Cori
v0.1 — MCP Server
Single Binary

The Secure Kernel for AI Agents.

Stop giving agents raw database access. Cori is the MCP-native security layer that enforces tenant isolation and role-based permissions at the data layer.

Biscuit Token Auth
Dynamic MCP Tools
Multi-Tenant Isolation
Full Audit Trail

Open Source Core

Start with the OSS MCP Server

The core MCP server is fully open source. Add secure database access to your AI agents today.

MCP Server (stdio)

Schema-derived typed tools for Claude Desktop and compatible clients.

Role-Based Access

Define roles with table, column, and operation-level permissions.

Biscuit Tokens

Cryptographic tokens with attenuable permissions. No external PDP needed.

Full System Preview

Dashboard, HTTP transport, audit logs, human-in-the-loop approvals.

Limited Alpha →

01_THE_PROBLEM

AI agents shouldn't have database credentials.

Enterprise databases contain multi-tenant data. When you deploy AI agents, you need guarantees: Client A's agent must never see Client B's data. Traditional app-level isolation fails when agents act autonomously. Cori bridges this trust gap.

02_THE_APPROACH

Token = Policy. No external engines.

We reject complexity. No Cerbos. No OPA. No policy-as-code sprawl. Biscuit tokens ARE your policy — cryptographically signed, attenuable, verified locally. Define roles in YAML, mint tokens, done.

03_THE_RESULT

Agents discover tools, Cori enforces policy.

AI agents connect via MCP and see only the tools their token permits. Every operation is tenant-scoped, column-filtered, and audit-logged. Sensitive actions gate on human approval.

How It Works

From database to secure AI agent in minutes

01 Connect Database

Point Cori at your Postgres. Schema is introspected automatically.

02 Define Roles

YAML config: tables, columns, operations, constraints per role.

03 Mint Tokens

Generate Biscuit tokens. Attenuate to tenant + expiration.

04 Connect Agent

Agent discovers typed MCP tools. Every call is scoped and audited.

Configuration

Define a role in 15 lines of YAML

roles/support_agent.yaml
role_name: support_agent
tables:
  customers:
    operations: [read]
    readable: [id, name, email, plan]
  tickets:
    operations: [read, update]
    readable: [id, subject, status, priority]
    editable:
      status:
        allowed_values: [open, in_progress, resolved]
      priority:
        requires_approval: true  # Human-in-the-loop
blocked_tables: [users, billing, api_keys]
max_rows_per_query: 100
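
The following is an added example, not Cori's own code: a default-deny check showing how a request could be evaluated against the `support_agent` role above. The function name `authorize`, the three decision strings, and the meaning given to each key are assumptions inferred from the key names; tenant scoping and Biscuit token verification are out of scope here.

```python
# Added example: NOT Cori's implementation. Key semantics are assumed from their names.
ROLE = {  # mirrors roles/support_agent.yaml as a dict, so no YAML parser is needed
    "role_name": "support_agent",
    "tables": {
        "customers": {"operations": ["read"],
                      "readable": ["id", "name", "email", "plan"]},
        "tickets": {"operations": ["read", "update"],
                    "readable": ["id", "subject", "status", "priority"],
                    "editable": {
                        "status": {"allowed_values": ["open", "in_progress", "resolved"]},
                        "priority": {"requires_approval": True}}},
    },
    "blocked_tables": ["users", "billing", "api_keys"],
    "max_rows_per_query": 100,
}

def authorize(role, table, op, columns=(), values=None, limit=None):
    """Return (decision, detail); decision is 'allow', 'deny' or 'needs_approval'."""
    spec = role["tables"].get(table)
    # Default deny: blocked tables and tables the role never mentions.
    if table in role["blocked_tables"] or spec is None:
        return "deny", f"table {table!r} not permitted"
    if op not in spec["operations"]:
        return "deny", f"operation {op!r} not permitted on {table!r}"
    if op == "read":
        extra = [c for c in columns if c not in spec["readable"]]
        if extra:
            return "deny", f"unreadable columns: {extra}"
        cap = role["max_rows_per_query"]
        # Clamp the row limit instead of trusting the caller's value.
        rows = min(limit, cap) if limit and limit > 0 else cap
        return "allow", {"columns": list(columns) or spec["readable"], "limit": rows}
    if not values:
        return "deny", "no columns to write"
    # Writes: every column must be listed as editable and satisfy its rule.
    decision = "allow"
    for col, val in values.items():
        rule = spec.get("editable", {}).get(col)
        if rule is None:
            return "deny", f"column {col!r} not editable"
        if "allowed_values" in rule and val not in rule["allowed_values"]:
            return "deny", f"value {val!r} not allowed for {col!r}"
        if rule.get("requires_approval"):
            decision = "needs_approval"  # hold the write for a human reviewer
    return decision, dict(values)
```

A write touching both `status` and `priority` comes back as `needs_approval`, because one gated column is enough to hold the whole operation.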