authensor-mcp-server

Two Sides of the Same Problem

Most AI safety tooling either defends or attacks. Authensor does both.

Free safety stack. Open-source, MIT-licensed, self-hostable. Policy engine, content scanner, behavioral monitor, cryptographic audit trail, approval workflows. Deploy it, protect your agents, pay nothing.

Frontier adversarial red teaming. Automated, mass-scale safety testing. Thousands of multi-step attack chains against your agents, MCP servers, and safety infrastructure. We break it before someone else does.

We give away the defense because safety tooling shouldn't have a paywall. We sell the offense because finding out your system breaks after deployment costs more.

Track Record

• 168+ repos audited across NVIDIA, Microsoft, Meta, Google, HuggingFace, OpenAI, and 50+ organizations

• 350+ verified vulnerabilities, 126 responsible disclosure reports prepared, coordinated disclosure in progress

• 2 novel vulnerability classes -- SafeTensors Bypass (pickle inside "safe" model files) and AST Sandbox Escape via allowed library semantics

• Critical findings in PyTorch core, DeepSpeed, BentoML, TorchServe, Ray, Ollama, vLLM, LangChain, Gradio, NVIDIA Triton, and dozens more

• Security fix merged into UK AISI's ControlArena (PR #798)

• Found that NVIDIA's NeMo Guardrails loads its jailbreak classifier via pickle.load()

• Found SQL injection in Microsoft's AI red teaming tool (PyRIT)

The systems built to secure AI have bugs. We find them.

Try It in 30 Seconds

npx @authensor/create-authensor my-agent
cd my-agent && npm install && npm run demo

The demo runs an agent that attempts destructive file operations, unauthorized API calls, and data exfiltration. Authensor catches each one through policy enforcement, content scanning, and approval workflows.

One-Click Deploy

The Free Safety Stack

Everything below is open-source, self-hostable, MIT-licensed. No usage-based pricing. No enterprise sales calls. No feature gates.

We open-source all of this because safety tooling shouldn't have a paywall. The more people who deploy proper agent governance, the safer the ecosystem gets for everyone.

Architecture

+---------------------------------------------------------------------+
|                           Your Agent                                |
|  (Claude, GPT, LangChain, CrewAI, Vercel AI, custom, etc.)          |
+----------------------------------+----------------------------------+
                                   | SDK / MCP / Hook
                                   v
+---------------------------------------------------------------------+
|                          Authensor Stack                            |
|                                                                     |
|  +------------+  +------------+  +------------+  +--------------+   |
|  |   Aegis    |->|   Engine   |->|  Control   |->|   Sentinel   |   |
|  |  (content  |  |   (pure    |  |   Plane    |  |  (real-time  |   |
|  |   safety)  |  |   logic)   |  |  (HTTP API)|  |  monitoring) |   |
|  +------------+  +------------+  +-----+------+  +--------------+   |
|                                        |                            |
|  +------------+  +------------+  +-----v------+  +--------------+   |
|  |  SafeClaw  |  |SpiroGrapher|  |  Receipts  |  |   Adapters   |   |
|  |(local gate)|  |(web govern)|  |(hash chain)|  | (8 adapters) |   |
|  +------------+  +------------+  +------------+  +--------------+   |
+---------------------------------------------------------------------+

How It Works

Agent wants to act
  │
  ▼
Action Envelope created (who, what, where, constraints)
  │
  ▼
Aegis scans for injection, jailbreak, PII, memory poisoning
  │
  ▼
Session rules check forbidden sequences + risk threshold
  │
  ▼
Policy engine evaluates conditions, rate limits, budgets
  │
  ▼
Decision: allow | deny | require_approval | rate_limited
  │
  ▼
Receipt created (hash-chained, policy-versioned)
  │
  ▼
Sentinel monitors for anomalies
  │
  ▼
Action executes (or doesn't) → receipt updated

Five Layers

Packages

Core

Framework Adapters

Companion Tools

Quickstart

Self-hosted (recommended)

git clone https://github.com/authensor/authensor.git
cd authensor
docker compose up -d
# Control plane running at http://localhost:3000
# Admin token printed to logs: docker compose logs control-plane

That's it. Postgres starts, migrations run, a bootstrap admin key is created, and a default-safe policy (deny-by-default) is provisioned. Aegis content safety and Sentinel monitoring are enabled out of the box.

Add to any agent (TypeScript)

import { Authensor } from '@authensor/sdk';

const authensor = new Authensor({
  controlPlaneUrl: 'http://localhost:3000',
  principalId: 'my-agent',
});

const result = await authensor.execute(
  'stripe.charges.create',
  'stripe://customers/cus_123/charges',
  async () => stripe.charges.create({ amount: 1000, currency: 'usd' }),
  { constraints: { maxAmount: 10000 } }
);
// Receipt created, policy enforced, action audited

Add to any agent (Python)

from authensor import Authensor

async with Authensor(
    control_plane_url="http://localhost:3000",
    principal_id="my-agent",
) as authensor:
    result = await authensor.execute(
        action_type="stripe.charges.create",
        resource="stripe://customers/cus_123/charges",
        executor=lambda: create_charge(),
        constraints={"max_amount": 10000},
    )

Framework adapters

Drop-in integration for popular agent frameworks:

// LangChain / LangGraph
import { AuthensorGuardrail } from '@authensor/langchain';
const guardrail = new AuthensorGuardrail({ controlPlaneUrl: '...' });

// OpenAI Agents SDK
import { AuthensorGuardrail } from '@authensor/openai';

// CrewAI
import { AuthensorGuardrail } from '@authensor/crewai';

// Vercel AI SDK
import { AuthensorGuardrail } from '@authensor/vercel-ai-sdk';

// Claude Agent SDK
import { AuthensorGuardrail } from '@authensor/claude-agent-sdk';

// Claude Code (hooks-based integration)
// See docs/claude-code-hooks.md

Why Authensor

1. Defense and offense, same team. The safety stack is free. The adversarial testing that proves it holds (or shows where it doesn't) is the service.

2. Action-level governance. Not prompt filtering. Authensor evaluates what the agent does: every tool call, API request, and side effect goes through policy before execution.

3. Research-validated. 350+ verified vulnerabilities across 168+ repos. Two novel vulnerability classes. We broke PyTorch, DeepSpeed, BentoML, TorchServe, and the tools built to secure AI (NeMo Guardrails, PyRIT, Garak). When we test yours, we test at that depth.

4. Seven layers. Aegis content scanning, session rules, policy engine, approval workflows, Sentinel behavioral monitoring, hash-chained receipts, TOCTOU protection.

5. Fail-closed. No policy loaded? Denied. Control plane unreachable? Denied. Unknown action type? Denied.

6. Cross-provider. Claude, GPT, LangChain, CrewAI, Vercel AI, Claude Code, or any framework. One safety layer, all your agents.

7. Free stack, paid testing. Self-host everything at no cost. No usage-based pricing, no feature gates on safety. Revenue comes from adversarial testing services, not from gating the defense.

Features

Content Safety (Aegis)

Zero-dependency content scanner that runs before policy evaluation:

• Prompt injection detection -- 15+ heuristic rules

• Jailbreak detection -- pattern matching for common bypass techniques

• PII detection -- emails, SSNs, credit cards, phone numbers

• Memory poisoning detection -- 22 MINJA-informed rules for persistent memory attacks

• Multimodal safety -- 6 heuristic categories for image/file content

• Output scanning -- post-execution content validation

Session Rules

Detect privilege escalation through multi-action patterns:

• Forbidden sequences -- block [auth.login, admin.escalate] chains with glob matching

• Risk scoring -- cumulative per-session risk with configurable weights

• Max actions -- cap total actions per session

• Lookback windows -- configurable history depth for sequence matching

Budget Enforcement

Per-principal spending limits with period-based resets:

• Daily, weekly, monthly, or yearly periods

• Per-action cost caps

• Alert thresholds at configurable utilization levels

• Budget utilization exposed via OpenTelemetry metrics

Real-Time Monitoring (Sentinel)

Zero-dependency anomaly detection engine:

• Per-agent baselines via EWMA (Exponentially Weighted Moving Average)

• CUSUM change detection for gradual behavioral drift

• Configurable alerts on deny rate, latency, cost, chain depth, and fan-out

• Cross-agent chain tracking -- depth and fan-out metrics for delegation chains

Shadow/Canary Policy Testing

Test new policies alongside active ones without enforcement:

• ?shadow=policy-id query parameter or AUTHENSOR_SHADOW_POLICY_ID env var

• Divergence reports: agreement rate, rule breakdown, per-receipt comparison

• Zero-risk policy migration path

Transparency & Compliance

• Hash-chained receipts -- SHA-256 chain makes audit trail tamper-evident

• Sigstore/Rekor integration -- optional publishing to public transparency log

• Cross-agent tracing -- parentReceiptId links receipts across delegation chains

• TOCTOU protection -- re-evaluates policy on claim to prevent stale-approval attacks

• Principal binding -- bind API keys to specific agent identities

• OpenTelemetry -- spans and metrics for every evaluation

OWASP Agentic Top 10 Coverage

Authensor addresses all 10 risks in the OWASP Top 10 for Agentic Applications (2026):

See full OWASP alignment document for detailed mapping.

Compliance

Authensor's architecture maps directly to major regulatory requirements:

• EU AI Act (August 2, 2026 deadline): Article 12 logging via receipt chain, Article 14 human oversight via approval workflows. See compliance guide.

• SOC 2: Immutable audit trail, RBAC, rate limiting, access logging

• SOX: Segregation of duties via approval workflows, receipt retention support

• HIPAA: Action-level audit logging, access controls, principal binding

• NIST AI RMF: Govern, Map, Measure, Manage pillars addressed via policies, receipts, and controls

Adversarial Red Teaming

Defense without testing is hope.

Proprietary automated pipeline. Same methodology that produced 350+ verified vulnerabilities across 168+ repos at NVIDIA, Microsoft, Meta, Google, HuggingFace, OpenAI, and 50+ other organizations. Two novel vulnerability classes discovered.

Your AI system
      │
      ▼
Authensor Red Team Pipeline
      │
      ├── Static + dynamic analysis (custom rules, not off-the-shelf)
      ├── ML-specific vulnerability detection
      ├── Multi-signal correlation and attack chain discovery
      └── Automated triage + false positive elimination
      │
      ▼
CVE-quality output
      │
      ├── Verified findings with reproduction steps
      ├── CVSS scoring with exploitability assessment
      ├── Remediation recommendations
      └── PR patches where applicable

What Gets Tested

How It Works

Chainbreaker is the engine. It generates and executes multi-step attack chains using:

• MITRE ATLAS mapping -- every attack chain maps to documented tactics and techniques

• 15-dimension Chainbreaker Behavioral Score (CBS) -- quantitative safety rating, not vibes

• Automated at scale -- thousands of attack variations, not a handful of manual tests

• Rust core -- fast, auditable, zero runtime dependencies

Findings feed back into Authensor's defense layer: new Aegis detection rules, policy templates, Sentinel behavioral signatures. The loop closes.

For Auditors and Certification Bodies

If you're conducting AI safety assessments (AIUC-1, EU AI Act conformity, NIST AI RMF): the evaluation frameworks underlying those assessments have confirmed vulnerabilities we documented. We validate assessment infrastructure itself. Testing whether your testing works.

Contact: security@authensor.com

API Reference

Self-Hosting vs. Hosted

Everything is open source. Self-host it all, or use the managed version:

Deployment

Docker Compose (simplest)

docker compose up -d

Helm (Kubernetes)

helm install authensor deploy/helm/authensor \
  --set postgresql.auth.password=your-password \
  --set controlPlane.env.AUTHENSOR_BOOTSTRAP_ADMIN_TOKEN=your-token

Terraform

Modules available for AWS (ECS + RDS), GCP (Cloud Run + Cloud SQL), and Railway:

cd deploy/terraform/aws
terraform init && terraform apply

One-line install (CLI only)

curl -fsSL https://raw.githubusercontent.com/authensor/authensor/main/install.sh | sh

CLI

# Lint a policy for common issues
authensor policy lint policy.json

# Test a policy against scenarios
authensor policy test policy.json scenarios.json

# Diff two policy versions
authensor policy diff v1.json v2.json

Development

# Prerequisites: Node.js 20+, Docker, pnpm
corepack enable
pnpm install

# Start the stack
docker compose up -d    # Postgres + control plane
pnpm dev                # Dev servers with hot reload

# Test (1,148+ tests across 16 packages)
pnpm test

# Build all packages
pnpm build

# Verify generated types match schemas
pnpm gen:check

Contributing

We welcome contributions! See CONTRIBUTING.md for guidelines.

Authensor is built on the belief that safety tooling should not have a paywall. We open-source every line of safety code because the more people who use these tools, the safer agents get for everyone.

License

MIT -- use it however you want.