Documentation
¶
Directories
¶
| Path | Synopsis |
|---|---|
|
clients
|
|
|
conformance/gen
command
Command gen mints golden conformance vectors with the REAL Legant signer and writes clients/conformance/vectors.json.
|
Command gen mints golden conformance vectors with the REAL Legant signer and writes clients/conformance/vectors.json. |
|
cmd
|
|
|
legant
command
|
|
|
examples
|
|
|
agent-obo
command
Command agent-obo is a runnable, self-contained demonstration of Legant's agent-identity wedge: an AI agent acting *on behalf of* a human user with scoped, constrained, auditable delegation — RFC 8693 style.
|
Command agent-obo is a runnable, self-contained demonstration of Legant's agent-identity wedge: an AI agent acting *on behalf of* a human user with scoped, constrained, auditable delegation — RFC 8693 style. |
|
blastdoor
command
Command blastdoor is the k8s MCP-gateway companion to the cloudops demo.
|
Command blastdoor is the k8s MCP-gateway companion to the cloudops demo. |
|
charter
command
Command charter is a self-contained, runnable demonstration of an agent-run "company" where the ORG CHART IS THE AUTHORITY GRAPH.
|
Command charter is a self-contained, runnable demonstration of an agent-run "company" where the ORG CHART IS THE AUTHORITY GRAPH. |
|
cloudops
command
Command cloudops is a self-contained, runnable demonstration of Legant on a DevOps / infrastructure resource — "give an AI agent your kubectl, safely." During an incident, an SRE delegates to an AI ops agent the authority to operate ONE service in ONE namespace for one hour: scale (≤ a replica cap), restart, and read logs — but never delete, never touch another namespace.
|
Command cloudops is a self-contained, runnable demonstration of Legant on a DevOps / infrastructure resource — "give an AI agent your kubectl, safely." During an incident, an SRE delegates to an AI ops agent the authority to operate ONE service in ONE namespace for one hour: scale (≤ a replica cap), restart, and read logs — but never delete, never touch another namespace. |
|
conductor
command
Command conductor is a self-contained, runnable demonstration of Legant's flagship use case: ONE AI agent wired to a FLEET of MCP servers behind one Legant gateway, where every tool call is individually authorized against the agent's delegated authority, minted a fresh single-tool/single-audience downstream token (confused-deputy protection), and recorded in a tamper-evident hash-chained "flight recorder" you can hand to an auditor.
|
Command conductor is a self-contained, runnable demonstration of Legant's flagship use case: ONE AI agent wired to a FLEET of MCP servers behind one Legant gateway, where every tool call is individually authorized against the agent's delegated authority, minted a fresh single-tool/single-audience downstream token (confused-deputy protection), and recorded in a tamper-evident hash-chained "flight recorder" you can hand to an auditor. |
|
driftstop
command
Command driftstop re-enacts the Salesloft–Drift / UNC6395 OAuth-token theft (Aug 2025, ~700 orgs) and shows the token that survives it.
|
Command driftstop re-enacts the Salesloft–Drift / UNC6395 OAuth-token theft (Aug 2025, ~700 orgs) and shows the token that survives it. |
|
enterprise/ai-sre-on-kubernetes
command
Command ai-sre is the host program for the "AI-SRE on real Kubernetes" enterprise demo.
|
Command ai-sre is the host program for the "AI-SRE on real Kubernetes" enterprise demo. |
|
enterprise/entitlement-copilot
command
Command entitlement-copilot is an enterprise, INTEGRATED demo of the #1 fear with internal AI copilots: "the copilot showed me data I'm not entitled to." A shared analytics copilot serves two humans — Alice (finance + sales) and Bob (sales only) — over a REAL Postgres warehouse.
|
Command entitlement-copilot is an enterprise, INTEGRATED demo of the #1 fear with internal AI copilots: "the copilot showed me data I'm not entitled to." A shared analytics copilot serves two humans — Alice (finance + sales) and Bob (sales only) — over a REAL Postgres warehouse. |
|
enterprise/oauth-breach-replay
command
Command oauth-breach-replay re-enacts the Salesloft–Drift / UNC6395 OAuth-token theft (Aug 2025) against REAL HTTP services guarded by Legant's shipped resource-server middleware — the same `sdk.Authenticate` + `sdk.RequireAction` you'd wire into your own API (see `legant snippet`).
|
Command oauth-breach-replay re-enacts the Salesloft–Drift / UNC6395 OAuth-token theft (Aug 2025) against REAL HTTP services guarded by Legant's shipped resource-server middleware — the same `sdk.Authenticate` + `sdk.RequireAction` you'd wire into your own API (see `legant snippet`). |
|
foureyes
command
Command foureyes demonstrates SEGREGATION OF DUTIES (the "four-eyes" / maker- checker rule) as a property of the token.
|
Command foureyes demonstrates SEGREGATION OF DUTIES (the "four-eyes" / maker- checker rule) as a property of the token. |
|
helpdesk
command
Command helpdesk is a self-contained, runnable demonstration that Legant is NOT a coding-agent tool — it is general delegated authorization for ANY agent acting on ANY resource.
|
Command helpdesk is a self-contained, runnable demonstration that Legant is NOT a coding-agent tool — it is general delegated authorization for ANY agent acting on ANY resource. |
|
honeytool
command
Command honeytool is a self-contained, runnable demonstration of using Legant as INTRUSION DETECTION for AI agents.
|
Command honeytool is a self-contained, runnable demonstration of using Legant as INTRUSION DETECTION for AI agents. |
|
leash
command
Command leash is a self-contained, runnable demonstration of the consumer "kill-switch" use case: give your personal AI agent real spending power for a short window with HARD offline limits, then yank it — and have even the token the agent ALREADY holds die at the merchant within seconds, via a signed revocation feed the merchant polls (no callback to Legant).
|
Command leash is a self-contained, runnable demonstration of the consumer "kill-switch" use case: give your personal AI agent real spending power for a short window with HARD offline limits, then yank it — and have even the token the agent ALREADY holds die at the merchant within seconds, via a signed revocation feed the merchant polls (no callback to Legant). |
|
mcp-gateway
command
Command mcp-gateway is a runnable, self-contained demonstration of Legant's MCP auth-gateway: an AI agent calls an MCP server *through* Legant, which enforces per-tool delegation and mints a fresh, narrowly-scoped downstream token (confused-deputy protection) rather than forwarding the agent's token.
|
Command mcp-gateway is a runnable, self-contained demonstration of Legant's MCP auth-gateway: an AI agent calls an MCP server *through* Legant, which enforces per-tool delegation and mints a fresh, narrowly-scoped downstream token (confused-deputy protection) rather than forwarding the agent's token. |
|
protect-your-endpoint
command
A Legant-protected resource server, wired to the OFFLINE local setup that `legant apply` writes into .legant/ (keys, JWKS, signed revocation feed).
|
A Legant-protected resource server, wired to the OFFLINE local setup that `legant apply` writes into .legant/ (keys, JWKS, signed revocation feed). |
|
splice
command
Command splice demonstrates MONOTONIC ATTENUATION across a multi-hop agent delegation chain — the property that "a sub-agent can only ever do LESS than its parent" — and how Legant enforces it where the standards punt.
|
Command splice demonstrates MONOTONIC ATTENUATION across a multi-hop agent delegation chain — the property that "a sub-agent can only ever do LESS than its parent" — and how Legant enforces it where the standards punt. |
|
twoasks
command
Command twoasks demonstrates the #1 cross-cutting AI-agent authorization problem — the CONFUSED DEPUTY — and how Legant closes it.
|
Command twoasks demonstrates the #1 cross-cutting AI-agent authorization problem — the CONFUSED DEPUTY — and how Legant closes it. |
|
internal
|
|
|
authz
Package authz models the authenticated caller (a Principal) and the authorization decisions made about it.
|
Package authz models the authenticated caller (a Principal) and the authorization decisions made about it. |
|
ccguard
Package ccguard turns a Legant delegation token into a policy decision for every tool call Claude Code makes — Read, Write, Edit, Bash, WebFetch and MCP tools alike — enforced OFFLINE from the signed token.
|
Package ccguard turns a Legant delegation token into a policy decision for every tool call Claude Code makes — Read, Write, Edit, Bash, WebFetch and MCP tools alike — enforced OFFLINE from the signed token. |
|
delegation
Package delegation implements the core authorization primitives that make Legant an agent-identity layer rather than a generic OIDC server:
|
Package delegation implements the core authorization primitives that make Legant an agent-identity layer rather than a generic OIDC server: |
|
delegation/chains
Package chains is the database adapter for delegation grants: it hydrates a stored delegation into the pure delegation.Grant the signer mints from, and records the consent that authorizes a root delegation.
|
Package chains is the database adapter for delegation grants: it hydrates a stored delegation into the pure delegation.Grant the signer mints from, and records the consent that authorizes a root delegation. |
|
grants
Package grants turns Legant's delegated authority into a declarative, version-controllable file.
|
Package grants turns Legant's delegated authority into a declarative, version-controllable file. |
|
keystore
Package keystore is the single source of signing material for Legant.
|
Package keystore is the single source of signing material for Legant. |
|
live
Package live is an in-process pub/sub hub for real-time activity events that feed the /admin/live console: every gateway tool-call decision, token mint, and revocation is published here and fanned out to connected SSE clients.
|
Package live is an in-process pub/sub hub for real-time activity events that feed the /admin/live console: every gateway tool-call decision, token mint, and revocation is published here and fanned out to connected SSE clients. |
|
mcpauth
Package mcpauth implements the MCP / OAuth 2.1 authorization surface: RFC 8707 resource indicators, RFC 9728 protected-resource metadata, and the RFC 6750/9728 WWW-Authenticate challenges resource servers return.
|
Package mcpauth implements the MCP / OAuth 2.1 authorization surface: RFC 8707 resource indicators, RFC 9728 protected-resource metadata, and the RFC 6750/9728 WWW-Authenticate challenges resource servers return. |
|
mcpgw
Package mcpgw is the MCP auth-gateway: a reverse proxy that enforces per-tool delegation in front of MCP servers.
|
Package mcpgw is the MCP auth-gateway: a reverse proxy that enforces per-tool delegation in front of MCP servers. |
|
metrics
Package metrics is a small, dependency-free Prometheus metrics registry.
|
Package metrics is a small, dependency-free Prometheus metrics registry. |
|
retention
Package retention implements data-retention pruning for Legant's operational tables.
|
Package retention implements data-retention pruning for Legant's operational tables. |
|
revocation
Package revocation records every composite (sub/act) delegation token minted by the token-exchange endpoint and lets it be revoked before expiry.
|
Package revocation records every composite (sub/act) delegation token minted by the token-exchange endpoint and lets it be revoked before expiry. |
|
safehttp
Package safehttp provides an HTTP client hardened against SSRF, for fetching attacker-influenced URLs (CIMD documents, JWKS, MCP upstreams).
|
Package safehttp provides an HTTP client hardened against SSRF, for fetching attacker-influenced URLs (CIMD documents, JWKS, MCP upstreams). |
|
testsupport
Package testsupport provides shared helpers for integration tests that need a real Postgres database.
|
Package testsupport provides shared helpers for integration tests that need a real Postgres database. |
|
Package sdk is a self-contained client for resource servers (and MCP servers) that accept Legant delegation tokens.
|
Package sdk is a self-contained client for resource servers (and MCP servers) that accept Legant delegation tokens. |
Click to show internal directories.
Click to hide internal directories.
