edamametechnologies/edamame_core_api

EDAMAME Core API

Public documentation for the EDAMAME Core API -- the closed-source Rust engine that powers the EDAMAME security platform.

EDAMAME Core provides cross-platform security assessment, threat remediation, network visibility, AI-powered automation, and compliance reporting through a unified API surface. It is consumed by GUI applications (Flutter), CLI tools, and external AI agents via MCP.

EDAMAME Core is available for OEM integration. If you are interested in embedding EDAMAME's security engine into your own product, contact EDAMAME Technologies.

For the full ecosystem overview, see the EDAMAME Technologies profile.


Table of Contents

  1. Architecture
  2. Language and Build
  3. Feature Flags
  4. Multi-Platform Support
  5. API Overview
  6. Event System
  7. gRPC Interface
  8. MCP Server -- see also MCP.md for complete tool reference
  9. Integration Patterns
  10. API Reference
  11. OEM Licensing

Architecture

EDAMAME Core follows a strict three-layer architecture:

+------------------------------------------------------------------+
|                    Consumer Layer                                |
|   Flutter Bridge (GUI)  |  gRPC (CLI)  |  MCP (AI Agents)        |
+------------------------------------------------------------------+
                              |
                              v
+------------------------------------------------------------------+
|                      API Layer (api_*.rs)                        |
|  - Thin wrappers around business logic                           |
|  - Type conversions (internal -> serializable API types)         |
|  - RPC endpoint registration via rpc!() macro                    |
|  - Background task orchestration                                 |
+------------------------------------------------------------------+
                              |
                              v
+------------------------------------------------------------------+
|               Core Manager Layer (core_manager_*.rs)             |
|  - ALL business logic                                            |
|  - State management                                              |
|  - Guard protection for concurrent access                        |
|  - Event triggering                                              |
+------------------------------------------------------------------+
                              |
                              v
+------------------------------------------------------------------+
|                    Core State (core_state.rs)                    |
|  - Shared state containers (Arc<CustomRwLock<>>)                 |
|  - Thread-safe concurrent access                                 |
|  - Feature-gated fields                                          |
+------------------------------------------------------------------+

Key Principles

  • API Layer is always thin: no business logic, only type conversion and delegation
  • CoreManager owns all workflows, validation, and orchestration
  • CoreState wraps all shared data in Arc<CustomRwLock<>> for thread safety
  • Events broadcast state changes to all consumers (Flutter streams, gRPC streams, internal listeners)

API Domains

| Domain | Description |
|---|---|
| Core | Initialization, lifecycle, device info, logging, versioning |
| Score & Threats | Security scoring, threat detection, remediation, rollback |
| Network (Flodbadd) | LAN scanning, packet capture, session analysis, whitelists |
| Breach Detection | Email breach monitoring via HaveIBeenPwned |
| Trust | Domain connection, policy enforcement, compliance reporting |
| Advisor | Security recommendations, RAG-enriched advice |
| Agentic | AI-powered automation, LLM integration, action history |
| MCP | Model Context Protocol server for external AI agents |

Language and Build

EDAMAME Core is written in Rust using the Tokio async runtime. It compiles as a static library (for Apple platforms), dynamic library (for Windows/Linux/Android), or standalone binary (for CLI tools).

# Default build (with Flutter bridge)
cargo build

# Standalone build (CLI tools, no Flutter)
cargo build --features standalone

# macOS CLI with Swift linking
cargo build --features swiftrs

Key Dependencies

| Crate | Purpose |
|---|---|
| tokio | Async runtime (full features) |
| flutter_rust_bridge | Flutter FFI bridge (pinned v2.11.1) |
| tonic / prost | gRPC server and client |
| rmcp | MCP server (Streamable HTTP, v0.8) |
| oauth2 / jsonwebtoken | OAuth 2.0 and JWT validation |
| serde / serde_json | Serialization for API types |

Crate Types

[lib]
crate-type = ["staticlib", "cdylib", "lib"]

  • staticlib: Apple platforms (macOS, iOS) -- linked into Xcode projects
  • cdylib: Windows, Linux, Android -- dynamic library for Flutter or standalone use
  • lib: Rust library for direct linking (CLI tools like edamame_posture, edamame_cli)

Feature Flags

Feature flags control which capabilities are compiled into the binary:

| Feature | Default | Description |
|---|---|---|
| standalone | No | Builds without Flutter bridge; enables packet capture for CLI tools |
| swiftrs | No | Enables Swift-RS linking for macOS CLI tools (without Xcode project) |
| pwned | Yes | Password breach detection via HaveIBeenPwned |
| flodbadd | Yes | Network scanning, packet capture, session analysis, ML anomaly detection |
| trust | Yes | Domain connection, policy enforcement, compliance |
| agentic | Yes | AI-powered security automation (OAuth, JWT, LLM providers) |
| mcp | Yes | MCP server for AI agent integration (requires agentic) |
| userdefaults | Yes | macOS UserDefaults for settings persistence |

Default Feature Set

default = ["userdefaults", "pwned", "flodbadd", "trust", "agentic", "mcp"]

Feature Dependencies

mcp --> agentic --> [oauth2, jsonwebtoken, webbrowser, async-stream]
standalone --> [edamame_foundation/packetcapture, flodbadd/packetcapture, flodbadd/asyncpacketcapture]

Multi-Platform Support

EDAMAME Core targets all major desktop and mobile platforms through conditional compilation:

| Platform | GUI App | Posture CLI | Helper Daemon | Network Capture | eBPF |
|---|---|---|---|---|---|
| macOS | Yes | Yes | Yes | Yes | No |
| Windows | Yes | Yes | Yes | Yes (Npcap) | No |
| Linux | Yes | Yes | Yes | Yes | Yes (x86_64, aarch64) |
| iOS | Yes | No | No | Limited | No |
| Android | Yes | No | No | Limited | No |

Platform-Specific Code

Platform-specific functionality is isolated behind #[cfg(target_os = "...")] gates:

  • macOS/iOS: Native Swift integration via swift-rs for system APIs (notifications, UserDefaults, keychain)
  • Windows: Windows Service integration, Npcap for network capture
  • Linux: eBPF support for zero-copy packet capture and process attribution
  • Android: JNI integration for native Android APIs

How the Flutter App Uses EDAMAME Core

EDAMAME Security is a Flutter desktop/mobile application that consumes EDAMAME Core through flutter_rust_bridge:

Flutter (Dart)
    |
    v
flutter_rust_bridge (auto-generated FFI)
    |
    v
EDAMAME Core API Layer (api_*.rs)
    |
    v
CoreManager (business logic) --> CoreState (shared state)
    |
    v
Events --> StreamSink<u64> --> BehaviorSubject --> Flutter UI

Key integration points:

  • Direct function calls: Each rpc!() endpoint becomes a callable Dart function (e.g., getScore(), remediate(), agenticProcessTodos())
  • Reactive event streams: CoreEvent bitmasks flow through StreamSink to Dart BehaviorSubject, driving UI updates
  • Bridge regeneration: After modifying API endpoints, run tear_down_walls.sh to regenerate the Flutter bridge code

How the Posture CLI Uses EDAMAME Core

EDAMAME Posture is a CLI tool for CI/CD and headless environments that links directly to EDAMAME Core as a Rust library:

edamame_posture (Rust binary)
    |
    v  (direct Rust function calls)
EDAMAME Core API Layer
    |
    v
CoreManager --> CoreState

Key integration points:

  • Direct static linking: edamame_posture calls API functions directly (e.g., compute_score(), remediate(), get_sessions())
  • Feature flag standalone: Built without Flutter bridge, enables packet capture
  • Synchronous wrappers: Uses the _sync variants of async functions for CLI convenience
  • Exit codes: Translates API results into CI/CD-compatible exit codes (0=success, 1=policy fail, 2=server error, 3=param error, 4=timeout)

Example Posture CLI commands and the API calls they map to:

| CLI Command | API Calls |
|---|---|
| edamame-posture get-score | compute_score() then get_score(true) |
| edamame-posture remediate-all-threats | get_score(false) then remediate(name, false) for each threat |
| edamame-posture check-policy 3.5 "firewall" "SOC-2" | check_policy(3.5, [...], [...]) |
| edamame-posture lanscan | get_lanscan(true, false, false) |
| edamame-posture get-sessions | get_sessions() |
| edamame-posture background-start ... | initialize() + start_capture() + daemon loop |

How EDAMAME CLI Provides Generic API Access

EDAMAME CLI provides dynamic RPC access to the entire EDAMAME Core API surface:

edamame_cli (Rust binary)
    |
    v  (dynamic RPC dispatch)
rpc_call(method_name, json_args) --> EDAMAME Core Handler Registry
    |
    v
API Layer --> CoreManager --> CoreState

Key integration points:

  • Method discovery: list-methods and get-method-info enumerate all registered RPC endpoints at runtime
  • Dynamic invocation: rpc <method> [json_args] calls any API method by name with JSON arguments
  • Interactive REPL: interactive mode for exploring the API
  • Remote RPC: Can connect to a running EDAMAME Core instance over TLS-secured gRPC

Example EDAMAME CLI usage:

# List all available API methods
edamame-cli list-methods

# Get method signature and types
edamame-cli get-method-info get_score

# Call API methods with JSON arguments
edamame-cli rpc get_score '["true"]'
edamame-cli rpc get_device_info --pretty
edamame-cli rpc remediate '["firewall_disabled", "false"]'

# Interactive exploration
edamame-cli interactive

API Overview

All API methods are registered via the rpc!() macro, which generates:

  1. Async implementation (method_name_async()) -- the actual function
  2. Handler -- registered in the handler registry for gRPC dispatch
  3. Remote RPC wrappers -- for calling a remote EDAMAME Core instance
  4. API metadata -- parameter names, types, and return type for discovery

RPC Macro Pattern

// Declaration
rpc!(get_score(complete_only: bool) -> ScoreAPI);

// Generated async function (implemented by developer)
pub async fn get_score_async(complete_only: bool) -> ScoreAPI {
    CORE_MANAGER.read().await.get_score(complete_only).await
}

// Auto-generated: handler, remote RPC wrappers, metadata registration

API Registries

| Registry | Purpose |
|---|---|
| HANDLER_REGISTRY | Maps method name to async handler for gRPC dispatch |
| RPC_REGISTRY | Maps method name to sync RPC wrapper |
| RPC_ASYNC_REGISTRY | Maps method name to async RPC wrapper |
| API_REGISTRY | Maps method name to APIInfo (args, return type) for discovery |

Event System

EDAMAME Core uses a bitmask-based event system for broadcasting state changes. Each event is a power of 2, allowing efficient OR-combined event masks.

Events are delivered to all registered consumers:

  • Flutter: StreamSink<u64> delivering to Dart BehaviorSubject
  • gRPC: Server-streaming RPC (subscribe_to_events)
  • Internal: mpsc::Sender channels for in-process listeners

Event Definitions (52 events)

See EVENTS.md for the complete event reference.

| Event | Value | Description |
|---|---|---|
| AppOutdated | 1 | Application version is outdated |
| ConnectionError | 2 | Backend connection failed |
| ConnectionStatusUpdated | 4 | Connection status changed |
| ConnectionSuccess | 8 | Backend connection established |
| DeviceAdded | 16 | New device discovered on network |
| DevicesProgress | 32 | Device scan progress update |
| DevicesUpdated | 64 | Device list changed |
| HealthChanged | 128 | Health-monitoring state changed |
| HealthCompleted | 256 | Health-monitoring run completed |
| HealthStarted | 512 | Health-monitoring run started |
| HelperStateChanged | 1024 | Privileged helper daemon state changed |
| LANScanCancelStarted | 2048 | LAN scan cancellation initiated |
| LANScanCompleted | 4096 | LAN scan finished |
| LANScanStarted | 8192 | LAN scan started |
| MetricCompleted | 16384 | Single threat metric evaluation completed |
| NetworkChanged | 32768 | Network configuration changed |
| PINError | 65536 | Domain PIN verification failed |
| PINSuccess | 131072 | Domain PIN verification succeeded |
| ScoreCanceled | 262144 | Score computation was canceled |
| LANScanUpdated | 524288 | LAN scan results updated incrementally |
| ScoreComputationRequested | 1048576 | Score computation was requested |
| ScoreComputationStarted | 2097152 | Score computation began |
| ScoreDecreased | 4194304 | Security score decreased |
| ScoreIncreased | 8388608 | Security score increased |
| ScoreCompleted | 16777216 | Score computation finished |
| ScoreReported | 33554432 | Score was reported to backend |
| PoliciesStatusChanged | 67108864 | Policy compliance status changed |
| CommunityDevicesUpdated | 134217728 | Community/P2P device list updated |
| BreachesUpdated | 268435456 | Breach data updated |
| SessionsUpdated | 536870912 | Network sessions updated |
| AnomalousSessionsAdded | 1073741824 | ML-detected anomalous sessions found |
| BlacklistedSessionsAdded | 2147483648 | Blacklisted sessions detected |
| AdvisorUpdated | 4294967296 | Security advisor recommendations changed |
| AgenticUpdated | 8589934592 | AI automation state changed |
| AgenticConfirmed | 17179869184 | AI action confirmed |
| AgenticEscalated | 34359738368 | AI action escalated for review |
| DomainLimitReached | 68719476736 | Domain device limit reached |
| AgenticStatusUpdated | 137438953472 | AI subscription/status changed |
| LimitReached | 274877906944 | Subscription usage limit reached |
| ConnectivityChanged | 549755813888 | Internet connectivity state changed |
| BehavioralModelUpdated | 1099511627776 | Behavioral model added, updated, or cleared |
| DivergenceDetected | 2199023255552 | Divergence verdict transitioned to DIVERGENCE |
| DivergenceClean | 4398046511104 | Divergence verdict returned to CLEAN |
| L7TagsUpdated | 8796093022208 | Layer-7 enrichment tags changed |
| DivergenceUpdated | 17592186044416 | Divergence or vulnerability-monitor state changed |

Event Broadcasting

// Trigger an event from CoreManager
event_manager.trigger_event(CoreEvent::ScoreCompleted);

// Events are OR-combined for efficient delivery
// A consumer receiving value 16777224 means:
//   ScoreCompleted (16777216) | ConnectionSuccess (8) both fired
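
Decoding a received mask on the consumer side, as an added example (not EDAMAME code). Event values are copied from the table above; the function names, the choice of `ALERT_MASK`, and the handling of a mask that carries both divergence events are assumptions of this example.

```rust
// Added example, not EDAMAME code. Values are copied from the event table
// on this page; only the events this hypothetical consumer handles are listed.
const CONNECTION_SUCCESS: u64 = 8;
const PIN_ERROR: u64 = 65_536;
const SCORE_DECREASED: u64 = 4_194_304;
const SCORE_COMPLETED: u64 = 16_777_216;
const ANOMALOUS_SESSIONS_ADDED: u64 = 1_073_741_824;
const BLACKLISTED_SESSIONS_ADDED: u64 = 2_147_483_648;
const DIVERGENCE_DETECTED: u64 = 2_199_023_255_552;
const DIVERGENCE_CLEAN: u64 = 4_398_046_511_104;

const KNOWN: &[(&str, u64)] = &[
    ("ConnectionSuccess", CONNECTION_SUCCESS),
    ("PINError", PIN_ERROR),
    ("ScoreDecreased", SCORE_DECREASED),
    ("ScoreCompleted", SCORE_COMPLETED),
    ("AnomalousSessionsAdded", ANOMALOUS_SESSIONS_ADDED),
    ("BlacklistedSessionsAdded", BLACKLISTED_SESSIONS_ADDED),
    ("DivergenceDetected", DIVERGENCE_DETECTED),
    ("DivergenceClean", DIVERGENCE_CLEAN),
];

// Assumption: which events should reach an operator is this example's choice.
const ALERT_MASK: u64 = PIN_ERROR
    | SCORE_DECREASED
    | ANOMALOUS_SESSIONS_ADDED
    | BLACKLISTED_SESSIONS_ADDED
    | DIVERGENCE_DETECTED;

/// Splits a mask into the names of known events and the bits left over.
/// Leftover bits are events KNOWN does not list; they are returned rather
/// than dropped so the caller can log them.
pub fn decode(mask: u64) -> (Vec<&'static str>, u64) {
    let mut names = Vec::new();
    let mut unknown = mask;
    for &(name, bit) in KNOWN {
        if mask & bit != 0 {
            names.push(name);
            unknown &= !bit;
        }
    }
    (names, unknown)
}

/// Names of the alert-worthy events contained in a mask.
pub fn alerts(mask: u64) -> Vec<&'static str> {
    decode(mask & ALERT_MASK).0
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Divergence {
    Clean,
    Diverged,
}

/// Folds one mask into the tracked divergence state. If a single mask carries
/// both DivergenceDetected and DivergenceClean, their order cannot be
/// recovered from the bitmask, so the state stays Diverged until a later
/// mask carries DivergenceClean alone.
pub fn track(state: Divergence, mask: u64) -> Divergence {
    let detected = mask & DIVERGENCE_DETECTED != 0;
    let clean = mask & DIVERGENCE_CLEAN != 0;
    match (detected, clean) {
        (true, _) => Divergence::Diverged,
        (false, true) => Divergence::Clean,
        (false, false) => state,
    }
}

fn main() {
    // Constructed sample stream; the first value is the one discussed above.
    let stream: [u64; 3] = [
        16_777_224,
        DIVERGENCE_DETECTED | ANOMALOUS_SESSIONS_ADDED,
        DIVERGENCE_CLEAN | (1 << 50),
    ];
    let mut state = Divergence::Clean;
    for &mask in stream.iter() {
        let (names, unknown) = decode(mask);
        state = track(state, mask);
        println!(
            "{}: {:?} unknown={:#x} alerts={:?} state={:?}",
            mask, names, unknown, alerts(mask), state
        );
    }
}
```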

gRPC Interface

EDAMAME Core exposes a gRPC server for remote API access and event streaming. This is the interface used by edamame_cli and can be used by any gRPC client.

Protocol Definition

syntax = "proto2";
package edamame;

message HelperRequest {
  required string ordertype = 1;
  required string subordertype = 2;
  required string arg1 = 3;
  required string arg2 = 4;
  required string signature = 5;
  required string version = 6;
}

message HelperResponse {
  required string output = 1;
}

service EDAMAMEHelper {
  rpc Execute(HelperRequest) returns (HelperResponse);
}

RPC Call Flow

Client (edamame_cli / custom)
    |
    | TLS (mTLS with client certificates)
    v
gRPC Server (api_rx.rs)
    |
    v
HANDLER_REGISTRY.get(method_name)
    |
    v
API Handler --> CoreManager --> Response (JSON serialized)

Security

  • mTLS: Client and server certificates for mutual authentication
  • Certificate configuration via environment variables:
    • EDAMAME_CA_PEM -- Certificate Authority
    • EDAMAME_CLIENT_PEM -- Client certificate
    • EDAMAME_CLIENT_KEY -- Client private key

Event Streaming

Clients can subscribe to real-time events via server-streaming RPC:

Client --> subscribe_to_events() --> Stream<u64>
                                      |
                                      v
                              Bitmask of fired events

MCP Server

EDAMAME Core includes an MCP (Model Context Protocol) server, enabling external AI assistants (like Claude Desktop, n8n, or custom agents) to interact with the security platform.

Configuration

| Setting | Default | Description |
|---|---|---|
| Transport | Streamable HTTP | rmcp SDK v0.8 |
| Port | 3000 | Configurable |
| Bind address | 127.0.0.1 | listen_all_interfaces for remote access |
| Authentication | Dual-mode | Per-client credentials or shared PSK |

Dual-Mode Authentication

The MCP server supports two authentication modes:

  1. Per-client credentials (app-mediated pairing): Desktop clients POST to the unauthenticated /mcp/pair endpoint with client metadata. The user approves the request in the host app UI. The client receives an edm_mcp_... credential and uses it as Authorization: Bearer edm_mcp_.... See MCP.md for pairing endpoint details.

  2. Shared PSK (CLI/headless): A legacy Bearer token passed at server start. Used by CLI tools, provisioning scripts, and automation. The PSK can be provided via the EDAMAME_MCP_PSK environment variable or stored in ~/.edamame_psk (owner-read/write only, chmod 600).

For edamame_posture, generate a PSK with:

edamame_posture background-mcp-generate-psk

For the EDAMAME Security desktop app, configure credentials under AI tab > MCP Server Settings (pairing UI or shared PSK).

MCP Tools Exposed (33 tools)

See MCP.md for the complete MCP tools reference with parameters, return types, and L7 session field documentation.

| # | Tool | Category | Description |
|---|---|---|---|
| 1 | advisor_get_todos | Advisor | Security todos list |
| 2 | advisor_get_action_history | Advisor | AI action audit trail |
| 3 | advisor_undo_action | Advisor | Rollback specific action |
| 4 | advisor_undo_all_actions | Advisor | Rollback all actions |
| 5 | get_sessions | Observation | All sessions with L7 enrichment (active_only, limit) |
| 6 | get_anomalous_sessions | Observation | ML-flagged anomalous sessions |
| 7 | get_blacklisted_sessions | Observation | Sessions to known-bad destinations |
| 8 | get_exceptions | Observation | Whitelist/policy violations |
| 9 | get_lan_devices | Observation | LAN device inventory |
| 10 | get_lan_host_device | Observation | This host's LAN identity |
| 11 | get_breaches | Observation | HIBP breach data |
| 12 | get_score | Observation | Full posture score |
| 13 | add_pwned_email | Identity | Add email to breach monitoring |
| 14 | remove_pwned_email | Identity | Remove email from monitoring |
| 15 | get_pwned_emails | Identity | List monitored emails |
| 16 | set_lan_auto_scan | LAN Config | Toggle continuous scanning |
| 17 | agentic_process_todos | Agentic | AI-powered todo processing |
| 18 | agentic_execute_action | Agentic | Execute pending action |
| 19 | agentic_get_workflow_status | Agentic | Workflow progress |
| 20 | upsert_behavioral_model | Divergence | Push reasoning-plane behavioral model |
| 21 | upsert_behavioral_model_from_raw_sessions | Divergence | Push raw sessions, EDAMAME LLM generates model |
| 22 | get_behavioral_model | Divergence | Read stored behavioral model |
| 23 | get_divergence_verdict | Divergence | Get latest divergence verdict (read-only) |
| 24 | get_divergence_history | Divergence | Rolling divergence verdict history (read-only) |
| 25 | get_divergence_engine_status | Divergence | Divergence engine status (read-only) |
| 26 | get_vulnerability_findings | Vulnerability | CVE-aligned heuristic findings (read-only) |
| 27 | get_vulnerability_detector_status | Vulnerability | Detector runtime status (read-only) |
| 28 | get_vulnerability_history | Vulnerability | Rolling history of attack pattern detector reports (read-only) |
| 29 | list_agentic_dismissal_rules | Dismissal | Read-only: active recurrence-aware dismissal rules with telemetry |
| 30 | list_agentic_dismissal_audit_log | Dismissal | Read-only: audit log of dismissal-rule lifecycle events |
| 31 | get_file_events | FIM | Recent FIM events snapshot |
| 32 | get_file_monitor_status | FIM | FIM watcher running state and roots |
| 33 | get_file_event_summary | FIM | Aggregated FIM event summary |

Observer-independence policy (CRITICAL): The reasoning plane (LLM agent) must not be able to silence security findings about its own behavior. Therefore, the MCP surface for divergence and vulnerability findings is read-only. Dismissal mutation operations (dismiss_*, undismiss_*, dismiss_*_with_scope, clear_divergence_state, clear_vulnerability_history, reset_vulnerability_suppressions, remove_agentic_dismissal_rule, set_agentic_dismissal_rule_severity_ceiling, reset_agentic_dismissal_rules, clear_agentic_dismissal_audit_log) are operator-only via the EDAMAME app UI (AI tab > Dismissal rules) and the edamame_cli RPC surface. The corresponding RPC endpoints remain available -- only their MCP tool exposure is removed.

Lifecycle controls (start_divergence_engine, start_vulnerability_detector, agentic_set_auto_processing, start_file_monitor, stop_file_monitor) are direct RPC/CLI control plane methods and are intentionally not exposed via MCP tools either.
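
A regression check for the observer-independence policy, as an added example (not EDAMAME code): it takes a list of exposed MCP tool names and reports any that match the operator-only or lifecycle names given above. The tool list is copied from the table on this page; the function names and the drifted list in `main` are constructed for illustration.

```rust
// Added example, not EDAMAME code. Tool names are copied from the MCP tools
// table on this page; patterns are copied from the policy text above.
const EXPOSED_TOOLS: &[&str] = &[
    "advisor_get_todos", "advisor_get_action_history", "advisor_undo_action",
    "advisor_undo_all_actions", "get_sessions", "get_anomalous_sessions",
    "get_blacklisted_sessions", "get_exceptions", "get_lan_devices",
    "get_lan_host_device", "get_breaches", "get_score", "add_pwned_email",
    "remove_pwned_email", "get_pwned_emails", "set_lan_auto_scan",
    "agentic_process_todos", "agentic_execute_action", "agentic_get_workflow_status",
    "upsert_behavioral_model", "upsert_behavioral_model_from_raw_sessions",
    "get_behavioral_model", "get_divergence_verdict", "get_divergence_history",
    "get_divergence_engine_status", "get_vulnerability_findings",
    "get_vulnerability_detector_status", "get_vulnerability_history",
    "list_agentic_dismissal_rules", "list_agentic_dismissal_audit_log",
    "get_file_events", "get_file_monitor_status", "get_file_event_summary",
];

const OPERATOR_ONLY: &[&str] = &[
    // Dismissal mutation operations (operator-only).
    "dismiss_*", "undismiss_*", "dismiss_*_with_scope",
    "clear_divergence_state", "clear_vulnerability_history",
    "reset_vulnerability_suppressions", "remove_agentic_dismissal_rule",
    "set_agentic_dismissal_rule_severity_ceiling",
    "reset_agentic_dismissal_rules", "clear_agentic_dismissal_audit_log",
    // Lifecycle controls, also kept off the MCP surface.
    "start_divergence_engine", "start_vulnerability_detector",
    "agentic_set_auto_processing", "start_file_monitor", "stop_file_monitor",
];

/// Whole-name glob match where `*` matches any run of characters, including
/// none. Matching is anchored at both ends, exactly as the patterns are written.
pub fn glob_match(pattern: &str, name: &str) -> bool {
    let (p, n) = (pattern.as_bytes(), name.as_bytes());
    let (mut pi, mut ni) = (0usize, 0usize);
    let mut star: Option<usize> = None; // position of the last `*` seen
    let mut mark = 0usize;              // name position that `*` resumes from
    while ni < n.len() {
        if pi < p.len() && p[pi] == b'*' {
            star = Some(pi);
            mark = ni;
            pi += 1;
        } else if pi < p.len() && p[pi] == n[ni] {
            pi += 1;
            ni += 1;
        } else if let Some(s) = star {
            // Backtrack: let the last `*` absorb one more character.
            pi = s + 1;
            mark += 1;
            ni = mark;
        } else {
            return false;
        }
    }
    while pi < p.len() && p[pi] == b'*' {
        pi += 1;
    }
    pi == p.len()
}

/// Returns (tool, first matching pattern) for every exposed tool that the
/// policy reserves for operators.
pub fn violations<'a>(tools: &[&'a str]) -> Vec<(&'a str, &'static str)> {
    let mut found = Vec::new();
    for &tool in tools {
        if let Some(&pat) = OPERATOR_ONLY.iter().find(|p| glob_match(p, tool)) {
            found.push((tool, pat));
        }
    }
    found
}

fn main() {
    println!("documented surface: {:?}", violations(EXPOSED_TOOLS));
    // Constructed drift scenario; the second name is made up to fit a pattern.
    let drifted = ["get_score", "dismiss_divergence_with_scope", "stop_file_monitor"];
    println!("drifted surface:    {:?}", violations(&drifted));
}
```

In practice the input would be the tool list the running MCP server actually advertises, so the check fails when a mutation or lifecycle method is exposed by mistake.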

Behavioral-model payloads use the v3 schema:

  • expected dimensions: expected_traffic, expected_sensitive_files, expected_lan_devices, expected_local_open_ports, expected_process_paths, expected_parent_paths, expected_grandparent_paths, expected_open_files, expected_l7_protocols, expected_system_config
  • negative dimensions: not_expected_traffic, not_expected_sensitive_files, not_expected_lan_devices, not_expected_local_open_ports, not_expected_process_paths, not_expected_parent_paths, not_expected_grandparent_paths, not_expected_open_files, not_expected_l7_protocols, not_expected_system_config
  • scope filters: scope_process_paths, scope_parent_paths, scope_grandparent_paths, scope_any_lineage_paths
  • expected traffic: domain-suffix (host:port) or ASN (asn:OWNER_SUBSTRING)

MCP API Methods

mcp_start_server(port, psk, enable_cors, listen_all_interfaces) -> String
mcp_stop_server() -> String
mcp_get_server_status() -> String
mcpApprovePairing(request_id: String) -> String
mcpRejectPairing(request_id: String) -> String
mcpListPairedClients() -> String
mcpGetPendingPairingRequests() -> String
mcpRevokePairedClient(client_id: String) -> String
mcpRotatePairedClient(client_id: String) -> String

PSK generation is available via the Posture CLI: edamame-posture mcp-generate-psk


Integration Patterns

Pattern 1: GUI Application (Flutter)

Used by EDAMAME Security.

Flutter App
    |-- flutter_rust_bridge (FFI) --> EDAMAME Core (staticlib/cdylib)
    |-- Event streams via StreamSink
    |-- Direct function calls to all API endpoints
    |-- Full feature set (all default features enabled)

Build: cargo build (default features, with Flutter bridge)

Pattern 2: CLI Tool with Domain-Specific Commands

Used by EDAMAME Posture.

edamame_posture (Rust binary)
    |-- Links edamame_core as Rust library dependency
    |-- Calls API functions directly (no FFI overhead)
    |-- Built with `standalone` feature (no Flutter, enables packet capture)
    |-- Translates results to exit codes for CI/CD

Build: cargo build --features standalone

Pattern 3: Generic RPC Explorer

Used by EDAMAME CLI.

edamame_cli (Rust binary)
    |-- Links edamame_core as Rust library dependency
    |-- Dynamic method discovery via API_REGISTRY
    |-- Calls any method by name with JSON arguments
    |-- Interactive REPL for exploration
    |-- Can also connect to remote instances via gRPC

Build: cargo build --features standalone,swiftrs (macOS) or cargo build --features standalone (other)

Pattern 4: AI Agent via MCP

Used by Claude Desktop, n8n, or custom AI agents.

AI Agent (Claude Desktop / n8n / custom)
    |-- Streamable HTTP (localhost:3000)
    |-- Bearer token authentication (per-client credential or shared PSK)
    |-- Tool calls: advisor_get_todos, agentic_process_todos, etc.
    |-- Human-in-the-loop: agents escalate risky actions

Configuration: Start MCP server via mcp_start_server() API call or edamame-posture mcp-start. Use app-mediated pairing for per-client credentials, or shared PSK for CLI/headless.


API Reference

Complete list of all RPC-registered API methods, organized by domain. Each method is callable via:

  • Direct Rust function call (CLI tools)
  • Flutter bridge (GUI app)
  • gRPC RPC dispatch (remote clients)
  • MCP tools (AI agents, for selected methods)

See API_REFERENCE.md for the full API reference with parameter types and descriptions.

Core (26 methods)

System lifecycle, device information, and platform management.

| Method | Parameters | Returns | Description |
|---|---|---|---|
| initialize | executable_type, branch, locale, ... | void | Initialize EDAMAME Core |
| terminate | exit: bool | void | Clean shutdown |
| get_device_info | -- | SystemInfoAPI | Device hardware/OS info |
| get_core_version | -- | String | Core library version |
| get_core_info | -- | String | Core build info |
| get_branch | -- | String | Active threat model branch |
| get_admin_status | -- | bool | Whether running with admin/root |
| is_helper_enabled | -- | bool | Helper daemon availability |
| get_helper_state | -- | String | Helper daemon state |
| get_helper_url | -- | String | Helper daemon URL |
| is_outdated_app | -- | bool | Whether app is outdated |
| get_app_url | -- | String | App download URL |
| get_app_latest_version | -- | String | Latest available version |
| is_from_store | -- | bool | Whether installed from app store |
| set_demo_mode | demo_mode_on: bool | void | Toggle demo mode |
| set_demo_platform | platform: String | void | Override platform for demo |
| clear_demo_platform | -- | void | Clear platform override |
| get_demo_platform | -- | String | Current demo platform |
| get_all_logs | -- | String | Complete log output |
| get_new_logs | -- | String | Logs since last call |
| unified_log | level: LogLevel, log: String | void | Send log from consumer |
| get_globalpreferences_status | -- | bool | macOS privacy settings |
| prompt_globalpreferences | title, message | void | Prompt for privacy access |
| withdraw_globalpreferences | -- | void | Withdraw privacy prompt |
| get_community_devices | -- | Vec<CommunityDeviceAPI> | P2P community devices |
| get_p2p_stats | -- | P2PStatsAPI | P2P network statistics |

Score & Threats (11 methods)

Security scoring, threat detection, and remediation.

| Method | Parameters | Returns | Description |
|---|---|---|---|
| compute_score | -- | void | Trigger score computation |
| get_score | complete_only: bool | ScoreAPI | Get security score and threats |
| get_last_computed_secs | -- | i64 | Seconds since last computation |
| get_threat_by_name | name: String | Option<ThreatAPI> | Get specific threat details |
| check_policy | minimum_score, threat_ids, tag_prefixes | bool | Check policy compliance |
| get_tag_prefixes | -- | Vec<String> | Available threat tag prefixes |
| remediate | name: String, dont_report: bool | ThreatResultAPI | Remediate a threat |
| rollback | name: String, dont_report: bool | ThreatResultAPI | Rollback a remediation |
| update_threats | -- | void | Update threat models from cloud |
| get_threats_url | -- | String | Threat model source URL |
| get_history | -- | OrderHistoryAPI | Remediation history |

Network / Flodbadd (71 methods)

LAN scanning, packet capture, session analysis, whitelists/blacklists, and anomaly detection.

| Method | Parameters | Returns | Description |
|---|---|---|---|
| get_lanscan | scan, deep_scan, wide_scan | LANScanAPI | Perform LAN scan |
| get_devices | -- | Vec<DeviceInfoAPI> | All discovered devices |
| get_active_local_devices | -- | Vec<DeviceInfoAPI> | Currently active devices |
| cancel_scan | -- | void | Cancel running scan |
| start_capture | -- | void | Start packet capture |
| stop_capture | -- | void | Stop packet capture |
| is_capturing | -- | bool | Capture running status |
| get_sessions | -- | Vec<SessionInfoAPI> | All captured sessions |
| get_current_sessions | -- | Vec<SessionInfoAPI> | Active sessions |
| get_lan_sessions | all: bool | LANSessionsAPI | LAN-specific sessions |
| get_anomalous_sessions | -- | Vec<SessionInfoAPI> | ML-detected anomalies |
| get_blacklisted_sessions | -- | Vec<SessionInfoAPI> | Blacklisted sessions |
| get_whitelist_exceptions | -- | Vec<SessionInfoAPI> | Whitelist violations |
| get_whitelist_conformance | -- | bool | Whitelist compliance status |
| get_anomalous_status | -- | bool | Any anomalies detected |
| get_blacklisted_status | -- | bool | Any blacklisted traffic |
| set_whitelist | whitelist_name: String | void | Set active whitelist |
| set_custom_whitelists | whitelist_json: String | void | Set custom whitelist rules |
| create_custom_whitelists | -- | String | Generate whitelist from traffic |
| set_custom_blacklists | blacklist_json: String | void | Set custom blacklist rules |
| set_filter | filter: SessionFilterAPI | void | Set session display filter |
| get_filter | -- | SessionFilterAPI | Get current filter |
| get_network | -- | NetworkAPI | Current network info |
| set_network | network: NetworkAPI | void | Set network config |
| get_device_remediation | ip_address: String | String | AI remediation for device |
| get_session_remediation | uid: String | String | AI remediation for session |
| get_packet_stats | -- | PacketStatsAPI | Capture statistics |
| get_analyzer_stats | -- | AnalyzerStatsAPI | ML analyzer statistics |
| ... | | | See API_REFERENCE.md for all 71 methods |

L7 Session Enrichment

Every session returned by get_sessions and related methods includes deep L7 process attribution fields. See MCP.md for the complete field reference.

Key fields: pid, process_name, process_path, cmd, cwd, parent_pid, parent_process_name, parent_process_path, parent_cmd, parent_script_path, grandparent_pid, grandparent_process_name, grandparent_process_path, grandparent_cmd, grandparent_script_path, spawned_from_tmp, open_files, memory, cpu_usage, disk_usage.

  • Process lineage: Full parent and grandparent chain for detecting script-based and interpreter-wrapped attacks
  • Sensitive file detection: SSH keys, credentials, keychains tracked in open_files (sticky across refresh cycles)
  • Temp-origin detection: spawned_from_tmp flags processes originating from /tmp/, /var/tmp/, /dev/shm/
  • Refresh cycles: Full L7 refresh every 5 minutes; sensitive files re-scanned every 30s (Linux), 60s (macOS), 120s (Windows)
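
Consumer-side triage over these fields, as an added example (not EDAMAME code): it combines temp-origin lineage with sensitive open files to rank sessions for review. Field names follow the list above; the Rust types, the `SENSITIVE_MARKERS` substrings, the priority levels and the sample sessions are assumptions constructed for this example.

```rust
// Added example, not EDAMAME code. Field names follow the "Key fields" list
// above; the Rust types and SENSITIVE_MARKERS are assumptions of this example.
const TEMP_ROOTS: &[&str] = &["/tmp/", "/var/tmp/", "/dev/shm/"];
const SENSITIVE_MARKERS: &[&str] = &["/.ssh/", "/.aws/credentials", ".keychain"];

pub struct Session<'a> {
    pub process_path: &'a str,
    pub parent_process_path: &'a str,
    pub parent_script_path: &'a str,
    pub grandparent_process_path: &'a str,
    pub grandparent_script_path: &'a str,
    pub spawned_from_tmp: bool,
    pub open_files: Vec<&'a str>,
}

#[derive(Debug, Clone, Copy, PartialEq)]
pub enum Priority {
    Low,
    Medium,
    High,
}

fn in_temp(path: &str) -> bool {
    TEMP_ROOTS.iter().any(|root| path.starts_with(*root))
}

/// Lineage entries (field name, path) that live under a temp root.
pub fn temp_lineage<'a>(s: &Session<'a>) -> Vec<(&'static str, &'a str)> {
    let lineage = [
        ("process_path", s.process_path),
        ("parent_process_path", s.parent_process_path),
        ("parent_script_path", s.parent_script_path),
        ("grandparent_process_path", s.grandparent_process_path),
        ("grandparent_script_path", s.grandparent_script_path),
    ];
    lineage.iter().filter(|(_, path)| in_temp(path)).cloned().collect()
}

/// Open files whose path contains one of the sensitive markers.
pub fn sensitive_files<'a>(s: &Session<'a>) -> Vec<&'a str> {
    s.open_files
        .iter()
        .copied()
        .filter(|f| SENSITIVE_MARKERS.iter().any(|m| f.contains(*m)))
        .collect()
}

/// High when temp origin and sensitive file access coincide, Medium for
/// either alone, Low otherwise.
pub fn triage(s: &Session<'_>) -> Priority {
    let from_temp = s.spawned_from_tmp || !temp_lineage(s).is_empty();
    let sensitive = !sensitive_files(s).is_empty();
    match (from_temp, sensitive) {
        (true, true) => Priority::High,
        (false, false) => Priority::Low,
        _ => Priority::Medium,
    }
}

// Builds a constructed sample session with a fixed, benign parent chain.
fn sample<'a>(process: &'a str, parent_script: &'a str, files: &[&'a str]) -> Session<'a> {
    Session {
        process_path: process,
        parent_process_path: "/bin/sh",
        parent_script_path: parent_script,
        grandparent_process_path: "/usr/sbin/sshd",
        grandparent_script_path: "",
        spawned_from_tmp: false,
        open_files: files.to_vec(),
    }
}

/// Constructed sessions. In the third one the flag is left false to exercise
/// the lineage check alone; how the core sets it there is not stated here.
pub fn samples() -> Vec<Session<'static>> {
    vec![
        sample("/usr/bin/curl", "", &[]),
        sample("/usr/bin/ssh", "", &["/home/dev/.ssh/id_ed25519"]),
        sample("/usr/bin/python3", "/tmp/update.sh", &["/home/dev/.ssh/id_ed25519"]),
        Session { spawned_from_tmp: true, ..sample("/dev/shm/runner", "", &[]) },
    ]
}

fn main() {
    for s in samples().iter() {
        println!(
            "{:<18} {:?} temp={:?} sensitive={:?}",
            s.process_path, triage(s), temp_lineage(s), sensitive_files(s)
        );
    }
}
```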

Breach Detection / Pwned (8 methods)

Email breach monitoring via HaveIBeenPwned integration. Supports dynamic add/remove of monitored emails via add_pwned_email and remove_pwned_email, enabling runtime identity registration (e.g., from an AI agent's introspection loop). Also available as MCP tools (see MCP.md).

| Method | Parameters | Returns | Description |
|---|---|---|---|
| add_pwned_email | email: String | bool | Monitor email for breaches |
| remove_pwned_email | email: String | bool | Stop monitoring email |
| get_breaches_for_email | email: String | PwnedAPI | Breaches for specific email |
| get_all_breaches | -- | PwnedAPI | All breaches across emails |
| get_breach_by_name_and_email | name, email | Option<PwnedItemAPI> | Specific breach details |
| get_multi_email_summary | -- | PwnedMultiEmailAPI | Summary across all emails |
| toggle_breach_for_email | email, name, dismiss: bool | void | Dismiss/undismiss a breach |
| get_breach_remediation | name, description, is_service | String | AI remediation advice |

Trust & Compliance (13 methods)

Domain connection, policy enforcement, and compliance reporting.

| Method | Parameters | Returns | Description |
|---|---|---|---|
| set_credentials | user, domain, pin | void | Set domain credentials |
| connect_domain | -- | void | Connect to managed domain |
| disconnect_domain | -- | void | Disconnect from domain |
| request_pin | -- | void | Request domain PIN |
| get_connection | -- | ConnectionStatusAPI | Connection status |
| get_last_report_secs | -- | i64 | Seconds since last report |
| get_last_report_signature | -- | String | Cryptographic report signature |
| get_signature_from_score_with_email | email: String | String | Generate signed score |
| request_report_from_signature | email, signature, format | void | Request compliance report |
| check_policy_for_domain | signature, domain, policy_name | bool | Check specific policy |
| check_policies_for_domain | signature, domain | Vec<PoliciesStatusAPI> | Check all policies |
| check_policies_for_current_domain | -- | Vec<PoliciesStatusAPI> | Policies for current domain |
| user_feedback | context, note, email, app_log, helper_log | void | Submit user feedback |

Advisor (6 methods)

Security recommendations and AI-enriched advice.

| Method | Parameters | Returns | Description |
|---|---|---|---|
| get_advisor | -- | AdvisorAPI | Full advisor state with todos |
| get_advisor_state | -- | AdvisorStateAPI | Summary advisor state |
| is_advisor_fully_resolved | -- | bool | All todos resolved |
| get_advisor_rag_prompt | -- | String | RAG-enriched prompt for LLM |
| get_advisor_remediation | question: String | String | AI advice for question |
| request_advisor_report | email: String | void | Email advisor report |

Agentic / AI Automation (69 methods)

AI-powered security automation with multiple LLM providers.

| Method | Parameters | Returns | Description |
|---|---|---|---|
| `agentic_process_todos` | `confirmation_level: i32` | `AgenticResultsAPI` | AI-powered todo processing |
| `agentic_get_action_history` | -- | `Vec<ActionRecordAPI>` | Action audit trail |
| `agentic_execute_action` | `action_id: String` | `bool` | Execute pending action |
| `agentic_undo_action` | `action_id: String` | `bool` | Undo specific action |
| `agentic_retry_action` | `action_id: String` | `bool` | Retry failed action |
| `agentic_undo_all_actions` | -- | `UndoAllResultAPI` | Undo all actions |
| `agentic_cancel_processing` | -- | `bool` | Cancel current processing |
| `agentic_set_auto_processing` | `enabled, interval_secs, mode` | `bool` | Configure auto-processing |
| `agentic_get_auto_processing_status` | -- | `AgenticAutoProcessingStatusAPI` | Auto-processing config |
| `agentic_set_llm_config` | `provider, api_key, model, ...` | `bool` | Configure LLM provider |
| `agentic_get_llm_config` | -- | `LLMConfigInfoAPI` | Current LLM and delivery config |
| `agentic_set_telegram_interactive_config` | `enabled: bool, allowed_user_ids: Vec<i64>` | `bool` | Configure Telegram predefined interactive replies |
| `agentic_test_llm` | -- | `LLMTestResultAPI` | Test LLM connectivity |
| `agentic_get_workflow_status` | -- | `Option<AgenticWorkflowStatusAPI>` | Current workflow state |
| `agentic_get_status` | -- | `AgenticStatusAPI` | Overall agentic status |
| `agentic_get_summary` | -- | `AgenticSummaryAPI` | Summary statistics |
| `agentic_get_token_usage_stats` | -- | `TokenUsageStatsAPI` | LLM token consumption |
| `agentic_get_subscription_status` | -- | `AgenticSubscriptionStatusAPI` | Subscription info |
| `agentic_get_portal_url` | -- | `String` | EDAMAME Portal URL |
| `agentic_set_edamame_api_key` | `api_key: String` | `bool` | Set EDAMAME API key |
| `agentic_has_edamame_api_key` | -- | `bool` | API key configured |
| `agentic_clear_error` | -- | `bool` | Clear error state |
| `agentic_clear_action_history` | -- | `bool` | Clear action history |
| `agentic_mark_action_read` | `action_id: String` | `bool` | Mark action as read |
| `agentic_mark_action_unread` | `action_id: String` | `bool` | Mark action as unread |
| `agentic_mark_all_actions_read` | -- | `bool` | Mark all as read |
| `agentic_dismiss_action` | `finding_key: String` | `bool` | Dismiss agentic finding |
| `agentic_undismiss_action` | `finding_key: String` | `bool` | Restore dismissed agentic finding |
| `get_agentic_memory_stats` | -- | `String` | In-memory cache snapshot for diagnostics |
| `get_agentic_notification_history` | `limit: usize` | `String` | Recent agentic notifications dispatched |
| `oauth_signin_internal` | -- | `String` | OAuth sign-in to EDAMAME Portal |
| `oauth_refresh_internal` | -- | `String` | Refresh OAuth tokens |
| `oauth_signout_internal` | -- | `String` | Sign out |
| `oauth_get_status` | -- | `OAuthStatusAPI` | OAuth authentication status |
| `oauth_open_signup` | -- | `bool` | Open sign-up page |
| `upsert_behavioral_model` | `window_json: String` | `String` | Upsert behavioral model for two-plane correlation |
| `upsert_behavioral_model_from_raw_sessions` | `raw_sessions_json: String` | `String` | Build behavioral model from raw sessions |
| `get_behavioral_model` | -- | `String` | Get current behavioral model |
| `get_behavioral_model_history` | `limit: usize` | `String` | Get behavioral-model injection history |
| `get_behavioral_model_contributors` | -- | `String` | List components feeding the behavioral model |
| `get_divergence_verdict` | -- | `String` | Get latest divergence verdict |
| `get_divergence_history` | `limit: usize` | `String` | Get divergence verdict history |
| `dismiss_divergence_evidence` | `finding_key: String` | `String` | Dismiss divergence evidence item |
| `undismiss_divergence_evidence` | `finding_key: String` | `String` | Restore dismissed divergence evidence item |
| `reset_divergence_suppressions` | -- | `String` | Reset every dismissed divergence finding |
| `get_divergence_debug_trace` | `entry_id: String` | `String` | Per-rule trace for a divergence verdict |
| `debug_run_divergence_tick` | -- | `String` | Force a divergence-engine tick (diagnostic) |
| `clear_behavioral_model` | -- | `void` | Clear behavioral model (testing/debug) |
| `clear_behavioral_model_history` | -- | `void` | Clear behavioral-model injection history |
| `clear_divergence_history` | -- | `void` | Clear divergence verdict history |
| `clear_divergence_state` | -- | `void` | Clear live divergence state |
| `start_divergence_engine` | `enabled: bool, interval_secs: u64` | `String` | Start/stop divergence engine (control plane) |
| `get_divergence_engine_status` | -- | `String` | Get divergence engine runtime status |
| `start_vulnerability_detector` | `enabled: bool, interval_secs: u64` | `String` | Start/stop attack pattern detector |
| `get_vulnerability_findings` | -- | `String` | Get latest vulnerability/safety-floor report |
| `get_vulnerability_history` | `limit: usize` | `String` | Get attack pattern detector history |
| `dismiss_vulnerability_finding` | `finding_key: String` | `String` | Dismiss vulnerability finding |
| `undismiss_vulnerability_finding` | `finding_key: String` | `String` | Restore dismissed vulnerability finding |
| `clear_vulnerability_history` | -- | `void` | Clear attack pattern detector history |
| `reset_vulnerability_suppressions` | -- | `String` | Reset every dismissed finding so it surfaces again |
| `get_vulnerability_debug_trace` | `report_id: String` | `String` | Per-check evaluation trace for a specific report |
| `debug_run_vulnerability_detector_tick` | -- | `String` | Force an attack-pattern-detector tick (diagnostic) |
| `get_vulnerability_detector_status` | -- | `String` | Get attack pattern detector runtime status |
| `list_agent_plugins` | -- | `String` | List supported agent plugins (Cursor/Claude/...) |
| `get_agent_plugin_status` | `agent_type: String` | `String` | Status of a specific agent plugin |
| `provision_agent_plugin` | `agent_type, workspace_root` | `String` | Install or update an agent plugin |
| `test_agent_plugin` | `agent_type: String` | `String` | Run an agent plugin's self-test |
| `uninstall_agent_plugin` | `agent_type: String` | `String` | Remove an agent plugin |

MCP Server (10 methods)

MCP server management and pairing (feature-gated: mcp).

| Method | Parameters | Returns | Description |
|---|---|---|---|
| `mcp_start_server` | `port, psk, enable_cors, listen_all_interfaces` | `String` | Start MCP server |
| `mcp_stop_server` | -- | `String` | Stop MCP server |
| `mcp_get_server_status` | -- | `String` | Server running status |
| `mcpApprovePairing` | `request_id: String` | `String` | Approve a pending pairing request |
| `mcpRejectPairing` | `request_id: String` | `String` | Reject a pending pairing request |
| `mcpListPairedClients` | -- | `String` | List all paired clients (JSON array) |
| `mcpGetPendingPairingRequests` | -- | `String` | List pending pairing requests (JSON array) |
| `mcpRevokePairedClient` | `client_id: String` | `String` | Revoke a paired client |
| `mcpRotatePairedClient` | `client_id: String` | `String` | Rotate a client's credential |
| `mcp_delete_paired_client` | `client_id: String` | `String` | Permanently delete a revoked paired client |

Note: PSK generation (mcp_generate_psk) is provided by the EDAMAME Posture CLI, not by EDAMAME Core directly.


OEM Licensing

EDAMAME Core is closed source and available for OEM integration into third-party products. OEM partners receive:

  • Pre-built libraries for all supported platforms (macOS, Windows, Linux, iOS, Android)
  • API documentation and integration guides
  • Feature flag configuration to include only the capabilities needed
  • Technical support for integration

What You Get

  • The complete EDAMAME security engine as a linkable library
  • All 175+ API methods across security scoring, network analysis, breach detection, AI automation, and compliance
  • Cross-platform support from a single codebase
  • Reactive event system for building responsive UIs
  • gRPC interface for remote management
  • MCP server for AI agent integration

Contact

For OEM licensing inquiries: EDAMAME Technologies


Related Resources
