Skip to content
/
Tier B A3 MCP-anchored

Corsair

corsair · corsairdev/corsair · ★ 759 · last commit 2026-05-24

Unified permissioned integration layer for AI agents: 70+ third-party services accessible via typed API calls with credential isolation and human-approval gates for destructive actions.

Best whenAgents should never see credentials; every destructive external action should require explicit human approval before execution.
Skip ifPassing API keys directly to agents, Allowing agents unrestricted write/delete access to external services
vs seeds
claude-flow(Archetype 3 — MCP toolserver) but Corsair's domain is external third-party service integrations rather than agent capab…
Primitive shape 1 total
MCP tools 1
00

Summary

Corsair — Summary

Corsair is a unified integration layer for AI agents: connect your Corsair instance to any agent (via MCP or SDK) and immediately get access to 70+ integrations (Slack, GitHub, Gmail, Google Drive, Notion, Stripe, etc.) without ever exposing credentials to the agent. The agent calls typed tool methods; Corsair handles credential resolution via envelope encryption, evaluates permissions (open/cautious/strict/readonly modes per integration), intercepts destructive actions for human approval, and supports full multi-tenancy. At 759 GitHub stars (Apache-2.0 / custom license), it is the most comprehensive agent integration framework in this batch — but its focus is entirely on external integrations and permissioned actions, not planning, memory, or knowledge capture.

differs_from_seeds: No direct seed equivalent. Corsair is closest in spirit to a cloud-hosted version of claude-flow's MCP bundling (Archetype 3), but where claude-flow bundles agent capabilities as MCP tools, Corsair bundles third-party integrations as permissioned typed APIs. It has zero memory, zero planning, zero spec workflow — it is purely an integration/permission layer. The closest conceptual match is taskmaster-ai's tool-server pattern, but Corsair's domain is external services rather than task management.

01

Overview

Corsair — Overview

Origin

Created by corsairdev. TypeScript monorepo (Turborepo/pnpm). Custom license (NOASSERTION in gh api — likely source-available or custom terms). Active as of May 2026.

Philosophy

"Agents are now capable of anything. It feels silly to do a routine task manually. But you do it anyways, because giving agents the keys to all your apps feels reckless. One misunderstood instruction and they're sending an email you'd never send."

The core problem Corsair solves: agents need access to external services, but those services contain sensitive credentials and can take irreversible actions. Corsair inserts itself as the integration layer: the agent sees methods, not credentials, and every destructive action can require human approval.

"The agent never sees the credentials, and you control exactly what it can do."

Permission Mode Philosophy

Four permission modes per integration:

  • open: everything runs immediately
  • cautious (recommended): reads+writes immediate; destructive actions require approval
  • strict: reads immediate; writes require approval; destructive blocked
  • readonly: reads only; all writes/destructive blocked

Individual endpoints can be overridden within any mode.

Multi-Tenancy Philosophy

"Corsair is built for production. Set multiTenancy: true and every tenant gets isolated credentials, isolated data storage, and isolated permissions handling."

This is enterprise-grade SaaS infrastructure, not a personal AI harness.

02

Architecture

Corsair — Architecture

Distribution

TypeScript library (packages/corsair via npm) + MCP server (packages/mcp). Monorepo with 70+ integration packages.

Packages

packages/
├── corsair/           # Core library (createCorsair, permissions, key management)
├── mcp/               # MCP server exposing all integrations as MCP tools
├── app/               # Approval request web UI
├── explorer/          # Integration catalog browser
├── cursor/            # Cursor IDE plugin
├── studio/            # Studio UI
├── ui/                # Shared UI components
├── [service]/         # One package per integration:
│   slack/ github/ gmail/ googledrive/ googlesheets/
│   notion/ stripe/ linear/ jira/ hubspot/ discord/
│   telegram/ twitter/ youtube/ zoom/ ... (70+ total)

MCP Integration

The MCP package exposes all Corsair integrations as MCP tools. Any MCP-compatible client (Claude Code, Cursor, Codex) can connect to Corsair via MCP.

Security Architecture

  • Envelope encryption: KEK (key encryption key) → per-tenant data keys → actual secrets
  • No credential exposure: agent never sees API keys; credentials resolved internally at call time
  • Permission evaluation: happens in Corsair before executing the tool call
  • Approval requests: stored in a database the agent cannot access; only user approval changes status

Required Runtime

  • Node.js
  • pnpm
  • Various API keys per integration

Adapters

The MCP package ships adapters for:

  • Anthropic API (AnthropicProvider)
  • Claude (ClaudeProvider)
  • Mastra (MastraProvider)
  • Ollama (OllamaProvider)
  • OpenAI (OpenAIMcpConfig)
  • OpenAI Agents (OpenAIAgentsProvider)
  • Vercel AI (createVercelAiMcpClient)
03

Components

Corsair — Components

Core Library API

Function/Class Purpose
createCorsair({plugins, multiTenancy}) Initialize Corsair instance with plugins
corsair.withTenant(id) Get tenant-scoped client
createMcpRouter(corsair) Create HTTP MCP router
runStdioMcpServer(corsair) Run MCP via stdio
createBaseMcpServer(corsair) Create base MCP server
buildCorsairToolDefs(corsair) Build MCP tool definitions

Integration Packages (70+)

Slack, GitHub, GitLab, Gmail, GoogleCalendar, GoogleDrive, GoogleSheets, OneDrive, SharePoint, Outlook, Notion, HubSpot, Salesforce, Jira, Asana, Linear, Monday, Trello, Stripe, Razorpay, DodoPayments, Discord, Telegram, Twitter/X, YouTube, Zoom, Teams, Slack, Intercom, Zendesk, PagerDuty, Sentry, Grafana, CloudFlare, PostHog, Amplitude, Airtable, Box, Dropbox, Exa, Firecrawl, Tavily, Vapi, Resend, Cal, Calendly, Figma, Tally, Typeform, Spotify, Strava, Oura, HackerNews, Reddit, ArXiv (via Packs), and more.

Permission Modes

Mode Reads Writes Destructive
open immediate immediate immediate
cautious immediate immediate approval required
strict immediate approval required blocked
readonly immediate blocked blocked

Webhook System

All integrations ship typed, signature-verified webhook handlers routed to a single endpoint.

Approval System

When a destructive action is intercepted:

  1. Corsair creates a permission request in a database (inaccessible to agent)
  2. Generates a public review link (expires in 10 minutes)
  3. Agent presents link to user
  4. User reviews and approves/denies via web UI
  5. Action executes only on approval
05

Prompts

Corsair — Prompts

Note

Corsair is a TypeScript integration library, not a prompt framework. It contains no SKILL.md files, no LLM prompts, and no behavioral instructions. The following excerpts are from README examples and source code interfaces.

Excerpt 1: Agent-Facing API Design (from README)

Prompting technique: None — this is TypeScript SDK, not a prompt. Shown as representative of the agent integration pattern.

// Agent calls:
const corsair = createCorsair({
  plugins: [gmail(), googledrive()],
});

// Agent calls googledrive then gmail:
// "Send Sarah the Q1 numbers from the Financials folder in Drive."
await corsair.googledrive.files.list({ query: "Financials" });
await corsair.gmail.messages.post({ to: "sarah@...", subject: "Q1 Numbers", ... });
// ^ This triggers approval request if Gmail is in cautious mode

Excerpt 2: Permission Approval Message (from README)

Prompting technique: Human-in-the-loop structured approval presentation

Agent: I've drafted the email. This action requires your approval before it sends.

  ⚠️ gmail: messages.post
     To: sarah@corsair.dev
     Subject: "Q1 Numbers"
     
     Hi Sarah, attached is the breakdown we discussed on the call.

     <file>
     
     Best,
     Claude

  Review and approve: https://somepubliclink.com/review/a8f2c1
  Link expires in 10 minutes.

Excerpt 3: MCP Tool Export (from packages/mcp/src/index.ts)

Prompting technique: None — SDK export pattern

export { AnthropicProvider } from './adapters/anthropic-api.js';
export { ClaudeProvider } from './adapters/claude.js';
export { MastraProvider } from './adapters/mastra.js';
export { createBaseMcpServer } from './core/base.js';
export { createMcpRouter } from './core/http.js';
export { BaseProvider } from './core/provider.js';
export { buildCorsairToolDefs } from './core/tools.js';
09

Uniqueness

Corsair — Uniqueness

differs_from_seeds

No direct seed equivalent. The closest architectural match is claude-flow (Archetype 3 — MCP-anchored toolserver) but Corsair's domain is external third-party service integrations rather than agent capabilities. Unlike any seed, Corsair's primary value is credential isolation (the agent never sees API keys), permissioned access modes per integration, and human-approval gates for destructive actions. It has zero planning, zero memory, and zero spec workflow — it sits one layer below the other frameworks, providing the integration substrate that planning/memory frameworks might call into.

Positioning

Corsair occupies the "integration layer" niche: a single controlled gateway to 70+ external services with permission management. This is the kind of infrastructure that would underpin an agentic coding framework — e.g., a planning-with-files session that needs to send a Slack notification when a phase completes would ideally call through Corsair rather than directly calling the Slack API.

Key Innovations

  1. 70+ typed integrations in a single unified API — the broadest integration surface in this corpus
  2. Permission modes per integration (open/cautious/strict/readonly) — granular control without code changes
  3. Human-approval gate for destructive actions — async web review link with 10-minute expiry
  4. Envelope encryption — credentials never exposed to agents even if they try to read config files
  5. Multi-tenancy — full credential and data isolation per tenant ID in a single instance

Observable Failure Modes

  1. Scope creep — "integration layer" is a broad category; Corsair must maintain 70+ integrations as third-party APIs change
  2. Approval latency — destructive actions block until user reviews; user must be available within 10 minutes
  3. Not a memory/planning tool — misplaced in a "memory secondary" batch; Corsair is infrastructure, not an AI workflow tool
  4. License ambiguity — NOASSERTION in GitHub API; actual license terms unclear for production use
04

Workflow

Corsair — Workflow

Phases

Phase Actor Artifact
1. Setup Developer Corsair instance configured with plugins + permission modes
2. Agent Request Agent Agent calls Corsair tool (e.g., gmail.messages.post(...))
3. Permission Evaluation Corsair Check mode (open/cautious/strict/readonly) for this endpoint
4a. Immediate Action Corsair Execute if permitted; return result to agent
4b. Approval Request Corsair Create DB record + review link; agent presents to user
5. User Review Human Approve or deny via web UI
6. Action Execution Corsair Execute approved action; discard denied action

Approval Gate Example

From README:

Agent: I've drafted the email. This action requires your approval before it sends.

  ⚠️ gmail: messages.post
     To: sarah@corsair.dev
     Subject: "Q1 Numbers"
     ...
     
  Review and approve: https://somepubliclink.com/review/a8f2c1
  Link expires in 10 minutes.

Multi-Tenancy Workflow

const corsair = createCorsair({
  multiTenancy: true,
  plugins: [slack(), github()],
});

const client = corsair.withTenant('org-456');
await client.slack.api.messages.post({ channel: '#alerts', text: 'Deploy complete.' });

Webhook Handling

app.post('/webhooks', async (req, res) => {
  const webhook = processWebhook(corsair, req.headers, req.body)
  return res.json(webhook.response)
});
06

Memory Context

Corsair — Memory & Context

Memory Model

None. Corsair is not a memory framework. It maintains:

  • Credential store (encrypted secrets per integration per tenant)
  • Pending approval requests (database records, temporary)
  • Webhook event logs (integration-specific)

None of these constitute AI conversation memory or context persistence.

Persistence Scope

Credentials and approval requests persist globally per tenant, but this is operational data (secrets management), not AI reasoning memory.

Context Injection

None. Corsair does not inject any context into AI sessions. It passively responds to agent API calls.

Cross-Session Handoff

None in terms of AI memory. Credentials and permission modes persist across sessions, but no conversation context or reasoning is captured.

What Corsair Does Instead

Corsair provides permissioned access to external state — the current state of Slack channels, GitHub repos, Gmail threads, etc. The agent can read this state through Corsair's typed tools, but Corsair does not synthesize or summarize it.

07

Orchestration

Corsair — Orchestration

Multi-Agent: No

Corsair is an integration library, not an orchestration framework. Multiple agents can use the same Corsair instance (multi-tenancy), but this is not agent coordination.

Orchestration Pattern: none

Execution Mode: event-driven

Each tool call is an independent event. No sessions, no loops, no daemons.

Multi-Model: No

Corsair is model-agnostic. It provides adapters for multiple AI platforms (Anthropic, OpenAI, Vercel AI, Mastra) but does not route to different models for different roles.

Isolation: sandbox-api

The permission system and credential vault provide isolation — agents cannot bypass permissions or access credentials directly.

Approval Gate as Human-in-the-Loop

The destructive action approval flow is the closest thing to orchestration: an external human (not AI) must approve before the agent can proceed. This is a synchronous human-in-the-loop gate.

Cross-Tool Portability: high

Adapters exist for Claude Code (MCP), Cursor (MCP), Anthropic SDK, OpenAI SDK, Vercel AI SDK, Mastra. The MCP adapter works with any MCP-compatible client.

08

Ui Cli Surface

Corsair — UI & CLI Surface

CLI Binary: No standalone CLI

Corsair is a TypeScript library. Setup is via npm install and TypeScript code, or via the Cursor IDE plugin (packages/cursor).

Approval Review Web UI

The packages/app package provides a minimal web UI for reviewing and approving pending destructive actions. Users receive a time-limited link (10 minutes) to review the proposed action before it executes.

Explorer UI

The packages/explorer package is an integration catalog browser, showing available integrations and their supported operations.

Studio UI

The packages/studio package provides a management interface (exact feature set not documented in public README).

Cursor Integration

The packages/cursor package provides a Cursor IDE plugin for setting up Corsair integrations directly from the IDE.

Website

  • corsair.dev — marketing site
  • docs.corsair.dev/guides/plugins — full integration list

SDK Usage Pattern

import { createCorsair } from '@corsair/core';
import { slack } from '@corsair/slack';
import { gmail } from '@corsair/gmail';

const corsair = createCorsair({
  plugins: [slack(), gmail()],
});

Related frameworks

same archetype · same primary tool · same memory type

Taskmaster AI ★ 27k
A3 MCP-anchored

Converts a PRD into a dependency-ordered JSON task graph that AI coding agents execute one task at a time, eliminating context…

ccmemory ★ 1
A3 MCP-anchored

Accumulates decisions, corrections, and failed approaches from Claude Code sessions into a queryable Neo4j graph so each new…

Pimzino spec-workflow-mcp ★ 4.2k
A3 MCP-anchored

MCP server providing spec-driven development workflow with dashboard-backed approval gates, implementation logging, and VSCode…

MCP Shrimp Task Manager ★ 2.1k
A3 MCP-anchored

Convert natural language requests into structured AI development tasks with chain-of-thought enforcement, reflection gates, and…

Bernstein ★ 460
A3 MCP-anchored

Govern parallel CLI coding agents with a deterministic Python scheduler, HMAC-chained audit trail, and compliance-ready signed…

LeanSpec ★ 252
A3 MCP-anchored

Provides a unified spec CLI and MCP server over any existing spec backend (markdown, GitHub Issues, ADO), making spec-driven…