sark

SARK is an enterprise-grade multi-protocol governance platform built for the MCP ecosystem. It sits between AI assistants and your systems to enforce authentication, authorization, and auditing across MCP, HTTP/REST, gRPC, and custom protocols via a universal adapter interface. With SARK you get policy-driven access control, immutable audit logs, and integration hooks for SIEMs. The system exposes a UI for governance configuration and a REST/gRPC API for programmatic control, making it suitable for large-scale AI deployments where you need visibility and safety controls over every action.

To use SARK, start the deployment (for example via Docker as shown in the Quick Start): once up, you can manage policies, register resources and clients, and monitor audit events from the UI. The API reference and documentation provide endpoints for authentication configuration (OIDC, LDAP, SAML, API Keys), policy authoring (OPA-based), and resource access requests. You can also use the UI to define governance rules, and rely on the audit trail to track every interaction. In production, SARK supports federation with mTLS across organizations, and it includes features like prompt injection detection, anomaly detection, secret scanning, and MFA for critical actions to strengthen security posture.

Key capabilities you’ll typically use:

• Authentication and policy enforcement: configure OIDC/LDAP/SAML or API Key flows and attach them to MCP endpoints.
• Policy authoring: define access rules using OPA and RBAC/ABAC patterns to govern who can access which AI resources.
• Auditing and observability: review immutable logs, integrate with SIEMs, and set up real-time alerts for anomalies.
• Multi-protocol support: leverage MCP, HTTP/REST, gRPC, and custom protocols through the adapter interface, enabling governance across diverse AI workloads.

For day-to-day use, start with the Quick Start guide, then explore the API reference for programmatic control of policies and resources, and the UI for policy editors and audit dashboards. The documentation also covers deployment in Kubernetes (Helm), Docker-based home deployments, and enterprise deployments with PostgreSQL, Redis, and external OPA.

Prerequisites

• Docker and Docker Compose installed on your host
• Optional: Kubernetes cluster if deploying via Helm
• Python 3.11+ and Rust toolchain if building native extensions (per Quick Start)

Installation steps (Docker-based single-node/home deployment as an example):

1. Clone the repository and navigate to the project root
2. If you want to build native extensions locally (optional but recommended for performance):
   • python3.11 -m venv venv
   • source venv/bin/activate
   • pip install -e ".[dev]"
   • maturin develop
3. Start the services using Docker Compose (development/full profile as described in Quick Start):

   docker compose --profile full up -d
   

4. Access the UI and API:
   • UI: http://localhost:5173 (default admin/password or configured via env)
   • API: http://localhost:8000/docs (OpenAPI docs)

Production deployment (Kubernetes):

• Helm: helm install sark ./helm/sark -n production --create-namespace
• Kubernetes: kubectl apply -f k8s/

Home deployment (lightweight, v1.7.0):

• Quick start with Docker:

  make home-up
  

• Or with Docker Compose directly:

  docker compose -f docker-compose.home.yml up -d
  

• Target: 512MB RAM, single core, SQLite database, optional OPNsense plugin or Docker platform

Prerequisites recap:

• Docker or Kubernetes for orchestration
• Dependency tooling if building natives (Rust, maturin) for performance
• Access to a terminal and basic networking to reach UI/API endpoints

Tips and troubleshooting:

• If you’re running in development mode, stdio MCP transport may be used; in production, enable HTTP/gRPC transports and ensure proper TLS/mTLS configuration.
• Environment variables for production: configure SARK_API_PORT, SARK_UI_PORT, and OIDC/LDAP/SAML or API Key settings in your deployment manifest. Use the UI to fill in identity provider details or wire up external identity services.
• Ensure that your Kubernetes or Docker network allows access between UI (5173), API (8000), and any resource backends (PostgreSQL, Redis) if enabled in your deployment profile.
• For security, enable MFA for critical actions, turn on anomaly detection, and configure SIEM integrations (Splunk, Datadog) via the Audit & Compliance docs.
• If you encounter port conflicts, customize ports in your deployment configuration and update the mcp_config accordingly.
• Regularly check the documentation indexes (docs/ and the full docs site) for updates on MCP features, as SARK frequently introduces new governance capabilities and performance improvements.