Runtime safety for AI agents. Stop agents before they break things.
Project description
CallGuard
Runtime contracts for AI agents.
AI agents make tool calls. Tool calls have side effects. Nobody governs what happens between "agent decides" and "tool executes." CallGuard is that governance layer — preconditions, postconditions, session limits, and a full audit trail, enforced at the point where decision becomes action.
Show Me
contracts.yaml
apiVersion: callguard/v1
kind: ContractBundle
metadata:
name: my-policy
defaults:
mode: enforce
contracts:
- id: block-sensitive-reads
type: pre
tool: read_file
when:
args.path:
contains_any: [".env", ".secret", "credentials", ".pem", "id_rsa"]
then:
effect: deny
message: "Sensitive file '{args.path}' blocked."
tags: [secrets, dlp]
Python
import asyncio
from callguard import CallGuard, CallGuardDenied
async def main():
guard = CallGuard.from_yaml("contracts.yaml")
try:
result = await guard.run("read_file", {"path": "/app/config.json"}, read_file_fn)
print(result)
except CallGuardDenied as e:
print(f"Denied: {e}")
asyncio.run(main())
CLI
$ callguard validate contracts.yaml
✓ contracts.yaml — 1 contract (1 pre)
$ callguard check contracts.yaml --tool read_file --args '{"path": ".env"}'
⛔ DENIED by block-sensitive-reads
Message: Sensitive file '.env' blocked.
Tags: secrets, dlp
Rules evaluated: 1
Framework integration (one adapter, same guard)
from callguard.adapters.langchain import CallGuardMiddleware
middleware = CallGuardMiddleware(guard)
# Wraps any LangChain tool — preconditions, audit, and session limits apply automatically
Features
- YAML contracts — Preconditions, postconditions, and session limits declared in version-controlled YAML files
- 6 framework adapters — LangChain, CrewAI, Agno, Semantic Kernel, OpenAI Agents SDK, Claude Agent SDK
- Audit trail — Structured JSON events with automatic redaction of secrets (OpenAI keys, AWS creds, JWTs, GitHub tokens)
- Observe mode — Shadow-deploy contracts without blocking; review
CALL_WOULD_DENYevents before enforcing - CLI tooling —
validate,check,diff, andreplaycommands for CI/CD integration - Principal context — Role, ticket ref, and claims propagated through every decision and audit event
- Session limits — Cap total calls, attempts, and per-tool executions to catch runaway agents
- Zero runtime deps — Pure Python 3.11+. OTel, sinks, and adapters are optional extras
How It Compares
| Approach | Scope | Runtime enforcement | Audit trail |
|---|---|---|---|
| Prompt/output guardrails | Input/output text | No — advisory only | No |
| API gateways / MCP proxies | Network transport | Yes — at the proxy | Partial |
| Security scanners | Post-hoc analysis | No — detection only | Yes |
| Manual if-statements | Per-tool, ad hoc | Yes — scattered logic | No |
| CallGuard | Tool call contracts | Yes — deterministic pipeline | Yes — structured + redacted |
Install
pip install callguard # core (zero deps)
pip install callguard[yaml] # + YAML contract engine
pip install callguard[sinks] # + webhook, Splunk, Datadog sinks
pip install callguard[cli] # + validate/check/diff/replay CLI
pip install callguard[all] # everything
Built-in Templates
guard = CallGuard.from_template("file-agent") # secret file protection, destructive cmd blocking
guard = CallGuard.from_template("research-agent") # output PII detection, session limits
guard = CallGuard.from_template("devops-agent") # role gates, ticket requirements, bash safety
Links
- Documentation
- GitHub
- PyPI
- Changelog
- License (MIT)
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
callguard-0.3.0.tar.gz
(146.3 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
callguard-0.3.0-py3-none-any.whl
(57.9 kB
view details)
File details
Details for the file callguard-0.3.0.tar.gz.
File metadata
- Download URL: callguard-0.3.0.tar.gz
- Upload date:
- Size: 146.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.10.0 {"installer":{"name":"uv","version":"0.10.0","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f17baf91e20891c6b443bdcf21b2a879a6967030185a60d5245c0bca08bdbd5f
|
|
| MD5 |
a6f6740cc08b0b5b7948f5c87e64aaae
|
|
| BLAKE2b-256 |
b99656faf49bb65319396c62c3d243b6d759676d62272b83931df64853231b03
|
File details
Details for the file callguard-0.3.0-py3-none-any.whl.
File metadata
- Download URL: callguard-0.3.0-py3-none-any.whl
- Upload date:
- Size: 57.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: uv/0.10.0 {"installer":{"name":"uv","version":"0.10.0","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5d560e6437a68074c6f15b2855aaec7156cecacb5deb40bec27d270f2c8c512c
|
|
| MD5 |
b5d312b37e0ea4d563cfbc45883ef424
|
|
| BLAKE2b-256 |
c7c4d73307f062913e53d3e486ad6608ad1a2e4cefdcb6746170c1565e663bd1
|
