Own Your Stack.


Own your agent stack

agent-security-stack

warden, canon, keeper, cordon & picket composed into one layered defense — and exposed as a single governed MCP server an agent can call mid-task.


01 What it is

Each guard closes one failure mode; the stack is all of them, in one place. warden contains the action, canon vets the tool, keeper holds the keys, cordon scrubs the prompt, and picket guards the browser — five small, zero-dependency tools that compose into a single layered defense rather than five separate installs to wire up.

The pieces aren't islands: they share one spine, so canon reuses warden's scanner and keeper reuses warden's tamper-evident audit. Composed in the path — client → canon → warden → server, egress through keeper — a tool must be vetted to exist, safe to run, and hold a valid lease before it touches a secret. And the same suite is exposed on demand, as one MCP server an agent can simply call.

oys-mcp · config
# one MCP server, the whole suite
npx -y agent-security-stack oys-mcp

# five callable tools
warden_check    contain
canon_scan      vet
keeper_lease    key
cordon_redact   sanitize
picket_observe  read
Fig. 1 — the suite as one on-demand MCP server.

02 What it does

One guarded call, three-way agreement

The core trio composes into a single decision: a tool call proceeds only when all three layers agree, checked in order, canon before warden before keeper. Flip any one layer to "bad" and the call stops at that layer, and the layers after it never run: a poisoned tool stops at canon, a curl | bash stops at warden, a spent lease stops at keeper.

Drop-in enforcers at the boundary

Each layer also ships a transparent proxy, so the same defense holds with no app changes. Chain them — client → canon-mcp → warden-mcp → server, egress through the keeper broker — and the agent never holds a key: the broker redeems a scoped, single-use lease and injects the real secret only at egress, bound to one upstream.

One MCP server — call the whole stack

Where the proxies enforce unconditionally in the path, oys-mcp is the complementary on-demand surface: one server that hands any client (Claude Desktop, Claude Code, any agent runtime) the suite as callable tools, so an agent can ask the stack to vet content, actions, and secrets mid-task.

Five tools an agent can call

warden_check asks whether a {tool, input} is safe to run; canon_scan scans a manifest for poisoning; keeper_lease returns an opaque handle, never the secret; cordon_redact strips PII to typed placeholders; picket_observe returns a safe view of an untrusted page with injection withheld. Each wraps the real library — no reimplementation.
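The "PII to typed placeholders" step, as an added example of the redact-then-restore pattern: the model sees only placeholders, and a map held outside the model puts the originals back into its reply. This is not cordon's code; the detectors (EMAIL, IPV4, PHONE), the <TYPE_n> placeholder format and the sample text are assumptions constructed for illustration.

```javascript
// Added example, not the project's code. Detector patterns and placeholder format are assumptions.
// Order matters: IPV4 runs before PHONE so a dotted address is not also caught as a digit run.
const DETECTORS = [
  ["EMAIL", /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g],
  ["IPV4", /\b(?:\d{1,3}\.){3}\d{1,3}\b/g],
  ["PHONE", /\+?\d[\d\s().-]{8,}\d/g], // loose on purpose; will also catch some dates, a known false positive
];

// Replaces each detected value with a typed placeholder. The same value always maps to the
// same placeholder, so references stay consistent for the model; the map never leaves the caller.
function redact(text) {
  const map = new Map();  // placeholder -> original
  const seen = new Map(); // original -> placeholder
  const counters = {};
  let out = text;
  for (const [type, re] of DETECTORS) {
    out = out.replace(re, (m) => {
      if (!seen.has(m)) {
        counters[type] = (counters[type] || 0) + 1;
        const ph = `<${type}_${counters[type]}>`;
        seen.set(m, ph);
        map.set(ph, m);
      }
      return seen.get(m);
    });
  }
  return { text: out, map };
}

// Puts originals back into the model's reply. Unknown placeholders are left as-is rather than
// guessed, so a model-invented <EMAIL_9> cannot pull a value it was never shown.
function restore(text, map) {
  return text.replace(/<[A-Z0-9]+_\d+>/g, (ph) => (map.has(ph) ? map.get(ph) : ph));
}

// Constructed sample: a prompt fragment with two occurrences of one email, a phone and an IP.
function demo() {
  const raw = "Contact jane.doe@example.com or +1 (415) 555-0123; server 10.0.0.7 rejected jane.doe@example.com";
  const { text, map } = redact(raw);
  const modelReply = "Tell <EMAIL_1> that <IPV4_1> is back; ignore <EMAIL_9>"; // constructed reply
  return { redacted: text, placeholders: map.size, restored: restore(modelReply, map), roundTrip: restore(text, map) };
}
```

Two checks worth carrying into real use: the redacted text should contain no residue of the originals (run the detectors over it a second time and expect zero hits), and the restore step must be a lookup, never a search, so the model cannot name a placeholder it was not given.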

A reproducible supply chain

The tools are pinned to vetted commits, so the stack is itself a reproducible supply chain — the thing it's protecting. npm install pulls all five and dedupes warden to a single shared copy; npm run demo shows a clean call proceed while a poisoned tool, a download-and-run, and a spent lease each get stopped. Zero required dependencies, MIT-licensed.


03 Where it sits

Part of The Guard.

This is the whole of The Guard in one place — the five tools below, composed, with a single MCP server an agent can call to vet a tool, contain an action, lease a key, redact a prompt, or read a page safely.

Govern the agent, not just the prompt.

agent-security-stack is open source and MIT-licensed. Read the code, read the build note, run it on your own box.

View agent-security-stack on GitHub →