Per-agent cryptographic identity. Policy enforced before the LLM call lands. Hash-chained audit your auditor can verify without trusting your IT team. Self-hosted, LLM-agnostic, FSL-1.1 + Apache-2.0.
Illustrative screenshots from the Cullis demo stack. Agent identities, tool calls, and audit events shown are reproducible from the public repo, not a customer deployment.
Built on standards. Auditable by inspection.
Mastio · organisation control point
One Docker container per organisation. Authority over agent identity, policy enforced before the LLM call lands, an append-only audit chain externally verifiable by your auditor or regulator. Works underneath any agent stack — Claude Agent SDK, OpenAI Agents SDK, LangGraph, CrewAI, or any MCP-aware loop.
x509 + SPIFFE ID per agent process. mTLS RFC 8705 and DPoP RFC 9449. The caller authenticated at the gateway is the agent itself, not a shared service account. Rotation on its own schedule, revocation propagates in seconds. Maps to EU AI Act Art. 12 and DORA Art. 28 + Art. 30 (ICT third-party risk + key contractual provisions).
Identity model →PDP fires before the LLM API or MCP tool runs. Per-principal scopes (this agent can read claim files, that agent cannot). 4-eye approval capability. OPA-compatible bundles or built-in DSL. Maps to EU AI Act Art. 14 (human oversight) and Art. 26 (deployer obligations on high-risk systems).
Policy model →Every event (auth, enroll, message, tool call, LLM token) hashed and chained. Optional RFC 3161 TSA anchoring. Your auditor verifies the chain externally, without trusting Cullis or your IT team. Maps to EU AI Act Art. 12 (record-keeping) + Art. 15 (accuracy, robustness, cybersecurity) and EIOPA Opinion BoS-25-360 (6 Aug 2025).
Audit chain →
Captured from the local Cullis demo stack. Reproducible from the public repo, not a customer deployment.
Reading the regulation
The pilots don't graduate. Not because the agent is wrong. Because no one in compliance can answer the only question the regulator will ask in 2027: who decided what, with which input, eighteen months ago, and how do we prove it without trusting the vendor.
Drop-in integration · LLM-agnostic
Cullis sits underneath, not next to. Same governance primitives for Claude Agent SDK, OpenAI Agents SDK, LangGraph, CrewAI, Ollama on-prem. Switch model providers with one environment variable. Identity, policy, audit chain do not change.
Mastio in your stack
Mastio is the AI gateway, sits in front of the one you already run, or stays out of the data path entirely. Identity, policy and audit chain are the same in all three.
Mastio runs LiteLLM in-process and speaks directly to the provider. One container, no extra gateway to operate.
You already run an AI gateway for cost control, fallback and caching. Mastio sits in front, the gateway stays in place.
Mastio stays out of the LLM data path. The agent calls the provider directly. Identity, policy and audit live in Mastio over a side channel.
Even behind a hardened enterprise gateway, three properties stay Cullis-only:
Reference scenarios · Claude for Financial Services on Cullis
Two overlap with templates from Anthropic's Claude for Financial Services release. Two are Cullis-specific reference architectures. Stack heterogeneity (Claude in cloud, Ollama on-prem, MockLLM for deterministic replay) shows the governance layer is genuinely LLM-agnostic.
Entity file assembly + AML escalation on the Anthropic template. Per-agent cert binds every screening action. Maps to EU AI Act Art. 14 + Art. 12.
Cross-desk capability gate blocks MNPI leakage — Industrials agent cannot read Tech docs. Maps to MAR Art. 16 + Art. 18.
Cullis-specific. Runs on open-weight LLM on-prem (Ollama) — no SaaS sees vendor risk data. Maps to DORA Art. 28 + Art. 30.
Signal → reasoning → risk_check → place_order, every step hash-chained. PDP blocks orders when kill-switch on. Mock OMS — not production trading. Maps to MiFID II Art. 17 + RTS 6 Art. 23 (pre-trade controls).
Quickstart
The Mastio bundle is a self-contained tarball that pulls its
image from ghcr.io and configures itself on first
boot. The SDK is on PyPI.
# 1. Mastio — organisation gateway on :9443
curl -L https://github.com/cullis-security/cullis/releases/download/mastio-v0.5.1/cullis-mastio-bundle.tar.gz | tar xz
cd cullis-mastio-bundle && ./deploy.sh# 2. Python SDK for your autonomous agent
pip install cullis-sdk
Mint an agent identity bundle from the Mastio dashboard, then
wire it into the SDK. Six lines and the first
chat_completion lands as an audit row.
from cullis_sdk import CullisClient
client = CullisClient.from_identity_dir(
"https://mastio.example.com:9443",
cert_path="./identity/agent.crt",
key_path="./identity/agent.key",
dpop_key_path="./identity/dpop.jwk",
)
response = client.chat_completion({
"model": "claude-sonnet-4-6",
"messages": [{"role": "user", "content": "Screen the latest applicant batch."}],
})
for tool in client.list_mcp_tools():
print(tool["name"])
result = client.call_mcp_tool("sanctions_lookup", {"full_name": "Acme Holding Ltd"})Full install instructions, enrolment paths, and production overrides on the repo.
Pilot conversation
Two or three design partners in regulated EU industries for H2 2026. Conservative scope, reversible, no SLA. Output is a signed audit bundle of real production journeys.