Mund
πΈοΈ Weave_Protocol
Infrastructure security for AI agents. We attack what we defend.
Make agent behavior verifiable, auditable, and cryptographically provable across any harness, any platform. Built as a TypeScript monorepo with MCP integration, blockchain anchoring, and β as of Q4 β a published red-team engine that tests our own defenses.
The thesis: every security platform claims its defenses work. We're the first to publish the attacks that prove it. Same suite. Same scorecard. Same locked benchmark β applied to our own packages, every release.
π Get started in one command
npx @weave_protocol/cli initThe CLI detects your framework (LangChain, LlamaIndex, MCP, OpenAI, Anthropic, Microsoft, Google) and scaffolds the right security middleware for your stack. Or install everything at once:
npm install @weave_protocol/fullRelated MCP server: agent-audit
π What's New
βοΈ Q4 Moat Quarter β we attack what we defend
The first agent security platform to publish its own offensive engine. Two new packages flipped the suite from purely defensive to defense + offense in the same monorepo, validated against each other:
Package | Role | Version |
Offensive engine β 68 documented + novel attacks across 5 categories (IPI, tool-coercion, jailbreak, extraction, goal-corruption). Real Playwright browser target with 4 breach signal channels. Real-LLM demo mode via Anthropic API. | β v0.2.1 | |
Standardized benchmark β locked attack suites, tier grades AβF, paste-ready reports, side-by-side comparison | β v0.1.0 |
Trophy attacks β documented in-the-wild incidents reproduced in the corpus:
π¦ Atlan autonomous-fraud (Dec 2025) β first documented agent-driven financial fraud
π EchoLeak (CVE-2025-32711) β Microsoft Copilot zero-click exfil
π» Brave/Comet OTP exfil (2025) β browser agent secret leak via hidden CSS
π« Forcepoint false copyright (Apr 2026) β DoS via fake copyright claim
# Run the canonical benchmark against the demo target β proves the suite lands
npx @weave_protocol/agentsecbench run
# Or run the full 68-attack corpus directly
npx @weave_protocol/adversary demoWhy this matters: every model release, every WARD policy change, every adapter update can be re-benchmarked against the same locked suite. Did your score regress? agentsecbench compare will show you. Does your WARD policy actually defend anything? --measure-ward-delta will tell you. This is how a category gets defined.
See Adversary README β Β· See AgentSecBench README β Β· See METHODOLOGY.md β
π° Q4 Governance β autonomous spending caps
Every enterprise agent question today is "what's my ceiling on this thing?" β measured in dollars, not just tool calls. @weave_protocol/witan@1.1.0 answers it. Per-window budgets (run / hour / day / week / month) that gate LLM calls and tool calls, with three actions: block, require approval/consensus, or notify.
Multi-provider LLM pricing built in β Anthropic, OpenAI, Google, and local (free). Per-tool amount caps (send_payment max $500/day). Interactive TTY approval prompt for human-in-loop terminals. Async callback for Slack/PagerDuty/custom UIs. Safe defaults β never silent approval in non-interactive contexts.
npx @weave_protocol/witan@1.1.0 spending caps # inspect WARD.md caps
npx @weave_protocol/witan@1.1.0 spending simulate # dry-run scenarios# Extend your WARD.md:
spending_limits:
- window: day
budget: { usd: 5.00 }
on_exceeded: require_approval
- window: run
budget: { tool_calls: 100 }
on_exceeded: block
- window: day
budget:
tools:
send_payment: { max_amount_usd: 500 }
on_exceeded: require_approvalBackward compatible with the existing behavioral_limits.maxCostUSD. In-memory storage in v1.1 with a pluggable interface for the v1.2 Redis/SQLite backends. Programmatic API via import { SpendingTracker } from '@weave_protocol/witan/spending'.
See Witan spending caps README β
π‘οΈ Four runtimes. Three vendors. One policy file.
The thesis was that WARD.md could be a portable agent security standard β write it once, enforce it everywhere. As of today, that's shipped and live across the entire agent harness landscape:
Runtime | Vendor | Enforcer | Status |
MCP servers | Open standard | β Live on npm | |
Claude Code | Anthropic | β Live on npm | |
Google Antigravity (desktop + | β Live on npm | ||
Microsoft Agent Framework | Microsoft | β Live on npm | |
Browser agents | Open standard | β Live on npm |
The same WARD.md file in your project root is now read and enforced by Anthropic's, Google's, Microsoft's, MCP's, and the browser harness's runtimes β without any platform-specific edits.
my-agent-project/
βββ AGENTS.md # what the agent does
βββ SKILL.md # how the agent does it
βββ WARD.md # what the agent can't do β all five surfaces respect thisπ Browser agent security (Q3) β fifth enforcement surface
@weave_protocol/browser adds runtime IPI (indirect prompt injection) scanning to browser-driving agents. 33 detection patterns cover the documented threat surface: hidden CSS payloads, role-hijack directives, tool-call mimicry, action-injection directives, payment-recipient proximity patterns (Atlan), copyright-DoS markers (Forcepoint), and more.
Pair with the Browser Guard extension for client-side visibility into what your agent sees vs. what you see.
π State of AI Agent Security: Q3 2026 Report
Industry analysis of agent security trends, platform maturity, supply chain risks, and market gaps. Live at: tyox-all.github.io/Weave_Protocol/q3-2026.html
Previously shipped (Q3)
adapter-msaf v0.1.0 β Microsoft Agent Framework enforcement via middleware.
WardMiddlewareclass, one-line integration, Azure credential heuristic.adapter-antigravity v0.1.0 β Google Antigravity enforcement. One install protects desktop +
agyCLI + SDK.adapter-claudecode v0.1.0 β Claude Code enforcement via PreToolUse hooks.
Hundredmen v1.1.0 β WARD.md is now the first gate in the MCP decision flow, ahead of reputation/drift/approval.
WARD.md v0.1.0 β Agent security policy standard. Ten domains: filesystem, network, capabilities, data boundaries, behavioral limits, multi-agent, compliance, verification, threat model, incident response. Spec β
Tollere v0.2.2 β Multi-channel supply chain security. npm, PyPI, Cargo, Go, Maven, Docker Hub, VS Code Marketplace, Open VSX, JetBrains. Sandwich pattern detection.
Weave CLI v0.1.0 + Full Bundle v0.1.0 β
weave init/audit/dashboard/doctor. One-command security setup.
π¦ Packages
The suite is now organized into three layers β defense, offensive, and operations. All 17 packages live on npm under the @weave_protocol scope, plus one Python package on PyPI.
π‘οΈ Defense Layer (11 packages)
The packages that keep your agent within policy: declare it, enforce it across every harness, scan everything that enters, encrypt everything that exits.
Package | Version | Description |
0.1.0 | WARD.md β agent security policy standard (parser, validator, runtime checks) | |
0.1.0 | Claude Code adapter β enforces WARD.md via PreToolUse hooks | |
0.1.0 | Google Antigravity adapter β enforces WARD.md across desktop, | |
0.1.0 | Microsoft Agent Framework adapter β middleware-based WARD enforcement | |
0.1.0 | Browser agent security β runtime IPI scanner (33 patterns) for headless agents | |
1.1.0 | MCP proxy β intercept, scan, gate tool calls; enforces WARD.md as first gate | |
0.2.2 | Scanner β secrets, PII, injection, MCP vetting, threat intel | |
0.1.6 | Vault β encrypted storage with Yoxallismus dual-tumbler cipher | |
1.3.4 | Judge β compliance (PCI-DSS, ISO27001, SOC2, HIPAA, GDPR, CCPA), blockchain anchoring | |
1.1.0 | Council β multi-agent consensus & governance, autonomous spending caps (Q4 v1.1) | |
0.2.2 | Customs β supply chain security (npm, PyPI, Docker, IDE extensions, sandwich detection) |
βοΈ Offensive Layer (2 packages) β NEW Q4
The red team. We attack what we defend.
Package | Version | Description |
0.2.1 | Offensive engine β 68 attacks Β· real Playwright browser target Β· real-LLM demo mode Β· WARD-aware attack selection | |
0.1.0 | Standardized benchmark β locked suites (ASB-Browser-v1), tier grading AβF, trophy attacks, WARD delta, paste-ready reports |
π§ Operations & Integrations (5 packages, plus 1 PyPI)
The front door, the dashboard, the bridges to other frameworks.
Package | Version | Description |
0.1.0 | The | |
0.1.0 | Bundle β installs all packages in one command | |
1.1.1 | REST API + Operator Dashboard β | |
1.0.2 | LangChain.js security callbacks & tool wrappers (0 audit vulnerabilities via npm overrides) | |
0.1.0 | Python/LlamaIndex security callbacks & tools (on PyPI) |
π€ AI Agent Skills
Each package includes a SKILL.md file following the Claude Agent Skills specification. These teach AI agents how to use Weave Protocol tools effectively.
Package | Skill Name | Triggers |
πΈοΈ CLI |
| set up Weave, init project, scaffold security, audit, dashboard, doctor |
π‘οΈ Ward |
| WARD.md, agent security policy, guardrails, lock down agent |
π‘οΈ adapter-claudecode |
| secure Claude Code, install WARD hooks, block Claude Code actions |
π‘οΈ adapter-antigravity |
| secure Antigravity, agy hooks, block GCP credential reads |
π‘οΈ adapter-msaf |
| secure MSAF agent, WardMiddleware, lock down Copilot SDK, Azure enforcement |
π browser |
| secure browser agent, IPI scanning, hidden CSS detection, page-context safety |
π‘οΈ Mund |
| scan, detect secrets, check injection, vet MCP server, threat intel |
ποΈ Hord |
| encrypt, decrypt, vault, Yoxallismus, protect |
βοΈ Domere |
| audit, checkpoint, SOC2, HIPAA, PCI-DSS, GDPR, CCPA, blockchain |
π₯ Witan |
| consensus, vote, approve, policy, escalate |
π Hundredmen |
| intercept, drift, reputation, approve, block, live feed, enforce WARD |
π Tollere |
| npm install, docker pull, install extension, typosquat, CVE, sandwich pattern |
βοΈ Adversary |
| red-team agent, attack, penetration test, find vulnerabilities, IPI test, run attack corpus |
π― AgentSecBench |
| benchmark agent, security score, tier grade, ASB-Browser, citable security report, compare runs |
π Langchain |
| LangChain, callback, secure tool, RAG security, PII redaction |
π API |
| REST API, HTTP endpoint, curl, fetch |
Installation:
The SKILL.md format is shared across Claude Code and Antigravity, so the same files work for both β only the install path differs.
git clone https://github.com/Tyox-all/Weave_Protocol.git
cd Weave_Protocol
# For Claude Code:
mkdir -p ~/.claude/skills/weave-protocol
cp */SKILL.md ~/.claude/skills/weave-protocol/
# For Google Antigravity (global, all sessions):
mkdir -p ~/.gemini/antigravity-cli/skills/weave-protocol
cp */SKILL.md ~/.gemini/antigravity-cli/skills/weave-protocol/
# Or per-project under .agents/:
mkdir -p .agents/skills/weave-protocol
cp /path/to/Weave_Protocol/*/SKILL.md .agents/skills/weave-protocol/For Microsoft Agent Framework, skills aren't used β MSAF is code-level. Use the WardMiddleware class from @weave_protocol/adapter-msaf instead.
π Quick Start
Option 1: Guided setup (recommended)
npx @weave_protocol/cli initOption 2: Install everything
npm install @weave_protocol/fullOption 3: Install individual packages
npm install @weave_protocol/mund @weave_protocol/tollere @weave_protocol/wardOption 4: Benchmark first, defend second
# See what attacks land on your agent before you start hardening
npx @weave_protocol/agentsecbench run --measure-ward-deltaClaude Desktop Integration (MCP)
Add to claude_desktop_config.json:
{
"mcpServers": {
"mund": { "command": "npx", "args": ["-y", "@weave_protocol/mund"] },
"hord": { "command": "npx", "args": ["-y", "@weave_protocol/hord"] },
"domere": { "command": "npx", "args": ["-y", "@weave_protocol/domere"] },
"hundredmen": { "command": "npx", "args": ["-y", "@weave_protocol/hundredmen"] },
"tollere": { "command": "npx", "args": ["-y", "@weave_protocol/tollere"] }
}
}Claude Code / Antigravity / MSAF Integration
# Anthropic
npm install -g @weave_protocol/adapter-claudecode && weave-claude-code init
# Google
npm install -g @weave_protocol/adapter-antigravity && weave-antigravity init
# Microsoft (code-level)
npm install @weave_protocol/adapter-msafimport { WardMiddleware } from '@weave_protocol/adapter-msaf';
const ward = new WardMiddleware();
agent.useFunctionMiddleware(ward.functionMiddleware());Drop a WARD.md in your project root. Any (or all) of the adapters will gate every tool call.
β¨ Package Details
πΈοΈ CLI β One Command for Everything
npx @weave_protocol/cli init # detect framework, scaffold middleware
npx @weave_protocol/cli audit # supply chain scan (Tollere)
npx @weave_protocol/cli dashboard # launch monitoring UI
npx @weave_protocol/cli doctor # environment health checkπ Skill: weave-cli
π‘οΈ Ward β The Policy Standard
WARD.md files declare what an agent is allowed to do, version-controlled alongside AGENTS.md and SKILL.md.
Section | Controls |
Filesystem | Read/write/execute/delete/list rules with glob patterns |
Network | Outbound HTTP allowlist with optional method restrictions |
Capabilities | Tools the agent may invoke (with optional approval gating) |
Data Boundaries | Egress classifications (PII, PHI, credentials...) and redaction |
Behavioral Limits | Iterations, runtime, cost, tokens, tool calls |
Multi-Agent | Trust chain, isolation level, semantic drift threshold |
Compliance | SOC2 / HIPAA / GDPR / CCPA / ISO27001 / PCI-DSS |
Verification | Attestation backend (DΕmere), blockchain, frequency |
Threat Model | In-scope / out-of-scope threats |
Incident Response | Actions on violation (log / alert / terminate / attest) |
Enforced at runtime by five independent surfaces: Hundredmen (MCP), adapter-claudecode (Claude Code), adapter-antigravity (Antigravity), adapter-msaf (Microsoft Agent Framework), and browser (Browser agents).
π Skill: ward Β· π Spec: WARD.md SPEC β
π‘οΈ The Harness Adapters
All four enforcement surfaces share the same WARD.md file. Pick the adapter(s) for your harness:
adapter-claudecode β Claude Code via PreToolUse hooks
adapter-antigravity β Google Antigravity (one install, three surfaces)
adapter-msaf β Microsoft Agent Framework via middleware
browser β Browser agents (Playwright/Stagehand/Puppeteer-driven), 33-pattern IPI scanner
WARD resolution (all adapters): $WEAVE_WARD_PATH β <cwd>/WARD.md β <cwd>/.weave/WARD.md β harness-specific user-global location.
π‘οΈ Mund β The Guardian
Real-time security scanning for AI agents. Catches secrets (30+ patterns), PII, prompt injection, dangerous code, malicious MCP server descriptions. Threat intel auto-updates from community feeds.
π Skill: security-scanning
ποΈ Hord β The Vault
Encrypted storage with the Yoxallismus dual-tumbler cipher. AES-256-GCM, ChaCha20-Poly1305, Argon2id key derivation, secure memory handling.
π Skill: encrypting-data
βοΈ Domere β The Judge
Enterprise-grade verification, orchestration, compliance, and audit infrastructure. SOC2, HIPAA, PCI-DSS, ISO27001, GDPR, CCPA. Solana and Ethereum blockchain anchoring for immutable audit trails.
Blockchain Anchoring:
Solana Mainnet:
6g7raTAHU2h331VKtfVtkS5pmuvR8vMYwjGsZF1CUj2oSolana Devnet:
BeCYVJYfbUu3k2TPGmh9VoGWeJwzm2hg2NdtnvbdBNCjEthereum:
0xAA8b52adD3CEce6269d14C6335a79df451543820
π Skill: compliance-auditing
π₯ Witan β The Council
Multi-agent consensus and governance. Unanimous, majority, weighted, and quorum protocols. Rule enforcement, escalation, agent bus.
New in v1.1.0 β autonomous spending caps. Per-window budgets on LLM cost, tokens, tool calls, and per-tool spend limits. Gated by three actions: block, require_approval, notify. Multi-provider LLM pricing built in (Anthropic, OpenAI, Google, local). Interactive TTY prompt or async callback for approval workflows. Safe defaults for non-interactive contexts.
npx @weave_protocol/witan spending caps # inspect WARD.md spending caps
npx @weave_protocol/witan spending simulate # dry-run scenariosimport { SpendingTracker } from '@weave_protocol/witan/spending';
const tracker = new SpendingTracker({
caps: [{ window: 'day', budget: { usd: 5.00 }, onExceeded: 'require_approval' }],
});
const check = await tracker.checkAction({ kind: 'tool', tool: 'send_payment', amountUSD: 1000 });
if (check.blocked) throw new Error(check.reason);
if (check.requiresApproval && !(await check.approve!())) throw new Error('denied');π Skill: consensus-governance
π Hundredmen β The Watchers
Real-time MCP security proxy. v1.1.0 enforces WARD.md as the first gate in the decision flow, ahead of reputation, drift, and approval checks.
π Skill: security-inspection
π Tollere β The Customs Inspector
Supply chain security for AI-generated code. Catches malicious packages, Docker images, and IDE extensions before they reach node_modules/, your container, or your editor. npm, PyPI, Cargo, Go, Maven, Docker Hub, VS Code Marketplace, Open VSX, JetBrains.
π Skill: supply-chain-security
βοΈ Adversary β The Red Team
Where the other packages defend, Adversary attacks. 68 documented and novel attacks across 5 categories: IPI (33), tool-use coercion (15), jailbreak (10), extraction (5), goal corruption (5). Three targets: pattern-mock (CI smoke tests, no API), real-LLM (--real via Anthropic API, ~$0.02/full run), and real-browser (Playwright with four breach signal channels: network, form, DOM, console). WARD-aware attack selection prioritizes probes against capabilities your policy claims to enforce.
npx @weave_protocol/adversary demo # mock, ~50ms
npx @weave_protocol/adversary demo --real # real LLM, ~$0.02
npx @weave_protocol/adversary attack --url=... # real browser agent
npx @weave_protocol/adversary demo --real --redact-evidence # shareable scorecardLocked scorecard schema v1.0 β consumed unchanged by AgentSecBench.
π Skill: adversarial-testing
π― AgentSecBench β The Benchmark
The interpretation layer on top of Adversary. Locked, versioned attack suites that produce tier-graded reports. ASB-Browser-v1 (v1.0) is 40 curated attacks: all 33 IPI + 4 critical tool-coercion + 3 highest-impact extraction.
npx @weave_protocol/agentsecbench run # default suite, tier-graded report
npx @weave_protocol/agentsecbench run --measure-ward-delta # quantify policy effectiveness
npx @weave_protocol/agentsecbench compare baseline.json new.jsonTier grades AβF, four trophy attacks (Atlan, EchoLeak, Brave/Comet, Forcepoint), category gap analysis, optional WARD delta, plain-English interpretation prose. Reports are paste-ready Markdown β for blog posts, RFP responses, vendor audits, internal reviews.
π Skill: security-benchmarking Β· π Methodology: METHODOLOGY.md β
π API + Operator Dashboard
npx @weave_protocol/api
# β http://localhost:3000/dashboardLive monitoring across all five enforcement surfaces in one view. The dashboard renders WARD.md at the top of a hierarchy diagram, fanning out to your configured enforcers (Hundredmen + the three vendor adapters + browser). Surfaces you're not using appear dimmed, so it's instantly clear what's protecting your agent versus what's available.
Includes a live activity feed (allows / denies / IPI detections / approvals), a WARD policy panel, and 24-hour aggregate stats. Auto-refreshes every 5 seconds. Monochrome design β built for ops rooms, not marketing decks.
π Skill: weave-api-calling
π Langchain β The Bridge
Security integration for LangChain.js applications. Drop-in callbacks, secured tool wrappers, RAG retriever scanning with PII redaction.
π Skill: langchain-security
ποΈ Architecture
flowchart TD
CLI["πΈοΈ <b>weave init / audit</b><br/><i>front door β @weave_protocol/cli</i>"]
WARD["π‘οΈ <b>WARD.md</b><br/><i>policy standard β declares what the agent can't do</i>"]
CLI --> WARD
WARD -.->|enforced at runtime by| HM
WARD -.->|enforced at runtime by| CC
WARD -.->|enforced at runtime by| AG
WARD -.->|enforced at runtime by| MSAF
WARD -.->|enforced at runtime by| BR
HM["π <b>Hundredmen</b><br/>MCP layer<br/><i>open standard</i>"]
CC["π‘οΈ <b>adapter-claudecode</b><br/>Anthropic<br/>β
Live"]
AG["π‘οΈ <b>adapter-antigravity</b><br/>Google Β· desktop + agy + SDK<br/>β
Live"]
MSAF["π‘οΈ <b>adapter-msaf</b><br/>Microsoft Β· middleware<br/>β
Live"]
BR["π <b>browser</b><br/>Browser agents<br/>β
Live"]
HM --> AGENT
CC --> AGENT
AG --> AGENT
MSAF --> AGENT
BR --> AGENT
subgraph AGENT["π€ AI Agent System"]
direction TB
subgraph CORE["Defense β Core security"]
direction LR
MUND["π‘οΈ Mund<br/>Guardian<br/><i>scanning</i>"]
HORD["ποΈ Hord<br/>Vault<br/><i>encryption</i>"]
DOMERE["βοΈ Domere<br/>Judge<br/><i>compliance</i>"]
WITAN["π₯ Witan<br/>Council<br/><i>consensus</i>"]
end
subgraph OPS["Operations"]
direction LR
TOLLERE["π Tollere<br/>Customs<br/><i>supply chain</i>"]
API["π API + Dashboard<br/><i>REST + UI</i>"]
LC["π LangChain bridge"]
end
CORE --> OPS
end
subgraph OFFENSIVE["βοΈ Offensive β we attack what we defend"]
direction LR
ADV["βοΈ <b>Adversary</b><br/>68 attacks Β· 5 categories<br/><i>offensive engine</i>"]
ASB["π― <b>AgentSecBench</b><br/>locked suites Β· tier AβF<br/><i>citable benchmark</i>"]
ADV --> ASB
end
AGENT -.->|attacked by| OFFENSIVE
OFFENSIVE -.->|scorecards inform| WARD
classDef policy fill:#1f2937,stroke:#60a5fa,stroke-width:2px,color:#fff
classDef enforcer fill:#064e3b,stroke:#10b981,stroke-width:2px,color:#fff
classDef core fill:#312e81,stroke:#818cf8,stroke-width:1px,color:#fff
classDef ops fill:#1e3a8a,stroke:#60a5fa,stroke-width:1px,color:#fff
classDef offensive fill:#7f1d1d,stroke:#ef4444,stroke-width:2px,color:#fff
class CLI,WARD policy
class HM,CC,AG,MSAF,BR enforcer
class MUND,HORD,DOMERE,WITAN core
class TOLLERE,API,LC ops
class ADV,ASB offensiveThe diagram shows the loop. Defense surfaces enforce the policy at runtime. The offensive engine attacks the agent. Scorecards feed back into WARD as new evidence β what attacks land, which need new policy domains, what regressed since the last release. The loop is what makes the moat.
π Security Model
Defense-in-depth across the entire AI agent lifecycle, validated continuously by an offensive engine that lives in the same monorepo:
π‘οΈ Ward declares what the agent can and can't do (policy-as-code)
π‘οΈ Harness adapters enforce WARD inside the IDE / CLI / framework:
adapter-claudecodefor Claude Code (PreToolUse hooks)adapter-antigravityfor Google Antigravity (PreToolUse hooks across desktop/CLI/SDK)adapter-msaffor Microsoft Agent Framework (middleware pipeline)browserfor browser-driving agents (runtime IPI scanning)
π Tollere inspects every dependency, image, and extension before it enters your project
π‘οΈ Mund scans all inputs for threats before processing
ποΈ Hord encrypts sensitive data at rest and in transit
βοΈ Domere logs all actions with tamper-evident checksums and blockchain anchoring
π₯ Witan requires consensus for high-risk operations
π Hundredmen intercepts and gates tool calls in real-time β enforcing WARD policy at the MCP layer
π Langchain / Python secures LangChain.js and LlamaIndex chains and agents
βοΈ Adversary attacks the entire stack with 68 documented and novel attacks
π― AgentSecBench scores it, grades it AβF, and reports it in a standardized, citable format
CORS Model Integration
CORS Layer | Weave Package | Function |
Policy | π‘οΈ Ward | Declares allowed/denied actions, behavioral limits, attestation requirements |
Policy Enforcement (Claude Code) | π‘οΈ adapter-claudecode | Reads WARD, gates Claude Code tool calls via hooks |
Policy Enforcement (Antigravity) | π‘οΈ adapter-antigravity | Reads WARD, gates Antigravity calls across desktop/CLI/SDK |
Policy Enforcement (MSAF) | π‘οΈ adapter-msaf | Reads WARD, gates Microsoft Agent Framework calls via middleware |
Policy Enforcement (Browser) | π browser | Runtime IPI scanning for browser-driving agents |
Policy Enforcement (MCP) | π Hundredmen | Reads WARD, gates tool calls at the MCP layer |
Supply Chain | π Tollere | Vets dependencies, images, extensions before install |
Origin Validation | π‘οΈ Mund | Validates input sources, detects injection |
Context Integrity | ποΈ Hord | Protects data integrity through encryption |
Deterministic Enforcement | βοΈ Domere | Ensures consistent policy application |
Adversarial Validation | βοΈ Adversary + π― AgentSecBench | Continuously tests every layer above |
π οΈ Development
git clone https://github.com/Tyox-all/Weave_Protocol.git
cd Weave_Protocol
# Build each package
for pkg in mund hord domere witan hundredmen tollere langchain api cli ward \
adapter-claudecode adapter-antigravity adapter-msaf browser \
adversary agentsecbench; do
(cd $pkg && npm install && npm run build)
doneπΊοΈ Roadmap
Shipped
GDPR / CCPA / SOC2 / HIPAA / PCI-DSS / ISO27001 compliance frameworks
MCP server reputation scoring
Automated threat intelligence updates
LangChain.js integration package
Python/LlamaIndex integration
Web dashboard for monitoring
Supply chain security (Tollere) β npm, PyPI, Cargo, Go, Maven, Docker images, IDE extensions, sandwich pattern detection
Bundle package + CLI (
weave init)WARD.md agent security policy standard
Hundredmen β WARD enforcement integration (v1.1.0)
Claude Code harness adapter (Anthropic)
Google Antigravity harness adapter (Google)
Microsoft Agent Framework harness adapter (Microsoft)
Cross-platform thesis complete β same WARD.md works across all three major vendor harnesses + MCP
H2 2026 Q3 β Adoption Quarter
Browser agent security (
@weave_protocol/browser)Dashboard v2 with orchestration visualization
State of AI Agent Security: Q3 Report β Industry analysis of agent security trends, platform maturity, supply chain risks, and market gaps
H2 2026 Q4 β Moat Quarter
Adversarial agents (
@weave_protocol/adversaryv0.2.1) β 68 documented + novel attacks, real Playwright browser target, real-LLM demo modeAgentSecBench (
@weave_protocol/agentsecbenchv0.1.0) β standardized benchmark, tier grades AβFWitan autonomous spending caps (
@weave_protocol/witanv1.1.0) β per-window budgets on LLM cost + tokens + tool calls, gated by block / approval / notifyYoxallismus v2 (multi-agent, memory-aware, post-quantum cipher) β under-development / research, targeted for Q3 2027 release after external cryptographic review
π€ Contributing
Bug reports and feature requests welcome via GitHub Issues.
For security issues, please see SECURITY.md.
For all other inquiries: TYox-all@tutamail.com
See CONTRIBUTING.md for guidelines.
π License
Apache 2.0 β See LICENSE
π Links
npm packages: https://www.npmjs.com/~tyox-all
MCP Registry: https://registry.modelcontextprotocol.io (search "mund")
Q3 2026 Report: https://tyox-all.github.io/Weave_Protocol/q3-2026.html
Adversary on npm: https://www.npmjs.com/package/@weave_protocol/adversary
AgentSecBench on npm: https://www.npmjs.com/package/@weave_protocol/agentsecbench
Built with β€οΈ for the AI agent ecosystem. We attack what we defend.
This server cannot be installed
Maintenance
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Tyox-all/Weave_Protocol'
If you have feedback or need assistance with the MCP directory API, please join our Discord server