Skip to content

contexa-security/contexa

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1,197 Commits
.claude
.claude
 
 
.github
.github
 
 
contexa-autoconfigure
contexa-autoconfigure
 
 
contexa-common
contexa-common
 
 
contexa-core
contexa-core
 
 
contexa-iam
contexa-iam
 
 
contexa-identity
contexa-identity
 
 
data
data
 
 
docs
docs
 
 
gradle/wrapper
gradle/wrapper
 
 
spring-boot-starter-contexa
spring-boot-starter-contexa
 
 
.dockerignore
.dockerignore
 
 
.editorconfig
.editorconfig
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
CHANGELOG.md
CHANGELOG.md
 
 
CODE_OF_CONDUCT.md
CODE_OF_CONDUCT.md
 
 
CONTRIBUTING.md
CONTRIBUTING.md
 
 
Dockerfile
Dockerfile
 
 
GOVERNANCE.md
GOVERNANCE.md
 
 
LICENSE
LICENSE
 
 
MAINTAINERS.md
MAINTAINERS.md
 
 
README.md
README.md
 
 
RELEASE_NOTES.md
RELEASE_NOTES.md
 
 
SECURITY.md
SECURITY.md
 
 
build.gradle
build.gradle
 
 
codecov.yml
codecov.yml
 
 
ctxa.png
ctxa.png
 
 
docker-compose.yml
docker-compose.yml
 
 
gradle.properties
gradle.properties
 
 
gradlew
gradlew
 
 
gradlew.bat
gradlew.bat
 
 
logo.jpg
logo.jpg
 
 
settings.gradle
settings.gradle
 
 

Repository files navigation

Contexa Logo

Open-source AI-native Post-Authentication Runtime Control Plane


License   Java   Spring Boot


Security does not end at login. CONTEXA continuously evaluates authenticated runtime behavior and applies zero-trust controls inside the application.

What CONTEXA Is

CONTEXA is an open-source AI-native Post-Authentication Runtime Control Plane.

It is built for what happens after authentication succeeds:

  • request-time runtime zero trust
  • authenticated human access decisions
  • workload and service-client continuity
  • delegated agent execution governance
  • exploit-window compensating controls
  • verification-backed benchmark and proof generation

What CONTEXA Is Not

CONTEXA is not:

  • a vulnerability scanner
  • a binary analysis engine
  • a penetration testing framework
  • a SIEM replacement
  • a generic IAM admin SaaS product

CONTEXA complements upstream security discovery by constraining authenticated runtime behavior after risk is discovered.

Why CONTEXA

Most material security failures occur after successful authentication.

At that point, the attacker may already hold one or more of the following:

  • a valid session
  • a valid token
  • a valid workload credential
  • an approved tool path
  • an authenticated delegated agent

Traditional security often concentrates on login, network edges, and endpoint state. CONTEXA starts where those layers leave off: inside the application runtime, at request time, with zero-trust decisions that can challenge, block, contain, or escalate.

Dimension Traditional Security With CONTEXA
Decision point Login or coarse policy checkpoints Every protected request
Scope Network, endpoint, perimeter Inside the application runtime
Subject Mostly users and devices Humans, workloads, service clients, delegated agents
Response Allow or deny ALLOW, CHALLENGE, BLOCK, ESCALATE, PENDING_ANALYSIS
Proof Logs and dashboards Verification, benchmark, publication-ready proof

Glasswing Relevance

Glasswing discovers. CONTEXA constrains.

Anthropic Project Glasswing represents upstream AI-driven defensive discovery. CONTEXA addresses the downstream runtime problem that remains after discovery:

  • how to reduce exploit windows before remediation is complete
  • how to constrain authenticated humans, workloads, and delegated agents
  • how to apply compensating controls in production
  • how to prove those controls with verification and benchmark artifacts

This repository contains the open-source runtime control engine for that downstream layer.

Project Status

  • Current public OSS version: 0.1.0
  • Repository stage: initial public open-source release
  • Core focus: post-authentication runtime control inside Spring applications

CONTEXA should be reviewed as early-stage security infrastructure with material category relevance. Its public scale is still developing, but the category it addresses is already operationally important: constraining authenticated runtime behavior after risk is discovered and before remediation is complete.

Why Review CONTEXA at an Early OSS Stage

CONTEXA does not yet claim mature open-source scale. It should instead be assessed on structural security relevance:

  • it addresses the post-authentication runtime problem that remains after upstream discovery
  • it operates at the application layer, where authenticated requests are actually executed
  • it provides public documentation, benchmark surfaces, and a security contact path
  • it is built as an open-source runtime control engine rather than a marketing-only concept
  • it is relevant to downstream exploit-window reduction for authenticated humans, workloads, service clients, and delegated agents

Runtime Decision Path

flowchart LR
    A[Authenticated Request\nPost-auth subject request] --> B[contexa-identity\nAuth flows, MFA, adaptive challenge]
    B --> C[contexa-iam\nPolicy, resource protection, method protection]
    C --> D[contexa-core\nContext, analysis, RAG, LLM adjudication]
    D --> E{Runtime Decision\nRequest-time control decision}
    E --> F[ALLOW\nPermit request]
    E --> G[CHALLENGE\nRequire extra verification]
    E --> H[BLOCK\nDeny immediately]
    E --> I[ESCALATE\nStronger control or review]
    E --> J[PENDING_ANALYSIS\nWait for analysis]
Loading

Open-source Core and Enterprise Surfaces

This repository contains the open-source core platform:

  • contexa-core
  • contexa-identity
  • contexa-iam
  • contexa-common
  • contexa-autoconfigure
  • spring-boot-starter-contexa

Commercial and enterprise operational surfaces exist separately. Those surfaces include multi-tenant operations, publication workflows, advanced review planes, and commercial runtime delivery features.

The open-source core remains a meaningful platform on its own. It provides the runtime decision, control, and integration foundation.

Current Public Release

Quick Start

1. Add the dependency

dependencies {
    implementation "ai.ctxa:spring-boot-starter-contexa:0.1.0"
}

2. Enable AI security

@SpringBootApplication
@EnableAISecurity
public class MyApplication {
}

3. Protect resources

@Protectable
@PostMapping("/api/users/{id}/disable")
public void disableUser(@PathVariable Long id) {
    service.disable(id);
}

4. Start infrastructure

docker compose up -d postgres ollama
docker exec contexa-ollama ollama pull qwen2.5:7b
docker exec contexa-ollama ollama pull mxbai-embed-large

5. Run

./gradlew bootRun

For full setup, configuration, and architecture guidance, use the documentation site at https://docs.ctxa.ai.

Runtime Zero Trust Actions

Every protected request receives a runtime decision.

Action HTTP Meaning
ALLOW 200 Behavior is within acceptable bounds
CHALLENGE 401 Additional verification is required
BLOCK 403 Active risk requires immediate denial
ESCALATE 423 Human review or higher-friction handling is required
PENDING_ANALYSIS 503 Runtime analysis has not completed yet

How It Works

Request (Human / Workload / Service Client / Delegated Agent)
  |
  +-- contexa-identity
  |     Authentication flows, MFA, adaptive challenges
  |
  +-- contexa-iam
  |     URL, method, and resource policy evaluation
  |     @Protectable method protection
  |
  +-- contexa-core
        Context collection
        Behavioral analysis
        RAG and LLM reasoning
        Runtime zero-trust decision
        Control action application

Modules

Module Responsibility
contexa-core AI pipeline, LLM orchestration, RAG, autonomous security processing, runtime zero-trust state
contexa-identity Authentication flows, MFA, passkey, adaptive zero-trust access control
contexa-iam Dynamic authorization, policy evaluation, resource scanning, policy workflows
contexa-common Shared annotations, DTOs, enums, contracts
contexa-autoconfigure Spring Boot auto-configuration
spring-boot-starter-contexa Starter entry point for community adoption

Key Capabilities

Runtime Behavioral Security

CONTEXA compares each request against runtime context, history, and policy signals to detect behavior that static rules miss.

Dynamic Authorization

CONTEXA evaluates URL, method, and resource-level access decisions and supports method-level protection through @Protectable.

AI-native Control Decisions

CONTEXA can challenge, block, escalate, or defer based on runtime analysis instead of relying only on static roles and ACLs.

Proof-backed Security

CONTEXA is designed to support verification, replay, benchmarking, and publication-ready reporting rather than simple vendor claims.

Operating Modes

Mode Infrastructure Use Case
standalone PostgreSQL + Ollama Development and smaller deployments
distributed PostgreSQL + Redis + Kafka Production and multi-instance deployments 
contexa:
  infrastructure:
    mode: standalone

Trust and Public References

License

Apache License 2.0. See LICENSE for details.

About

AI-Native Post-Authentication Runtime Control Plane. LLM-driven Zero Trust security platform for Spring Boot applications. Continuously evaluates authenticated runtime behavior with 5-action dynamic control (ALLOW · CHALLENGE · BLOCK · ESCALATE · PENDING).

ctxa.ai

Topics

java agent oauth2 spring-boot mcp prompt context spring-security zero-trust ai-security runtime-security rag behavioral-analysis ai-agent llm agent-ai post-authentication

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity
Custom properties

Stars

2 stars

Watchers

0 watching

Forks

1 fork
Report repository

Releases

1 tags

Packages

 
 
 

Contributors

Languages