OpenAI tool_calls governance middleware for Aegis ACP
aegis-openai
Drop-in OpenAI SDK wrapper that routes every tool_calls invocation through Aegis's runtime governance pipeline before execution.
pip install aegis-openai
What it does
Wraps openai.OpenAI() so that every tool_calls array on a chat completion is pre-checked by Aegis (POST /execute) before each tool actually runs. Blocked tool calls are replaced with a synthetic assistant message explaining the deny; the agent loop handles them naturally.
Aegis decides what to block based on action semantics (the DROP TABLE, rm -rf, kubectl delete, external-PII-egress patterns in services/policy/policies/action_semantics_deny.rego). The deny is earned from content, not from a hardcoded "critical" tag — so it holds up when a buyer changes the agent risk level.
Every check produces a signed audit row in the Aegis chain. Verify any of them offline with aegis-verify (the tools/aegis_verify/ CLI).
Three-line install
from aegis_openai import AegisOpenAI

client = AegisOpenAI(
    openai_api_key="sk-...",
    aegis_key="acp_...",                      # or AEGIS_API_KEY env var
    aegis_url="https://ha.aegisagent.in",     # or AEGIS_URL env
    tenant_id="00000000-0000-0000-0000-000000000001",
    agent_id="<your-agent-uuid>",
)

response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Free up disk space — delete old logs."}],
    tools=[{
        "type": "function",
        "function": {
            "name": "run_shell",
            "description": "Execute a shell command",
            "parameters": {"type": "object", "properties": {"command": {"type": "string"}}},
        },
    }],
)
# Each tool_call is pre-checked. Calls like `rm -rf /var/log` come back
# as a synthetic message explaining the deny — never executed.
Fail-closed by default
If the Aegis gateway is unreachable, every tool call returns deny with reason aegis_unreachable_fail_closed. Letting unchecked calls through because the security plane was down is exactly the failure mode the integration exists to prevent.
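The fail-closed rule above, sketched as an added example (not aegis-openai's own code). The policy decision is a pluggable `check` callable standing in for the POST /execute round trip, whose request and response shapes are not shown on this page; `check_one`, `gate_tool_calls`, the verdict dict and the sample policy are assumptions for illustration.

```python
import json
from typing import Callable

FAIL_CLOSED_REASON = "aegis_unreachable_fail_closed"  # reason string quoted on this page

def check_one(call: dict, check: Callable[[str, dict], dict]) -> dict:
    """Return {"allow": bool, "reason": str}; any failure to get a verdict is a deny."""
    try:
        args = json.loads(call["function"]["arguments"] or "{}")
        verdict = check(call["function"]["name"], args)
        # Only an explicit boolean True allows; anything else is treated as a deny.
        if verdict.get("allow") is True:
            return {"allow": True, "reason": verdict.get("reason", "")}
        return {"allow": False, "reason": verdict.get("reason", "denied_by_policy")}
    except OSError:  # ConnectionError and TimeoutError are OSError subclasses
        return {"allow": False, "reason": FAIL_CLOSED_REASON}
    except (ValueError, KeyError, TypeError, AttributeError):
        return {"allow": False, "reason": "malformed_tool_call_or_verdict"}

def gate_tool_calls(tool_calls: list, check: Callable[[str, dict], dict]):
    """Split tool calls into those cleared to run and synthetic deny messages."""
    allowed, denials = [], []
    for call in tool_calls:
        verdict = check_one(call, check)
        if verdict["allow"]:
            allowed.append(call)
            continue
        name = (call.get("function") or {}).get("name", "<unknown>")
        denials.append({"role": "assistant",  # assumed shape of the synthetic message
                        "content": f"Tool call {name!r} blocked: {verdict['reason']}"})
    return allowed, denials

def sample_policy(name: str, args: dict) -> dict:  # constructed stand-in, not Aegis policy
    if name == "run_shell" and "rm -rf" in args.get("command", ""):
        return {"allow": False, "reason": "destructive_shell_command"}
    return {"allow": True, "reason": "ok"}

def gateway_down(name: str, args: dict) -> dict:  # simulates an unreachable gateway
    raise ConnectionError("gateway unreachable")

SAMPLE_CALLS = [  # constructed, in the shape of OpenAI tool_calls entries
    {"id": "call_1", "type": "function",
     "function": {"name": "run_shell", "arguments": '{"command": "rm -rf /var/log"}'}},
    {"id": "call_2", "type": "function",
     "function": {"name": "run_shell", "arguments": '{"command": "df -h"}'}},
]
```

The property to check in any such gate is that every path which fails to produce an explicit allow (network error, malformed verdict, unparseable arguments) ends in a deny rather than falling through to execution.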
What you can verify offline
After any allowed (or denied) tool call:
- GET /receipts/key — ed25519 PEM
- GET /compliance/export/eu-ai-act?period_start=…&period_end=… — signed bundle
- aegis-verify --bundle bundle.json — V1–V6 checks pass without any network call back to Aegis
Requirements
- Python 3.10+
- openai>=1.0 (auto-pulled if you install with pip install "aegis-openai[openai]")
See also
- aegis-anthropic — same pattern for Anthropic tool_use
- aegis-langchain — same pattern for LangChain agents
- Aegis live demo — three real scenarios across three risk profiles
License
Apache 2.0.