides zero-trust LLM governance for home networks. As of v1.7.0, YORI's home deployment profile is **integrated directly into SARK**.

**Deployment Options:**

- **SARK Home Profile** - Use `make home-up` or the OPNsense plugin (recommended)

- **Standalone YORI** - See [YORI repository](https://github.com/apathy-ca/yori) for standalone builds

**Features:**

- **Target:** OPNsense routers, home users (512MB RAM, 1 CPU)

- **Database:** SQLite (lightweight, no external dependencies)

- **Policies:** Bedtime rules, parental controls, privacy protection, cost limits

- **Governance:** Allowlist, time-based rules, emergency override, consent tracking

- **Analytics:** Token tracking, cost estimation, usage reports

YORI reuses SARK's battle-tested Rust core (`grid-opa`, `grid-cache`) via PyO3 bindings, bringing enterprise-grade policy evaluation to resource-constrained home routers.

📖 **[YORI Repository](https://github.com/apathy-ca/yori)** | **[Project Plan](docs/v2.0/YORI_PROJECT_PLAN.md)**

---

## Contributing

We welcome contributions! See **[CONTRIBUTING.md](CONTRIBUTING.md)** for:

- Code style and standards

- Development workflow

- PR process

- Multi-agent collaboration guidelines

---

## License

MIT License - see **[LICENSE](LICENSE)** file for details.

**Copyright** © 2025 James Henry. All rights reserved.

---

**Built with ❤️ for enterprise AI governance at scale.**