SARK (Security Audit and Resource Kontroler)

Enterprise-Grade Multi-Protocol AI Governance Platform

"He's not any kind of user, SARK, he's a program." —MCP, probably

SARK provides zero-trust governance for AI deployments at scale. Built for Model Context Protocol (MCP), with support for MCP, HTTP/REST, gRPC, and custom protocols through a universal adapter interface.

Target Scale: 50,000+ employees, 10,000+ AI resources

📖 Quick Start | Changelog | Full Documentation

---

What is This?

The Problem: AI assistants accessing enterprise systems (databases, APIs, cloud infrastructure) without governance creates security chaos—no visibility, no control, no audit trail.

The Solution: SARK sits between AI and your systems, providing:

• 🔐 Authentication - OIDC, LDAP, SAML, API Keys
• 🛡️ Authorization - Policy-based access control (OPA)
• 📊 Audit - Complete trail of every AI action
• ⚡ Performance - <100ms p95 latency, 847 req/s sustained

Example: Developer asks AI "Show P0 bugs for my team" → AI uses MCP → SARK validates auth & policy → If approved, executes → Logs everything.

📖 What is MCP? | Architecture | Use Cases

---

Quick Start

Prerequisites:

• Python 3.11+
• Rust 1.92+ (install Rust) - Required for building native extensions

# 1. Clone and setup
git clone <repository-url>
cd sark
python3.11 -m venv venv && source venv/bin/activate
pip install -e ".[dev]"

# 2. Build Rust extensions
maturin develop

# 3. Start services
docker compose --profile full up -d

# 4. Access UI and API
# UI: http://localhost:5173 (admin/password)
# API: http://localhost:8000/docs

Next Steps:

• 📖 15-Minute Quick Start - Complete getting started guide
• 💻 Development Guide - Development workflow and standards
• 🎓 Tutorials - Step-by-step examples
• 📚 API Reference - Complete API documentation

---

Features

Multi-Protocol Support

• MCP - SSE and HTTP transports functional (stdio in development)
• HTTP/REST - OpenAPI discovery, 5 auth strategies
• gRPC - Reflection-based, mTLS support
• Custom - Plugin system for any protocol

Enterprise Security (v1.3.0 Enhanced)

• Authentication - OIDC, LDAP, SAML, API Keys
• Authorization - OPA policy engine, ReBAC+ABAC
• Audit - Immutable logs, SIEM integration (Splunk, Datadog)
• Federation - Cross-organization governance with mTLS
• 🆕 Prompt Injection Detection - 20+ patterns, entropy analysis, 30x faster
• 🆕 Anomaly Detection - Behavioral baselines, real-time alerts
• 🆕 Secret Scanning - 25+ patterns, automatic redaction, 50x faster
• 🆕 MFA - TOTP/SMS/Push/Email for critical actions
• 🆕 Network Controls - Kubernetes policies, egress filtering

Production Ready

• ✅ 64% test coverage (improving to 85%), 1 low-severity vulnerability (Windows-only, dev dependency)
• ✅ <100ms p95 latency, 847 req/s sustained throughput
• ✅ Kubernetes-native, Helm charts, Terraform modules
• ✅ 100+ pages of documentation

📖 Features Overview | Security | Performance

---

Web UI

Modern React UI for managing AI governance:

• 📊 Dashboard with metrics
• 🖥️ Server/resource management
• 📝 Policy editor (Rego syntax)
• 📜 Audit log viewer
• 🔑 API key management

cd frontend && npm install && npm run dev
# Access: http://localhost:5173

📖 UI User Guide | UI Deployment

---

Deployment

Development

docker compose --profile full up -d

Production

# Kubernetes with Helm
helm install sark ./helm/sark -n production --create-namespace

# Or with kubectl
kubectl apply -f k8s/

Cloud Platforms

• AWS EKS, GCP GKE, Azure AKS
• Terraform modules included for all platforms

Home Deployment (v1.7.0)

Lightweight deployment for home networks and low-resource environments:

# Quick start with Docker
make home-up

# Or with Docker Compose directly
docker compose -f docker-compose.home.yml up -d

• Target: 512MB RAM, single core
• Database: SQLite (instead of PostgreSQL)
• Platform: OPNsense plugin or Docker
• Features: Family governance (bedtime, parental controls, cost limits)

📖 Home Deployment Guide | Policy Cookbook

Enterprise Deployment

Full-featured deployment with PostgreSQL, Redis, and external OPA:

# Kubernetes with Helm
helm install sark ./helm/sark -n production --create-namespace

📖 Deployment Guide | Terraform Guide | Production Readiness

---

Documentation

Getting Started

• Quick Start - 15-minute setup
• MCP Introduction - What is MCP?
• Architecture - System design
• Use Cases - Real-world examples

Deployment & Operations

• Deployment Guide - Production deployment
• Monitoring - Observability setup
• Operations Runbook - Day-2 operations

Development

• Development Guide - Setup and workflow
• API Reference - Complete API docs
• Contributing - Contribution guidelines

Security & Compliance

• Security Guide - Security best practices
• OPA Policy Guide - Policy authoring
• Audit & Compliance - Compliance features

📚 Full Documentation Index

---

Project Status

🚀 v1.7.0 - Current Release (Released Feb 2, 2026)

New in v1.7.0 - YORI Home Deployment:

• ✅ Home Deployment Profile - 512MB RAM, single-core target for home networks
• ✅ Governance Modules - Allowlist, time rules, emergency override, consent tracking
• ✅ Policy Templates - Bedtime, parental controls, privacy, cost limits
• ✅ Analytics Services - Token tracking, cost calculation, usage reporting
• ✅ OPNsense Plugin - Web UI dashboard, service management, policy configuration
• ✅ Comprehensive Tests - Unit, integration, and OPA policy tests

v1.6.0 - Polish & Validation:

• ✅ Security Hardening - 96% vulnerability remediation (24/25 CVEs fixed)
• ✅ Test Infrastructure - 39 tests fixed, 100% pass rate for export + tools routers
• ✅ Dependency Cleanup - Eliminated ecdsa, migrated to PyJWT[crypto]
• ✅ Bug Fixes - Keyword detection for snake_case, FastAPI route ordering
• ✅ Documentation - Comprehensive release notes, migration guides

v1.5.0 - Production Readiness:

• ✅ Gateway Transport Implementations (HTTP, SSE, stdio)
• ✅ Security Fixes (LDAP injection, CSRF, credentials)
• ✅ Frontend Authentication UI (Login, MFA, API key management)
• ✅ E2E Integration Tests (Complete user flow testing)
• ✅ Performance Benchmark Infrastructure (Locust, pytest-benchmark)

v1.4.0 - Rust Foundation:

• ✅ Embedded Rust OPA engine (4-10x faster policy evaluation)
• ✅ Rust in-memory cache (10-50x faster than Redis)
• ✅ Feature flags & gradual rollout (0% → 100% with instant rollback)
• ✅ 2.4x higher throughput (2,100+ req/s)
• ✅ 2.3x faster requests (42ms p95, down from 98ms)
• ✅ 100% backwards compatible with v1.3.0
• ✅ Automatic Python fallback for safety
• ✅ Comprehensive migration and performance documentation

Completed (v1.3.0):

• ✅ Enterprise authentication (OIDC, LDAP, SAML, API Keys)
• ✅ Policy-based authorization (OPA)
• ✅ MCP Gateway integration (opt-in)
• ✅ SIEM integration (Splunk, Datadog)
• ✅ Prompt injection detection (20+ patterns, 30x faster than target)
• ✅ Behavioral anomaly detection (30-day baseline, real-time alerts)
• ✅ Secret scanning & redaction (25+ patterns, 50x faster than target)
• ✅ MFA for critical actions (TOTP, SMS, Push, Email)
• ✅ Network security controls (NetworkPolicies, egress filtering)
• ✅ Comprehensive testing (350+ unit, 530+ integration, 2200+ performance)
• ✅ Complete documentation (100+ pages)
• ✅ Production deployment guides

Future Roadmap:

• v1.8.0 - OPNsense plugin submission to official repository
• v1.9.0 - Local LLM support (Ollama integration)
• v2.0.0 - GRID Reference Implementation (protocol abstraction, federation, cost attribution)

📖 Roadmap | Changelog

---

Requirements

• Python 3.11+
• Docker with Docker Compose v2
• PostgreSQL 15+, Valkey 7+ (Redis-compatible)
• Open Policy Agent 0.60+
• Kong Gateway 3.8+ (production)
• Kubernetes 1.28+ (production)

📖 Requirements

---

GRID Protocol

SARK is the reference implementation of GRID Protocol Specification v0.1.

GRID (Governed Resource Interaction Definition) is a universal governance protocol for machine-to-machine interactions—protocol-agnostic, federated, zero-trust, policy-first.

SARK v1.1.0 Compliance: 85% of GRID v0.1 specification

📖 Gap Analysis - Detailed compliance matrix

📖 GRID Specification | Gap Analysis

---

Related Projects

YORI - Home LLM Gateway (Integrated in v1.7.0)

YORI (Your Observant Router Intelligence) provides zero-trust LLM governance for home networks. As of v1.7.0, YORI's home deployment profile is integrated directly into SARK.

Deployment Options:

• SARK Home Profile - Use make home-up or the OPNsense plugin (recommended)
• Standalone YORI - See YORI repository for standalone builds

Features:

• Target: OPNsense routers, home users (512MB RAM, 1 CPU)
• Database: SQLite (lightweight, no external dependencies)
• Policies: Bedtime rules, parental controls, privacy protection, cost limits
• Governance: Allowlist, time-based rules, emergency override, consent tracking
• Analytics: Token tracking, cost estimation, usage reports

YORI reuses SARK's battle-tested Rust core (sark-opa, sark-cache) via PyO3 bindings, bringing enterprise-grade policy evaluation to resource-constrained home routers.

📖 YORI Repository | Project Plan

---

Contributing

We welcome contributions! See CONTRIBUTING.md for:

• Code style and standards
• Development workflow
• PR process
• Multi-agent collaboration guidelines

---

License

MIT License - see LICENSE file for details.

Copyright © 2025 James Henry. All rights reserved.

---

Built with ❤️ for enterprise AI governance at scale.