Tiresias-ZT is a zero-trust (PDP/PEP) proxy that sits in front of your AI agents' memory backend. Every request is authenticated, policy-decided deny-by-default, injection-screened, routed to your own store, and recorded in a SoulKey-signed, tamper-evident audit trail.
One deterministic, deny-by-default pipeline. Every stage can stop the request — and every decision, allow or deny, is signed into the audit trail.
The MCP endpoint (POST /mcp, Streamable HTTP) exposes the
same governed path to agents as tools — a protocol surface, never a bypass.
Not another data store — the control plane in front of the one you already run.
MSSPs, enterprises, and independent devs each keep their own memory store — soul-svc or any generic HTTP memory API. Tiresias-ZT brings the governance; your data never changes hands.
No LLM sits anywhere in the security decision path. Every allow, deny, detection, and quarantine is HMAC + SHA-256 hash chain + Ed25519 / ML-DSA signatures + threshold analytics. A lapsed license shrinks the proxy — it never loosens the deny path.
Per-agent behavioral baselines, Sigma detection rules, and composite risk scoring quarantine misbehaving agents — which the enforcement point then denies. A read-only investigation console and SIEM export put every event in front of your SOC.
The same governed path is exposed to agents as MCP tools —
memory_search,
memory_write,
http_request.
MCP adds a protocol surface, never a bypass.
Every entry is hash-chained and signed by the per-instance SoulKey
(hybrid Ed25519 + ML-DSA-44). An attacker can rewrite the JSONL and recompute the
chain — but can't re-sign it. verify() is strict.
SoulWatch fans out from the audit stream into baselines, anomaly detection, Sigma rules, and a 0–100 risk score. Cross a threshold and the enforcement point denies the agent — through HTTP and MCP — on one governed path.
Offline-verifiable, Saluca-signed install license — no phone-home. Tiers map to three
segments; entitlement is min(install, tenant). HA/DR runs N stateless pods
with pluggable redis/postgres stores.
Teams running AI agents against a memory / context backend who need zero-trust access control, attribution, and audit — without handing their data to a third party.
Run the full zero-trust core against your own store, from one command. Start small, keep every request attributable.
Multi-tenant isolation, per-tenant policy & capability scopes, signed audit, and native SIEM export into your existing SOC — Splunk, Elastic, Sentinel.
Bring managed zero-trust governance to every client's own backend, with per-child-tenant policy, quarantine, and audit under one signed install.
Tell us about your setup and we'll be in touch. No spam — just an early look at Tiresias-ZT and a conversation about your backend.