Comprehensive security framework for agentic AI applications โ 8-layer defense-in-depth.
Project description
๐ก๏ธ AgentArmor
Comprehensive open-source security framework for agentic AI applications.
AgentArmor provides 8-layer defense-in-depth security for AI agents, covering every point in the data flow where data is at rest, in transit, or in use. Built to address the OWASP Top 10 for Agentic Applications (2026).
What's New in v0.4.0
- ๐ MCP Server Plugin โ AgentArmor now ships as a native MCP server. Claude Code, OpenClaw, Cursor, Windsurf, and any MCP-compatible agent can call AgentArmor's security tools directly โ zero Python code required.
- ๐ ๏ธ 6 MCP Tools โ
armor_register_agent,armor_scan_input,armor_intercept,armor_scan_output,armor_scan_mcp_server,armor_get_status - โก One-command setup โ
setup_claude_code.shauto-configures Claude Code with AgentArmor - ๐ New
agentarmor-mcpCLI entry point for stdio transport
What's New in v0.3.0
- ๐ TLS Certificate Validation โ Validates MCP server TLS certificates: version, cipher suite, expiry, weak cipher detection
- ๐ OAuth 2.1 Compliance Checker โ Verifies OAuth 2.1 compliance with PKCE S256 support, Protected Resource Metadata, and Authorization Server Metadata
- ๐ก๏ธ Full Security Scan โ
MCPGuard.full_security_scan()combines TLS + OAuth + tool analysis in a single call
What's New in v0.2.0
- ๐ OpenClaw Identity Guard โ Encrypts OpenClaw agent identity files with AES-256-GCM + BLAKE3 integrity
- ๐ MCP Server Scanner โ Scans MCP servers for dangerous tools, rug-pulls, and transport security
Why AgentArmor?
Every existing security tool is a point solution โ output validators, prompt injection scanners, or policy engines in isolation. AgentArmor is the first unified framework that secures the entire agentic architecture end-to-end.
The 8 Security Layers
| Layer | Name | What It Protects |
|---|---|---|
| L1 | Ingestion | Input scanning, prompt injection detection, source verification |
| L2 | Storage | Encryption at rest (AES-256-GCM), data classification, integrity (BLAKE3) |
| L3 | Context | Instruction-data separation, canary tokens, prompt hardening |
| L4 | Planning | Action plan validation, risk scoring, chain depth limits |
| L5 | Execution | Rate limiting, network egress control, human approval gates |
| L6 | Output | PII redaction (Presidio), DLP, sensitivity filtering |
| L7 | Inter-Agent | Mutual auth (HMAC), trust scoring, delegation depth control |
| L8 | Identity | Agent identity, JIT permissions, credential rotation |
Quick Start
Install
# Using uv (recommended)
uv add agentarmor-core
# With MCP server support (for Claude Code, OpenClaw, etc.)
uv add "agentarmor-core[mcp]"
# With all optional features
uv add "agentarmor-core[all]"
# Available extras: proxy, pii, otel, mcp, oauth, all, dev
# For development
git clone https://github.com/Agastya910/agentarmor.git
cd agentarmor
uv sync --all-extras --dev
Basic Usage
import asyncio
from agentarmor import AgentArmor, ArmorConfig
async def main():
armor = AgentArmor()
# Register your agent
identity, token = armor.l8_identity.register_agent(
agent_id="my-agent",
permissions={"read.*", "search.*"},
)
# Intercept tool calls
result = await armor.intercept(
action="read.file",
params={"path": "/data/notes.txt"},
agent_id="my-agent",
input_data="Read the file please",
)
print(f"Safe: {result.is_safe}")
print(f"Verdict: {result.final_verdict.value}")
asyncio.run(main())
Use as Decorator
@armor.shield(action="database.query")
async def query_database(sql: str) -> dict:
return db.execute(sql)
Proxy Server Mode
agentarmor serve --config agentarmor.yaml --port 8400
curl -X POST http://localhost:8400/v1/intercept \
-H "Content-Type: application/json" \
-d '{"action": "read.file", "agent_id": "my-agent", "input_data": "Hello"}'
Integrations
MCP Server โ Zero-Code Security for Any Agent (New in v0.4.0)
AgentArmor runs as a native MCP server that any MCP-compatible coding agent can call directly โ no Python code changes needed in your project.
Setup for Claude Code โ add to ~/.claude/claude_desktop_config.json:
{
"mcpServers": {
"agentarmor": {
"command": "uv",
"args": ["run", "agentarmor-mcp"],
"cwd": "/path/to/your/project"
}
}
}
Or run the one-command setup:
bash setup_claude_code.sh
Available MCP Tools:
| Tool | What It Does |
|---|---|
armor_register_agent |
Register an agent with a permission set |
armor_scan_input |
Scan text for prompt injection, jailbreaks, DAN attacks |
armor_intercept |
Run a tool call through all 8 security layers |
armor_scan_output |
Redact PII (emails, SSNs, API keys) from output |
armor_scan_mcp_server |
Full TLS + OAuth 2.1 + rug-pull scan of any MCP server |
armor_get_status |
Health check: version, layers, registered agents |
๐ Full setup guide: docs/claude_code_setup.md
TLS + OAuth 2.1 Verification (New in v0.3.0)
from agentarmor import MCPGuard
guard = MCPGuard()
result = guard.full_security_scan("https://api.example.com/mcp")
print(result["overall_risk"]) # "low" / "medium" / "high" / "critical"
OpenClaw Identity Guard (v0.2.0)
from agentarmor import OpenClawGuard
guard = OpenClawGuard(identity_dir="~/.openclaw")
enc_report = guard.encrypt_identity_files() # AES-256-GCM + BLAKE3
MCP Server Scanner (v0.2.0)
from agentarmor import MCPGuard
guard = MCPGuard()
report = guard.scan_server("http://localhost:8000")
print(report.summary()) # Risk level, dangerous tools, rug-pulls
LangChain / OpenAI
# LangChain
from agentarmor.integrations.langchain import AgentArmorCallback
callback = AgentArmorCallback(armor=armor)
# OpenAI
from agentarmor.integrations.openai import secure_openai_client
client = secure_openai_client(OpenAI(), armor=armor)
๐ Full integration guide: docs/integrations.md
Red Team Testing
from agentarmor.redteam import RedTeamSuite
suite = RedTeamSuite(armor=armor)
results = await suite.run_all()
suite.print_report(results)
CLI Commands
| Command | Description |
|---|---|
agentarmor init |
Generate a config file |
agentarmor validate <config> |
Validate configuration |
agentarmor scan -t "text" |
Scan text for threats |
agentarmor serve |
Start proxy server |
agentarmor keygen |
Generate encryption key |
agentarmor-mcp |
Start MCP server (stdio transport) (v0.4.0) |
Custom Security Policies
# policies/my_agent.yaml
version: "1.0"
name: "database_agent"
agent_type: "database"
risk_level: "high"
global_denied_actions:
- "database.drop"
- "database.truncate"
require_human_approval_for:
- "database.delete"
rules:
- name: "limit_transfer_amount"
action_pattern: "transfer.*"
conditions:
- field: "params.amount"
operator: ">"
value: "1000"
verdict: "escalate"
priority: 100
Architecture
MCP Agents (Claude Code, OpenClaw, Cursor, etc.)
โ
stdio โ (agentarmor-mcp)
โผ
Agent Runtime โโโโโโโโโโโโโโโโโโโ
(LangChain / โ MCP Server โ
CrewAI / โ 6 tools โ
OpenAI SDK / โโโ Python โโโโโบ โ (v0.4.0) โ
MCP) โโโโโโโโโโฌโโโโโโโโโโ
โ โ
โโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโ
โผ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ AgentArmor Pipeline โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ โ L8: Identity & IAM โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโค โ
โ โ L1: Data Ingestion โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโค โ
โ โ L2: Memory/Storage โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโค โ
โ โ L3: Context Assembly โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโค โ
โ โ L4: Plan Validation โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโค โ
โ โ L5: Action Execution โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโค โ
โ โ L7: Inter-Agent Sec โ โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ L6: Output Filter (post) โ
โ Audit Logger (cross-cut) โ
โ Policy Engine (cross-cut) โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โผ
External Tools / APIs / LLMs
OWASP ASI Coverage
| OWASP ASI Risk | AgentArmor Layer(s) |
|---|---|
| ASI01: Goal Hijacking | L1 (injection), L3 (prompt hardening) |
| ASI02: Tool Misuse | L4 (planning), L5 (execution), Policy Engine |
| ASI03: Identity Abuse | L8 (identity), L5 (JIT perms), OpenClaw Guard |
| ASI04: Supply Chain | L1 (source verify), MCP Scanner |
| ASI05: Code Execution | L5 (sandbox), L4 (risk scoring) |
| ASI06: Memory Poisoning | L2 (integrity), L3 (canary tokens) |
| ASI07: Inter-Agent | L7 (mutual auth, trust scoring) |
| ASI08: Cascading Failures | L4 (chain depth), L5 (rate limits) |
| ASI09: Human Trust | L6 (output filter), Audit Logger |
| ASI10: Rogue Agents | L8 (credential rotation), L7 (trust decay) |
Documentation
| Doc | Description |
|---|---|
| Quick Start | Installation and first steps |
| Claude Code Setup | MCP server setup for Claude Code, OpenClaw, Cursor |
| Architecture | 8-layer pipeline design and data flow |
| Integrations | MCP Server, OpenClaw, TLS/OAuth, LangChain, OpenAI |
| Policy Language | YAML policy reference and examples |
| Threat Model | OWASP ASI attack vectors and defenses |
| Use Cases | Financial, coding, RAG, multi-agent, MCP examples |
| Publishing | PyPI & GitHub release guide |
Contributing
See CONTRIBUTING.md for guidelines.
License
Apache 2.0. Free for commercial and open-source use.
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
agentarmor_core-0.4.0.tar.gz
(261.1 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file agentarmor_core-0.4.0.tar.gz.
File metadata
- Download URL: agentarmor_core-0.4.0.tar.gz
- Upload date:
- Size: 261.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.9.11 {"installer":{"name":"uv","version":"0.9.11"},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"22.04","id":"jammy","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bd1142d26ef2168523143481247e0f5e98f20092171ef5e7463cc5aee3169500
|
|
| MD5 |
70afe3188571f8878fa73e721e6f40f6
|
|
| BLAKE2b-256 |
84fe09e7a8435e31f20b6230cfd9660a89f79c5fa40ded7301df9bd9bfb0bb1c
|
File details
Details for the file agentarmor_core-0.4.0-py3-none-any.whl.
File metadata
- Download URL: agentarmor_core-0.4.0-py3-none-any.whl
- Upload date:
- Size: 63.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.9.11 {"installer":{"name":"uv","version":"0.9.11"},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"22.04","id":"jammy","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d6f3e56431eccef9dc228e4510d87cda7f2ea2b1ad6b7c672be9fbb515f7db42
|
|
| MD5 |
a9c0325eb918a1d5468be965ca027e8a
|
|
| BLAKE2b-256 |
732bd08ce9e8d7c81be0980c25c2de9e4196f538a7ba8917a4bed12d2e4158fa
|
