30 open-source projects similar to google/cel-spec, ranked by how many features they have in common. Compare stars, activity and what each one does to find the best cel-spec alternative.
cel-go is a Go implementation of the Common Expression Language, providing a type-safe engine for the evaluation of non-Turing complete, side-effect-free expressions. It functions as an embedded expression engine that converts human-readable strings into type-checked abstract syntax trees to ensure safe execution. The system utilizes a compile-once evaluate-many model, parsing and validating expressions into cached programs for repeated execution across different datasets. It further distinguishes itself as a partial state evaluator, using commutative logic to compute results and return resid
Expr is a high-performance expression evaluation engine and language for Go applications. It functions as a dynamic rule engine that parses and executes custom logic and data validations at runtime without requiring the application to be recompiled. The system utilizes a sandboxed logic executor to run expressions without side effects. It ensures program termination by employing instruction-level loop detection to prevent infinite loops and isolates the evaluation process from the host system. The engine employs a bytecode-based virtual machine and abstract syntax tree analysis to achieve ex
Power-Fx is a declarative logic framework and low-code formula language based on Excel formulas. It functions as an expression parser and evaluator that transforms formula strings into an abstract syntax tree to execute logical operations and resolve values. The project provides a standardized integration layer to connect formula-based logic to external data sources for querying and pushing records. This allows for the definition of business rules and calculations that can be shared as consistent logic across different applications and platforms.
Octelium is a zero-trust network access platform and identity-aware proxy designed to secure private HTTP, SSH, and SQL resources. It functions as a secure gateway that validates human and workload identities using OIDC, SAML, and FIDO2 passkeys before granting access to internal applications and SaaS APIs. The system is distinguished by its secretless access broker, which injects credentials—such as API keys, passwords, and AWS Sigv4 signatures—at the gateway level so users can access databases and cloud resources without managing secrets. It further specializes in AI gateway administration,
Expr is a statically typed expression engine and domain-specific language for parsing and evaluating dynamic logic strings within Go applications. It functions as a bytecode expression evaluator that executes compiled logic with guaranteed termination and memory safety. The engine utilizes a specialized compiler and virtual machine to achieve high-performance execution. It employs static type validation during the compilation phase to ensure operand compatibility and prevent runtime crashes. The project provides a data transformation engine capable of mapping, filtering, and aggregating coll
Ory Keto is an open-source authorization server that implements Google Zanzibar’s relationship-based access control model. It stores every access relationship as a tuple in a SQL database and exposes a declarative TypeScript-like namespace language for defining object types, relations, and permissions. The service provides bidirectional permission resolution, configurable consistency levels for checks, and dual gRPC and REST APIs for broad integration. Keto extends the Zanzibar model with edge enforcement of access policies, structured compliance auditing of permission decisions, and infrastr
Flecs is a high-performance entity component system framework and data-oriented programming library. It serves as a simulation engine core and game engine architecture tool, decoupling state from behavior by separating entities, components, and systems. The framework features a runtime reflection layer for dynamic data inspection and a built-in scripting system for defining entity behavior without recompilation. It also includes a network interface and REST API for remote simulation administration and state querying. The library covers a broad surface of simulation capabilities, including ar
pycparser is a C99 parser library that converts C source code into an abstract syntax tree consisting of Python objects. It functions as an abstract syntax tree generator, transforming preprocessed C code into a structured hierarchy for programmatic analysis and transformation. The library integrates with a C preprocessor to handle directives before parsing. It also features a stub header parser, which uses minimal mock headers to allow the parsing of C code without requiring a full system C library installation. The project provides tools for static code analysis, C program analysis, and so
Casbin is an authorization library that provides a model-based engine for enforcing access control across diverse application environments. It decouples authorization logic from application code by using a configuration-driven approach, allowing developers to define access rules and evaluation logic independently. The system supports a wide range of access control models, including role-based, attribute-based, and relationship-based patterns, which are evaluated at runtime to determine if a subject is permitted to perform an action on a resource. The project distinguishes itself through a hig
This project is a comprehensive Linux server hardening guide and infrastructure documentation resource. It provides a set of validated security baselines and step-by-step instructions for implementing security controls and configuration best practices to protect production environments. The guide focuses on aligning systems with industry-standard security benchmarks, specifically those provided by the Center for Internet Security and Security Technical Implementation Guides. It includes a framework for using OpenSCAP to scan system configurations, verify compliance against reference profiles,
Zuul is an API gateway service that manages incoming network traffic to backend services. It serves as a routing layer and edge security proxy that provides centralized control over security and monitoring for microservices. The project implements a dynamic request router that maps incoming paths to backend locations using configurable rules that can be updated at runtime. It also includes a circuit breaker implementation to monitor backend failure rates and stop traffic to failing services to prevent cascading outages. The gateway provides a filter-based request pipeline for processing traf
This project is a web application security standard and vulnerability framework. It provides a comprehensive list of the most critical security risks facing web applications, paired with technical guidance and a structured methodology for identifying and mitigating these flaws. The framework functions as a secure coding guide and a risk assessment methodology, offering a standardized approach to prioritizing vulnerabilities based on their potential impact and likelihood of exploitation. It defines architectural patterns and technical recommendations to help developers implement defense in dep
OpenBao is a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys.
Elsa Core is a workflow engine framework designed for defining, executing, and managing long-running business processes. It functions as a distributed workflow orchestrator and event-driven trigger system, capable of operating as a multi-tenant platform with secure data isolation. The project distinguishes itself through a flexible approach to workflow definitions, supporting a visual drag-and-drop designer, programmatic C# definitions, and portable JSON specifications. It provides a highly extensible architecture allowing for the development of custom activities and the use of a dynamic expr
Pundit is an authorization framework for Ruby applications that enforces permissions through plain Ruby policy objects. It maps controller actions to policy methods, automatically inferring which policy class and query method to call based on the action name, and raises a custom exception when access is denied. The framework distinguishes itself by using plain Ruby classes without external DSLs or configuration files, and by providing a development-time verification guard that raises an error if a controller action runs without an authorization call. It also supports namespace-based policy or
PINCE is a dynamic debugger, instruction tracer, and memory scanner designed for the analysis and manipulation of running processes. It functions as a process memory manipulator and editor, allowing for the identification, modification, and monitoring of values within a target application's active memory. The tool distinguishes itself through memory pointer analysis, tracing addresses and offsets to locate static pointers that lead to dynamic data across different sessions. It also enables the execution of internal functions within a running process by manipulating the instruction pointer and
Pundit is a Ruby authorization framework that implements policy-based access control. It maps domain models to dedicated logic classes that determine whether a user is permitted to perform specific actions on data objects. The framework utilizes plain Ruby objects to decouple authorization logic from the model. It includes mechanisms for data query scoping to filter record collections based on user permissions, as well as attribute-level permission control to restrict which specific model fields a user can modify. The system provides tools for authorization coverage verification to ensure se
XNU is a hybrid operating system kernel that combines a microkernel architecture with a monolithic layer for system services. It provides a foundation for operating system development, incorporating standardized system-call interfaces, a modular device driver framework, and mandatory access control security. The architecture features a Mach-based microkernel and a BSD-based monolithic layer. It utilizes a message-passing inter-process communication bus for secure data exchange between isolated kernel components and user-space processes, alongside an object-oriented driver framework that decou
HCL is a configuration language implementation designed for parsing, evaluating, and encoding structured settings through the use of blocks and attributes. It functions as a configuration AST parser and a schema-based decoder that maps attributes and blocks to internal data structures using predefined rules. The project includes an expression evaluation engine that resolves dynamic values and cross-references through multi-phase processing of variables and functions. It also provides a configuration file formatter to standardize the layout and indentation of source code for consistent visual
Next Terminal is an enterprise bastion host platform that brokers and audits remote access to servers and devices. It functions as a centralized gateway unifying access to Windows, Linux, and legacy systems through a single authenticated interface, supporting RDP, SSH, VNC, Telnet, and HTTP protocols. The platform combines certificate management, policy-based access control, reverse tunnel agents, session recording, and web proxy interception into a unified security gateway. It deploys lightweight agents in internal networks that build reverse tunnels to a central site, eliminating per-locati
Goja is a JavaScript engine and ECMAScript compliant interpreter implemented entirely in Go. It serves as an embedded scripting engine that allows Go applications to execute JavaScript code and integrate a programmable scripting layer without relying on Cgo or external native dependencies. The project functions as a bridge between Go and JavaScript, enabling bidirectional data exchange and function invocation. It allows Go hosts to expose native structs, slices, and maps as JavaScript objects and arrays, while providing mechanisms to export script values and functions back into native Go type
This project is a Lisp interpreter implementation guide and framework designed to teach the core principles of programming language design. It provides a structured, step-by-step technical framework for building a functional Lisp language from scratch, featuring a specialized interpreter engine and an S-expression parser that converts syntax into abstract syntax trees. The project emphasizes a code-as-data metaprogramming framework, enabling the implementation of macros, quoting, and quasiquoting to transform expressions during evaluation. It is designed with host language agnosticism, allowi
Consul is a distributed coordination service and service mesh tool used for service discovery, health monitoring, and cluster state management across dynamic networks. It provides a platform for locating network addresses of services and managing traffic across distributed infrastructure using DNS and HTTP interfaces. The project distinguishes itself through multi-datacenter network orchestration, enabling the federation of services across different regions using mesh gateways. It secures communication via a service mesh architecture that employs identity-based authorization and mutual TLS en
PHP-Parser is a tool that converts PHP source code into an abstract syntax tree for static analysis and programmatic manipulation. It functions as a parser, a code generator, and a static analysis framework. The project enables the programmatic construction of abstract syntax tree nodes through a fluent interface and provides the ability to transform these trees back into formatted source code. It includes a serializer that exports abstract syntax trees to JSON format and reconstructs them from strings. The toolset covers several capability areas, including namespace resolution, constant exp
Solid is a protocol and ecosystem for decentralized web applications that separates application logic from data storage. It enables users to store and control their personal information in personal online data stores, known as Pods, ensuring that individuals own their data rather than the applications they use. The project provides a framework for decentralized identity and authentication using WebID and OpenID Connect, decoupling identity from central providers. It implements a resource-level permission system via Web Access Control, allowing users to grant or deny read, write, and append ac
Oils is a Unix shell interpreter and scripting language runtime that combines a modern shell language with POSIX and Bash compatibility. It functions as a structured data shell, integrating JSON and J8 formats to manage complex data without relying on string parsing. The system is distinguished by a C++ transpiled interpreter that converts a subset of Python source code into strongly typed C++ for high-performance execution. It features a garbage-collected typed runtime that supports prototype-based polymorphism, lexical closures, and reference-based variable mutation. To decouple shell logic
Foreman is a lifecycle infrastructure management platform used for automating the provisioning, configuration, and monitoring of physical, virtual, and cloud servers. It serves as a central hub for managing the entire lifespan of a server, from initial deployment and operating system upgrades to decommissioning and auditing. The platform functions as a hybrid cloud manager and bare-metal provisioning tool, providing a unified interface to control virtual machine lifecycles across diverse hypervisors and public cloud providers. It automates hardware discovery and operating system deployment us
Jazz is a local-first relational database and synchronization framework designed for offline-capable applications. It functions as a reactive state management system that treats database records as the primary source of truth, automatically updating user interfaces in real time as underlying data changes. The project distinguishes itself through a collaborative data synchronization model that utilizes row-level versioning to track branching edit histories. It implements a security engine based on identity-claim row security, which enforces granular permissions on individual records, and suppo
Remark is a markdown processor that parses markdown text into a structured JSON abstract syntax tree for programmatic analysis and transformation. It functions as a markdown AST parser and processor, utilizing a plugin framework to manage extensible syntax and transformation rules. The project enables custom markdown syntax extensions and content transformation through a plugin system, allowing for the addition of non-standard markup and metadata. It also includes a markdown linter to identify style inconsistencies and ensure adherence to writing standards. The toolset covers markdown docume