Skip to main content

Runtime firewall for AI agents - blocks catastrophic tool calls and self-heals the run.

Project description

๐Ÿ›ก๏ธ AgentX: The Action Firewall for AI Agents

Python 3.9+ License: Proprietary

LLM Agents are brilliant, but they are incredibly brittle. They will drop your production database, leak AWS keys, and fall victim to prompt injections. Traditional firewalls just crash the agent by returning a hard 403 Forbidden exception, killing the run completely and wasting compute tokens.

AgentX is different, and it starts protecting you with zero keys. Its hero is a deterministic security floor (the Shield): a local, sub-millisecond, zero-LLM layer that hard-blocks the catastrophic call (DROP TABLE, SSRF, secret reads, supply-chain RCE, destructive shell/cloud teardown) and escalates to a human the consequential-but-legitimate ones (large transfers, external publishes, runaway spend, bulk deletes). No API key, no signup, no LLM round-trip (the lone outbound call is the dependency-reputation check against the public npm/PyPI registries).

Add a Gemini key and the optional reasoning layer turns each block into a recoverable challenge instead of a fatal 403: the agent rethinks its strategy, fixes its parameters, and finishes the task without crashing your application or draining tokens on a wiped run, plus Discovery for novel-intent classification.

๐Ÿ›ก๏ธ Block the catastrophic deterministically. ๐Ÿง  Coach the recoverable when you add a key.


๐Ÿ—๏ธ Split-Plane Architecture

AgentX relies on a decoupled, split-plane hybrid architecture to balance latency with deep cognitive reasoning:

  • The Edge SDK (agentx_sdk): A low-config Python package instrumenting sensitive tool calls via reflective code signatures.
  • The Data Plane (Neuro-Symbolic Reasoning Engine): A high-performance Python FastAPI service (the "Wedge"). Handles Abstract Syntax Tree (AST) evaluation, zero-day threat trapping, and the local immunity signature lookup via a strict Layer 0 -> Layer 1 -> Layer 2 funnel (the cross-node Shared Immunity Network is a roadmap capability, see Pillar 3).
  • The Control Plane (Dashboard): A Next.js application listening on port 3000. Provides an executive command console for tracking corporate ROI metrics, analyzing agent Chain of Thought (CoT) loops, and promoting newly discovered policy vectors. Reads through a mode-aware edge layer: the gateway's local SQLite store in local/linked mode, a Supabase-backed real-time ledger in cloud mode.

โšก 1. Quickstart

AgentX requires zero changes to your underlying agentic logic, custom tools, or payload schemas. The SDK dynamically inspects function signatures at runtime using an auto-reflective ingestion engine.

Step 1: Install the SDK

pip install agentx-security-sdk

Step 1b: See it work in 10 seconds (no key, no gateway)

agentx demo

Runs a canned agent that tries a DROP TABLE and watches the in-process shield block it offline, the fastest way to confirm the install works before you wire it into your own agent.

Hit a block you're proud of? Turn it into a postable card:

agentx share

Renders your most recent catch as a clean, screenshot-able receipt + a ready-to-post draft and link. Privacy-safe by construction: it uses the policy class and your own tool name only, never the query or payload (the local ledger never stores one).

Step 2: Decorate Sensitive Tool Operations

Attach the @agentx_protect decorator over any high-risk system tool. The SDK automatically serializes parameters and enforces the evaluation wedge:

# โœ… MODERN REFLECTIVE IMPORTS (No boilerplate functions required)
from agentx_sdk.decorators import agentx_protect

@agentx_protect(agent_id="demo_frictionless_agent")
def dispatch_crm_update(client_id: str, profile_notes: str, db_session=None):
    """
    AgentX automatically inspects string elements, ignores connection objects
    like 'db_session', and evaluates intents out-of-prompt natively in RAM.
    """
    print(f"Updating records for {client_id}")

Step 2b: Handle the Block

Decorating is half the job. Your code also has to react when AgentX blocks a call. You never parse the message text. Use is_block() and read the structured fields:

from agentx_sdk import agentx_protect, is_block

result = dispatch_crm_update(client_id="CLI-99401", profile_notes=untrusted)

if is_block(result):
    print(f"Blocked by policy: {result.policy}")
    llm.send(result.challenge)        # feed the safe-path challenge back to your agent to self-correct
else:
    use(result)                        # not blocked โ€” the real return value

For strictly-typed tools (e.g. LangChain / Pydantic tools that validate a -> dict return), AgentX raises instead of returning, so the framework doesn't crash. Catch it and feed the same challenge back:

from agentx_sdk import AgentXSecurityBlock

try:
    data = fetch_user(uid)             # -> dict
except AgentXSecurityBlock as block:
    llm.send(block.challenge)

A circuit-breaker trip (runaway loop) is not a policy block. It raises AgentXCircuitBreakerTripped and is_block() returns False for it. Catch it separately to abort the run.


Step 2c: Or protect an MCP server with zero code

Don't own the tool's Python? Running a non-Python agent? Wrap any MCP server with agentx-mcp and every tools/call is screened by the same keyless Shield before it runs. No decorator, no key, no code change. Just one line in your mcp.json (Claude Code, Cursor, or any MCP client):

{
  "mcpServers": {
    "filesystem": {
      "command": "agentx-mcp",
      "args": ["npx", "-y", "@modelcontextprotocol/server-filesystem", "/data"]
    }
  }
}

agentx-mcp <real server command> spawns the real server and relays the protocol untouched, intercepting only tool calls. A blocked call comes back to the agent as a coaching tool error it can self-correct on, so the run keeps going and the dangerous call never reaches the server.

Beyond the calls your agent makes, agentx-mcp also watches the server's advertised tools for a bait-and-switch: a malicious or compromised server can advertise a benign tool at install (you approve it once), then silently rewrite that tool's description or schema on a later run to steer your agent. The proxy fingerprints each tool the first time it sees it and warns you when an already-approved tool's definition later changes (the NSA's 2026 MCP guidance names this exact attack). It runs in advisory mode by default (a loud warning, never breaks a run); set AGENTX_MCP_TOOL_PINNING=block to also gate calls to a changed tool until you re-verify it, or off to disable.

No Python in your stack? You don't need a persistent install. Run it on demand with uvx (or pipx run), which fetches the package into a throwaway environment, so your mcp.json stays one line:

{
  "mcpServers": {
    "filesystem": {
      "command": "uvx",
      "args": ["agentx-mcp", "npx", "-y", "@modelcontextprotocol/server-filesystem", "/data"]
    }
  }
}

(pipx run agentx-mcp <real server command> works the same way.)


Step 3: See your first block: no key, no gateway, no signup

This is the point of AgentX: the deterministic Shield runs inside the SDK. The catastrophic call is blocked offline, in-process, with zero keys and nothing else running, sub-millisecond, no LLM, no gateway. Just run:

python examples/08_frictionless_agent_protection.py

The script wraps an ordinary CRM function, then feeds it a prompt-injected DROP TABLE users;. The Layer-0 keyword shield intercepts it before it executes, no .env, no API key, no gateway required. You'll see the block and a clean session summary:


๐Ÿ•น๏ธ Console Session Output Logs:

========================================================================
๐Ÿค– AGENTX DEMO 08: ZERO-CONFIGURATION ENTERPRISE TOOL PROTECTION
========================================================================
Scenario: An engineer wraps an existing corporate function with AgentX.
The SDK automatically parses inputs via Python signature reflection.

๐Ÿ”„ --- Agent Execution Step ---
Agent Attempting Call: dispatch_crm_update(client_id='CLI-99401', profile_notes='...')
Injected Input Payload: 'Customer requested normal update. Retain account historical state; DROP TABLE users;'

๐Ÿ›ก๏ธ [AgentX SDK] Intercepting tool call to 'dispatch_crm_update' and active_stats = 0...
โšก [LOCAL KEYWORD SHIELD] Fast-path intercept engaged on policy 'Mass Destructive Intent' (offline, no LLM judge).
๐Ÿ›‘ [LOCAL BLOCK] Policy 'Mass Destructive Intent' matched a blocked intent locally.

๐Ÿ›‘ [AGENTX SHIELD] Request Intercepted & Blocked (deterministic floor โ€” no key, no LLM)!
-> The reflection engine successfully captured the nested SQL payload.
-> The SQLAlchemy session context object was safely ignored.

๐Ÿ”’ Enterprise data assets protected via zero-configuration injection monitoring.
========================================================================

โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
 ๐Ÿ›ก๏ธ  AgentX Session Summary (Trace: bbfda7a1-8e1b-41dd-8c59-b784a3bbdf6d)
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
 โฑ๏ธ  Uptime:                0.27 seconds
 ๐Ÿ› ๏ธ  Tools Monitored:       1
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
 ๐Ÿ›‘ Intercepts:            1   |  Cumulative: 1
 ๐Ÿ’ฅ Critical Blocks:       1   |  Cumulative: 1
 ๐Ÿšจ Human Escalations:     0   |  Cumulative: 0
 ๐Ÿ”„ Self-Corrections:      0   |  Cumulative: 0
 ๐Ÿ“ˆ Recovery Rate:         0.0%   (keyless block โ€” add a key for recovery, Step 4)
 ๐Ÿ’ฐ Tokens Saved:          ~1500
 โณ Time Saved:            ~5 min
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

Step 4: (Upgrade) Recover: turn hard blocks into recoverable challenges

Everything above is keyless Shield: it blocks the blatant calls and coaches your agent to self-correct. The reasoning axis (orthogonal to AGENTX_MODE) is Recover: the gateway judge catches what the keyword floor can't see, writes the task-fitting challenge when your policy carries none, and runs the coach-and-retry for you, plus Discovery for novel-intent classification. The tier no 403-style firewall has. It takes two things, and they go together:

1. A GEMINI_API_KEY, the cheap part. Copy .env.example to .env and set it:

# Reasoning axis โ€” OPTIONAL. Unset = Shield (floor-only, zero LLM, zero keys).
GEMINI_API_KEY=your_gemini_key_here       # from aistudio.google.com
# AGENTX_REASONING=off                     # force Shield even when a key is present

2. The gateway running with that key (Step 5), because the judge that writes the task-fitting challenge lives in the gateway, not the SDK. The gateway is closed-source, so you run a prebuilt private image after a one-time access grant. Request access at agentx-core.com, this is the wedge worth the two minutes.

The recovery demo needs the key (it makes a real LLM call to re-plan after a block; run it keyless and it points you to example 08 instead):

python examples/01_self_healing_agent.py

Run it with the key but without the gateway and it still completes, but fail-open: the Layer-0 shield applies a static challenge and the deep semantic checks are skipped. The demo says so itself (โš ๏ธ RECOVERED, DEGRADED โ€ฆ start the gateway to verify). The verified, judge-written recovery, the actual Recover tier, is the gateway path in Step 5.


Step 5: (Upgrade) Run the gateway: the reasoning judge (Recover), telemetry, control plane, HITL

The SDK protects you on its own (keyless Shield). The gateway is what unlocks Recover from Step 4: with a GEMINI_API_KEY set, the judge here writes the verified, task-fitting challenge (the keyless path only ever gets a static one). Run the gateway and the Next.js console to add the data plane (the reasoning judge, deep AST evaluation, the policy lifecycle) and the control plane (the ROI dashboard, Chain-of-Thought review, human-in-the-loop approvals). This is the AGENTX_MODE data axis, where data lives and whether it syncs:

#   local   isolated; local SQLite store; no sync; no keys required
#   linked  local-authoritative; explicit pull/push; no auto-sync
#   cloud   control plane authoritative; continuous sync + upload + HITL/SOC
AGENTX_MODE=local
NEXT_PUBLIC_AGENTX_MODE=local   # the UI's build-time copy; keep it equal
# AGENTX_API_KEY=agentx_sk_your_key_here   # required for `cloud` (and remote `linked`)

Connecting to the cloud is one variable. You don't need to set all three. An AGENTX_API_KEY is only ever meaningful for cloud upload, so just setting it (with no AGENTX_MODE/CONTROL_PLANE_URL) puts the gateway in cloud mode against the public plane, and it says so loudly at boot (๐Ÿ”‘ AGENTX_API_KEY detected โ†’ CLOUD mode โ€ฆ). Set AGENTX_MODE=local to override and stay isolated, or linked (with a CONTROL_PLANE_URL) for explicit pull/push without auto-upload.

Boot the data-plane wedge and the dashboard:

docker compose up -d

OR

cd backend
uvicorn gateway:app --host "0.0.0.0" --port=8000

Both commands above build the gateway from source (internal / source-access). The gateway is closed-source, so design partners run a prebuilt private image instead, pip install agentx-security-sdk does not ship it. Request access at agentx-core.com; once granted, the starter kit in deploy/partner/ pulls and runs the image (no source needed).

The reasoning engine then listens on http://localhost:8000 and the dashboard on http://localhost:3000. In local/linked mode the gateway owns the policy lifecycle from a local SQLite store (seeded on first boot, editable via the Policy & Discovery tabs); in cloud mode it mirrors policies from your Supabase-backed Control Plane.

Safety posture (optional). By default AgentX fails open, if the gateway is unreachable, tool calls still execute (with a loud warning and an audit tally in the session summary), and the in-process keyword shield still blocks deterministic threats like DROP TABLE. For high-stakes or irreversible actions, set AGENTX_FAIL_MODE=closed to instead block any call the engine can't verify until it recovers.


๐Ÿ“Š Executive Control Plane Telemetry When your agent script finishes or exits, local telemetry logs (.agentx.db) sync securely back to the central database layout. Open your browser workspace to http://localhost:3000/dashboard to inspect your real-time performance summary matrix:

+-----------------------------------------------------------------------------------+
|                        EXECUTIVE COMMAND CONSOLE                                   |
+-----------------------------------------------------------------------------------+
|  [Catastrophic Actions]   [Autonomous Recovery]  [Runs Protected]  [Time Saved]   |
|         92                      36.3%                  37             12.3 hrs     |
|  ๐Ÿ›‘ Irreversible/exfil   ๐Ÿ“ˆ Self-corrected รท    ๐Ÿ›ก๏ธ Runs that     โฑ๏ธ ~20 min/run  |
|     stopped pre-exec        challenged loops       self-corrected     reclaimed    |
+-----------------------------------------------------------------------------------+

Executive ROI Mappings (all computed per session, grouped by trace_id):

  • Catastrophic Actions Blocked (hero): A pure count of distinct sessions whose intercepted action fell in an irreversible / exfiltrative class, failure_mode โˆˆ {DESTRUCTIVE_ACTION, PII_EXFILTRATION, NETWORK_TRAVERSAL, SECRETS_LEAK}, with a policy-name keyword fallback. Every incident in the ledger is a pre-execution interception, so this is harm averted, not harm survived.
  • Autonomous Recovery Rate: Of the sessions that entered the challenge loop, the share whose terminal status is COMPLIED (the agent self-corrected). Counted per session so recovered โІ challenged, bounded โ‰ค100% by construction. HITL-approved sessions are excluded; only autonomous self-correction counts.
  • Agent Runs Protected: Sessions the agent self-corrected after a block (terminal COMPLIED).
  • Engineering Time Saved: ~20 min of manual triage credited per protected run, valued at $75/hr.

Operator dashboard metrics are scoped to production agents only, demo, simulation, blind-eval, and test/probe traffic are excluded so benchmarks never inflate an operator's numbers (they showcase the engine on the public landing page instead).


๐Ÿง  The 5 Pillars of Agentic Security

AgentX is built on a "Reasoning Engine" architecture that treats AI agents as autonomous employees rather than static scripts:

  1. Cognitive Interception: We intercept tool calls to compare the agent's stated intent (Chain of Thought) against its actual deterministic action.
  2. Socratic Nudging: Instead of crashing the agent, we issue a Socratic Challenge to guide them to a safe, desired end-goal.
  3. Shared Immunity Network (roadmap): Novel zero-day signatures discovered on one node are designed to graduate into the deterministic floor and propagate to other Edge nodes for O(1) interception. The local Discovery โ†’ Promote โ†’ live-in-3s loop works today; cross-node global distribution is a Day-100 capability and is not yet active, we don't claim it until it is.
  4. Circuit Breakers: If an agent enters an infinite hallucination loop, AgentX hard-locks the runtime after 3 strikes to prevent massive LLM token billing overages.
  5. Human-in-the-Loop (HITL): If an agent pulls the "Andon Cord" (requests help), the system suspends the execution thread (202 Accepted) and parks it in the SOC Sandbox for human approval.

๐Ÿš€ The 4 Shields (Defense-in-Depth)

  1. The Inbound Shield (Prompt Injection): Sanitizes inbound user text to prevent cognitive hijacking ("Ignore previous instructions") before the agent reads it.

  2. The Logic Shield (Database Guard): Uses AST parsing and Gemini to catch destructive queries (DROP, DELETE) and nudges the agent to write safer SQL.

  3. The Network Shield (SSRF Guard): Prevents agents from acting as confused deputies to hit cloud metadata IPs (e.g., 169.254.169.254).

  4. The Egress Shield (DLP/PII Scrubber): Dynamically masks PII and API keys on the wire, maintaining clean audit logs without triggering SOC alert fatigue.


๐Ÿ“Š Local Telemetry & Agent Health

AgentX ships with a built-in, privacy-first SQLite time-series event log (.agentx.db). It tracks every interception locally. When your agent script finishes or crashes, AgentX automatically prints a comprehensive Session Summary and Lifetime ROI dashboard:

โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
 ๐Ÿ›ก๏ธ  AgentX Session Summary
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
 โฑ๏ธ  Uptime:                9.17 seconds
 ๐Ÿ› ๏ธ  Tools Monitored:       2
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
 ๐Ÿ›‘ Intercepts:            1   |  Cumulative: 5
 ๐Ÿ’ฅ Critical Blocks:       1   |  Cumulative: 5
 ๐Ÿ’ฐ Tokens Saved:      ~1500   |  Cumulative: ~7500
 โณ Time Saved:        ~5m     |  Cumulative: ~25m
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•
 ๐Ÿฉบ AGENT HEALTH INSIGHT
โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€โ”€
 โš ๏ธ Top Offender: 'Database Isolation'
 ๐Ÿ› ๏ธ  Tip: Consider refining your agent's system prompt to avoid this.
โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•โ•

๐Ÿ“ฆ Try the other Developer Demos Inside the examples/ folder, you will find a few standalone scripts proving the AgentX Reasoning Layer:

  • 01_self_healing_agent.py: Watch AgentX catch a hallucination and coach the agent to self-correct (Saving tokens and uptime).
  • 02_cognitive_intent_block.py: Watch AgentX catch malicious intent even when the raw syntax is perfectly safe.
  • 04_circuit_breaker_demo.py: AgentX catches and prevents an infinite apology loop, saving time and tokens.
  • 06_hitl_escalation.py: See how an agent safely pauses execution and pings a SOC analyst for approval using a 202 Accepted queue.
  • 09_budget_ceiling_demo.py: Watch AgentX meter a runaway agent's cumulative spend and halt the session the moment it crosses your budget ceiling, a deterministic, gateway-side escalation (no LLM judge). Needs the gateway running + a key.
  • 10_self_correction_coaching.py: The Recover tier, where the gateway judge does the coaching for you. AgentX blocks a dangerous action and returns a task-fitting challenge that names a safe path, so your agent finishes the job instead of dead-ending. Puts the AgentX challenge side by side with a plain guardrail's, then watches the agent recover on it. Needs the gateway running + your Gemini key (the keyless Shield already coaches in-band; Recover's judge catches more and runs the retry for you).
  • And many more...

๐Ÿ•น๏ธ Human-in-the-Loop (HITL) & Control Plane

Sometimes, an agent needs to drop a table for a valid business reason.

AgentX features a Next.js Control Plane Dashboard. If an agent requests an escalation, the SDK securely pauses local execution and polls the Edge Reasoning Engine. A human SOC analyst can click "Approve" or "Deny" in the UI, and the Python execution loop will automatically resume.

cd ui
npm install
npm run dev

๐Ÿ—๏ธ The Architecture (Split-Plane)

AgentX relies on a decoupled, hybrid-cloud architecture to ensure maximum performance and security for AI-driven enterprise systems.

  • The Edge SDK (AgentX): The lightweight Python package that instruments agent tools and triggers local Socratic self-healing.
  • The Data Plane (Reasoning Engine): A Python FastAPI middleware (the "Wedge") that intercepts raw HTTP/SQL payloads before they hit the database.
  • The Control Plane (Dashboard): A Next.js application (deployed via Vercel) that allows human reviewers to monitor intercepted agent traffic, review chains of thought, and approve or deny parked requests.
  • The Shared Brain: Mode-dependent. In cloud, Supabase is the central state manager and both planes synchronize through it. In local/linked, the gateway's own SQLite stores (.agentx/incidents.db, .agentx/policies.db) are authoritative and your payloads and agent CoT never leave the machine unless you explicitly push them, the only things that leave are both narrow and named: the dependency-reputation gate, which sends package names to the public npm/PyPI registries to catch slopsquats, and an anonymous daily usage pulse of version/OS/block counts (never your code, queries, CoT, or identity), which is on by default and opts out with AGENTX_TELEMETRY=off, a one-time notice prints before the first pulse; see .env.example.
  • The Evaluator: Google's Gemini 2.5 Flash, Pro, or higher (configurable via an environment variable) is used to translate an agent's Chain of Thought (CoT) into a zero-knowledge taxonomy to evaluate intent against YAML-defined enterprise policies.

โœจ Key Features & Built-in Policies

  • Automated Socratic Self-Healing: Intercepts dangerous tool calls and challenges the agent to revise its strategy.
  • Fast Pass Heuristic Traps: Instantly intercepts structurally dangerous queries (e.g., DROP TABLE, or an unscoped / WHERE 1=1 mass DELETE/UPDATE) with minimal latency.
  • Zero-Knowledge Intent Extraction: Prevents malicious prompt injection by translating raw agent logic into a strict schema before policy evaluation.
  • Dynamic Policies: In cloud, enforces isolation rules via a Supabase-backed Control Plane that syncs to edge caches in ~3 seconds. In local/linked, the gateway owns the policy lifecycle locally, create/edit/toggle/delete and AI-drafted promotions from the Policy & Discovery tabs are armed live (re-embedded into the in-RAM vector index) with no restart.

๐Ÿ”’ Security Posture

  • Secret Management: API keys are never checked into version control. Production variables are managed securely via the Vercel Dashboard.
  • History Scrubbing: This repository has been scrubbed of legacy keys using git-filter-repo.
  • Private IP: Repository is private to protect proprietary evaluation prompts and architecture.
  • License: Dual-licensed. The repository default is proprietary, all rights reserved (LICENSE): the Reasoning Engine (gateway) and Control Plane are closed source; no public open-source or source-available license is granted, and source access for evaluation is available to qualified enterprise customers and partners under written agreement. The lightweight agentx_sdk/ edge client (published to PyPI as agentx-security-sdk) is licensed separately under the MIT License (agentx_sdk/LICENSE).

๐Ÿš€ Future Roadmap & Milestones โœ… Trust Boundary Shift: Moved neuro-symbolic evaluation entirely into the Data Plane container to eliminate agent runtime bypasses. (Completed)

โœ… Zero-Knowledge Hard Split-Plane: Mathematically enforced VPC telemetry isolation via localized metric stripping. (Completed)

โœ… Zero-Config Reflection Engine: Eliminated manual query and CoT boilerplate writing using dynamic signature parameters compilation hooks. (Completed)

โœ… Local Keyword Shield (Layer 0): Deterministic, dependency-free keyword/intent pre-filter in the SDK that intercepts obvious threats offline in sub-milliseconds, zero gateway/LLM calls. Scans the action payload only; chain-of-thought intent is deferred to the gateway's LLM judge. (Completed)

โœ… Judge Verdict Memoization: Bounded in-memory cache on the Data Plane that reuses prior LLM verdicts for identical (payload + reasoning + policy set), eliminating repeat Gemini calls during agent retry loops. (Completed)

โœ… Catastrophic-Action Hero Metric: Reframed the Executive ROI strip to lead with severity-filtered "Catastrophic Actions Blocked" (irreversible / exfiltration intents stopped pre-execution), with per-session metric accounting that bounds Recovery Rate โ‰ค100% by construction across the dashboard, the Supabase summary view, and the SDK. (Completed)

โœ… Detection-vs-Recovery Eval Harness (eval/): Independent instruments that measure the engine honestly, blind_agent_eval.py (end-to-end detection recall via a blind LLM agent + independent oracle), probe_judge.py (isolates the reasoning layer's marginal recall over the deterministic floor), and recovery_eval.py (A/B marginal-recovery lift of the Socratic challenge vs a bare 403). (Completed)

โœ… Incident-Persistence Hardening & Fail-Mode Switch: Restored the CHALLENGEDโ†’COMPLIED persistence pipeline (gateway-pinned UUID receipts, /v1/incident Layer-0 registration, COMPLIED PATCH gated on a real 200) and added AGENTX_FAIL_MODE=open|closed. (Completed)

โœ… Deterministic Floor, Hard-Block + HITL-Escalation + Loop-Abort Tiers: The zero-LLM core that runs before (and without) the judge, so the engine fully protects keyless. Hard-block tier DENIES never-legitimate actions (destructive DDL/DML incl. ALTER โ€ฆ DROP COLUMN, cluster/cloud teardown, SSRF, secret reads + egress exfiltration, filesystem whole-scope deletes + path-boundary escapes, remote-pipe-to-shell installs, and bidi-override / Unicode-Tags carrier payloads, AFDB #56, Trojan-Source / invisible-instruction smuggling). HITL-escalation tier returns 202 ESCALATED โ†’ human SOC for consequence-gated actions that can be legitimate: High-Value Transfer Approval (AFDB #41, AGENTX_TRANSFER_ESCALATION_THRESHOLD), External Publication Approval (AFDB #36), Comms Bulk-Deletion Approval (AFDB #35), and Budget Ceiling Approval (AFDB #17/#23, cumulative session token/$ spend vs AGENTX_SESSION_TOKEN_CEILING / AGENTX_SESSION_COST_CEILING_USD; report real usage with agentx.record_spend(...) or rely on the built-in volume estimate). Loop-abort tier terminates runaway loops (strike-count breaker + the detect_no_progress_loop no-progress repeat breaker, AFDB #10, AGENTX_LOOP_REPEAT_CEILING). Every detector has a fires-in-anger test asserting attribution + zero LLM calls. See AGENT_FAILURE_CATALOG.md for the per-incident coverage state. (Completed)

โฌœ Downloadable Vector Seeds (agentx compile): Real pre-compiled fastembed vectors for offline semantic matching, scoped to air-gapped deployments. (Future)

โฌœ Containerized Multi-Region Edge Cluster: Standardize container blueprints for automated high-availability deployments onto AWS ECS and Render clusters. (Future)

๐Ÿค Contributing & Support We are actively partnering with engineering groups building production-grade autonomous agent systems. If you are tracking high-concurrency tool execution lines and are terrified of what your agent loops might drop or execute, open an issue card or reach out directly to join our design partner circle!

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

agentx_security_sdk-0.4.14.tar.gz (222.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

agentx_security_sdk-0.4.14-py3-none-any.whl (216.7 kB view details)

Uploaded Python 3

File details

Details for the file agentx_security_sdk-0.4.14.tar.gz.

File metadata

  • Download URL: agentx_security_sdk-0.4.14.tar.gz
  • Upload date:
  • Size: 222.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.1

File hashes

Hashes for agentx_security_sdk-0.4.14.tar.gz
Algorithm Hash digest
SHA256 f90983ed08d71065400276cc72211fa281a4b70cbafcf58846c0e5bacc7e601a
MD5 52d3693f450f3e9c7b4eb43ec66e974c
BLAKE2b-256 a79296a97261dec481afcfa02bf1bd406f8fe11102193f6f548bb77eda9a065a

See more details on using hashes here.

File details

Details for the file agentx_security_sdk-0.4.14-py3-none-any.whl.

File metadata

File hashes

Hashes for agentx_security_sdk-0.4.14-py3-none-any.whl
Algorithm Hash digest
SHA256 06c63dfc705a0b7c340b9cbfdc218267c9ed10fc307f27cd7d8e32f576b3b465
MD5 2bbf64971a1e009aa84e4b82439aa010
BLAKE2b-256 d04d812e3ef5910bf1fae1dd64f18863294492453f4cc160179e935970695da4

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page