Community写作与编辑github.com

alex-jb/shadow-mentor

Shadow — on-device AI council and audit chain for regulated banking workflows. One engine, 4 device clients, 5 persona packs.

shadow-mentor 是什么?

shadow-mentor is a Claude Code agent skill that shadow — on-device AI council and audit chain for regulated banking workflows. One engine, 4 device clients, 5 persona packs.

兼容平台Claude Code~Codex CLICursorAntigravityOpenCode
npx skills add alex-jb/shadow-mentor

Installed? Explore more 写作与编辑 skills: steipete/notion, affaan-m/seo, affaan-m/brand-voice · View all 6 →

在你喜欢的 AI 中提问

打开一个已预加载此 Agent Skill 的新对话。

文档

shadow-mentor 是做什么的?

5-voice AI compliance council for regulated lending. Drop into Claude Desktop / Cursor / Zed / OpenCode / OpenClaw via MCP. Mid-tier US bank pitch: $1,800 / compliance-officer seat / year. Open source MIT.

What it does

Six MCP tools that turn an LLM chat into a procurement-defensible loan-origination compliance surface:

  • shadow_loan_council — Deterministic 5-voice verdict (block / escalate / approve) + per-voice rationale + risk packet + thresholds applied. FICO < 700 is a hardcoded if with a pinned test.
  • shadow_risk_tools — Institutional risk primitives: VaR (historical / parametric / MC), Expected Shortfall, concentration (HHI / Gini), sector exposure, correlation (Pearson / Spearman / EWMA), factor exposures, beta decomposition
  • shadow_recall — Cross-session memory recall keyed by persona + scenario
  • shadow_calibration — Per-persona Brier calibration stats (for SR 26-2 model risk monitoring)
  • shadow_scenarios — Surface enumeration (5 personas × 4 scenarios × 4 device clients × 2 providers)
  • shadow_traceability — Source attribution for any threshold (BRD vs Addendum vs Risk Appetite Note) per CFPB / ECOA / SR 26-2

All tools run in-process. No network call from inside the tool body. AA01–AA05 adverse-action codes match CFPB Bulletin 2024-09.

Why a bank's procurement team can grep it in 10 minutes

Three source files + four test files:

  1. lib/audit-guardrail.js — 12-pattern regex output gate (Schema-Layer Safety)
  2. lib/run-loan-council.jsif (loan.fico < CREDIT_THRESHOLDS.FICO_FLOOR) return { verdict: "block", ... } (Determinism Floor)
  3. installer/tools.json — frozen install-target × scope catalog (EMA-ready)

Test surface:

  • test/mcptox-canary.test.js — 28 contract tests covering MCPTox §3 attack categories + MosaicLeaks coverage
  • test/oauth-scaffold.test.js + test/oauth-loan-council-wiring.test.js — Enterprise Managed Auth scope catalog + live wiring
  • test/glm-call.test.js — Multi-provider contract (Anthropic + GLM-5.2)
  • test/tools-catalog.test.js — Catalog drift gate

308/308 tests passing. Shadow Agentic Score 87 ± 3 (n=6).

Quick install

git clone https://github.com/alex-jb/shadow-mentor
cd shadow-mentor
npm install
node bin/install.mjs                          # see which MCP hosts are detected
node bin/install.mjs --host cursor --dry-run  # preview the merged config
node bin/install.mjs --host cursor            # write it

Defends against named 2026 MCP threats

  • OX Security MCP STDIO supply-chain advisory (May 2026) — Shadow's tool bodies call only frozen lib/ modules; no untrusted shell input reaches a tool body
  • MCPTox benchmark (arXiv 2508.14925) — Shadow returns strict-JSON enum verdicts, not narrative; poisoned descriptions cannot widen the response surface beyond schema
  • MosaicLeaks multi-turn information leakage — canary-token contract tests pin the invariant that an attacker cannot exfiltrate a canary across the tool boundary
  • MCP Enterprise OAuth (EMA) — opt-in SHADOW_REQUIRE_BEARER=1 enforces shadow:council scope on /api/loan-council; works with OAuth2 / Azure AD claim shapes

Links

相关技能

steipete/notion

Notion CLI/API for pages, Markdown content, data sources, files, comments, search, Workers, and raw API calls.

community

affaan-m/seo

Audit, plan, and implement SEO improvements across technical SEO, on-page optimization, structured data, Core Web Vitals, and content strategy. Use when the user wants better search visibility, SEO remediation, schema markup, sitemap/robots work, or keyword mapping.

community

affaan-m/brand-voice

Build a source-derived writing style profile from real posts, essays, launch notes, docs, or site copy, then reuse that profile across content, outreach, and social workflows. Use when the user wants voice consistency without generic AI writing tropes.

community

affaan-m/crosspost

Multi-platform content distribution across X, LinkedIn, Threads, and Bluesky. Adapts content per platform using content-engine patterns. Never posts identical content cross-platform. Use when the user wants to distribute content across social platforms.

community

affaan-m/x-api

X/Twitter API integration for posting tweets, threads, reading timelines, search, and analytics. Covers OAuth auth patterns, rate limits, and platform-native content posting. Use when the user wants to interact with X programmatically.

community

affaan-m/content-engine

Create platform-native content systems for X, LinkedIn, TikTok, YouTube, newsletters, and repurposed multi-platform campaigns. Use when the user wants social posts, threads, scripts, content calendars, or one source asset adapted cleanly across platforms.

community