Cullis
A self-hosted trust broker and MCP proxy. Every agent gets an x509 identity, every message is end-to-end encrypted, every decision is cryptographically audited — across organizational boundaries.
When agents from different organizations need to collaborate, they rely on mechanisms that were never designed for autonomous, cross-boundary interactions.
Long-lived secrets that grant permanent, unlimited access. A single leak means full impersonation with no way to detect or revoke the compromise in real time.
Agents from different organizations have no way to cryptographically verify each other's identity. There's no chain of trust, no issuer validation, no proof of origin.
When something goes wrong across organizational boundaries, there is no tamper-evident record of who authorized what. Compliance is impossible. Non-repudiation is a myth.
Every security property is enforced at the protocol level — not in config files, not in application code. No secrets to share, no knobs to get wrong.
Every agent gets a real x509 identity signed by its organization's CA. No shared secrets, no long-lived API keys, no passwords. Tokens are bound to ephemeral keys so theft is meaningless.
Payloads are sealed end-to-end between agents, with dual signatures for non-repudiation and transport integrity. The broker routes envelopes but never sees the message.
Each organization owns its policy decisions. The broker queries both PDPs and only proceeds when both approve. No centralized power, no vendor making decisions for you.
Auth, session, message, policy — everything lands in a SHA-256 hash-chained ledger. Any tampering (insert, modify, delete, reorder) breaks the chain and is detectable immediately.
Each org deploys its own MCP Proxy and self-onboards via invite tokens. Agents authenticate with simple API keys — the proxy handles the cryptography. Zero manual certificate exchange.
Auth, discovery, E2E encryption, signing, WebSocket streaming — all built-in. Private keys never touch disk: load them from Vault, AWS KMS, or your secret manager of choice.
from cullis import BrokerClient from cullis.vault import load_pem # Keys live in Vault — never on disk cert, key = load_pem("secret/acme/rfq-bot") client = BrokerClient("https://broker.acme.com") client.login_from_pem( agent_id="acme::rfq-bot", cert_pem=cert, key_pem=key, ) # ✓ mTLS + DPoP + E2E ready sid = client.open_session( target="supplier::chips-bot", caps=["supply.negotiate"], )
Agents talk to their local MCP Proxy with simple API keys. Proxies handle all cryptography and communicate with the broker over mTLS. Each organization retains full control.
Cullis is the substrate for agent interactions that currently don't happen because the trust primitives don't exist. These are the shapes we see working today.
A buyer agent broadcasts a request to suppliers across the federation. Matching agents respond with signed quotes. The buyer picks one and authorizes a single-use transaction token bound to the payload hash. Every step cryptographically audited.
supply.negotiate)Your SaaS platform exposes AI agents to customers. Each customer org runs its own MCP Proxy, customer agents talk to your platform agents via the broker. You never see their plaintext, they never share secrets with you, and policy stays on both sides.
Healthcare, finance, and critical infrastructure need AI agents that cross organizational boundaries without breaking compliance. Bring your own CA, enforce OPA policies, export the tamper-evident ledger straight to your regulator.
Boot the full Cullis architecture on your laptop — broker, two MCP proxies, two organizations, two agents — route one end-to-end encrypted message between them, then tear it all down. About a minute, from clone to clean slate.
3.10+
pip install httpx
ports 8800 9800 9801
Builds five containers, registers two organizations, mints one agent
in each (alpha::sender and beta::checker),
and leaves a background daemon listening. Prints every dashboard URL
you can poke at in a browser.
Seventy lines of Python — no LLM, no Anthropic key. Opens a
session to beta::checker, sends
{"check": "ok"} end-to-end encrypted through the broker,
and exits. Round trip under one second. The checker daemon prints the
decrypted payload on its own log.
Stops every container, removes the postgres and proxy volumes, kills
the checker daemon, clears the demo state file. The next
up starts from absolute zero.
Cullis is not a service mesh, not an API gateway, not a workload identity provider. It's the missing layer between them — the one that turns the MCP protocol into a federated, cryptographically audited trust network.
| Capability | MCP (raw) | SPIFFE / SPIRE | Vault + Consul | Cullis |
|---|---|---|---|---|
| Agent-to-agent identity across orgs | — | Single trust domain | Single datacenter | Federated, BYOCA |
| DPoP token binding (RFC 9449) | — | — | — | Built-in |
| E2E payload encryption (beyond mTLS) | — | — | mTLS only | AES-256-GCM + RSA-OAEP |
| Federated policy (per-org PDP) | — | — | Intentions (local) | Webhook + OPA, dual-consent |
| Tamper-evident audit chain | — | — | Syslog only | SHA-256 hash chain |
| Invite-based org onboarding | — | Manual | Manual | Token + dashboard |
| MCP-native agent gateway | Protocol spec | — | — | Drop-in proxy |
| Cross-org session tokens (scope-bound) | — | — | — | Capability-scoped |
| Self-hosted, open source, Apache 2.0 | — | — | BSL / MPL | Yes |
Cullis composes with these tools rather than replacing them — you can back Cullis identities with a SPIRE-issued CA, keep your keys in Vault, and layer a service mesh underneath. What Cullis adds is the federated trust between organizations.
Cullis is open source, standards-aligned, and easy to spin up locally. The bundled demo runs the whole architecture on a single laptop in about a minute. Star the repo, open an issue, or kick the tyres in your own environment.