Warden — the trusted skill brain for open agents
Connect your open-source agent to one endpoint, and it gains a curated, cryptographically-signed, sandboxed set of skills — without poisoning it.
Live site → https://chadcorp.github.io/warden/ · browse the trust-graded registry
The world has thousands of places to find agent skills and almost nowhere trustworthy to run them. Warden is the run-trust layer: not a bigger directory, a vouched-for one. It is OSS-native, local-first, and opinionated about curation — and it treats trust as a signal, not a guarantee.
This repository is the trust core (Phase 0) — the Agent Skill Trust Spec, a curated hardened skill-pack, and a working reference local node — plus the Phase 1–4 capabilities built as reference implementations (sandboxed execution, private encrypted memory, knowledge packs, governance, the Scan API). Pure Python standard library — zero third-party dependencies. Nothing leaves your box.
The magic moment
One config line points any MCP-speaking agent at Warden. Within a minute it has a curated skill set where every skill is visibly signed, sandboxed, and trust-scored — capability and provenance in the same breath:
$ py examples/mcp_client_smoke.py
[warden] pinned curator key warden:cd015c720e6027fd
[warden] transparency log: 5 entries, root sha256:491104b0…, integrity OK
[warden] VERIFIED build-brain/build-product [Warden PROVISIONAL A/99 ✓]
[warden] VERIFIED build-brain/ship-gate [Warden A/100 ✓]
[warden] VERIFIED compliance-brain/secret-sentinel [Warden PROVISIONAL C/79 ✓]
[warden] VERIFIED research-brain/fact-gate [Warden A/100 ✓]
[warden] VERIFIED research-brain/idea-scout [Warden A/100 ✓]
[warden] ready: 5 skill(s) exposed, 0 refused (deny-by-default)
When the agent then calls a skill, it receives the skill text together with its provenance block:
=== WARDEN PROVENANCE ==========================================
skill : research-brain/idea-scout v1.0.0
trust : [Warden A/100 ✓] (a SIGNAL, not a guarantee)
pinned hash : sha256:208b0208cd3c…
capabilities : no network, no filesystem, no shell, no secrets
sandbox : isolated-no-net (deny-by-default; cannot act outside this envelope)
verified now : VERIFIED (11/11 checks)
================================================================
Quickstart (≈60 seconds)
Requires Python 3.8+ and no pip install. The commands below use py, the Windows Python launcher; on Linux/macOS substitute python3.
# 1. generate your curator key (the root of trust; the private seed is gitignored)
py -m warden keygen
# 2. scan + sign + log + register every curated skill
py -m warden sign-all
# 3. cold-verify everything (re-derives the hash, checks the signature, re-scans,
# recomputes the trust score, checks the transparency log)
py -m warden verify-all
# 4. see the curated set and the public log
py -m warden list
py -m warden audit
# 5. run the reference MCP node (stdio), or drive it with the demo client
py -m warden serve
py examples/mcp_client_smoke.py
# prove the scanner: a deliberately poisoned skill is REJECTED at the door
py -m warden scan skills/_samples/poisoned-weather
# everything verified in one shot
py -m warden selftest   # 73/73 (Phase 0–4)
Wire it into your agent
Point any MCP client at the node. Claude Desktop style:
{
"mcpServers": {
"warden": { "command": "py", "args": ["-m", "warden", "serve"],
"cwd": "C:/path/to/WARDEN" }
}
}
See examples/ for the full config and a smoke client.
Phases 1–4 (now built)
The phase capabilities are now built as reference implementations —
local-first, pure standard library, zero third-party dependencies, verified by a
73/73 self-test. The full command surface (py -m warden help):
| Capability | Command |
|---|---|
| Run a | |
| Private per-agent encrypted memory | |
| Safe auto-update (re-verify + re-score; refuses escalation) | |
| Shareable scan report | |
| Org allow/deny policy (ALLOW/DENY per skill) | |
| Tamper-evident audit log | |
| The Scan API (Trust-as-a-Service) | |
| Trust-graded signed static index → | |
| Signed read-only knowledge packs | |
| Host your own skill (private) | |
| Trust another curator key | |
What remains is the business rollout, not the code — see Honest scope below
and docs/PHASES.md.
The trust architecture (the moat)
Built to the OWASP Agentic Skills Top 10. Six pillars, all real in this repo:
| # | Pillar | Where |
|---|---|---|
| 1 | Content-addressed + Ed25519-signed + pinned: you connect to a hash, not a name. Kills rug-pulls. | |
| 2 | Intake scanning: tool-poisoning, unsafe-exec, SSRF, secret-exfil, obfuscation, and capability drift. | |
| 3 | Capability manifest + deny-by-default: a skill may touch only what it declares. | |
| 4 | Sandboxed execution: skills run in a declared profile, never in the agent's process. | |
| 5 | Behavioral trust score: per-version, time-aware; re-publishing re-evaluates. Not a static badge. | |
| 6 | Public transparency log: append-only, hash-linked, Merkle-rooted. Nothing changes silently. | |
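Pillar 6 in miniature, as an added example rather than Warden's own log code (the real one lives in warden/ with its entry schema in schema/): an append-only log where each entry commits to the previous entry's hash and the set of entry hashes is summarised by a Merkle root. The entry field names and the leaf-hash layout are assumptions for this illustration; the skills, versions and grades are constructed sample data. The point it makes is the one the pillar makes: editing a grade in place or dropping an entry cannot be done silently, because re-deriving the chain fails at the first altered position.

```python
import hashlib
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def merkle_root(leaf_hashes) -> str:
    """Binary Merkle root over hex leaf hashes. An odd level duplicates its last
    node; an empty log roots to the hash of the empty string (both are
    assumptions of this example, not the project's layout)."""
    if not leaf_hashes:
        return sha256_hex(b"")
    level = [bytes.fromhex(h) for h in leaf_hashes]
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()


class TransparencyLog:
    """Append-only, hash-linked log. Each entry hash covers the entry body,
    which includes the previous entry's hash, so any in-place change or
    deletion breaks every later link."""

    def __init__(self):
        self.entries = []

    def append(self, skill: str, version: str, content_hash: str, trust: str) -> str:
        prev = self.entries[-1]["entry_hash"] if self.entries else sha256_hex(b"")
        body = {"seq": len(self.entries), "skill": skill, "version": version,
                "content_hash": content_hash, "trust": trust, "prev": prev}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        body["entry_hash"] = sha256_hex(canonical)
        self.entries.append(body)
        return body["entry_hash"]

    def root(self) -> str:
        return merkle_root([e["entry_hash"] for e in self.entries])

    def verify(self):
        """Re-derive every link. Returns (True, None) or (False, first_bad_seq)."""
        prev = sha256_hex(b"")
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False, i
            canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
            if sha256_hex(canonical) != entry["entry_hash"]:
                return False, i
            prev = entry["entry_hash"]
        return True, None


def demo() -> dict:
    """Constructed scenario: three publications, then two silent edits."""
    log = TransparencyLog()
    log.append("research-brain/idea-scout", "1.0.0", sha256_hex(b"idea-scout v1.0.0 bytes"), "A/100")
    log.append("build-brain/ship-gate", "1.0.0", sha256_hex(b"ship-gate v1.0.0 bytes"), "A/100")
    log.append("research-brain/idea-scout", "1.1.0", sha256_hex(b"idea-scout v1.1.0 bytes"), "B/88")
    ok_before = log.verify()
    root_before = log.root()
    # Tamper 1: quietly raise the re-published version's grade in place.
    log.entries[2]["trust"] = "A/100"
    tamper = log.verify()
    # Tamper 2: put the grade back, then drop the middle entry entirely.
    log.entries[2]["trust"] = "B/88"
    del log.entries[1]
    drop = log.verify()
    return {"ok_before": ok_before, "root": root_before, "tamper": tamper, "drop": drop}


if __name__ == "__main__":
    print(demo())
```

A client that has pinned an earlier root can detect a rewritten history by asking for the current root and checking that its own entries still verify as a prefix; the Merkle root is what makes that check cheap to publish and compare.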
The point the whole project turns on:
Verification of identity is not verification of behavior. A "verified" badge can still turn malicious on its next update. So Warden pins the exact bytes, re-scores every version, scans for drift between what a skill declares and what it does, and writes every change to a public log.
┌───────────┐ ┌─────────────┐ ┌─────────────┐ ┌────────────┐
│ Skills in │──▶│ Scan & sign │──▶│ Skill brain │──▶│ Your agent │
│ any source│ │ OWASP + hash│ │ sandboxed │ │ MCP, local │
└───────────┘ └─────────────┘ └─────────────┘ └────────────┘
untrusted [trust ctrl] [trust ctrl] your side
····················· TRANSPARENCY LOG — every version auditable ··········
[ pinned hash = no rug-pull ] [ sandbox = contained ] [ deny-by-default ]
What's in here
WARDEN/
├── TRUST_SPEC.md the standard (start here)
├── THREAT_MODEL.md OWASP Agentic Skills Top 10 → mitigations
├── warden/ the reference node + pipeline (zero-dep stdlib)
├── skills/ curated hardened skill packs + registry + _samples
├── schema/ JSON Schemas (manifest, signature, trust, log entry)
├── keys/ the pinned curator public key
├── examples/ one-config-line setup + magic-moment smoke client
├── docs/ positioning, build path, FAQ
└── site/ the landing + waitlist site (zero-dep static; deploy anywhere)
Landing site
A zero-dependency static site (the launch + waitlist funnel) lives in
site/. Run it locally with py -m http.server 4173 --directory site
and open http://localhost:4173. Wire one endpoint (WAITLIST_ENDPOINT in
site/app.js) before deploying — details in site/README.md.
Honest scope
The Phase 0 curated skills are instruction packs: the node serves their
verified text plus a provenance block, and your agent's model follows them. The
Phase 1–4 capabilities are now built as reference implementations — local,
zero-dep, verified — so sandboxed kind:"code" execution, private encrypted
memory, knowledge packs, safe auto-updates, org policy, the audit log, and the
Scan API all run today (see the table above and docs/PHASES.md).
What remains is honest and named:
- The business rollout: hosting, the paid tiers (Pro / Team / Scan API as products), billing, SSO (an integration point, not built), and go-to-market. Reference code existing is not the same as the business being validated, so productizing/hosting stays gated behind a cheap test (see docs/BUILD_PATH.md).
- Production-grade sandboxing: the kind:"code" sandbox is defense-in-depth at the Python + process layer, not a hard OS sandbox (no seccomp / namespaces). For untrusted code in production, run it in a container / microVM / WASM and enforce the same policy there. The pure-Python Ed25519 and ChaCha20-Poly1305 are real and interop-verified but not constant-time (sign offline / HSM in production).
We would rather ship small and true than over-promise.
How it makes money (without charging for the core)
The core is free forever — it is the funnel, and devs don't pay for cores. Revenue
comes from governance (teams), the supply side (a Scan API that vouches
for skill authors' and marketplaces' skills), and hosting/convenience. See
docs/BUILD_PATH.md.
Positioning in one breath
Not a directory (mcp.so, Glama, Smithery). Not a memory platform (Mem0, Zep,
Letta) — memory is a supporting feature here, never the headline. Not a hosted
identity-verification play (mcpskills.io, Apigene). Warden is OSS-native +
local-first + behavioral-trust + opinionated curation. Full comparison in
docs/POSITIONING.md.
Trust is a signal, not a guarantee
Read SECURITY.md before you rely on anything here. We never
claim "100% safe"; we claim signed, scanned, contained, scored, and logged.
License