Skip to main content
Glama

πŸ•ΈοΈ Weave_Protocol

Infrastructure security for AI agents. We attack what we defend.

npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm npm License

Make agent behavior verifiable, auditable, and cryptographically provable across any harness, any platform. Built as a TypeScript monorepo with MCP integration, blockchain anchoring, and β€” as of Q4 β€” a published red-team engine that tests our own defenses.

The thesis: every security platform claims its defenses work. We're the first to publish the attacks that prove it. Same suite. Same scorecard. Same locked benchmark β€” applied to our own packages, every release.


πŸš€ Get started in one command

npx @weave_protocol/cli init

The CLI detects your framework (LangChain, LlamaIndex, MCP, OpenAI, Anthropic, Microsoft, Google) and scaffolds the right security middleware for your stack. Or install everything at once:

npm install @weave_protocol/full

Related MCP server: agent-audit

πŸ†• What's New

βš”οΈ Q4 Moat Quarter β€” we attack what we defend

The first agent security platform to publish its own offensive engine. Two new packages flipped the suite from purely defensive to defense + offense in the same monorepo, validated against each other:

Package

Role

Version

@weave_protocol/adversary

Offensive engine β€” 68 documented + novel attacks across 5 categories (IPI, tool-coercion, jailbreak, extraction, goal-corruption). Real Playwright browser target with 4 breach signal channels. Real-LLM demo mode via Anthropic API.

βœ… v0.2.1

@weave_protocol/agentsecbench

Standardized benchmark β€” locked attack suites, tier grades A–F, paste-ready reports, side-by-side comparison

βœ… v0.1.0

Trophy attacks β€” documented in-the-wild incidents reproduced in the corpus:

  • 🏦 Atlan autonomous-fraud (Dec 2025) β€” first documented agent-driven financial fraud

  • πŸ”’ EchoLeak (CVE-2025-32711) β€” Microsoft Copilot zero-click exfil

  • πŸ‘» Brave/Comet OTP exfil (2025) β€” browser agent secret leak via hidden CSS

  • 🚫 Forcepoint false copyright (Apr 2026) β€” DoS via fake copyright claim

# Run the canonical benchmark against the demo target β€” proves the suite lands
npx @weave_protocol/agentsecbench run

# Or run the full 68-attack corpus directly
npx @weave_protocol/adversary demo

Why this matters: every model release, every WARD policy change, every adapter update can be re-benchmarked against the same locked suite. Did your score regress? agentsecbench compare will show you. Does your WARD policy actually defend anything? --measure-ward-delta will tell you. This is how a category gets defined.

See Adversary README β†’ Β· See AgentSecBench README β†’ Β· See METHODOLOGY.md β†’


πŸ’° Q4 Governance β€” autonomous spending caps

Every enterprise agent question today is "what's my ceiling on this thing?" β€” measured in dollars, not just tool calls. @weave_protocol/witan@1.1.0 answers it. Per-window budgets (run / hour / day / week / month) that gate LLM calls and tool calls, with three actions: block, require approval/consensus, or notify.

Multi-provider LLM pricing built in β€” Anthropic, OpenAI, Google, and local (free). Per-tool amount caps (send_payment max $500/day). Interactive TTY approval prompt for human-in-loop terminals. Async callback for Slack/PagerDuty/custom UIs. Safe defaults β€” never silent approval in non-interactive contexts.

npx @weave_protocol/witan@1.1.0 spending caps         # inspect WARD.md caps
npx @weave_protocol/witan@1.1.0 spending simulate     # dry-run scenarios
# Extend your WARD.md:
spending_limits:
  - window: day
    budget: { usd: 5.00 }
    on_exceeded: require_approval
  - window: run
    budget: { tool_calls: 100 }
    on_exceeded: block
  - window: day
    budget:
      tools:
        send_payment: { max_amount_usd: 500 }
    on_exceeded: require_approval

Backward compatible with the existing behavioral_limits.maxCostUSD. In-memory storage in v1.1 with a pluggable interface for the v1.2 Redis/SQLite backends. Programmatic API via import { SpendingTracker } from '@weave_protocol/witan/spending'.

See Witan spending caps README β†’


πŸ›‘οΈ Four runtimes. Three vendors. One policy file.

The thesis was that WARD.md could be a portable agent security standard β€” write it once, enforce it everywhere. As of today, that's shipped and live across the entire agent harness landscape:

Runtime

Vendor

Enforcer

Status

MCP servers

Open standard

Hundredmen v1.1.0

βœ… Live on npm

Claude Code

Anthropic

adapter-claudecode v0.1.0

βœ… Live on npm

Google Antigravity (desktop + agy CLI + SDK)

Google

adapter-antigravity v0.1.0

βœ… Live on npm

Microsoft Agent Framework

Microsoft

adapter-msaf v0.1.0

βœ… Live on npm

Browser agents

Open standard

browser v0.1.0

βœ… Live on npm

The same WARD.md file in your project root is now read and enforced by Anthropic's, Google's, Microsoft's, MCP's, and the browser harness's runtimes β€” without any platform-specific edits.

my-agent-project/
β”œβ”€β”€ AGENTS.md          # what the agent does
β”œβ”€β”€ SKILL.md           # how the agent does it
└── WARD.md            # what the agent can't do  ← all five surfaces respect this

🌐 Browser agent security (Q3) β€” fifth enforcement surface

@weave_protocol/browser adds runtime IPI (indirect prompt injection) scanning to browser-driving agents. 33 detection patterns cover the documented threat surface: hidden CSS payloads, role-hijack directives, tool-call mimicry, action-injection directives, payment-recipient proximity patterns (Atlan), copyright-DoS markers (Forcepoint), and more.

Pair with the Browser Guard extension for client-side visibility into what your agent sees vs. what you see.

See browser README β†’


πŸ“Š State of AI Agent Security: Q3 2026 Report

Industry analysis of agent security trends, platform maturity, supply chain risks, and market gaps. Live at: tyox-all.github.io/Weave_Protocol/q3-2026.html


Previously shipped (Q3)

  • adapter-msaf v0.1.0 β€” Microsoft Agent Framework enforcement via middleware. WardMiddleware class, one-line integration, Azure credential heuristic.

  • adapter-antigravity v0.1.0 β€” Google Antigravity enforcement. One install protects desktop + agy CLI + SDK.

  • adapter-claudecode v0.1.0 β€” Claude Code enforcement via PreToolUse hooks.

  • Hundredmen v1.1.0 β€” WARD.md is now the first gate in the MCP decision flow, ahead of reputation/drift/approval.

  • WARD.md v0.1.0 β€” Agent security policy standard. Ten domains: filesystem, network, capabilities, data boundaries, behavioral limits, multi-agent, compliance, verification, threat model, incident response. Spec β†’

  • Tollere v0.2.2 β€” Multi-channel supply chain security. npm, PyPI, Cargo, Go, Maven, Docker Hub, VS Code Marketplace, Open VSX, JetBrains. Sandwich pattern detection.

  • Weave CLI v0.1.0 + Full Bundle v0.1.0 β€” weave init / audit / dashboard / doctor. One-command security setup.


πŸ“¦ Packages

The suite is now organized into three layers β€” defense, offensive, and operations. All 17 packages live on npm under the @weave_protocol scope, plus one Python package on PyPI.

πŸ›‘οΈ Defense Layer (11 packages)

The packages that keep your agent within policy: declare it, enforce it across every harness, scan everything that enters, encrypt everything that exits.

Package

Version

Description

πŸ›‘οΈ @weave_protocol/ward

0.1.0

WARD.md β€” agent security policy standard (parser, validator, runtime checks)

πŸ›‘οΈ @weave_protocol/adapter-claudecode

0.1.0

Claude Code adapter β€” enforces WARD.md via PreToolUse hooks

πŸ›‘οΈ @weave_protocol/adapter-antigravity

0.1.0

Google Antigravity adapter β€” enforces WARD.md across desktop, agy CLI, and SDK

πŸ›‘οΈ @weave_protocol/adapter-msaf

0.1.0

Microsoft Agent Framework adapter β€” middleware-based WARD enforcement

🌐 @weave_protocol/browser

0.1.0

Browser agent security β€” runtime IPI scanner (33 patterns) for headless agents

πŸ” @weave_protocol/hundredmen

1.1.0

MCP proxy β€” intercept, scan, gate tool calls; enforces WARD.md as first gate

πŸ›‘οΈ @weave_protocol/mund

0.2.2

Scanner β€” secrets, PII, injection, MCP vetting, threat intel

πŸ›οΈ @weave_protocol/hord

0.1.6

Vault β€” encrypted storage with Yoxallismus dual-tumbler cipher

βš–οΈ @weave_protocol/domere

1.3.4

Judge β€” compliance (PCI-DSS, ISO27001, SOC2, HIPAA, GDPR, CCPA), blockchain anchoring

πŸ‘₯ @weave_protocol/witan

1.1.0

Council β€” multi-agent consensus & governance, autonomous spending caps (Q4 v1.1)

πŸ›‚ @weave_protocol/tollere

0.2.2

Customs β€” supply chain security (npm, PyPI, Docker, IDE extensions, sandwich detection)

βš”οΈ Offensive Layer (2 packages) β€” NEW Q4

The red team. We attack what we defend.

Package

Version

Description

βš”οΈ @weave_protocol/adversary

0.2.1

Offensive engine β€” 68 attacks Β· real Playwright browser target Β· real-LLM demo mode Β· WARD-aware attack selection

🎯 @weave_protocol/agentsecbench

0.1.0

Standardized benchmark β€” locked suites (ASB-Browser-v1), tier grading A–F, trophy attacks, WARD delta, paste-ready reports

πŸ”§ Operations & Integrations (5 packages, plus 1 PyPI)

The front door, the dashboard, the bridges to other frameworks.

Package

Version

Description

πŸ•ΈοΈ @weave_protocol/cli

0.1.0

The weave CLI β€” init, audit, dashboard, doctor

πŸ“¦ @weave_protocol/full

0.1.0

Bundle β€” installs all packages in one command

πŸ”Œ @weave_protocol/api

1.1.1

REST API + Operator Dashboard β€” npx @weave_protocol/api β†’ http://localhost:3000/dashboard

πŸ”— @weave_protocol/langchain

1.0.2

LangChain.js security callbacks & tool wrappers (0 audit vulnerabilities via npm overrides)

🐍 weave-protocol-llamaindex

0.1.0

Python/LlamaIndex security callbacks & tools (on PyPI)


πŸ€– AI Agent Skills

Each package includes a SKILL.md file following the Claude Agent Skills specification. These teach AI agents how to use Weave Protocol tools effectively.

Package

Skill Name

Triggers

πŸ•ΈοΈ CLI

weave-cli

set up Weave, init project, scaffold security, audit, dashboard, doctor

πŸ›‘οΈ Ward

ward

WARD.md, agent security policy, guardrails, lock down agent

πŸ›‘οΈ adapter-claudecode

adapter-claudecode

secure Claude Code, install WARD hooks, block Claude Code actions

πŸ›‘οΈ adapter-antigravity

adapter-antigravity

secure Antigravity, agy hooks, block GCP credential reads

πŸ›‘οΈ adapter-msaf

adapter-msaf

secure MSAF agent, WardMiddleware, lock down Copilot SDK, Azure enforcement

🌐 browser

browser-security

secure browser agent, IPI scanning, hidden CSS detection, page-context safety

πŸ›‘οΈ Mund

security-scanning

scan, detect secrets, check injection, vet MCP server, threat intel

πŸ›οΈ Hord

encrypting-data

encrypt, decrypt, vault, Yoxallismus, protect

βš–οΈ Domere

compliance-auditing

audit, checkpoint, SOC2, HIPAA, PCI-DSS, GDPR, CCPA, blockchain

πŸ‘₯ Witan

consensus-governance

consensus, vote, approve, policy, escalate

πŸ” Hundredmen

security-inspection

intercept, drift, reputation, approve, block, live feed, enforce WARD

πŸ›‚ Tollere

supply-chain-security

npm install, docker pull, install extension, typosquat, CVE, sandwich pattern

βš”οΈ Adversary

adversarial-testing

red-team agent, attack, penetration test, find vulnerabilities, IPI test, run attack corpus

🎯 AgentSecBench

security-benchmarking

benchmark agent, security score, tier grade, ASB-Browser, citable security report, compare runs

πŸ”— Langchain

langchain-security

LangChain, callback, secure tool, RAG security, PII redaction

πŸ”Œ API

weave-api-calling

REST API, HTTP endpoint, curl, fetch

Installation:

The SKILL.md format is shared across Claude Code and Antigravity, so the same files work for both β€” only the install path differs.

git clone https://github.com/Tyox-all/Weave_Protocol.git
cd Weave_Protocol

# For Claude Code:
mkdir -p ~/.claude/skills/weave-protocol
cp */SKILL.md ~/.claude/skills/weave-protocol/

# For Google Antigravity (global, all sessions):
mkdir -p ~/.gemini/antigravity-cli/skills/weave-protocol
cp */SKILL.md ~/.gemini/antigravity-cli/skills/weave-protocol/

# Or per-project under .agents/:
mkdir -p .agents/skills/weave-protocol
cp /path/to/Weave_Protocol/*/SKILL.md .agents/skills/weave-protocol/

For Microsoft Agent Framework, skills aren't used β€” MSAF is code-level. Use the WardMiddleware class from @weave_protocol/adapter-msaf instead.


πŸš€ Quick Start

npx @weave_protocol/cli init

Option 2: Install everything

npm install @weave_protocol/full

Option 3: Install individual packages

npm install @weave_protocol/mund @weave_protocol/tollere @weave_protocol/ward

Option 4: Benchmark first, defend second

# See what attacks land on your agent before you start hardening
npx @weave_protocol/agentsecbench run --measure-ward-delta

Claude Desktop Integration (MCP)

Add to claude_desktop_config.json:

{
  "mcpServers": {
    "mund":       { "command": "npx", "args": ["-y", "@weave_protocol/mund"] },
    "hord":       { "command": "npx", "args": ["-y", "@weave_protocol/hord"] },
    "domere":     { "command": "npx", "args": ["-y", "@weave_protocol/domere"] },
    "hundredmen": { "command": "npx", "args": ["-y", "@weave_protocol/hundredmen"] },
    "tollere":    { "command": "npx", "args": ["-y", "@weave_protocol/tollere"] }
  }
}

Claude Code / Antigravity / MSAF Integration

# Anthropic
npm install -g @weave_protocol/adapter-claudecode && weave-claude-code init

# Google
npm install -g @weave_protocol/adapter-antigravity && weave-antigravity init

# Microsoft (code-level)
npm install @weave_protocol/adapter-msaf
import { WardMiddleware } from '@weave_protocol/adapter-msaf';
const ward = new WardMiddleware();
agent.useFunctionMiddleware(ward.functionMiddleware());

Drop a WARD.md in your project root. Any (or all) of the adapters will gate every tool call.


✨ Package Details

πŸ•ΈοΈ CLI β€” One Command for Everything

npx @weave_protocol/cli init        # detect framework, scaffold middleware
npx @weave_protocol/cli audit       # supply chain scan (Tollere)
npx @weave_protocol/cli dashboard   # launch monitoring UI
npx @weave_protocol/cli doctor      # environment health check

πŸ“„ Skill: weave-cli


πŸ›‘οΈ Ward β€” The Policy Standard

WARD.md files declare what an agent is allowed to do, version-controlled alongside AGENTS.md and SKILL.md.

Section

Controls

Filesystem

Read/write/execute/delete/list rules with glob patterns

Network

Outbound HTTP allowlist with optional method restrictions

Capabilities

Tools the agent may invoke (with optional approval gating)

Data Boundaries

Egress classifications (PII, PHI, credentials...) and redaction

Behavioral Limits

Iterations, runtime, cost, tokens, tool calls

Multi-Agent

Trust chain, isolation level, semantic drift threshold

Compliance

SOC2 / HIPAA / GDPR / CCPA / ISO27001 / PCI-DSS

Verification

Attestation backend (Dōmere), blockchain, frequency

Threat Model

In-scope / out-of-scope threats

Incident Response

Actions on violation (log / alert / terminate / attest)

Enforced at runtime by five independent surfaces: Hundredmen (MCP), adapter-claudecode (Claude Code), adapter-antigravity (Antigravity), adapter-msaf (Microsoft Agent Framework), and browser (Browser agents).

πŸ“„ Skill: ward Β· πŸ“‹ Spec: WARD.md SPEC β†’


πŸ›‘οΈ The Harness Adapters

All four enforcement surfaces share the same WARD.md file. Pick the adapter(s) for your harness:

  • adapter-claudecode β€” Claude Code via PreToolUse hooks

  • adapter-antigravity β€” Google Antigravity (one install, three surfaces)

  • adapter-msaf β€” Microsoft Agent Framework via middleware

  • browser β€” Browser agents (Playwright/Stagehand/Puppeteer-driven), 33-pattern IPI scanner

WARD resolution (all adapters): $WEAVE_WARD_PATH β†’ <cwd>/WARD.md β†’ <cwd>/.weave/WARD.md β†’ harness-specific user-global location.


πŸ›‘οΈ Mund β€” The Guardian

Real-time security scanning for AI agents. Catches secrets (30+ patterns), PII, prompt injection, dangerous code, malicious MCP server descriptions. Threat intel auto-updates from community feeds.

πŸ“„ Skill: security-scanning


πŸ›οΈ Hord β€” The Vault

Encrypted storage with the Yoxallismus dual-tumbler cipher. AES-256-GCM, ChaCha20-Poly1305, Argon2id key derivation, secure memory handling.

πŸ“„ Skill: encrypting-data


βš–οΈ Domere β€” The Judge

Enterprise-grade verification, orchestration, compliance, and audit infrastructure. SOC2, HIPAA, PCI-DSS, ISO27001, GDPR, CCPA. Solana and Ethereum blockchain anchoring for immutable audit trails.

Blockchain Anchoring:

  • Solana Mainnet: 6g7raTAHU2h331VKtfVtkS5pmuvR8vMYwjGsZF1CUj2o

  • Solana Devnet: BeCYVJYfbUu3k2TPGmh9VoGWeJwzm2hg2NdtnvbdBNCj

  • Ethereum: 0xAA8b52adD3CEce6269d14C6335a79df451543820

πŸ“„ Skill: compliance-auditing


πŸ‘₯ Witan β€” The Council

Multi-agent consensus and governance. Unanimous, majority, weighted, and quorum protocols. Rule enforcement, escalation, agent bus.

New in v1.1.0 β€” autonomous spending caps. Per-window budgets on LLM cost, tokens, tool calls, and per-tool spend limits. Gated by three actions: block, require_approval, notify. Multi-provider LLM pricing built in (Anthropic, OpenAI, Google, local). Interactive TTY prompt or async callback for approval workflows. Safe defaults for non-interactive contexts.

npx @weave_protocol/witan spending caps        # inspect WARD.md spending caps
npx @weave_protocol/witan spending simulate    # dry-run scenarios
import { SpendingTracker } from '@weave_protocol/witan/spending';

const tracker = new SpendingTracker({
  caps: [{ window: 'day', budget: { usd: 5.00 }, onExceeded: 'require_approval' }],
});
const check = await tracker.checkAction({ kind: 'tool', tool: 'send_payment', amountUSD: 1000 });
if (check.blocked) throw new Error(check.reason);
if (check.requiresApproval && !(await check.approve!())) throw new Error('denied');

πŸ“„ Skill: consensus-governance


πŸ” Hundredmen β€” The Watchers

Real-time MCP security proxy. v1.1.0 enforces WARD.md as the first gate in the decision flow, ahead of reputation, drift, and approval checks.

πŸ“„ Skill: security-inspection


πŸ›‚ Tollere β€” The Customs Inspector

Supply chain security for AI-generated code. Catches malicious packages, Docker images, and IDE extensions before they reach node_modules/, your container, or your editor. npm, PyPI, Cargo, Go, Maven, Docker Hub, VS Code Marketplace, Open VSX, JetBrains.

πŸ“„ Skill: supply-chain-security


βš”οΈ Adversary β€” The Red Team

Where the other packages defend, Adversary attacks. 68 documented and novel attacks across 5 categories: IPI (33), tool-use coercion (15), jailbreak (10), extraction (5), goal corruption (5). Three targets: pattern-mock (CI smoke tests, no API), real-LLM (--real via Anthropic API, ~$0.02/full run), and real-browser (Playwright with four breach signal channels: network, form, DOM, console). WARD-aware attack selection prioritizes probes against capabilities your policy claims to enforce.

npx @weave_protocol/adversary demo               # mock, ~50ms
npx @weave_protocol/adversary demo --real        # real LLM, ~$0.02
npx @weave_protocol/adversary attack --url=...   # real browser agent
npx @weave_protocol/adversary demo --real --redact-evidence   # shareable scorecard

Locked scorecard schema v1.0 β€” consumed unchanged by AgentSecBench.

πŸ“„ Skill: adversarial-testing


🎯 AgentSecBench β€” The Benchmark

The interpretation layer on top of Adversary. Locked, versioned attack suites that produce tier-graded reports. ASB-Browser-v1 (v1.0) is 40 curated attacks: all 33 IPI + 4 critical tool-coercion + 3 highest-impact extraction.

npx @weave_protocol/agentsecbench run                          # default suite, tier-graded report
npx @weave_protocol/agentsecbench run --measure-ward-delta     # quantify policy effectiveness
npx @weave_protocol/agentsecbench compare baseline.json new.json

Tier grades A–F, four trophy attacks (Atlan, EchoLeak, Brave/Comet, Forcepoint), category gap analysis, optional WARD delta, plain-English interpretation prose. Reports are paste-ready Markdown β€” for blog posts, RFP responses, vendor audits, internal reviews.

πŸ“„ Skill: security-benchmarking Β· πŸ“‹ Methodology: METHODOLOGY.md β†’


πŸ”Œ API + Operator Dashboard

npx @weave_protocol/api
# β†’ http://localhost:3000/dashboard

Live monitoring across all five enforcement surfaces in one view. The dashboard renders WARD.md at the top of a hierarchy diagram, fanning out to your configured enforcers (Hundredmen + the three vendor adapters + browser). Surfaces you're not using appear dimmed, so it's instantly clear what's protecting your agent versus what's available.

Includes a live activity feed (allows / denies / IPI detections / approvals), a WARD policy panel, and 24-hour aggregate stats. Auto-refreshes every 5 seconds. Monochrome design β€” built for ops rooms, not marketing decks.

πŸ“„ Skill: weave-api-calling


πŸ”— Langchain β€” The Bridge

Security integration for LangChain.js applications. Drop-in callbacks, secured tool wrappers, RAG retriever scanning with PII redaction.

πŸ“„ Skill: langchain-security


πŸ—οΈ Architecture

flowchart TD
    CLI["πŸ•ΈοΈ <b>weave init / audit</b><br/><i>front door β€” @weave_protocol/cli</i>"]
    WARD["πŸ›‘οΈ <b>WARD.md</b><br/><i>policy standard β€” declares what the agent can't do</i>"]
    CLI --> WARD

    WARD -.->|enforced at runtime by| HM
    WARD -.->|enforced at runtime by| CC
    WARD -.->|enforced at runtime by| AG
    WARD -.->|enforced at runtime by| MSAF
    WARD -.->|enforced at runtime by| BR

    HM["πŸ” <b>Hundredmen</b><br/>MCP layer<br/><i>open standard</i>"]
    CC["πŸ›‘οΈ <b>adapter-claudecode</b><br/>Anthropic<br/>βœ… Live"]
    AG["πŸ›‘οΈ <b>adapter-antigravity</b><br/>Google Β· desktop + agy + SDK<br/>βœ… Live"]
    MSAF["πŸ›‘οΈ <b>adapter-msaf</b><br/>Microsoft Β· middleware<br/>βœ… Live"]
    BR["🌐 <b>browser</b><br/>Browser agents<br/>βœ… Live"]

    HM --> AGENT
    CC --> AGENT
    AG --> AGENT
    MSAF --> AGENT
    BR --> AGENT

    subgraph AGENT["πŸ€– AI Agent System"]
        direction TB
        subgraph CORE["Defense β€” Core security"]
            direction LR
            MUND["πŸ›‘οΈ Mund<br/>Guardian<br/><i>scanning</i>"]
            HORD["πŸ›οΈ Hord<br/>Vault<br/><i>encryption</i>"]
            DOMERE["βš–οΈ Domere<br/>Judge<br/><i>compliance</i>"]
            WITAN["πŸ‘₯ Witan<br/>Council<br/><i>consensus</i>"]
        end
        subgraph OPS["Operations"]
            direction LR
            TOLLERE["πŸ›‚ Tollere<br/>Customs<br/><i>supply chain</i>"]
            API["πŸ”Œ API + Dashboard<br/><i>REST + UI</i>"]
            LC["πŸ”— LangChain bridge"]
        end
        CORE --> OPS
    end

    subgraph OFFENSIVE["βš”οΈ Offensive β€” we attack what we defend"]
        direction LR
        ADV["βš”οΈ <b>Adversary</b><br/>68 attacks Β· 5 categories<br/><i>offensive engine</i>"]
        ASB["🎯 <b>AgentSecBench</b><br/>locked suites Β· tier A–F<br/><i>citable benchmark</i>"]
        ADV --> ASB
    end

    AGENT -.->|attacked by| OFFENSIVE
    OFFENSIVE -.->|scorecards inform| WARD

    classDef policy fill:#1f2937,stroke:#60a5fa,stroke-width:2px,color:#fff
    classDef enforcer fill:#064e3b,stroke:#10b981,stroke-width:2px,color:#fff
    classDef core fill:#312e81,stroke:#818cf8,stroke-width:1px,color:#fff
    classDef ops fill:#1e3a8a,stroke:#60a5fa,stroke-width:1px,color:#fff
    classDef offensive fill:#7f1d1d,stroke:#ef4444,stroke-width:2px,color:#fff

    class CLI,WARD policy
    class HM,CC,AG,MSAF,BR enforcer
    class MUND,HORD,DOMERE,WITAN core
    class TOLLERE,API,LC ops
    class ADV,ASB offensive

The diagram shows the loop. Defense surfaces enforce the policy at runtime. The offensive engine attacks the agent. Scorecards feed back into WARD as new evidence β€” what attacks land, which need new policy domains, what regressed since the last release. The loop is what makes the moat.


πŸ” Security Model

Defense-in-depth across the entire AI agent lifecycle, validated continuously by an offensive engine that lives in the same monorepo:

  1. πŸ›‘οΈ Ward declares what the agent can and can't do (policy-as-code)

  2. πŸ›‘οΈ Harness adapters enforce WARD inside the IDE / CLI / framework:

    • adapter-claudecode for Claude Code (PreToolUse hooks)

    • adapter-antigravity for Google Antigravity (PreToolUse hooks across desktop/CLI/SDK)

    • adapter-msaf for Microsoft Agent Framework (middleware pipeline)

    • browser for browser-driving agents (runtime IPI scanning)

  3. πŸ›‚ Tollere inspects every dependency, image, and extension before it enters your project

  4. πŸ›‘οΈ Mund scans all inputs for threats before processing

  5. πŸ›οΈ Hord encrypts sensitive data at rest and in transit

  6. βš–οΈ Domere logs all actions with tamper-evident checksums and blockchain anchoring

  7. πŸ‘₯ Witan requires consensus for high-risk operations

  8. πŸ” Hundredmen intercepts and gates tool calls in real-time β€” enforcing WARD policy at the MCP layer

  9. πŸ”— Langchain / Python secures LangChain.js and LlamaIndex chains and agents

  10. βš”οΈ Adversary attacks the entire stack with 68 documented and novel attacks

  11. 🎯 AgentSecBench scores it, grades it A–F, and reports it in a standardized, citable format

CORS Model Integration

CORS Layer

Weave Package

Function

Policy

πŸ›‘οΈ Ward

Declares allowed/denied actions, behavioral limits, attestation requirements

Policy Enforcement (Claude Code)

πŸ›‘οΈ adapter-claudecode

Reads WARD, gates Claude Code tool calls via hooks

Policy Enforcement (Antigravity)

πŸ›‘οΈ adapter-antigravity

Reads WARD, gates Antigravity calls across desktop/CLI/SDK

Policy Enforcement (MSAF)

πŸ›‘οΈ adapter-msaf

Reads WARD, gates Microsoft Agent Framework calls via middleware

Policy Enforcement (Browser)

🌐 browser

Runtime IPI scanning for browser-driving agents

Policy Enforcement (MCP)

πŸ” Hundredmen

Reads WARD, gates tool calls at the MCP layer

Supply Chain

πŸ›‚ Tollere

Vets dependencies, images, extensions before install

Origin Validation

πŸ›‘οΈ Mund

Validates input sources, detects injection

Context Integrity

πŸ›οΈ Hord

Protects data integrity through encryption

Deterministic Enforcement

βš–οΈ Domere

Ensures consistent policy application

Adversarial Validation

βš”οΈ Adversary + 🎯 AgentSecBench

Continuously tests every layer above


πŸ› οΈ Development

git clone https://github.com/Tyox-all/Weave_Protocol.git
cd Weave_Protocol

# Build each package
for pkg in mund hord domere witan hundredmen tollere langchain api cli ward \
           adapter-claudecode adapter-antigravity adapter-msaf browser \
           adversary agentsecbench; do
  (cd $pkg && npm install && npm run build)
done

πŸ—ΊοΈ Roadmap

Shipped

  • GDPR / CCPA / SOC2 / HIPAA / PCI-DSS / ISO27001 compliance frameworks

  • MCP server reputation scoring

  • Automated threat intelligence updates

  • LangChain.js integration package

  • Python/LlamaIndex integration

  • Web dashboard for monitoring

  • Supply chain security (Tollere) β€” npm, PyPI, Cargo, Go, Maven, Docker images, IDE extensions, sandwich pattern detection

  • Bundle package + CLI (weave init)

  • WARD.md agent security policy standard

  • Hundredmen ↔ WARD enforcement integration (v1.1.0)

  • Claude Code harness adapter (Anthropic)

  • Google Antigravity harness adapter (Google)

  • Microsoft Agent Framework harness adapter (Microsoft)

  • Cross-platform thesis complete β€” same WARD.md works across all three major vendor harnesses + MCP

H2 2026 Q3 β€” Adoption Quarter

  • Browser agent security (@weave_protocol/browser)

  • Dashboard v2 with orchestration visualization

  • State of AI Agent Security: Q3 Report β€” Industry analysis of agent security trends, platform maturity, supply chain risks, and market gaps

H2 2026 Q4 β€” Moat Quarter

  • Adversarial agents (@weave_protocol/adversary v0.2.1) β€” 68 documented + novel attacks, real Playwright browser target, real-LLM demo mode

  • AgentSecBench (@weave_protocol/agentsecbench v0.1.0) β€” standardized benchmark, tier grades A–F

  • Witan autonomous spending caps (@weave_protocol/witan v1.1.0) β€” per-window budgets on LLM cost + tokens + tool calls, gated by block / approval / notify

  • Yoxallismus v2 (multi-agent, memory-aware, post-quantum cipher) β€” under-development / research, targeted for Q3 2027 release after external cryptographic review


🀝 Contributing

Bug reports and feature requests welcome via GitHub Issues.

For security issues, please see SECURITY.md.

For all other inquiries: TYox-all@tutamail.com

See CONTRIBUTING.md for guidelines.


πŸ“„ License

Apache 2.0 β€” See LICENSE



Built with ❀️ for the AI agent ecosystem. We attack what we defend.

A
license - permissive license
-
quality - not tested
A
maintenance

Maintenance

–Maintainers
11dResponse time
–Release cycle
–Releases (12mo)
Commit activity

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Tyox-all/Weave_Protocol'

If you have feedback or need assistance with the MCP directory API, please join our Discord server