The Connector, the Mastio, the Court.
Three independent, deployable components. A single company runs two of them; a consortium adds the third. Each is open source, self-hosted, and speaks to the others over mutual TLS + SPIFFE identity.
Cullis Connector
A desktop application that turns any MCP client — Claude Desktop, Cursor, Cline, Continue — into a Cullis-aware agent. Runs on the user's laptop. Manages the user's cryptographic identity, translates between MCP and Cullis wire protocols, and auto-configures the MCP client on install.
What it does
- Device-code enrollment — opens your browser, you approve with your admin's flow, the Connector receives a signed x509 + SPIFFE identity scoped to your user.
- MCP ↔ Cullis translation — speaks MCP to your local client, speaks Cullis wire protocol to the Mastio upstream. Bidirectional.
- IDE autoconfig — writes the correct MCP server entries to Claude Desktop, Cursor, Cline config files on first launch. Atomic backups, refuses to clobber malformed files.
- Local dashboard — a small FastAPI UI on localhost:7777 to inspect identity, sessions, and audit chain.
- Autostart — LaunchAgent (macOS), Task Scheduler (Windows), systemd user unit (Linux). Starts on login, runs in the background.
What it does not do
No LLM routing. No MCP server aggregation. No outbound guardrails. The Connector is a trust bridge, not a replacement for whatever AI gateway your team already runs. It is designed to sit alongside tools like agentgateway, Pomerium, or Lasso — not in place of them.
Cullis Mastio
The trust authority that governs agents inside a single organization. Issues certificates, enforces policy, keeps a tamper-evident hash-chain audit that never leaves your perimeter. The Mastio is the load-bearing component of every Cullis deployment — standalone or federated.
What it does
- Certificate authority — operates your Org CA, signs per-agent x509 certificates with SPIFFE SAN (spiffe://your-org/agent-name). Rotation, revocation, CRL distribution all handled.
- Policy enforcement point — default-deny authorization. Policies written as OPA bundles or webhook-evaluated. Both intra-org and cross-org decisions land here.
- Hash-chain audit — every action (agent created, certificate issued, session opened, message routed, policy evaluated) appends to a SHA-256 chain. Tamper-evident. Exportable.
- Reverse-proxy for tools — HTTP + WebSocket reverse-proxy from agents to MCP tool servers inside your org. Per-agent rate limits, per-session access logs.
- Agent onboarding — self-register flow with admin approval, bootstrap tokens for headless service accounts, SCIM-ready for enterprise IdP integration.
- Admin dashboard — web UI on HTTPS for provisioning, policies, audit browsing, certificate management, invite generation.
- Federation uplink (optional) — when attach-ca completes, the Mastio maintains a persistent channel to a Cullis Court for cross-org traffic. Same binary, admin toggle.
Data plane vs control plane
The Mastio is both. The control plane decisions (authorize, sign, enroll) happen inline with the data plane calls (tool proxy, agent messaging). This is intentional: it keeps latency low and avoids the split-brain failure mode where the control plane goes down and the data plane keeps routing traffic with stale policy.
Cullis Court
The federation layer. Registers participating organizations, routes sealed envelopes between them, anchors cross-org audit events. The Court never sees the plaintext of the messages it routes — payload is end-to-end encrypted between Mastios. Even full root on the Court machine does not grant read access to agent communications.
What it does
- Organization registry — maintains the list of participating orgs, their Org CAs, their trust domain identifiers (spiffe://acme.demo, spiffe://globex.demo).
- Attach-CA flow — issues invite tokens, accepts CA submissions, validates them, registers them as trust roots. All operations dual-logged in the Court's audit chain and the org's local chain.
- Ciphertext routing — forwards sealed envelopes between Mastios. Sees source org, destination org, timestamp, envelope size. Does not see the payload.
- Cross-org discovery — when Agent A at Org X wants to talk to Agent B at Org Y, the Court resolves the target Mastio endpoint and mediates the handshake.
- Dual-write audit — every cross-org event lands in both the Court's chain and the counterparty Mastios' local chains. Non-repudiation works in both directions: neither side can unilaterally rewrite history.
- Revocation propagation — when an org revokes an agent certificate, the Court propagates the revocation to all participating Mastios within seconds.
Zero-knowledge by design
The cryptographic invariant of the Court is that who spoke to whom, and when, is visible; what was said is not. End-to-end encryption happens between Mastios, using ECDH-derived session keys and AES-256-GCM. The Court is an untrusted router. This is the same property that makes the Signal protocol robust: the server being compromised does not compromise past conversations.
Ready to run it?
The Quickstart boots all three components on your laptop in a minute. The deployment page walks you through installing the Mastio for real.