Deploy the Mastio
The Mastio is the org-scoped gateway that mints agent
certificates, enforces policy on every MCP tool call,
and writes an append-only audit chain. The bundle is
a self-contained docker compose stack —
no source tree required.
$ curl -L -o mastio.tar.gz \
https://cullis.io/download/latest
$ tar xzf mastio.tar.gz
$ cd cullis-mastio-bundle/
$ ./deploy.sh
# Mints Org CA + admin account + nginx TLS
# Open https://localhost:9443/proxy/loginCommon paths
Six entry points cover most operator + developer workflows. Pick the one that matches what you are doing right now.
Install Mastio on Docker
Single-host self-hosted deploy. Two commands from tarball to a gateway with admin dashboard.
Read Install · multi-nodeInstall Mastio on Kubernetes
Production deploy via Helm charts — ingress, BYOCA, dev vs. prod values.
Read Build · PythonPython SDK quickstart
From pip install to a Mastio-authenticated agent calling LLMs + MCP tools.
Read Enroll · existing PKIBYOCA enrollment
Use your existing PKI to enroll agents. Mastio verifies chain, pins thumbprint.
Read Enroll · workload identitySPIRE enrollment
Hand the workload-API SVID to the SDK; Mastio pins it as the agent identity.
Read Operate · on-callProduction runbook
Incident response, rotate keys, audit export, disaster recovery procedures.
ReadHow Cullis fits
Cullis sits between your autonomous agents and the LLMs, MCP tools, and SaaS APIs they call. Every request is authenticated with a cert + DPoP proof bound to the agent identity, passed through a policy decision point, and written to a tamper-evident audit chain.
- Mastio — org gateway. Cert mint, policy enforcement, audit chain, MCP reverse-proxy, native AI dispatch (Anthropic / OpenAI SDKs, raw httpx for Ollama).
- Python SDK — agent client. Loads cert + DPoP key from disk, presents mTLS to Mastio, makes chat completions and MCP tool calls.