https://github.com/cullis-security/cullis
Trust infrastructure for AI agents across organizations. Verified identity, explicit authorization, cryptographic audit trail.
https://github.com/cullis-security/cullis
ai-agents api-gateway cryptography dpop e2e-encryption fastapi federated-identity iam mcp mtls multi-agent-systems pki python self-hosted spiffe trust-broker workload-identity zero-trust
Last synced: about 1 month ago
JSON representation
Trust infrastructure for AI agents across organizations. Verified identity, explicit authorization, cryptographic audit trail.
- Host: GitHub
- URL: https://github.com/cullis-security/cullis
- Owner: cullis-security
- License: other
- Created: 2026-03-29T14:51:00.000Z (3 months ago)
- Default Branch: main
- Last Pushed: 2026-05-06T23:29:02.000Z (about 2 months ago)
- Last Synced: 2026-05-06T23:39:17.864Z (about 2 months ago)
- Topics: ai-agents, api-gateway, cryptography, dpop, e2e-encryption, fastapi, federated-identity, iam, mcp, mtls, multi-agent-systems, pki, python, self-hosted, spiffe, trust-broker, workload-identity, zero-trust
- Language: Python
- Size: 9.99 MB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 23
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
- Security: SECURITY.md
- Notice: NOTICE
Awesome Lists containing this project
README
Cullis β Zero-trust identity and audit for AI agents.
Start air-gapped in your organization. Scale to cross-company federation without redeploy.
---
> π **Why Cullis exists, architecture deep-dives, use cases, deployment patterns β [cullis.io](https://cullis.io)**
>
> This README is the engineer's entry point: what it is, how to run it, how the code is laid out. Everything else lives on the site.
---
## Status
> [!WARNING]
> **Early-stage research project β not production-ready.**
>
> Cullis is in active study and prototyping. The architecture is real and
> the demo runs end-to-end on a laptop, but the codebase has not been
> externally security-audited, and APIs may still break without notice.
>
> Use it to learn, explore, prototype, and contribute β not yet to handle
> real users, real credentials, or real traffic.
---
## What Cullis is
AI agents act on your behalf β they make decisions, move data, and
increasingly talk to each other. When something goes wrong, three questions
matter: **who was it, what were they allowed to do, and what did they actually do?**
Cullis gives each agent a cryptographic identity, enforces policy at the
organization boundary, and records every action in a tamper-evident
hash-chain. The same binary runs standalone inside your organization or
federated across companies β no redeploy between the two.
---
## Three components
| | **Cullis Connector** | **Cullis Mastio** | **Cullis Court** |
|---|---|---|---|
| **Where it runs** | User's laptop | Your organization | Cross-org network |
| **Owned by** | End user | Your org admin | Network operator |
| **What it does** | User identity + MCPβCullis translation | Agent certs, policy, local audit, tool reverse-proxy | Org registry, trust federation, cross-org routing |
The **Connector** is a desktop app that turns any MCP client (Claude
Desktop, Cursor, Cline) into a Cullis-aware agent. The **Mastio** is the
authority that governs agents inside a single organization. The **Court**
federates Mastios across different organizations.
The Mastio runs in two modes β **standalone** (air-gapped, single-org,
no external dependency) or **federated** (attached to a Court, reaches
agents in other companies). Same binary, admin action switches between
them, no agent re-enrollment.
[Deployment patterns β cullis.io](https://cullis.io).
---
## Quickstart β single host (bundles)
For a single-host evaluation: a Mastio + multi-user Frontdesk chat in two
commands, no repo clone needed. Both bundles pull the published images
from `ghcr.io` and configure themselves with sensible defaults.
**Requirements**: Docker Engine with Compose v2, ~2 GB RAM.
```bash
# 1. Mastio (org gateway + first-boot Org CA + dashboard on :9443)
curl -L https://github.com/cullis-security/cullis/releases/download/mastio-v0.3.2-rc3/cullis-mastio-bundle.tar.gz | tar xz
cd cullis-mastio-bundle && ./deploy.sh
# 2. Frontdesk (multi-user chat on :8080, enrolls against the Mastio above)
cd ..
curl -L https://github.com/cullis-security/cullis/releases/download/frontdesk-bundle-v0.2.0-rc3/cullis-frontdesk-bundle.tar.gz | tar xz
cd cullis-frontdesk-bundle && ./deploy.sh
```
> **Why pinned tags, not `releases/latest/`?** GitHub's `Latest` marker
> points to a single release across the whole repo. Cullis ships two
> independent bundles (Mastio + Frontdesk) with separate version
> trains; a `releases/latest/download/cullis-frontdesk-bundle.tar.gz`
> URL 404s the moment a Mastio release becomes Latest. Newer versions
> are at .
The Mastio dashboard is at `https://localhost:9443/proxy/login` (self-signed
TLS, accept the warning); the Frontdesk SPA is at `http://localhost:8080`.
See [`packaging/mastio-bundle/README.md`](packaging/mastio-bundle/README.md)
and [`packaging/frontdesk-bundle/README.md`](packaging/frontdesk-bundle/README.md)
for production overrides (custom hostname, oauth2-proxy + IDP, image pinning).
## Quickstart β full enterprise stack (sandbox)
Boot the full enterprise stack β Court + 2 Mastios + 3 agents + 2 MCP servers
in 2 organizations, wired with SPIRE, Keycloak, Vault and Postgres β then
replay intra-org and cross-org traffic.
**Requirements**: Docker Engine with Compose v2, ~6 GB free disk, ~4 GB RAM.
```bash
git clone https://github.com/cullis-security/cullis
cd cullis
./sandbox/demo.sh full
```
Replay scenarios (stack must be up):
```bash
./sandbox/demo.sh mcp-catalog # intra-org: agent β MCP tool call (Org A)
./sandbox/demo.sh mcp-inventory # intra-org: agent β MCP tool call (Org B)
./sandbox/demo.sh oneshot-a-to-b # cross-org: A2A encrypted message A β B
./sandbox/demo.sh oneshot-b-to-a # cross-org: A2A encrypted message B β A
./sandbox/demo.sh guide # open the onboarding walkthrough
```
See [`sandbox/GUIDE.md`](sandbox/GUIDE.md) for the
step-by-step onboarding β attach-CA flow, Mastio counter-signature pin
(ADR-009), Connector Desktop enrollment, MCP resource registration.
For single-user install, download the [Connector desktop
app](https://github.com/cullis-security/cullis/releases).
---
## Key features
- **x509 PKI + SPIFFE per-agent identity** β each agent gets a cert
signed by its organization's CA, with `spiffe://org/agent` SAN
- **ECC end-to-end encryption** β ECDH P-256 key exchange, AES-256-GCM
payload, ECDSA signatures
- **DPoP token binding (RFC 9449)** β every token bound to an ephemeral
EC key
- **Default-deny federated policy** β PDP webhook or OPA per organization,
both orgs must allow on cross-org traffic
- **Local hash-chain audit** β append-only, SHA-256 chain, never leaves
the organization
- **Self-service org onboarding** β invite tokens, attach-CA for existing
PKIs, automatic Org CA generation
- **KMS backends** β local filesystem (dev), HashiCorp Vault KV v2 (prod)
---
## SDK
```python
from cullis_sdk.client import CullisClient
client = CullisClient("https://mastio.example.com")
client.login("alice", "acme", "agent.pem", "agent-key.pem")
agents = client.discover(capabilities=["supply"])
session_id = client.open_session("widgets::supplier", "widgets", ["supply"])
client.send(session_id, "acme::alice", {"order": "100 units"}, "widgets::supplier")
```
TypeScript SDK in [`sdk-ts/`](sdk-ts/). MCP server exposing Cullis as a
set of tools (so any MCP-compatible LLM becomes a Cullis agent) in
`cullis_sdk/mcp_server.py`.
---
## Project layout
```
app/ Cullis Court (network control plane)
mcp_proxy/ Cullis Mastio (org trust authority)
cullis_connector/ Cullis Connector (desktop app)
cullis_sdk/ Python SDK + MCP server
sdk-ts/ TypeScript SDK
alembic/ Court database migrations
sandbox/ Public quickstart demo (SPIRE, Keycloak, Vault, Postgres)
deploy/ Helm chart, Docker Compose, env templates
enterprise-kit/ BYOCA guide, OPA policy bundles, PDP template
docs/ cullis.io site source + ops runbook
tests/ Unit, integration, e2e tests
demo_network/ Test infrastructure for the CI smoke gate (federation
+ standalone matrix). Not a user-facing demo.
```
> [!NOTE]
> `app/` and `mcp_proxy/` are legacy directory names that predate the
> Court / Mastio rebrand. The on-disk paths and the brand names refer to
> the same components. Python package imports follow the same legacy
> (`from app import ...` for Court, `from mcp_proxy import ...` for
> Mastio). Each directory has its own README with a per-component
> overview.
Runtime: Python 3.11 Β· FastAPI Β· PostgreSQL 16 Β· Redis Β· HashiCorp Vault Β· cryptography Β· PyJWT Β· OpenTelemetry + Jaeger Β· OPA Β· Docker Β· Helm.
---
## Contributing
See [CONTRIBUTING.md](CONTRIBUTING.md) for development setup, PR workflow, and code conventions.
Security vulnerabilities: [SECURITY.md](SECURITY.md) for private reporting.
## Contact
| | |
|---|---|
| General, partnerships, demos | [hello@cullis.io](mailto:hello@cullis.io) |
| Security (private) | [security@cullis.io](mailto:security@cullis.io) Β· [SECURITY.md](SECURITY.md) |
| Bugs, feature requests | [GitHub Issues](https://github.com/cullis-security/cullis/issues) |
| Discussion | [GitHub Discussions](https://github.com/cullis-security/cullis/discussions) |
## License
Split licensing:
- **Court (`app/`) and Mastio (`mcp_proxy/`)** β [FSL-1.1-Apache-2.0](LICENSE). Non-competing use permitted (internal deployments, services, research, modifications, forks). Each release becomes [Apache 2.0](LICENSE-APACHE-2.0) two years after publication.
- **Python SDK (`cullis_sdk/`)** β [Apache 2.0](cullis_sdk/LICENSE). Permissive, permanent.
- **TypeScript SDK (`sdk-ts/`)** β [MIT](sdk-ts/LICENSE). Permissive, permanent.
- **Integration templates (`enterprise-kit/`)** β [Apache 2.0](enterprise-kit/LICENSE). Permissive, permanent.
See [NOTICE](NOTICE) for the component-by-component map.
---
> Architecture deep-dives, use cases, deployment patterns, and the project's reason for existing all live at **[cullis.io](https://cullis.io)**.