Posture
A cross-platform security posture assessment tool with Model Context Protocol (MCP) server support. Posture provides unified security inspection across macOS, Windows, and Linux, enabling AI assistants to query hardware security modules, boot security, disk encryption, and biometric capabilities.
Features
Security Assessment
- Platform Security Chip - Secure Enclave (macOS) / TPM (Windows/Linux) detection and status
- Secure Boot - UEFI/Apple Secure Boot verification
- Disk Encryption - FileVault (macOS), BitLocker (Windows), LUKS (Linux)
- Biometrics - Touch ID, Face ID, Windows Hello, fprintd
- Security Summary - Unified security score with recommendations
System Metrics
- CPU Usage - Overall and per-core monitoring
- Memory Usage - Total, used, free, available memory
- Process List - Running processes with resource usage
Output Formats
- JSON (default) - Structured data for programmatic use
- Table - Rich ASCII tables with ANSI colors and UTF-8 icons
Installation
Pre-built Binary
Download the latest release for your platform from the Releases page.
Build from Source
Requires Go 1.23 or later.
git clone https://github.com/agentplexus/posture.git
cd posture
go build -o posture ./cmd/posture/
Usage
Posture can be used in three ways:
- CLI - Command-line tool for interactive use
- MCP Server - Model Context Protocol server for AI assistants
- Go Module - Programmatic access in Go applications
CLI Usage
# Show security summary with score
posture summary -f table
# Check platform security chip (Secure Enclave / TPM) status
posture security-chip -f table
# Check Secure Boot status
posture secureboot -f table
# Check disk encryption status
posture encryption -f table
# Check biometric capabilities
posture biometrics -f table
# System metrics
posture cpu -f table
posture memory -f table
posture processes -n 10 -f table
MCP Server Usage
Claude Desktop Configuration
Add to your Claude Desktop configuration file:
macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json
{
"mcpServers": {
"posture": {
"command": "/path/to/posture",
"args": ["serve"]
}
}
}
MCP Tools
| Tool | Description |
|---|---|
| get_platform_security_chip | Secure Enclave (macOS) / TPM (Windows/Linux) status |
| get_secure_boot_status | UEFI Secure Boot verification |
| get_encryption_status | Disk encryption (FileVault/BitLocker/LUKS) |
| get_biometric_capabilities | Biometric authentication status |
| get_security_summary | Unified security posture with score |
| get_cpu_usage | CPU usage statistics |
| get_memory | Memory usage statistics |
| list_processes | Running process list |
Go Module Usage
Import the inspector package for programmatic access to all security and system metrics.
Installation
go get github.com/agentplexus/posture
Example: Security Summary
package main

import (
	"encoding/json"
	"fmt"
	"log"

	"github.com/agentplexus/posture/inspector"
)

func main() {
	// Get unified security summary
	summary, err := inspector.GetSecuritySummary()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("Security Score: %d/100\n", summary.OverallScore)
	fmt.Printf("Status: %s\n", summary.OverallStatus)

	// Output as JSON
	data, _ := json.MarshalIndent(summary, "", " ")
	fmt.Println(string(data))

	// Or use built-in table formatting
	fmt.Println(inspector.FormatSecuritySummaryTable(summary))
}
Example: Individual Checks
package main

import (
	"context"
	"fmt"
	"log"

	"github.com/agentplexus/posture/inspector"
)

func main() {
	ctx := context.Background()

	// Platform Security Chip (Secure Enclave / TPM)
	if inspector.IsTPMSupported() {
		tpm, err := inspector.GetTPMStatus()
		if err == nil {
			fmt.Printf("Security Chip: %s (enabled: %v)\n", tpm.Type, tpm.Enabled)
		}
	}

	// Secure Boot
	if inspector.IsSecureBootSupported() {
		boot, err := inspector.GetSecureBootStatus()
		if err == nil {
			fmt.Printf("Secure Boot: %v (mode: %s)\n", boot.Enabled, boot.Mode)
		}
	}

	// Disk Encryption
	if inspector.IsEncryptionSupported() {
		enc, err := inspector.GetEncryptionStatus()
		if err == nil {
			fmt.Printf("Encryption: %s (status: %s)\n", enc.Type, enc.Status)
		}
	}

	// Biometrics
	if inspector.IsBiometricsSupported() {
		bio, err := inspector.GetBiometricCapabilities()
		if err == nil {
			fmt.Printf("Biometrics: %s (enrolled: %v)\n",
				bio.BiometryType, bio.TouchIDEnrolled || bio.FaceIDEnrolled)
		}
	}

	// System Metrics (stop on error instead of reading an unset result)
	cpu, err := inspector.GetCPUUsage(ctx)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("CPU Usage: %.1f%%\n", cpu.OverallPercent)

	mem, err := inspector.GetMemory(ctx)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("Memory: %s / %s (%.1f%%)\n",
		inspector.FormatBytes(mem.Used),
		inspector.FormatBytes(mem.Total),
		mem.UsedPercent)
}
Available Functions
| Function | Description |
|---|---|
| GetSecuritySummary() | Unified security posture with score |
| GetTPMStatus() | Platform security chip status |
| GetSecureBootStatus() | Secure Boot configuration |
| GetEncryptionStatus() | Disk encryption status |
| GetBiometricCapabilities() | Biometric authentication status |
| GetCPUUsage(ctx) | CPU usage statistics |
| GetMemory(ctx) | Memory usage statistics |
| ListProcesses(ctx, limit) | Running process list |
Each function has a corresponding IsXXXSupported() function to check platform availability.
Platform Support
| Feature | macOS | Windows | Linux |
|---|---|---|---|
| Platform Security Chip | ✅ Secure Enclave | ✅ TPM 1.2/2.0 | ✅ TPM 2.0 |
| Secure Boot | ✅ Apple Secure Boot | ✅ UEFI Secure Boot | ✅ UEFI Secure Boot |
| Disk Encryption | ✅ FileVault | ✅ BitLocker | ✅ LUKS/dm-crypt |
| Biometrics | ✅ Touch ID/Face ID | ✅ Windows Hello | ✅ fprintd/Howdy |
| CPU/Memory/Processes | ✅ | ✅ | ✅ |
Example Output
Security Summary (Table Format)
🛡️ Security Summary
────────────────────────────────────────────────────────────
Platform: 🍎 macOS
Security Score: 75/100
██████████████████████████████░░░░░░░░░░
Status: ✓ Good
Security Features:
┌──────────────────────────┬──────────────┬────────────────────┐
│ Feature │ Status │ Details │
├──────────────────────────┼──────────────┼────────────────────┤
│ 🛡️ Secure Enclave │ ✓ Enabled │ secure_enclave │
│ 🔒 Secure Boot │ ✓ Enabled │ full │
│ 🔒 FileVault │ ✗ Disabled │ disabled │
│ 👆 Biometrics │ ✓ Enabled │ touch_id │
└──────────────────────────┴──────────────┴────────────────────┘
⚠️ Recommendations:
──────────────────────────────────────────────────
1. Enable FileVault to protect data at rest
Security Summary (JSON Format)
{
"platform": "darwin",
"overall_score": 75,
"overall_status": "good",
"tpm": {
"present": true,
"enabled": true,
"type": "secure_enclave"
},
"secure_boot": {
"enabled": true,
"mode": "full"
},
"encryption": {
"enabled": false,
"type": "filevault",
"status": "disabled"
},
"biometrics": {
"available": true,
"configured": true,
"type": "touch_id"
},
"recommendations": [
"Enable FileVault to protect data at rest"
]
}
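A compliance gate over the JSON summary shown above, as an added example that is not part of the Posture project: it decodes the fields from the sample output and fails closed when a section is absent, so a truncated or partial report cannot pass. The `Evaluate` function, the `minScore` threshold and the violation messages are assumptions made for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// feature is the "enabled" flag shared by the tpm, secure_boot and encryption objects.
type feature struct{ Enabled bool `json:"enabled"` }

// summary mirrors fields from the README's JSON example; pointers tell "absent" from "false".
type summary struct {
	OverallScore *int     `json:"overall_score"`
	TPM          *feature `json:"tpm"`
	SecureBoot   *feature `json:"secure_boot"`
	Encryption   *feature `json:"encryption"`
}

// sampleJSON is constructed from the README's example output (recommendations omitted).
const sampleJSON = `{"platform":"darwin","overall_score":75,
 "tpm":{"present":true,"enabled":true,"type":"secure_enclave"},
 "secure_boot":{"enabled":true,"mode":"full"},
 "encryption":{"enabled":false,"type":"filevault","status":"disabled"}}`

// Evaluate returns policy violations for one summary document.
// minScore is a hypothetical local policy value, not something Posture defines.
func Evaluate(raw []byte, minScore int) ([]string, error) {
	var s summary
	if err := json.Unmarshal(raw, &s); err != nil {
		return nil, fmt.Errorf("parse summary: %w", err)
	}
	var v []string
	if s.OverallScore == nil || *s.OverallScore < minScore {
		v = append(v, fmt.Sprintf("score missing or below %d", minScore))
	}
	checks := []struct {
		name string
		f    *feature
	}{{"security chip", s.TPM}, {"secure boot", s.SecureBoot}, {"disk encryption", s.Encryption}}
	for _, c := range checks {
		if c.f == nil || !c.f.Enabled { // a missing section counts as a failure
			v = append(v, c.name+" missing or not enabled")
		}
	}
	return v, nil
}

func main() {
	fmt.Println(Evaluate([]byte(sampleJSON), 70))
}
```

Biometrics are left out of the gate because enrollment depends on optional hardware; add a check in the same pattern if local policy requires it.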
Architecture
┌─────────────────────────────────────────────────────────────┐
│ Claude Desktop │
│ ┌────────────────────────────────────────────────────────┐ │
│ │ MCP Client │ │
│ └────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
│
│ stdio (JSON-RPC)
▼
┌─────────────────────────────────────────────────────────────┐
│ Posture │
│ ┌──────────────────┐ ┌──────────────────────────────────┐ │
│ │ MCP Server │ │ Security Tools │ │
│ │ │ │ 🛡️ get_platform_security_chip │ │
│ │ - Tool registry │ │ 🔒 get_secure_boot_status │ │
│ │ - JSON-RPC │ │ 🔐 get_encryption_status │ │
│ │ - stdio │ │ 👆 get_biometric_capabilities │ │
│ │ │ │ 📊 get_security_summary │ │
│ └──────────────────┘ └──────────────────────────────────┘ │
│ │ │
│ ┌───────────────────────────┴────────────────────────────┐ │
│ │ Inspectors │ │
│ │ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │ │
│ │ │ darwin │ │ windows │ │ linux │ │ common │ │ │
│ │ │ (cgo) │ │ (WMI) │ │ (sysfs) │ │(gopsutil│ │ │
│ │ └─────────┘ └─────────┘ └─────────┘ └─────────┘ │ │
│ └────────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
Security Considerations
This tool is designed with security in mind:
- Read-only operations - No system modifications are possible
- No secrets exposed - Does not access keychain, passwords, or private keys
- Non-invasive checks - Only tests capability, never extracts keys
- Process listing is informational - Cannot terminate or modify processes
What This Tool Does NOT Do
- Access or export any cryptographic keys
- Read keychain items or passwords
- Modify system settings
- Execute arbitrary commands
- Access file contents
- Make network requests
Building for Different Platforms
# macOS (includes Secure Enclave)
GOOS=darwin GOARCH=arm64 go build -o posture-darwin-arm64 ./cmd/posture/
GOOS=darwin GOARCH=amd64 go build -o posture-darwin-amd64 ./cmd/posture/
# Linux (includes TPM, LUKS)
GOOS=linux GOARCH=amd64 go build -o posture-linux-amd64 ./cmd/posture/
GOOS=linux GOARCH=arm64 go build -o posture-linux-arm64 ./cmd/posture/
# Windows (includes TPM, BitLocker)
GOOS=windows GOARCH=amd64 go build -o posture-windows-amd64.exe ./cmd/posture/
Note: Cross-compiling for macOS from other platforms will not include Secure Enclave support due to cgo dependencies.
Dependencies
- modelcontextprotocol/go-sdk - Official MCP Go SDK
- shirou/gopsutil/v4 - Cross-platform system metrics
- spf13/cobra - CLI framework
License
MIT License - see LICENSE file for details.
Contributing
Contributions are welcome! Please feel free to submit a Pull Request.