Agent Trust Fabric · pre-1.0

Two layers for AI agent trust.

Cullis is not a single product; it is two layers designed to be adopted separately. Mastio is the control point each organization installs for its own AI agents (identity, policy, audit, MCP and LLM gateway). Court federates Mastios across organizations by routing sealed envelopes it cannot open.

02 Mastio · org trust authority

What Mastio actually does.

One control point per organization. Authority over agent identity. Policy enforced before the call lands. An append-only chain of everything that happened.

  1. Cryptographic identity, per agent

    Mastio holds the org CA and mints X.509 + SPIFFE identities for every agent it admits. The caller authenticated at the gateway is the agent process itself, not a user with an API key.

    Identity model →
  2. Federated and local agents

    Some agents stay confined inside the org. Others are published to the federation registry with explicit capabilities and reach. Same authority, two scopes.

    Registry model →
  3. Tamper-evident audit chain

    Every event (auth, enroll, reach change, message, tool call) is appended to a hash chain anchored via RFC 3161 timestamps. The history is reconstructable, and tampering is evident even when the database admin is the one who altered it.

    Audit chain →
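
The hash chain described in item 3, as an added example that is not Cullis code: each audit entry commits to the previous entry's hash, a verifier walks the chain, and a stored head hash stands in for the RFC 3161 anchor. The event shapes, the SPIFFE IDs and the way the anchor is handled are assumptions for illustration; Mastio's real schema is not on this page.

```python
# Added example, not Cullis code: a minimal hash-chained audit log of the kind
# Mastio describes; the anchor is modelled as a stored head hash (assumption).
import hashlib
import json
GENESIS = "0" * 64  # assumed sentinel prev pointer for the first entry
SAMPLE = (  # constructed events mirroring the kinds the page lists
    {"type": "auth", "agent": "spiffe://org-a/agent/ledger"},
    {"type": "enroll", "agent": "spiffe://org-a/agent/ledger"},
    {"type": "tool_call", "tool": "mcp:catalog.search", "ok": True})

def _digest(seq: int, prev: str, event: dict) -> str:
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":"))  # canonical form
    return hashlib.sha256(body.encode()).hexdigest()

def append_event(chain: list, event: dict) -> None:
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "prev": prev, "event": event}
    entry["hash"] = _digest(entry["seq"], prev, event)
    chain.append(entry)

def build_chain(events) -> list:
    chain = []
    for ev in events:
        append_event(chain, dict(ev))  # copy so later edits don't touch SAMPLE
    return chain

def verify_chain(chain: list, anchor=None) -> tuple:
    """(True, None) if intact, else (False, index of first inconsistent entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if (entry["seq"] != i or entry["prev"] != prev
                or entry["hash"] != _digest(i, prev, entry["event"])):
            return False, i
        prev = entry["hash"]
    # A wholesale rewrite is self-consistent; only the external anchor exposes it.
    if anchor is not None and (not chain or chain[-1]["hash"] != anchor):
        return False, len(chain) - 1
    return True, None

def edit_one_row(chain: list) -> tuple:
    chain[1]["event"]["type"] = "revoke"  # DB admin edits one row in place...
    chain[1]["hash"] = _digest(1, chain[1]["prev"], chain[1]["event"])  # ...and re-hashes it
    return verify_chain(chain)  # entry 2's prev no longer matches -> (False, 2)

def rewrite_whole_chain(anchor: str) -> tuple:
    """DB admin rebuilds every row: verifies locally, fails against the anchor."""
    forged = [SAMPLE[0], {"type": "revoke", "agent": SAMPLE[1]["agent"]}, SAMPLE[2]]
    return verify_chain(build_chain(forged), anchor)  # -> (False, 2)
```

Editing one row breaks the link from the entry after it; rewriting every row passes local verification and is caught only by the externally held head hash, which is the job the RFC 3161 anchor does for Mastio.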

03 Court · cross-org federation

Routes envelopes it cannot open.

When agents in different organizations need to talk, a Court stands between them. It sees who routed what, when, and between which Mastios. It never holds the keys to read a message, nor the keys to impersonate a Mastio or an agent.

A Court compromise is a metadata leak. Never a confidentiality breach, never a non-repudiation breach. Cross-org non-repudiation comes from dual-write between the two Mastios; Court is the third parallel witness.

Onboarding

One-time invite, then pinned.

New organizations join with a one-time token. Court pins their CA, registers them, and from that moment they are reachable from every other Mastio in the federation. Revocation is one click and propagates immediately.

04 Edge · the agent-side bridge

One bridge, five shapes.

Wherever the agent runs, a small component holds its private key, terminates mTLS toward Mastio, and signs envelopes. It is not a separate product line: it is the same cryptographic role in five form factors, chosen by where the agent lives.

  • Connector: laptop daemon · macOS · Windows · Linux
  • Cullis Chat: browser SPA · single power user
  • Frontdesk: multi-user SSO · server-side packaging
  • SDK: backend services · in-process Python
  • SPIRE: Kubernetes workloads · existing identity fabric

05 Quickstart

One command to federated.

Boot the full sandbox: Court, two Mastios, three agents, two MCP servers across two organizations, wired with SPIRE, Keycloak, Vault and Postgres.

git clone https://github.com/cullis-security/cullis
cd cullis
./sandbox/demo.sh full

Then replay intra-org MCP tool calls and cross-org A2A messages:

./sandbox/demo.sh mcp-catalog     # intra-org: agent → MCP tool call (Org A)
./sandbox/demo.sh mcp-inventory   # intra-org: agent → MCP tool call (Org B)
./sandbox/demo.sh oneshot-a-to-b  # cross-org: encrypted A2A message A → B
./sandbox/demo.sh oneshot-b-to-a  # cross-org: encrypted A2A message B → A

06 Continue

Architecture, deployment, components.

The rest lives on its own pages. Read about the two routing modes, the deployment shapes, and each component at length.