SKILL PACK · SECURITY
Catch leaks. Catch agents.
Snyk, Semgrep, and 1Password through MCP. Agents request scans and credential reads; you approve every write. Anomaly detection on access patterns and secret-leak risk.
WHAT'S INSIDE
Three guardrails, one boundary.
Static analysis, dependency vulnerability feeds, and your secret store plug in as MCP servers. Reads stream live; writes wait for a swipe.
APPROVAL TEMPLATES
Every credential touch asks first.
Four templates for the high-blast-radius actions agents reach for when given access. Cost and tier shown up-front so there are no surprises.
ANOMALY DETECTORS
Two detectors watching the perimeter.
14-day baselines on credential-access patterns and outbound payload entropy. Any anomalous read freezes that agent's writes pending Guardian review. Signals the two detectors score:
- Outbound payload entropy
- High-entropy strings in prompts
- Unusual cred-read frequency
- New IP / device combos
- After-hours read spikes
- Privilege-escalation hops
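How the read/write boundary and the two detectors described above fit together, as an added illustrative example (not the Security Pack's or kairon-guardian's own code). It assumes a simplified event model in which every MCP tool call is a dict with `agent`, `kind` (read or write), `tool`, `ts` (epoch seconds) and an optional `payload`; the tool names `secrets.read`, `git.push` and `http.post`, the 14-day per-day baseline with a mean + 3σ threshold, and the entropy cut-off of 3.5 bits per character are all assumptions chosen for the example, and the event stream in `simulate()` is constructed.

```python
"""Illustrative MCP tool-call gate: reads stream live, writes wait for a
human swipe, and two detectors (credential-read frequency against a
14-day baseline, outbound payload entropy) can freeze an agent's writes.
Added example with an assumed event model; not the product's own code."""
import math
import re
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass, field

DAY = 86_400
BASELINE_DAYS = 14
# Runs of key-like characters, 20+ long. '=' is excluded so key=value splits.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{20,}")


def shannon_entropy(s: str) -> float:
    """Bits per character. Random base64 lands near 6, random hex near 4,
    prose and ordinary identifiers usually stay below 3.5."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def high_entropy_tokens(payload: str, threshold: float = 3.5) -> list[str]:
    """Secret-shaped tokens in an outbound payload. The 3.5 cut-off is an
    assumption: low enough to catch hex keys, so expect some camelCase
    identifiers to trip it; production detectors pair this with shape rules."""
    return [t for t in TOKEN_RE.findall(payload) if shannon_entropy(t) >= threshold]


@dataclass
class Guardian:
    """Per-agent secret-read history plus the set of agents whose writes are frozen."""
    reads: dict = field(default_factory=lambda: defaultdict(list))  # agent -> [ts]
    frozen: set = field(default_factory=set)

    def read_rate_anomalous(self, agent: str, now: int) -> bool:
        """Today's secret-read count against the previous 14 days, per day."""
        today = now - now % DAY
        start = today - BASELINE_DAYS * DAY
        per_day = [0] * BASELINE_DAYS
        today_count = 0
        for ts in self.reads[agent]:
            if start <= ts < today:
                per_day[(ts - start) // DAY] += 1
            elif ts >= today:
                today_count += 1
        mean, std = statistics.fmean(per_day), statistics.pstdev(per_day)
        # Floor of 5 stops a brand-new agent (empty baseline) tripping on its first read.
        return today_count > max(mean + 3 * std, 5)

    def gate(self, call: dict) -> str:
        """'allow': read is served live. 'approve': write held for a human swipe.
        'block': write refused and the agent frozen pending Guardian review."""
        agent, now = call["agent"], call["ts"]
        if call["kind"] == "read":
            if call["tool"] == "secrets.read":
                self.reads[agent].append(now)
                if self.read_rate_anomalous(agent, now):
                    self.frozen.add(agent)  # the read still streams; writes are now held
            return "allow"
        if agent in self.frozen:
            return "block"
        if high_entropy_tokens(call.get("payload", "")):
            self.frozen.add(agent)  # secret-shaped data leaving the boundary
            return "block"
        return "approve"


def simulate() -> list[str]:
    """Constructed stream: 14 quiet days of two secret reads a day by agent a1,
    then a read burst and writes on day 15; agent a2 tries to post a token."""
    g = Guardian()
    base = 1_700_000_000 - 1_700_000_000 % DAY  # aligned to a day boundary
    for day in range(BASELINE_DAYS):
        for k in range(2):
            g.gate({"agent": "a1", "kind": "read", "tool": "secrets.read",
                    "ts": base + day * DAY + 3600 * k})
    day15 = base + BASELINE_DAYS * DAY
    out = [g.gate({"agent": "a1", "kind": "write", "tool": "git.push", "ts": day15,
                   "payload": "deploy complete for service payments"})]
    for k in range(6):  # sixth read today exceeds max(2 + 0, 5)
        g.gate({"agent": "a1", "kind": "read", "tool": "secrets.read", "ts": day15 + 60 * k})
    out.append("frozen" if "a1" in g.frozen else "clear")
    out.append(g.gate({"agent": "a1", "kind": "write", "tool": "git.push",
                       "ts": day15 + 500, "payload": "deploy"}))
    out.append(g.gate({"agent": "a2", "kind": "write", "tool": "http.post", "ts": day15,
                       "payload": "token=kQ7xP2mZ9vB4nL8tR3wY6cJ1"}))
    return out


if __name__ == "__main__":
    print(simulate())  # ['approve', 'frozen', 'block', 'block']
```

The ordering matters: the freeze is keyed on the read side but enforced on the write side, so a burst of credential reads never blocks the reads themselves (which would break legitimate scans) and instead closes the only channel through which the data could leave. The entropy check is a blunt instrument on its own; the caveat in `high_entropy_tokens` is why the page lists it as one signal among several.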
THREAT CONTEXT
“CVE-2026-0003 (libsec auth bypass) trending. 4 of your dependencies affected. Patch + redeploy?”
Security Pack pulls live CVE feeds and matches them against your dependency tree. Agents propose patches; you approve the deployment chain.
GOVERNANCE PROOF
Cost watched. Risk scored. Per pack.
Every paid tier ships the live governance console — the same one running over this page right now.
GOVERNANCE SCORE
- Cost Visibility: Per-provider spend + live burn rate aggregated into the Cost Radar.
- Agent Audit: Every agent action stamped with risk level and a 5-year retention log.
- Guardrails: Risk Console + emergency kill-switch wired to a kairon-guardian binary.
- Dynamic Routing: Workloads are routed across providers by cost / quality / latency / context.
- Identity Provenance: MCP token issued and at least one client (Claude Desktop / AEGIS / Cursor) connected.
COST RADAR · LIVE
Aggregate cloud-LLM spend across the monitored workload.