Comprehensive security framework for agentic AI applications: 8-layer defense-in-depth.
Project description
AgentArmor
Comprehensive open-source security framework for agentic AI applications.
AgentArmor provides 8-layer defense-in-depth security for AI agents, covering every point in the data flow where data is at rest, in transit, or in use. Built to address the OWASP Top 10 for Agentic Applications (2026).
What's New in v0.5.0: Hardened Security Layers
This is a major security release that upgrades four layers (L3 to L6) from basic implementations to production-grade, adversarially-tested enforcement engines, and adds encryption at rest in L2:
- L3: Hardened Context Assembly. GoalLock anchor prevents goal hijacking mid-conversation. CanaryVault injects multiple unique canary tokens per session. Tiered context assembly strips template injection before it reaches the LLM. Validated against 48 adversarial test cases.
- L4: Hardened Planning & Reasoning. ActionChainTracker detects multi-step attack chains (reconnaissance -> escalation -> exfiltration). Semantic risk scoring evaluates action intent, not just verbs. Validated against 40 adversarial test cases.
- L5: Hardened Execution Control. Five enforcement domains: Network Policy (DNS rebinding + SSRF protection), Rate Limiting (token bucket + circuit breaker), Resource Budget (timeout + size limits), Output Sanitizer (UTF-8 + binary strip), and Side-Effect Auditor (immutable execution records). Validated against 39 adversarial test cases.
- L6: Hardened Output Security. Five-scanner pipeline: Credential Scanner (13+ patterns, tuned for zero false positives), PII Scanner (confidence-gated Presidio), Harmful Content Detector (jailbreak + system prompt leak detection), Semantic Exfiltration Detector (cross-response tracking), and Schema Validation. Supports both streaming and non-streaming responses. Validated against 12 adversarial test cases.
- L2: Encrypted Storage. All data stored in Studio's SQLite database is now AES-256-GCM encrypted, with an HMAC tag for tamper detection.
127+ adversarial test cases validate the hardened layers end-to-end.
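The L4 ActionChainTracker and semantic risk scoring described above, reconstructed as an added example that is not AgentArmor's own code: the phase vocabulary (which action-name prefixes count as reconnaissance, escalation or exfiltration), the sensitive-parameter markers and the verdict thresholds are assumptions chosen for illustration, and the recorded actions are constructed. The point it shows is that the verdict comes from the ordered sequence of phases inside a sliding window plus what the parameters reveal about intent, not from any single verb.

```python
"""Multi-step attack-chain detection over a sliding window of agent actions."""
from collections import deque

# Assumed phase vocabulary (not AgentArmor's): action-name prefixes mapped to
# the attack phase they most plausibly belong to.
PHASES = {
    "recon":    ("list.", "search.", "env.", "read."),
    "escalate": ("permission.", "role.", "token.", "sudo."),
    "exfil":    ("http.post", "email.send", "upload.", "dns.txt"),
}
CHAIN = ("recon", "escalate", "exfil")
# Assumed markers that make an otherwise ordinary action look like it targets secrets.
SENSITIVE_MARKERS = (".ssh", ".aws", "/etc/shadow", "id_rsa", "secret")


def phase_of(action):
    """Map an action name to its attack phase, or None if it is neutral."""
    for phase, prefixes in PHASES.items():
        if action.startswith(prefixes):
            return phase
    return None


def semantic_risk(action, params):
    """Score intent from the whole call, not the verb alone: reading
    ~/.ssh/id_rsa is riskier than reading notes.txt even though both are read.file."""
    score = {"recon": 1, "escalate": 3, "exfil": 4}.get(phase_of(action), 0)
    blob = " ".join(str(v) for v in params.values()).lower()
    if any(marker in blob for marker in SENSITIVE_MARKERS):
        score += 3
    return score


class ActionChainTracker:
    def __init__(self, window=10):
        self.window = window          # how many recent actions are considered
        self.history = deque()

    def record(self, action, params=None):
        params = params or {}
        self.history.append((action, params))
        while len(self.history) > self.window:
            self.history.popleft()
        # Longest ordered match of CHAIN phases inside the window. recon followed
        # later by exfil counts as 2 even when no escalation step was observed.
        last_idx, matched = -1, 0
        for act, _ in self.history:
            phase = phase_of(act)
            if phase is None:
                continue
            idx = CHAIN.index(phase)
            if idx > last_idx:
                last_idx, matched = idx, matched + 1
        risk = sum(semantic_risk(a, p) for a, p in self.history)
        if matched == len(CHAIN) or risk >= 10:
            verdict = "block"
        elif matched >= 2 or risk >= 6:
            verdict = "escalate"
        else:
            verdict = "allow"
        return {"verdict": verdict, "chain_progress": matched, "risk": risk}


def demo():
    """Constructed session: enumerate, read a key, mint a token, post it out."""
    tracker = ActionChainTracker()
    steps = [
        ("list.files", {"path": "/home/u"}),
        ("read.file", {"path": "/home/u/.ssh/id_rsa"}),
        ("token.mint", {"scope": "admin"}),
        ("http.post", {"url": "https://collector.example/upload"}),
    ]
    return [tracker.record(a, p)["verdict"] for a, p in steps]


if __name__ == "__main__":
    print(demo())
```

The thresholds are tuning knobs: a window that is too short lets an attacker pad the chain with harmless calls, and a recon-then-exfil score that escalates every "search then post" flow will generate noise in agents that legitimately publish search results.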
Why AgentArmor?
Most existing security tools are point solutions: output validators, prompt injection scanners, or policy engines in isolation. AgentArmor is a unified framework that secures the entire agentic architecture end-to-end.
The 8 Security Layers
| Layer | Name | What It Protects |
|---|---|---|
| L1 | Ingestion | Input scanning, prompt injection detection, source verification |
| L2 | Storage | AES-256-GCM encryption at rest, HMAC integrity, tamper detection |
| L3 | Context | GoalLock anchoring, multi-canary injection, template injection stripping |
| L4 | Planning | Action chain tracking, semantic risk scoring, multi-step attack detection |
| L5 | Execution | DNS rebinding protection, rate limiting, circuit breakers, resource budgets |
| L6 | Output | Credential redaction, PII scanning, harmful content blocking, exfiltration detection |
| L7 | Inter-Agent | Mutual auth (HMAC), trust scoring with time decay, delegation depth control |
| L8 | Identity | Agent identity, JIT permissions, credential rotation |
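The L7 row above lists mutual HMAC authentication, trust scoring with time decay and delegation depth control. The following is an added example of those three mechanisms, not the project's own L7 implementation: the message format, the 30-second clock-skew window, the depth limit of 3, the exponential half-life decay and the sample keys and timestamps are all assumptions. Both agents are assumed to have received the same shared key out of band.

```python
"""Mutual HMAC authentication between agents plus decaying trust scores."""
import hashlib
import hmac
import json
import secrets
import time


class AgentChannel:
    """One end of a shared-secret channel. Every message carries sender,
    timestamp, nonce, delegation depth and an HMAC-SHA256 tag over all of them."""
    MAX_SKEW_SECONDS = 30.0       # assumed tolerance for clock drift
    MAX_DELEGATION_DEPTH = 3      # assumed cap on how far a task may be re-delegated

    def __init__(self, shared_key, agent_id):
        self.key = shared_key
        self.agent_id = agent_id
        self.seen_nonces = set()  # replay protection for this receiver

    def _tag(self, body):
        # Canonical JSON so both sides MAC exactly the same bytes.
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self.key, canonical, hashlib.sha256).hexdigest()

    def sign(self, payload, depth, now=None):
        body = {
            "from": self.agent_id,
            "ts": time.time() if now is None else now,
            "nonce": secrets.token_hex(8),
            "depth": depth,
            "payload": payload,
        }
        return {**body, "tag": self._tag(body)}

    def verify(self, msg, now=None):
        """Return (ok, reason). The MAC is checked first so that untrusted
        fields are never interpreted before their integrity is established."""
        now = time.time() if now is None else now
        body = {k: v for k, v in msg.items() if k != "tag"}
        if not hmac.compare_digest(self._tag(body), str(msg.get("tag", ""))):
            return False, "bad_mac"
        if abs(now - body["ts"]) > self.MAX_SKEW_SECONDS:
            return False, "stale"
        if body["nonce"] in self.seen_nonces:
            return False, "replay"
        if body["depth"] > self.MAX_DELEGATION_DEPTH:
            return False, "delegation_too_deep"
        self.seen_nonces.add(body["nonce"])
        return True, "ok"


class TrustScore:
    """Trust earned from verified messages decays toward zero with a half-life,
    so an agent that was trustworthy last week is not automatically trusted now.
    Penalties decay the same way, which keeps a single old failure from being permanent."""

    def __init__(self, half_life_seconds=3600.0):
        self.half_life = half_life_seconds
        self.score = 0.0
        self.updated = None

    def _decay(self, now):
        if self.updated is not None:
            self.score *= 0.5 ** ((now - self.updated) / self.half_life)
        self.updated = now

    def observe(self, verified, now):
        self._decay(now)
        self.score += 1.0 if verified else -5.0   # assumed reward/penalty weights
        self.score = max(self.score, -10.0)
        return self.score

    def current(self, now):
        self._decay(now)
        return self.score


if __name__ == "__main__":
    key = secrets.token_bytes(32)                    # constructed shared key
    planner, worker = AgentChannel(key, "planner"), AgentChannel(key, "worker")
    msg = planner.sign({"task": "summarize"}, depth=1)
    print(worker.verify(msg))                         # (True, 'ok')
    print(worker.verify(msg))                         # (False, 'replay')
```

Delegation depth is enforced by the receiver, so a compromised intermediate agent cannot extend a chain past the cap simply by forwarding; it would need the shared key to re-sign a lower depth, which is exactly the credential L8 is meant to scope and rotate.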
Quick Start
Install
```bash
# Using uv (recommended)
uv add agentarmor-core

# With MCP server support (for Claude Code, OpenClaw, etc.)
uv add "agentarmor-core[mcp]"

# With PII detection
uv add "agentarmor-core[pii]"

# With all optional features
uv add "agentarmor-core[all]"

# Available extras: proxy, pii, otel, mcp, oauth, all, dev

# For development
git clone https://github.com/Agastya910/agentarmor.git
cd agentarmor
uv sync --all-extras --dev
```
Basic Usage
```python
import asyncio
from agentarmor import AgentArmor, ArmorConfig


async def main():
    armor = AgentArmor()

    # Register your agent
    identity, token = armor.l8_identity.register_agent(
        agent_id="my-agent",
        permissions={"read.*", "search.*"},
    )

    # Intercept tool calls
    result = await armor.intercept(
        action="read.file",
        params={"path": "/data/notes.txt"},
        agent_id="my-agent",
        input_data="Read the file please",
    )
    print(f"Safe: {result.is_safe}")
    print(f"Verdict: {result.final_verdict.value}")


asyncio.run(main())
```
Use as Decorator
```python
# `armor` is the AgentArmor() instance created above and `db` is your own
# database handle; each call is evaluated as a "database.query" action
# before the body runs.
@armor.shield(action="database.query")
async def query_database(sql: str) -> dict:
    return db.execute(sql)
```
Proxy Server Mode
```bash
agentarmor serve --config agentarmor.yaml --port 8400

curl -X POST http://localhost:8400/v1/intercept \
  -H "Content-Type: application/json" \
  -d '{"action": "read.file", "agent_id": "my-agent", "input_data": "Hello"}'
```
Hardened Layer Examples
L3 Context Hardening: GoalLock
AgentArmor's L3 layer prevents goal hijacking by anchoring the agent's purpose at the start of every conversation. Template injection attempts are stripped before reaching the LLM.
```python
from agentarmor.layers.context.assembler import L3ContextLayer

l3 = L3ContextLayer(
    agent_id="my-agent",
    agent_config={
        "system_prompt": "You are a helpful assistant.",
        "tools": ["web_search", "file_read"],
    },
)

# Build a hardened system prompt with canary tokens and GoalLock
hardened_prompt = l3.build_secure_system_prompt(
    base_system_prompt="You are a helpful assistant.",
    conversation_id="session-123",
)


# After the LLM responds, check for canary leaks and goal drift.
# check_output() is a coroutine, so it is awaited from async code;
# llm_response is the model's reply and user_input the user's message.
async def guard_turn(llm_response: str, user_input: str):
    safe_response, events = await l3.check_output(
        conversation_id="session-123",
        response=llm_response,
        tool_calls=[],
        turn_number=1,
        user_message=user_input,
    )
    return safe_response, events
```
L5 Execution Hardening: Network Policy
The L5 layer enforces DNS rebinding protection, protocol restrictions, and domain allowlists/blocklists on every outbound request.
```python
from agentarmor.layers.execution.l5_execution import L5ExecutionLayer, NetworkPolicy

l5 = L5ExecutionLayer(
    agent_id="my-agent",
    network_policy=NetworkPolicy(
        allow_http=False,  # HTTPS only
        domain_allowlist=["api.github.com", "*.openai.com"],
        domain_blocklist=["metadata.google.internal", "*.local"],
        dns_rebinding_protection=True,
        max_outbound_payload_bytes=50_000,
    ),
)


# Execute a tool with full L5 enforcement. execute() is a coroutine;
# my_search_function is your own tool implementation.
async def run_search():
    result, event = await l5.execute(
        tool_name="web_search",
        tool_args={"query": "latest AI news"},
        tool_func=my_search_function,
        session_id="session-123",
        outbound_url="https://api.tavily.com/search",
    )
    return result, event
```
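The checks behind the NetworkPolicy settings above, written as an added example that is not AgentArmor's code: scheme restriction, wildcard allowlist and blocklist, payload budget, and DNS-rebinding protection. The rebinding defence resolves the host once, rejects any answer in a private, loopback, link-local or otherwise internal range, and returns the address that passed so the caller connects to that pinned IP (with the original hostname for SNI and the Host header) rather than resolving again. The resolver results are constructed so the example runs offline; the decision shape and the `evaluate()` name are assumptions.

```python
"""Outbound network policy with allowlists, a payload budget and DNS-rebinding protection."""
import fnmatch
import ipaddress
import socket
from urllib.parse import urlsplit

# Constructed resolver answers for the example. tools.example.com is the
# rebinding case: one public address and one inside 10.0.0.0/8.
FAKE_DNS = {
    "api.github.com": ["140.82.112.6"],
    "tools.example.com": ["93.184.216.34", "10.0.0.5"],
}


def system_resolve(host):
    """Real resolver used when no test resolver is injected."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


class NetworkPolicy:
    def __init__(self, allow_http=False, domain_allowlist=(), domain_blocklist=(),
                 dns_rebinding_protection=True, max_outbound_payload_bytes=50_000,
                 resolver=None):
        self.allow_http = allow_http
        self.domain_allowlist = tuple(p.lower() for p in domain_allowlist)
        self.domain_blocklist = tuple(p.lower() for p in domain_blocklist)
        self.dns_rebinding_protection = dns_rebinding_protection
        self.max_outbound_payload_bytes = max_outbound_payload_bytes
        self.resolver = resolver or system_resolve

    @staticmethod
    def _matches(host, patterns):
        # fnmatch semantics: "*.openai.com" matches api.openai.com, not openai.com.
        return any(fnmatch.fnmatchcase(host, p) for p in patterns)

    def evaluate(self, url, payload_bytes=0):
        """Return a decision dict; pinned_ip is the address the caller must connect to."""
        def deny(reason):
            return {"allowed": False, "reason": reason, "pinned_ip": None}

        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https" and not (self.allow_http and parts.scheme == "http"):
            return deny(f"scheme not allowed: {parts.scheme or 'none'}")
        if not host:
            return deny("missing host")
        if self._matches(host, self.domain_blocklist):
            return deny(f"host blocklisted: {host}")
        if self.domain_allowlist and not self._matches(host, self.domain_allowlist):
            return deny(f"host not allowlisted: {host}")
        if payload_bytes > self.max_outbound_payload_bytes:
            return deny(f"payload {payload_bytes} B exceeds budget")
        try:
            ipaddress.ip_address(host)       # literal IP in the URL
            addrs = [host]
        except ValueError:
            if not self.dns_rebinding_protection:
                return {"allowed": True, "reason": "ok (unpinned)", "pinned_ip": None}
            addrs = self.resolver(host)
            if not addrs:
                return deny(f"could not resolve {host}")
        # Every answer must be external: a dual-homed or rebinding reply fails closed.
        for addr in addrs:
            if is_internal(addr):
                return deny(f"{host} -> {addr} is an internal address")
        return {"allowed": True, "reason": "ok", "pinned_ip": addrs[0]}


if __name__ == "__main__":
    policy = NetworkPolicy(domain_allowlist=["api.github.com", "*.example.com"],
                           domain_blocklist=["metadata.google.internal", "*.local"],
                           resolver=lambda h: FAKE_DNS.get(h, []))
    print(policy.evaluate("https://api.github.com/repos"))
    print(policy.evaluate("https://tools.example.com/run"))
```

Pinning only helps if the HTTP client honours it: pass the IP as the connection target and the hostname separately, or a client that re-resolves on redirect reopens the rebinding window. Redirect targets need to go through `evaluate()` again for the same reason.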
L6 Output Hardening: 5-Scanner Pipeline
The L6 layer scans every output for credentials, PII, harmful content, and semantic exfiltration patterns.
```python
from agentarmor.layers.output.filter import L6OutputLayer

l6 = L6OutputLayer(
    agent_id="my-agent",
    enable_pii_scan=True,
    enable_harmful_scan=True,
)

# Scan a response
safe_text, result = l6.process(llm_response, session_id="session-123")
if result["verdict"] == "block":
    print("Response contained critical security violation!")
else:
    print(f"Cleaned: {result['findings_count']} findings redacted")
```
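An added example of the credential, PII, harmful-content and cross-response exfiltration scanners, written to demonstrate the pipeline rather than taken from AgentArmor: the regex set (a handful of patterns, not the project's 13+), the severities, the verdict policy and the sample responses are assumptions. The cross-response part is the one worth studying: a session tail of previous output is kept so that a key dribbled out over two replies is still caught, which a per-response scanner misses.

```python
"""Output scanning: credentials, PII, prompt-leak phrases, split credentials across replies."""
import re

# (pattern, severity). Where a pattern has groups, the last group is what gets redacted.
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "critical"),
    "github_token": (re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"), "critical"),
    "private_key_block": (re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), "critical"),
    "generic_api_key": (re.compile(
        r"(?i)\b(api[_-]?key|secret|token)\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{20,})"), "high"),
}
PII_PATTERNS = {
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "medium"),
    "us_ssn": (re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"), "high"),
}
HARMFUL_PATTERNS = {
    "system_prompt_leak": (re.compile(
        r"(?i)\bmy (system|initial) (prompt|instructions) (is|are|say)"), "critical"),
}
# Boundary-free variants for the cross-response check, run on whitespace-stripped text.
SPLIT_CREDENTIAL_RX = re.compile(r"AKIA[0-9A-Z]{16}|gh[pousr]_[A-Za-z0-9]{36}")


class L6OutputScanner:
    def __init__(self, tail_chars=64):
        self.tail_chars = tail_chars   # how much prior output is remembered per session
        self._tails = {}

    @staticmethod
    def _scan(text):
        findings = []
        for scanner, table in (("credential", CREDENTIAL_PATTERNS),
                               ("pii", PII_PATTERNS), ("harmful", HARMFUL_PATTERNS)):
            for kind, (rx, severity) in table.items():
                for m in rx.finditer(text):
                    span = m.span(rx.groups) if rx.groups else m.span()
                    findings.append({"scanner": scanner, "kind": kind,
                                     "severity": severity, "span": span})
        return findings

    def _cross_response(self, session_id, text):
        """Flag a credential that straddles the boundary between the previous
        output tail and this response."""
        tail = self._tails.get(session_id, "")
        joined = tail + re.sub(r"\s+", "", text)
        hits = [m for m in SPLIT_CREDENTIAL_RX.finditer(joined)
                if m.start() < len(tail) < m.end()]
        self._tails[session_id] = joined[-self.tail_chars:]
        return [{"scanner": "exfiltration", "kind": "split_credential",
                 "severity": "critical", "span": None} for _ in hits]

    def process(self, text, session_id):
        findings = self._scan(text) + self._cross_response(session_id, text)
        # Merge overlapping spans, then redact right-to-left so offsets stay valid.
        kept = []
        for (start, end), kind in sorted((f["span"], f["kind"]) for f in findings if f["span"]):
            if kept and start < kept[-1][0][1]:
                continue
            kept.append(((start, end), kind))
        redacted = text
        for (start, end), kind in reversed(kept):
            redacted = redacted[:start] + f"[{kind}]" + redacted[end:]
        severities = {f["severity"] for f in findings}
        verdict = "block" if "critical" in severities else ("redact" if findings else "allow")
        return redacted, {"verdict": verdict, "findings_count": len(findings),
                          "findings": findings}


if __name__ == "__main__":
    scanner = L6OutputScanner()
    # Constructed replies: the model splits the canonical AWS example key in two.
    print(scanner.process("Here is the first half: AKIAIOSFOD", "s4")[1]["verdict"])
    print(scanner.process("NN7EXAMPLE is the rest", "s4")[1]["verdict"])
```

The redacted text is returned even on a block verdict so the caller can decide between dropping the reply and logging the sanitized form; the audit record should never contain the raw finding.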
Integrations
MCP Server: Zero-Code Security for Any Agent (v0.4.0)
AgentArmor runs as a native MCP server that any MCP-compatible coding agent can call directly; no Python code changes are needed in your project.
Setup for Claude Code: add to ~/.claude/claude_desktop_config.json:
```json
{
  "mcpServers": {
    "agentarmor": {
      "command": "uv",
      "args": ["run", "agentarmor-mcp"],
      "cwd": "/path/to/your/project"
    }
  }
}
```
Available MCP Tools:
| Tool | What It Does |
|---|---|
| armor_register_agent | Register an agent with a permission set |
| armor_scan_input | Scan text for prompt injection, jailbreaks, DAN attacks |
| armor_intercept | Run a tool call through all 8 security layers |
| armor_scan_output | Redact PII (emails, SSNs, API keys) from output |
| armor_scan_mcp_server | Full TLS + OAuth 2.1 + rug-pull scan of any MCP server |
| armor_get_status | Health check: version, layers, registered agents |
Full setup guide: docs/claude_code_setup.md
TLS + OAuth 2.1 Verification (v0.3.0)
```python
from agentarmor import MCPGuard

guard = MCPGuard()
result = guard.full_security_scan("https://api.example.com/mcp")
print(result["overall_risk"])  # "low" / "medium" / "high" / "critical"
```
OpenClaw Identity Guard (v0.2.0)
```python
from agentarmor import OpenClawGuard

guard = OpenClawGuard(identity_dir="~/.openclaw")
enc_report = guard.encrypt_identity_files()  # AES-256-GCM + BLAKE3
```
LangChain / OpenAI
```python
# LangChain
from agentarmor.integrations.langchain import AgentArmorCallback

callback = AgentArmorCallback(armor=armor)

# OpenAI
from openai import OpenAI
from agentarmor.integrations.openai import secure_openai_client

client = secure_openai_client(OpenAI(), armor=armor)
```
Full integration guide: docs/integrations.md
CLI Commands
| Command | Description |
|---|---|
| agentarmor init | Generate a config file |
| agentarmor validate <config> | Validate configuration |
| agentarmor scan -t "text" | Scan text for threats |
| agentarmor serve | Start proxy server |
| agentarmor keygen | Generate encryption key |
| agentarmor-mcp | Start MCP server (stdio transport) |
Custom Security Policies
```yaml
# policies/my_agent.yaml
version: "1.0"
name: "database_agent"
agent_type: "database"
risk_level: "high"

global_denied_actions:
  - "database.drop"
  - "database.truncate"

require_human_approval_for:
  - "database.delete"

rules:
  - name: "limit_transfer_amount"
    action_pattern: "transfer.*"
    conditions:
      - field: "params.amount"
        operator: ">"
        value: "1000"
    verdict: "escalate"
    priority: 100
```
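How a policy like the one above is evaluated against an intercepted action, as an added example that is not AgentArmor's policy engine: the evaluation order (global denials, then human-approval actions, then rules by descending priority with first match winning), the supported operators, the dotted `params.amount` field lookup and the coercion of the quoted `"1000"` to a number are all assumptions about semantics the page does not spell out. The policy is embedded as the Python structure `yaml.safe_load` would produce from the file, with one extra rule added to show priority ordering.

```python
"""Evaluate a YAML-style agent policy against an (action, params) pair."""
import fnmatch

# Mirror of policies/my_agent.yaml plus one extra rule (deny_external_transfer)
# added for the example to show that the higher priority rule is checked first.
POLICY = {
    "version": "1.0",
    "name": "database_agent",
    "agent_type": "database",
    "risk_level": "high",
    "global_denied_actions": ["database.drop", "database.truncate"],
    "require_human_approval_for": ["database.delete"],
    "rules": [
        {"name": "limit_transfer_amount", "action_pattern": "transfer.*",
         "conditions": [{"field": "params.amount", "operator": ">", "value": "1000"}],
         "verdict": "escalate", "priority": 100},
        {"name": "deny_external_transfer", "action_pattern": "transfer.*",
         "conditions": [{"field": "params.to_external", "operator": "==", "value": "true"}],
         "verdict": "deny", "priority": 200},
    ],
}

OPERATORS = {
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
    "==": lambda a, b: a == b, "!=": lambda a, b: a != b,
    "in": lambda a, b: a in b, "contains": lambda a, b: b in a,
}


def lookup(ctx, dotted):
    """Resolve 'params.amount' against {"action": ..., "params": {...}}."""
    cur = ctx
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def coerce(reference, value):
    """YAML values are strings here; convert to the type of the field they compare with."""
    if isinstance(reference, bool):            # bool before int: bool is an int subclass
        return str(value).strip().lower() in ("true", "1", "yes")
    if isinstance(reference, (int, float)):
        try:
            return float(value)
        except (TypeError, ValueError):
            return value
    return value


def condition_holds(cond, ctx):
    actual = lookup(ctx, cond["field"])
    if actual is None:                          # a missing field never satisfies a rule
        return False
    try:
        return OPERATORS[cond["operator"]](actual, coerce(actual, cond["value"]))
    except TypeError:
        return False


def evaluate(policy, action, params):
    """Return 'deny', 'escalate', the verdict of the first matching rule, or 'allow'."""
    if action in policy.get("global_denied_actions", []):
        return "deny"
    if action in policy.get("require_human_approval_for", []):
        return "escalate"
    ctx = {"action": action, "params": params}
    rules = sorted(policy.get("rules", []), key=lambda r: r.get("priority", 0), reverse=True)
    for rule in rules:
        if not fnmatch.fnmatchcase(action, rule["action_pattern"]):
            continue
        if all(condition_holds(c, ctx) for c in rule.get("conditions", [])):
            return rule["verdict"]
    return "allow"


if __name__ == "__main__":
    for action, params in [("database.drop", {}), ("database.delete", {"id": 7}),
                           ("transfer.funds", {"amount": 5000}),
                           ("transfer.funds", {"amount": 5000, "to_external": True})]:
        print(action, params, "->", evaluate(POLICY, action, params))
```

Two behaviours here are deliberate and worth checking against the real engine: a condition on a field the call does not supply fails closed (so a missing `amount` cannot slip under a limit), and an unparseable numeric value keeps the raw string and lets the comparison fail rather than raising into the agent loop.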
Architecture
```text
MCP Agents (Claude Code, OpenClaw, Cursor, etc.)
                                      |
                                      | stdio (agentarmor-mcp)
                                      v
Agent Runtime                 +-------------------+
(LangChain /                  |    MCP Server     |
 CrewAI /                     |     6 tools       |
 OpenAI SDK /                 |     (v0.4.0)      |
 MCP)                         +---------+---------+
      |                                 |
      | Python API                      |
      +----------------+----------------+
                       v
      +-------------------------------+
      |      AgentArmor Pipeline      |
      |  +-------------------------+  |
      |  | L8: Identity & IAM      |  |
      |  +-------------------------+  |
      |  | L1: Data Ingestion      |  |
      |  +-------------------------+  |
      |  | L2: Memory/Storage      |  |
      |  +-------------------------+  |
      |  | L3: Context Assembly    |  |
      |  +-------------------------+  |
      |  | L4: Plan Validation     |  |
      |  +-------------------------+  |
      |  | L5: Action Execution    |  |
      |  +-------------------------+  |
      |  | L7: Inter-Agent Sec     |  |
      |  +-------------------------+  |
      |  L6: Output Filter (post)     |
      |  Audit Logger (cross-cut)     |
      |  Policy Engine (cross-cut)    |
      +-------------------------------+
                       |
                       v
        External Tools / APIs / LLMs
```
OWASP ASI Coverage
| OWASP ASI Risk | AgentArmor Layer(s) |
|---|---|
| ASI01: Goal Hijacking | L1 (injection), L3 (GoalLock + canary tokens) |
| ASI02: Tool Misuse | L4 (chain tracking), L5 (execution gates), Policy Engine |
| ASI03: Identity Abuse | L8 (identity), L5 (JIT perms), OpenClaw Guard |
| ASI04: Supply Chain | L1 (source verify), MCP Scanner |
| ASI05: Code Execution | L5 (5-domain enforcement), L4 (risk scoring) |
| ASI06: Memory Poisoning | L2 (AES-256-GCM + MAC integrity), L3 (canary tokens) |
| ASI07: Inter-Agent | L7 (mutual auth, trust scoring with decay) |
| ASI08: Cascading Failures | L4 (chain depth + circuit breaker), L5 (rate limits) |
| ASI09: Human Trust | L6 (5-scanner pipeline), Audit Logger |
| ASI10: Rogue Agents | L8 (credential rotation), L7 (trust decay) |
Documentation
| Doc | Description |
|---|---|
| Quick Start | Installation and first steps |
| Hardened Layers | Deep dive into the v0.5.0 hardened security layers |
| Claude Code Setup | MCP server setup for Claude Code, OpenClaw, Cursor |
| Architecture | 8-layer pipeline design and data flow |
| Integrations | MCP Server, OpenClaw, TLS/OAuth, LangChain, OpenAI |
| Policy Language | YAML policy reference and examples |
| Threat Model | OWASP ASI attack vectors and defenses |
| Use Cases | Financial, coding, RAG, multi-agent, MCP examples |
| Publishing | PyPI & GitHub release guide |
Contributing
See CONTRIBUTING.md for guidelines.
License
Apache 2.0. Free for commercial and open-source use.
Download files
File details: agentarmor_core-0.6.0.tar.gz (source distribution)
- Download URL: agentarmor_core-0.6.0.tar.gz
- Upload date:
- Size: 318.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.3 (uv publish)

| Algorithm | Hash digest |
|---|---|
| SHA256 | 24ac9d1c5ed9545008a3c0b1c8f9ee884704595c8b23423f4768718a88227132 |
| MD5 | d65e7af51c60d0660a9fc73682edc525 |
| BLAKE2b-256 | 89864a32cbc7e6e263fd73026a0d2634d792b325810fd88690bedfd2c41f4f8e |
File details: agentarmor_core-0.6.0-py3-none-any.whl (built distribution)
- Download URL: agentarmor_core-0.6.0-py3-none-any.whl
- Upload date:
- Size: 109.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.3 (uv publish)

| Algorithm | Hash digest |
|---|---|
| SHA256 | 1775929b0c02c0fdb29c07eca29868716e6eb726633aa0c0df1eed92c03efbf7 |
| MD5 | cd4f8074bc6f3c8558d9c1747097845e |
| BLAKE2b-256 | 76a15bc73b8a41693b1912dfd87c67c45ff68c1f55335a527a7009f614521f34 |
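Neither artifact was uploaded with Trusted Publishing, so there is no publisher attestation to check; the digests above are the only binding between the page and the bytes you install. The following added example (not part of the project) computes the same SHA-256 and BLAKE2b-256 digests PyPI lists and compares them in constant time. MD5 is left out on purpose: it is not collision-resistant and adds nothing once SHA-256 matches. The `EXPECTED_SDIST` values are copied from the page; the hashed sample bytes in the test are constructed.

```python
"""Verify a downloaded distribution against the digests shown on its PyPI page."""
import hashlib
import hmac

# Copied from the agentarmor_core-0.6.0.tar.gz file details above.
EXPECTED_SDIST = {
    "sha256": "24ac9d1c5ed9545008a3c0b1c8f9ee884704595c8b23423f4768718a88227132",
    "blake2b_256": "89864a32cbc7e6e263fd73026a0d2634d792b325810fd88690bedfd2c41f4f8e",
}


def digests_of_bytes(data):
    """PyPI's BLAKE2b-256 is BLAKE2b with a 32-byte digest, not truncated BLAKE2b-512."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "blake2b_256": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


def digests_of_file(path):
    """Same digests, streamed so large wheels do not have to fit in memory."""
    sha, b2 = hashlib.sha256(), hashlib.blake2b(digest_size=32)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            sha.update(chunk)
            b2.update(chunk)
    return {"sha256": sha.hexdigest(), "blake2b_256": b2.hexdigest()}


def verify_digests(actual, expected):
    """True only when every expected digest is present and matches (constant-time compare).
    An empty expected set is a verification failure, not a pass."""
    if not expected:
        return False
    return all(
        hmac.compare_digest(actual.get(name, ""), digest.strip().lower())
        for name, digest in expected.items()
    )


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "agentarmor_core-0.6.0.tar.gz"
    ok = verify_digests(digests_of_file(path), EXPECTED_SDIST)
    print("verified" if ok else "DIGEST MISMATCH")
    sys.exit(0 if ok else 1)
```

For installs rather than one-off checks, the same binding can be enforced by the installer: a requirements line of the form `agentarmor-core==0.6.0 --hash=sha256:24ac9d1c...` installed with `pip install --require-hashes -r requirements.txt` refuses any artifact whose digest differs.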