Saluca · Zero-Trust for agent memory

Your agents' memory is yours.
Govern every request to it.

Tiresias-ZT is a zero-trust (PDP/PEP) proxy that sits in front of your AI agents' memory backend. Every request is authenticated, policy-decided deny-by-default, injection-screened, routed to your own store, and recorded in a SoulKey-signed, tamper-evident audit trail.

No LLM in the decision path Bring your own backend MCP-native
Tiresias — a blindfolded prophet holding a gilded armillary sphere around a lapis cube, symbolizing governed sight over data.

The zero-trust request path

One deterministic, deny-by-default pipeline. Every stage can stop the request — and every decision, allow or deny, is signed into the audit trail.

inbound agent request → tiresias-zt
AUTHN
API key → tenant (SHA-256 lookup). No key, no identity.
unknown → 401
RATE
Per-tenant sliding-window RPM limit.
exceeded → 429
PDP
Deny-by-default route policy → required scope; SoulGuard capability token must be authentic, unexpired & scoped.
else → 403
QUARANTINE
SoulWatch store — a misbehaving agent (or whole tenant) is denied at the door.
active → 403
SCREEN
Deterministic injection screen — OWASP LLM Top-10 pattern table + risk scoring.
block → 403
ROUTE
Tenant → backend registry; only the contracted surface is forwardable.
off-surface → 404
FORWARD
Reverse-proxy to the tenant's own backend — proxy creds stripped, backend auth injected, never exposed.
→ your store
AUDIT
Hash-chained, SoulKey-signed entry for every decision: who / tenant / scope / route / verdict / body digest.
signed + chained
└─ subscribe() fan-out → SoulWatch analytics · SIEM export (CEF / syslog / webhook)

The MCP endpoint (POST /mcp, Streamable HTTP) exposes the same governed path to agents as tools — a protocol surface, never a bypass.

Governance you can prove

Not another data store — the control plane in front of the one you already run.

Bring your own backend

MSSPs, enterprises, and independent devs each keep their own memory store — soul-svc or any generic HTTP memory API. Tiresias-ZT brings the governance; your data never changes hands.

Deterministic by design

No LLM sits anywhere in the security decision path. Every allow, deny, detection, and quarantine is HMAC + SHA-256 hash chain + Ed25519 / ML-DSA signatures + threshold analytics. A lapsed license shrinks the proxy — it never loosens the deny path.

Analyst-ready

Per-agent behavioral baselines, Sigma detection rules, and composite risk scoring quarantine misbehaving agents — which the enforcement point then denies. A read-only investigation console and SIEM export put every event in front of your SOC.

MCP-native

The same governed path is exposed to agents as MCP tools — memory_search, memory_write, http_request. MCP adds a protocol surface, never a bypass.

Attributable audit

Every entry is hash-chained and signed by the per-instance SoulKey (hybrid Ed25519 + ML-DSA-44). An attacker can rewrite the JSONL and recompute the chain — but can't re-sign it. verify() is strict.

Observe → detect → quarantine → enforce

SoulWatch fans out from the audit stream into baselines, anomaly detection, Sigma rules, and a 0–100 risk score. Cross a threshold and the enforcement point denies the agent — through HTTP and MCP — on one governed path.

Self-hosted licensing

Offline-verifiable, Saluca-signed install license — no phone-home. Tiers map to three segments; entitlement is min(install, tenant). HA/DR runs N stateless pods with pluggable redis/postgres stores.

Who it's for

Teams running AI agents against a memory / context backend who need zero-trust access control, attribution, and audit — without handing their data to a third party.

Independent devs

Ship agents on a governed path

Run the full zero-trust core against your own store, from one command. Start small, keep every request attributable.

Tiers community · starter
Enterprise

One control plane, many teams

Multi-tenant isolation, per-tenant policy & capability scopes, signed audit, and native SIEM export into your existing SOC — Splunk, Elastic, Sentinel.

Tier enterprise · up to 50 tenants
MSS providers

Govern agents for your clients

Bring managed zero-trust governance to every client's own backend, with per-child-tenant policy, quarantine, and audit under one signed install.

Tier mssp · up to 500 child tenants
Private beta

Request access

Tell us about your setup and we'll be in touch. No spam — just an early look at Tiresias-ZT and a conversation about your backend.

Or email hello@saluca.com directly.