Skip to main content

Adversarial Co-Generation Engine — concurrent Builder + Breaker agents for production-grade AI-generated code

Project description

⚔️ GAUNTLEX

Adversarial Co-Generation Engine

Generates code and adversarial attacks from the same specification, at the same time — before a commit exists.

Tests Python PyPI License: MIT OS

What it is · See it run · Quickstart · Commands · Domains · Deep Dive


What it is

Every AI coding tool ships code and hopes someone tests it for security later. GAUNTLEX removes the "later." It runs two agents concurrently against the same specification:

  • Builder — generates the implementation
  • Breaker — generates adversarial attacks against the same spec, at the same instant

An Arbiter scores every attack (mitigated / partial / missed) and produces an Adversarial Resilience Score (ARS). A configurable gate blocks your CI pipeline when the score falls below threshold — the same way a failing test suite blocks a merge.

No manual test authoring. No separate security review step. No waiting for a scanner to catch up to code that shipped last week.


See it run

📊 One-page overview — what it is, what's different, how it deploys. Built for sharing with a technical lead or architecture review board.

GAUNTLEX overview — slide 1 GAUNTLEX overview — slide 2

Download the full PDF

GAUNTLEX demo video

Watch the demo — setup through CI gate, real terminal output, real dashboard.


Why it's structurally different

Three properties, not features — the reasoning behind each is in the Deep Dive:

  1. Concurrent, not sequential. Builder and Breaker fire at the same instant via asyncio.gather(). The Breaker never sees generated code — it reasons from the specification alone, the same surface a real attacker would work from before your implementation choices exist.
  2. A native MCP integration, both directions. GAUNTLEX exposes itself as an MCP server so Claude Code, Cursor, Windsurf, or Zed can trigger and poll runs directly from your coding tool — and it consumes external MCP servers (plus built-in CISA KEV / NIST NVD feeds) to enrich every run with live threat data. See the Domain Intelligence page for exactly what's live vs. static.
  3. Regulatory domains as first-class input. FINRA, HIPAA, PCI DSS, SOC 2, and OWASP Top 10 playbooks steer the Breaker toward the scenarios that actually matter for a regulated codebase — not a generic scan re-labeled per industry.

Quickstart

# 1. Install
pip install gauntlex-ai

# 2. Interactive setup — detects and validates the best model for your environment
#    (Ollama for free/air-gapped, OpenRouter free tier, or your own API key)
gauntlex setup

# 3. Run on the included demo spec
gauntlex run --issue examples/demo_issue.md --mode quick --pretty

gauntlex setup writes a .gauntlex.yml for you — there is no manual configuration step, and no fallback to whatever API key happens to be lying around the environment. What you configure is what runs.

──────────────────────────────────────────────────────────────────────
  GAUNTLEX Adversarial Run
  Mode:      quick (5 attacks)
  Language:  python  [signals: filesystem, async]
  Domain:    owasp_top10
──────────────────────────────────────────────────────────────────────
  ARS Score: 0.87  ✅  PASSED  (gate: ≥ 0.80)

  ✅ CWE-89  SQL Injection via username param     mitigated
  ✅ CWE-502 Unsafe deserialization                mitigated
  ✅ CWE-78  OS command injection in file path     mitigated
  ✅ CWE-22  Path traversal in upload handler       mitigated
  ❌ CWE-79  Reflected XSS in error message         MISSED
──────────────────────────────────────────────────────────────────────

Wall-clock time depends on which model you configure — anywhere from single-digit seconds with a fast paid API to several minutes with a free-tier or local model. Attack count is fixed per mode regardless of provider: quick = 5, standard = 20, thorough = 50.

Run against a GitHub issue directly

gauntlex run --issue https://github.com/your-org/your-repo/issues/42 --mode standard --domain hipaa --pretty

Requirements

  • Python 3.11+
  • macOS, Linux, or Windows (WSL2 recommended on Windows)
  • One model provider: Ollama (free, local), OpenRouter free tier, or an Anthropic/OpenAI API key

CLI reference

All 22 commands, grouped by when you'd reach for them:

Getting started
gauntlex setup Configure model provider and integrations (run any time to reconfigure)
gauntlex init Scaffold .gauntlex.yml with sensible defaults
gauntlex doctor Full environment health check
gauntlex validate Dry run — checks config and connectivity, fires zero attacks
Running assessments
gauntlex run Run adversarial Builder + Breaker on a spec
gauntlex status Show running and recently completed runs
gauntlex findings Vulnerability findings from the last run — fix-first, score last
gauntlex compare Diff two Resilience Reports — ARS delta and attack-level changes
gauntlex learn Feed a completed run into the Knowledge Forge
Evidence & compliance
gauntlex report Render a stored report in any output format (HTML/SARIF/JUnit/JSON)
gauntlex verify Re-derive SHA-256 integrity hash, confirm a report hasn't been altered
gauntlex audit List all reports with compliance control mapping over a time window
gauntlex vault Browse the Forge Ledger — human-readable Markdown attack records
gauntlex stats ARS trends, learning-curve, and cost metrics
Domains & policy
gauntlex policy List, install, search, or validate policy domains — see Domain Intelligence
Team & CI deployment
gauntlex integrate One command: wire GAUNTLEX into Claude Code, Cursor, Windsurf, Copilot, Codex, or GitHub Actions
gauntlex mcp-server Start GAUNTLEX as an MCP server (stdio transport) for local IDE use
gauntlex serve Start GAUNTLEX as a webhook/CI service, with optional GitHub team-based RBAC
gauntlex dashboard Launch the Combat Dashboard web UI
gauntlex leaderboard Build an ARS leaderboard across multiple agents/runs
gauntlex forge-network Opt-in community adversarial pattern sharing
gauntlex prune Remove expired reports

Full usage, flags, and examples for every command: Deep Dive → Complete CLI Reference.


Language support

Auto-detected from the specification — no per-project configuration:

Language Priority CWEs (examples)
Python SQL injection, OS command injection, unsafe deserialization, path traversal
JavaScript / TypeScript Prototype pollution, XSS, CSRF, SSRF
Java Deserialization, XXE, authorization bypass
Go Race conditions, nil-pointer dereference, resource exhaustion

Compliance & domain coverage

5 regulated-industry playbooks ship today — 43 attack scenarios total, each mapped to a specific rule or control, not a generic label:

Domain Scenarios Regulatory framework
owasp_top10 12 OWASP Top 10 (2021/2025)
finra 9 FINRA Rules 4370, 3110; SEC Rule 17a-4
hipaa 9 HIPAA Security Rule (45 CFR §§160, 164)
soc2 7 AICPA SOC 2 Trust Service Criteria
pci_dss 6 PCI DSS v4.0

Two more (owasp_api_security, nist_ssdf) are available via gauntlex policy install. GDPR, FedRAMP, and DORA are on the roadmap — not available today.

For exactly what's live threat data vs. static playbook content, and how to bring your own domain, see the full Domain Intelligence page.


Enterprise deployment

  • gauntlex dashboard — ARS trend, gate status, and attack-outcome breakdown across every connected repository. One URL for the team.
  • gauntlex serve --rbac — GitHub team-based access control (admin / reviewer / developer) across a shared instance.
  • gauntlex audit — every run listed with NIST SSDF / OWASP SAMM / SOC 2 control mapping, for a configurable window.
  • Air-gapped operation — the full engine runs on local Ollama with zero outbound calls, for environments that can't reach the internet.

Full detail on each: Deep Dive → Enterprise Features.


Learn more

  • Deep Dive — the full story: why concurrent execution matters, how GAUNTLEX compares to SAST/DAST/pentest, the complete CLI and configuration reference, architecture, FAQ, and roadmap.
  • Domain Intelligence — exactly what's covered per regulated domain, what's live vs. static, and how to extend it.
  • Contributing — how to add a policy domain, a language profile, or a feature.

MIT License · Built by Sanjoy Ghosh

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

gauntlex_ai-0.1.0.tar.gz (187.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

gauntlex_ai-0.1.0-py3-none-any.whl (168.6 kB view details)

Uploaded Python 3

File details

Details for the file gauntlex_ai-0.1.0.tar.gz.

File metadata

  • Download URL: gauntlex_ai-0.1.0.tar.gz
  • Upload date:
  • Size: 187.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for gauntlex_ai-0.1.0.tar.gz
Algorithm Hash digest
SHA256 5675cee63571107753af2a745f81b95a2c9bcca78f8ea4ffaede2971f9e2c50d
MD5 d1186b0df13c327ae041fe45b7e217b4
BLAKE2b-256 5773f256b966c689cbf1b59e48407633aa42a72b8bd9b65ce8f15be8a267112f

See more details on using hashes here.

File details

Details for the file gauntlex_ai-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: gauntlex_ai-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 168.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for gauntlex_ai-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 8bf1cce6d0f37a7725f204b1f98e545a8637b349c98bded9ba83b83dff895a6b
MD5 6997e457205bb189cc459320039fbe7e
BLAKE2b-256 613e2b4079a07d0fc80abcd8fa737c71f67c8969e3dee556cb7dd809890875c4

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page