Spieon

Open-source AI Red Team for the Agent Economy for finding vulnerabilities in AI agents and tools


Created At

Open Agents

Project Description

Spieon is an open-source AI red team for the agent economy. It is an autonomous LangGraph agent that scans paid AI agents and MCP servers (recon, plan, probe, reflect, attest, consolidate) and narrates every step over WebSocket so you can watch it think.

Every probe settles in real USDC over x402, so each finding ships with the on-chain cost of exploitation. Findings are deduped across engines, LLM-judged, and attested on Base Sepolia via EAS with OWASP Agentic Top 10 / MITRE ATLAS / MAESTRO taxonomy fields populated. Detail bundles are encrypted with age + X25519 to an operator key generated in the browser; the agent itself has no decryption capability.

A BountyPool contract pays module authors when their probe code lands, gated by per-severity caps and a per-module daily cap. A ModuleRegistry maps probe hashes to author addresses; the agent's procedural memory (heuristics that survive consolidation) is published per version and hash-attested on-chain. Scans are free for operators in V1; Spieon-the-agent is a subsidized demo.

How it's Made

Agent runtime: LangGraph orchestrates an adaptive scan workflow (recon -> plan -> probe -> reflect -> adapt -> verify -> attest -> consolidate). Every node is checkpointable and emits structured narration events. Probe selection uses an Anthropic select_probes tool call with a deterministic fallback; LangMem on pgvector backs a three-tier memory system (hot buffer -> working memory with usefulness scoring -> long-term, with promotion to public procedural heuristics).

Backend: FastAPI + SQLModel (async, asyncpg) on Postgres + pgvector. Probes execute inside e2b sandboxes wrapped by a safety harness: per-host token bucket, destructive-action blocklist, auto-stop on budget exhaustion / 5xx streak / max attempts, and attribution headers (User-Agent: Spieon-Pentest/1.0, X-Spieon-Scan-Id). A CostMeter reads real USDC Transfer amounts from the x402 payment receipts, so cost-of-exploit is grounded in on-chain spend, not estimates.
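The safety harness described above, as an added illustration that is not Spieon's own code: a per-host token bucket, a destructive-action blocklist, auto-stop on budget exhaustion, a 5xx streak or max attempts, and the attribution headers. The class and method names, the thresholds and the blocklist entries are assumptions; only the two header names come from the project description.

```python
# Added example, not Spieon's own code. Names, thresholds and the blocklist
# entries are assumptions; the two headers are the ones the project describes.

DESTRUCTIVE_TOKENS = ("rm -rf", "DROP TABLE", "TRUNCATE", "DELETE FROM")  # constructed


class SafetyHarness:
    """Gates every probe before it is sent and tracks auto-stop conditions."""

    def __init__(self, scan_id, budget_usdc, max_attempts=20, max_5xx=3,
                 rate=1.0, burst=5):
        self.scan_id = scan_id
        self.budget, self.spent = budget_usdc, 0.0
        self.max_attempts, self.attempts = max_attempts, 0
        self.max_5xx, self.streak_5xx = max_5xx, 0
        self.rate, self.burst = rate, burst      # tokens per second, bucket size
        self.buckets = {}                        # host -> [tokens, last_timestamp]
        self.stopped = None                      # reason once auto-stop has fired

    def headers(self):
        """Attribution headers so a target can identify and contact the scanner."""
        return {"User-Agent": "Spieon-Pentest/1.0", "X-Spieon-Scan-Id": self.scan_id}

    def admit(self, host, payload, now):
        """Decide whether a probe may be sent. Returns (ok, reason)."""
        if self.stopped:
            return False, self.stopped
        if any(tok in payload for tok in DESTRUCTIVE_TOKENS):
            return False, "blocklist"
        if self.attempts >= self.max_attempts:
            self.stopped = "max_attempts"
            return False, self.stopped
        tokens, last = self.buckets.get(host, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)  # refill since last
        if tokens < 1:
            self.buckets[host] = [tokens, now]
            return False, "rate_limited"
        self.buckets[host] = [tokens - 1, now]
        self.attempts += 1
        return True, "ok"

    def record(self, status, cost_usdc):
        """Account a completed probe; returns the auto-stop reason, if any."""
        self.spent += cost_usdc
        self.streak_5xx = self.streak_5xx + 1 if status >= 500 else 0
        if self.spent >= self.budget:
            self.stopped = "budget_exhausted"
        elif self.streak_5xx >= self.max_5xx:
            self.stopped = "5xx_streak"
        return self.stopped
```

The `now` parameter is injected rather than read from the clock so the bucket behaviour is deterministic and testable.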

x402 + Coinbase facilitator: every probe is a payable HTTP call, settled per-request. The agent has a hot wallet capped at $50 with auto-sweep to a cold Safe.

Onchain: Foundry contracts (ModuleRegistry, BountyPool) deployed on Base Sepolia. EAS attestations carry sha256(ciphertext), the bundle URI (ZeroG / IPFS / local fallback), severity, cost, and full taxonomy IDs. Bounty payouts enforce per-severity caps and a per-module daily cap.

Frontend: Next.js 15 + Tailwind + viem/wagmi. The browser generates the X25519 recipient at scan submission; only the public age1… form goes to the backend, so encrypted bundles can never be decrypted server-side. The narration WebSocket renders the live agent stream.

Defense layers: target responses pass through an LLM Guard scanner, get length-capped, and land in an isolated sub-agent context that cannot directly call tools; only the main agent makes structured tool calls (payouts only to registered modules, attestations only for recorded probes, memory writes scoped to the scan).

Observability: self-hosted Langfuse traces every agent decision, tool call, memory op, and chain interaction.

AI tooling disclosure: Claude Code assisted with scaffolding, refactors, doc consistency, and a concurrency fix in backend/app/api/agent.py; all architectural, probe-design, and sponsor-scoping decisions are hu
