Policy engine for governing AI agent tool execution.
Project description
Guardian Angel
A lightweight Python SDK for governing AI agent tool execution.
Guardian Angel intercepts agent actions, evaluates policy, and returns allow, deny, or require_approval — before the tool runs.
Install
pip install guardian-angel
# optional CLI
pip install guardian-angel[cli]
Quickstart
# policy.yaml
rules:
- name: block_risky_delete
tool: resource.delete
decision: deny
all:
- key: resource.environment
op: eq
value: prod
- key: context.risk_level
op: eq
value: high
from guardian_angel import ActionRequest, DecisionStatus, GuardConfig, GuardianAngel
guard = GuardianAngel.from_yaml(
"policy.yaml",
config=GuardConfig(
default_decision=DecisionStatus.ALLOW,
on_evaluation_error=DecisionStatus.DENY,
on_approval_error=DecisionStatus.DENY,
),
)
decision = guard.authorize(
ActionRequest(
tool="resource.delete",
attributes={
"resource.environment": "prod",
"context.risk_level": "high",
},
)
)
print(decision.status) # "deny"
First matching rule wins. No match uses default_decision, which defaults to allow.
CLI
guardian-angel evaluate policy.yaml request.json
guardian-angel evaluate policy.yaml request.json --explain
guardian-angel --verbose evaluate policy.yaml request.json
guardian-angel --version
--explain prints the matched rule and reason. --verbose adds input context.
Features
- Predicate rules —
when,all,any,notwith operators (eq,ne,in,not_in,contains,gt,gte,lt,lte, …) - Explicit failure semantics — configurable default/no-match behavior, evaluation-error behavior, approval-error behavior, protected tools, and required request fields
- Cross-field comparison —
value_fromto compare one attribute against another - Approval workflow — pluggable
ApprovalHandlerandAsyncApprovalHandlerprotocols for human-in-the-loop approval (Slack, email, GitHub issues, etc.) - Tool invocation —
guard.invoke()(sync) andguard.ainvoke()(async) for policy enforcement on any function without decorators - YAML or Python — define rules in files or construct
Ruleobjects in code - CLI — evaluate policies from the command line with colored output
See examples/ for more.
If you want one end-to-end reference that wires everything together, start with examples/complete_pipeline_example.py.
How It Works
Agent tool call → ActionRequest → GuardianAngel.authorize() → Decision
├─ allow → execute
├─ deny → block
└─ require_approval → ApprovalHandler
Safety Modes
Guardian Angel now separates:
- no rule matched
- policy evaluation failed
- approval backend failed
from guardian_angel import DecisionStatus, GuardConfig, GuardianAngel
# Global allow, but protected tools require approval when no rule matches.
guard = GuardianAngel(
rules=rules,
config=GuardConfig(
default_decision=DecisionStatus.ALLOW,
on_evaluation_error=DecisionStatus.DENY,
on_approval_error=DecisionStatus.DENY,
protected_tool_prefixes=("github.", "filesystem."),
protected_no_match_decision=DecisionStatus.REQUIRE_APPROVAL,
),
)
# Full fail-closed mode.
fail_closed_guard = GuardianAngel(
rules=rules,
config=GuardConfig(default_decision=DecisionStatus.DENY),
)
# Approval-fallback mode.
approval_fallback_guard = GuardianAngel(
rules=rules,
config=GuardConfig(on_approval_error=DecisionStatus.REQUIRE_APPROVAL),
)
Operator Semantics
- Missing keys do not match ordinary comparisons such as
eq,gt,in, orcontains. - Use
existsandnot_existswhen presence itself matters. - Type mismatches are converted into deterministic evaluation errors.
- Critical request fields can be required globally with
GuardConfig(required_fields=(...)).
Approval Workflow
When a rule returns require_approval, Guardian Angel can delegate to a pluggable approval backend. Both synchronous and asynchronous handlers are supported.
Sync handler
Any class with a submit(request: ApprovalRequest) -> ApprovalResponse method satisfies the ApprovalHandler protocol:
from guardian_angel import (
ApprovalHandler, ApprovalRequest, ApprovalResponse, ApprovalStatus,
)
class SlackApprovalHandler:
def submit(self, request: ApprovalRequest) -> ApprovalResponse:
# send a Slack message, wait for reaction, return outcome
...
return ApprovalResponse(
approval_id=request.approval_id,
status=ApprovalStatus.APPROVED, # or REJECTED / EXPIRED
approved_by="alice",
)
Async handler
For non-blocking I/O, implement AsyncApprovalHandler with an async def submit():
from guardian_angel import (
AsyncApprovalHandler, ApprovalRequest, ApprovalResponse, ApprovalStatus,
)
class AsyncSlackApprovalHandler:
async def submit(self, request: ApprovalRequest) -> ApprovalResponse:
# await Slack API call, return outcome
...
return ApprovalResponse(
approval_id=request.approval_id,
status=ApprovalStatus.APPROVED,
approved_by="alice",
)
Wiring it up
Pass either handler type when creating a GuardianAngel instance:
# sync
guard = GuardianAngel(rules=rules, approval_handler=SlackApprovalHandler())
# async
guard = GuardianAngel(rules=rules, approval_handler=AsyncSlackApprovalHandler())
# from YAML (works with either)
guard = GuardianAngel.from_yaml("policy.yaml", approval_handler=handler)
Using request_approval() / request_approval_async()
from guardian_angel import ActionRequest
# Sync — requires a sync handler
response = guard.request_approval(
ActionRequest(tool="resource.update", request_id="req-1", attributes={...})
)
# Async — works with both sync and async handlers
response = await guard.request_approval_async(
ActionRequest(tool="resource.update", request_id="req-1", attributes={...})
)
print(response.approval_id)
print(response.status) # "approved", "rejected", or "expired"
ActionRequest.request_id identifies the original tool call. ApprovalRequest.approval_id and ApprovalResponse.approval_id identify the approval workflow instance. Guardian Angel generates approval_id by default, but handlers or advanced integrations can override it when constructing an ApprovalRequest manually.
Behavior:
- require_approval + sync handler →
request_approval()callshandler.submit(), returnsApprovalResponse - require_approval + async handler →
request_approval_async()awaitshandler.submit(), returnsApprovalResponse - require_approval + async handler + sync call →
request_approval()raisesTypeError(use the async variant) - require_approval + no handler → raises
ApprovalRequiredError - allow → raises
ValueError(no approval needed) - deny → raises
PolicyDeniedError - approval backend failure → maps through
on_approval_error; async code runs sync handlers inasyncio.to_thread(...)
With guard.invoke() / guard.ainvoke()
invoke and ainvoke call any function under policy enforcement without decorating it.
Policy context is passed via guard_ctx; the function itself stays completely clean:
from guardian_angel import GuardContext
def update_resource(resource_id):
return {"updated": True, "resource_id": resource_id}
# Sync
result = guard.invoke(
update_resource,
"doc-1",
guard_ctx=GuardContext(
tool="resource.update",
attributes={"resource.environment": "prod", "subject.role": "developer"},
request_id="req-1",
),
)
# Async — works with both sync and async functions
async def update_resource_async(resource_id):
return {"updated": True, "resource_id": resource_id}
result = await guard.ainvoke(
update_resource_async,
"doc-1",
guard_ctx=GuardContext(
tool="resource.update",
attributes={"resource.environment": "prod"},
),
)
If guard_ctx.tool is not set, the function's __name__ is used as the policy tool name.
Without a handler, ApprovalRequiredError is raised as before.
See examples/approval_example.py (sync) and examples/async_approval_example.py (async) for full working examples.
CLI Validation
The CLI now validates request payloads before evaluation.
- Exit code
2: invalid request input - Exit code
3: invalid policy input
Roadmap
- v0.1 — Local policy evaluation, YAML rules, decorator
- v0.2 — Stronger validation, policy linting
- v0.3 — CLI with
evaluate,--explain,--verbose - v0.4 — Approval workflow with pluggable handlers (current)
- v0.5 — Framework adapters (LangGraph, OpenAI, CrewAI)
License
MIT
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file guardian_angel-0.4.3.tar.gz.
File metadata
- Download URL: guardian_angel-0.4.3.tar.gz
- Upload date:
- Size: 84.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.7 {"installer":{"name":"uv","version":"0.10.7","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0fbd76e247284a077544a7d0ca445b4b435f81facc913d2025fa7cd5ffad134f
|
|
| MD5 |
05b20051501cfc9b76d0b56969f7b02c
|
|
| BLAKE2b-256 |
0e21b7fb9dd7e743fe78898695ad9a818125a951b4d26f92e6c46c000fb98725
|
File details
Details for the file guardian_angel-0.4.3-py3-none-any.whl.
File metadata
- Download URL: guardian_angel-0.4.3-py3-none-any.whl
- Upload date:
- Size: 22.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.7 {"installer":{"name":"uv","version":"0.10.7","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d7abbfc7b14c704b42f8badcf2fa5238b8f371fb1889b507726b2689587e9b06
|
|
| MD5 |
55a889340f5170ddcbfcc834ee016079
|
|
| BLAKE2b-256 |
23291bd2c3e9ce692f7b74c509ae3d7ab7e8ce20e0bf92cb0c08c26f36c20714
|
