Command Palette

Search for a command to run...

UnylyUnyly
Весь каталог

Warden

БесплатноНе проверен

Warden provides a trusted skill brain for open agents, enabling secure execution of curated, cryptographically-signed skills with sandboxing, trust scoring, and

GitHubEmbed

Описание

Warden provides a trusted skill brain for open agents, enabling secure execution of curated, cryptographically-signed skills with sandboxing, trust scoring, and transparency logging, all with zero third-party dependencies.

README

CI License: Apache 2.0 Python 3.8+ Dependencies: zero Self-test: 75/75

Connect your open-source agent to one endpoint, and it gains a curated, cryptographically-signed, sandboxed set of skills — without poisoning it.

Live → https://warden-8c4.pages.dev/ · browse the trust-graded registry · mirror

The world has thousands of places to find agent skills and almost nowhere trustworthy to run them. Warden is the run-trust layer: not a bigger directory, a vouched-for one. It is OSS-native, local-first, and opinionated about curation — and it treats trust as a signal, not a guarantee.

This repository is the trust core (Phase 0) — the Agent Skill Trust Spec, a curated hardened skill-pack, and a working reference local node — plus the Phase 1–4 capabilities built as reference implementations (sandboxed execution, private encrypted memory, knowledge packs, governance, the Scan API). Pure Python standard library — zero third-party dependencies. Nothing leaves your box.


The magic moment

One config line points any MCP-speaking agent at Warden. Within a minute it has a curated skill set where every skill is visibly signed, sandboxed, and trust-scored — capability and provenance in the same breath:

$ py examples/mcp_client_smoke.py

[warden] pinned curator key warden:cd015c720e6027fd
[warden] transparency log: 5 entries, root sha256:491104b0…, integrity OK
[warden] VERIFIED  build-brain/build-product        [Warden PROVISIONAL A/99 ✓]
[warden] VERIFIED  build-brain/ship-gate            [Warden A/100 ✓]
[warden] VERIFIED  compliance-brain/secret-sentinel [Warden PROVISIONAL C/79 ✓]
[warden] VERIFIED  research-brain/fact-gate         [Warden A/100 ✓]
[warden] VERIFIED  research-brain/idea-scout        [Warden A/100 ✓]
[warden] ready: 5 skill(s) exposed, 0 refused (deny-by-default)

…and when the agent calls a skill, it gets the skill with its provenance:

=== WARDEN PROVENANCE ==========================================
skill        : research-brain/idea-scout v1.0.0
trust        : [Warden A/100 ✓]  (a SIGNAL, not a guarantee)
pinned hash  : sha256:208b0208cd3c…
capabilities : no network, no filesystem, no shell, no secrets
sandbox      : isolated-no-net (deny-by-default; cannot act outside this envelope)
verified now : VERIFIED (11/11 checks)
================================================================

Quickstart (≈60 seconds)

Requires Python 3.8+ (on Windows use the py launcher). No pip install.

# 1. generate your curator key (the root of trust; the private seed is gitignored)
py -m warden keygen

# 2. scan + sign + log + register every curated skill
py -m warden sign-all

# 3. cold-verify everything (re-derives the hash, checks the signature, re-scans,
#    recomputes the trust score, checks the transparency log)
py -m warden verify-all

# 4. see the curated set and the public log
py -m warden list
py -m warden audit

# 5. run the reference MCP node (stdio), or drive it with the demo client
py -m warden serve
py examples/mcp_client_smoke.py

# prove the scanner: a deliberately poisoned skill is REJECTED at the door
py -m warden scan skills/_samples/poisoned-weather

# everything verified in one shot
py -m warden selftest        # 75/75 (Phase 0–4)

Wire it into your agent

Point any MCP client at the node. Claude Desktop style:

{
  "mcpServers": {
    "warden": { "command": "py", "args": ["-m", "warden", "serve"],
                "cwd": "C:/path/to/WARDEN" }
  }
}

See examples/ for the full config and a smoke client.

Verify the live registry yourself

You don't have to trust us. Check the curator's signature on the public registry from anywhere — this re-derives the canonical bytes and verifies the Ed25519 signature with Warden's own pure-Python verifier:

import urllib.request, base64, json
from warden import ed25519
from warden.canonical import canonicalize

url = "https://warden-8c4.pages.dev/registry/index.json"
req = urllib.request.Request(url, headers={"User-Agent": "warden-verify/1.0"})  # any UA; some CDNs 403 the default
obj = json.load(urllib.request.urlopen(req, timeout=20))
data = obj["index"]
ok = ed25519.verify(bytes.fromhex(data["curator_key"]),
                    canonicalize(data), base64.b64decode(obj["signature"]))
print("VERIFIED" if ok else "TAMPERED", ed25519.fingerprint(bytes.fromhex(data["curator_key"])))
# -> VERIFIED warden:cd015c720e6027fd

Change one byte of the index and the signature fails. The GitHub mirror serves the identical signed bytes.


Phases 1–4 (now built)

The phase capabilities are now built as reference implementations — local-first, pure standard library, zero third-party dependencies, verified by a 75/75 self-test. The full command surface (py -m warden help):

Capability Command
Run a kind:"code" skill in the sandbox py -m warden run-code <dir> "{...}"
Private per-agent encrypted memory py -m warden memory remember|recall|list
Safe auto-update (re-verify + re-score; refuses escalation) py -m warden update <id> <dir> [--apply]
Shareable scan report py -m warden scan-report <dir> [--sign]
Org allow/deny policy (ALLOW/DENY per skill) py -m warden policy show|init|check
Tamper-evident audit log py -m warden audit-log [N]
The Scan API (Trust-as-a-Service) py -m warden serve-api [--port N]
Trust-graded signed static index → site/registry/ py -m warden build-index [out]
Signed read-only knowledge packs py -m warden kpack list|sign|verify
Host your own skill (private) py -m warden host <dir>
Trust another curator key py -m warden add-root <hex> <name>

What remains is the business rollout, not the code — see Honest scope below and docs/PHASES.md.


The trust architecture (the moat)

Built to the OWASP Agentic Skills Top 10. Six pillars, all real in this repo:

# Pillar Where
1 Content-addressed + Ed25519-signed + pinned — you connect to a hash, not a name. Kills rug-pulls. content_address.py, ed25519.py, sign.py
2 Intake scanning — tool-poisoning, unsafe-exec, SSRF, secret-exfil, obfuscation, and capability drift. scanner.py
3 Capability manifest + deny-by-default — a skill may touch only what it declares. manifest.py, policy.py
4 Sandboxed execution — skills run in a declared profile, never the agent's process. policy.py (profiles)
5 Behavioral trust score — per-version, time-aware; re-publishing re-evaluates. Not a static badge. trust.py
6 Public transparency log — append-only, hash-linked, Merkle-rooted. Nothing changes silently. translog.py

The point the whole project turns on:

Verification of identity is not verification of behavior. A "verified" badge can still turn malicious on its next update. So Warden pins the exact bytes, re-scores every version, scans for drift between what a skill declares and what it does, and writes every change to a public log.

 ┌───────────┐   ┌─────────────┐   ┌─────────────┐   ┌────────────┐
 │ Skills in │──▶│ Scan & sign │──▶│ Skill brain │──▶│ Your agent │
 │ any source│   │ OWASP + hash│   │  sandboxed  │   │ MCP, local │
 └───────────┘   └─────────────┘   └─────────────┘   └────────────┘
   untrusted        [trust ctrl]      [trust ctrl]      your side
   ····················· TRANSPARENCY LOG — every version auditable ··········
   [ pinned hash = no rug-pull ]   [ sandbox = contained ]   [ deny-by-default ]

What's in here

WARDEN/
├── TRUST_SPEC.md          the standard (start here)
├── THREAT_MODEL.md        OWASP Agentic Skills Top 10 → mitigations
├── warden/                the reference node + pipeline (zero-dep stdlib)
├── skills/                curated hardened skill packs + registry + _samples
├── schema/                JSON Schemas (manifest, signature, trust, log entry)
├── keys/                  the pinned curator public key
├── examples/              one-config-line setup + magic-moment smoke client
├── docs/                  positioning, build path, FAQ
└── site/                  the landing + waitlist site (zero-dep static; deploy anywhere)

Landing site

A zero-dependency static site (the launch + waitlist funnel) lives in site/. Run it locally with py -m http.server 4173 --directory site and open http://localhost:4173. Wire one endpoint (WAITLIST_ENDPOINT in site/app.js) before deploying — details in site/README.md.

Honest scope

The Phase 0 curated skills are instruction packs: the node serves their verified text plus a provenance block, and your agent's model follows them. The Phase 1–4 capabilities are now built as reference implementations — local, zero-dep, verified — so sandboxed kind:"code" execution, private encrypted memory, knowledge packs, safe auto-updates, org policy, the audit log, and the Scan API all run today (see the table above and docs/PHASES.md).

What remains is honest and named:

  • The business rollout — hosting, the paid tiers (Pro / Team / Scan API as products), billing, SSO (an integration point, not built), and go-to-market. Reference code existing is not the same as the business being validated, so productizing/hosting stays gated behind a cheap test (see docs/BUILD_PATH.md).
  • Production-grade sandboxing — the kind:"code" sandbox is defense-in-depth at the Python + process layer, not a hard OS sandbox (no seccomp / namespaces). For untrusted code in production, run it in a container / microVM / WASM and enforce the same policy there. The pure-Python Ed25519 and ChaCha20-Poly1305 are real and interop-verified but not constant-time (sign offline / HSM in production).

We would rather ship small and true than over-promise.

How it makes money (without charging for the core)

The core is free forever — it is the funnel, and devs don't pay for cores. Revenue comes from governance (teams), the supply side (a Scan API that vouches for skill authors' and marketplaces' skills), and hosting/convenience. See docs/BUILD_PATH.md.

Positioning in one breath

Not a directory (mcp.so, Glama, Smithery). Not a memory platform (Mem0, Zep, Letta) — memory is a supporting feature here, never the headline. Not a hosted identity-verification play (mcpskills.io, Apigene). Warden is OSS-native + local-first + behavioral-trust + opinionated curation. Full comparison in docs/POSITIONING.md.

Trust is a signal, not a guarantee

Read SECURITY.md before you rely on anything here. We never claim "100% safe"; we claim signed, scanned, contained, scored, and logged.

License

Apache-2.0.

from github.com/chadcorp/warden

Установка Warden

У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.

▸ github.com/chadcorp/warden

FAQ

Warden MCP бесплатный?

Да, Warden MCP бесплатный — установка в пару кликов через Unyly без оплаты.

Нужен ли API-ключ для Warden?

Нет, Warden работает без API-ключей и переменных окружения.

Warden — hosted или self-hosted?

Self-hosted: сервер запускается локально на твоей машине командой из раздела установки.

Как установить Warden в Claude Desktop, Claude Code или Cursor?

Открой Warden на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.

Похожие MCP

Compare Warden with

Не уверен что выбрать?

Найди свой стек за 60 секунд

Автор?

Embed-бейдж для README

Похожее

Все в категории development