Python SDK for ICEBOX — runtime governance for autonomous offensive security.
Project description
ICEBOX
Runtime governance for autonomous offensive security.
ICEBOX is a runtime governance framework for autonomous offensive security tooling. It gives every human operator, REST client, and autonomous agent a single, auditable choke point — the governance seam — that must be passed before any action is taken against an authorized target.
Human / CLI / REST Client / LLM Agent / Multi-Agent
│
┌──────────▼─────────┐
│ ModuleExecutor │ ← the seam
│ ::execute() │
└────────────────────┘
│
┌──────────▼─────────┐
│ Policy Engine │ CVSS / EPSS / KEV aware
└────────────────────┘
│
┌──────────▼─────────┐
│ Approval Queue │ charter · scope · risk · sign-off
└────────────────────┘
│
┌──────────▼─────────┐
│ Audit Engine │ JSON + CSV
└────────────────────┘
By centralizing policy enforcement, approval workflow, and audit capture in one place, ICEBOX makes it possible to prove what an agent was permitted to do, why, and whether the controls held. The bundled offensive modules are reference implementations that exercise the seam — the framework itself is built to govern arbitrary tools and agents, not just the ones shipped here.
Table of contents
- Features
- Installation
- Quickstart
- SDK and language support
- Architecture
- Repository layout
- Policy rule reference
- Self-governance
- Documentation
- Security
- Contributing
- License
Features
| Area | What it does |
|---|---|
| Policy engine | Six rule types (DenyCapability, AllowCapability, MaxRisk, RequireApproval, DenyIfCvssAbove, RequireApprovalIf), CVSS 4.0 / EPSS / CISA KEV aware |
| Approval workflow | Charter acceptance, scope allowlist, max-risk ceiling, and explicit sign-off for destructive actions |
| RBAC | viewer, operator, admin roles with least-privilege enforcement |
| Audit trail | Every decision recorded with rationale; exportable as JSON or CSV |
| Reasoning traces | Per-phase explainability for autonomous agents |
| Evidence intelligence | Module output normalized, confidence-scored, and provenance-tagged |
| Continuous validation | Monotonic policy versioning, drift detection, diff reporting |
| Multi-agent orchestration | Concurrent agents sharing one governed audit trail |
| Interfaces | Interactive CLI (REPL) and a REST API with identical governance semantics |
| SDKs | Rust, a C ABI (libicebox), and a Python Governance class |
Installation
ICEBOX ships as a single static binary plus a Python SDK.
Binary
# One-liner
curl -sSfL https://raw.githubusercontent.com/Devaretanmay/icebox/main/dist/install.sh | sh
# From source
cargo install icebox
# Docker (GHCR)
docker pull ghcr.io/devaretanmay/icebox:latest
docker run --rm -p 8443:8443 ghcr.io/devaretanmay/icebox
macOS note: the release binary isn't Apple-signed. If Gatekeeper blocks it on first run, clear the quarantine attribute:
xattr -dr com.apple.quarantine "$(command -v icebox)"
Homebrew packaging is planned but not yet available.
Python SDK
pip install icebox-sdk
The Python SDK wraps the compiled libicebox C ABI via ctypes. If the
native library isn't found, build it with cargo build or point
ICEBOX_CAPI at its path.
Quickstart
1. Build from source
git clone https://github.com/Devaretanmay/icebox.git
cd icebox
cargo build --release
2. Run the CLI and REST API
cargo run # interactive REPL + REST API on :8443
cargo run -- --api # REST API only
icebox> charter accept "pentest-2026-07"
icebox> scope add 10.0.0.0/8
icebox> list
icebox> use vuln_scanner
icebox> set project_dir /path/to/your/project
icebox> run --approve /path/to/your/project
3. Or drive it over REST
The API is served at http://127.0.0.1:8443/api/v1:
curl -X POST http://127.0.0.1:8443/api/v1/modules/vuln_scanner/run \
-H 'Content-Type: application/json' \
-d '{"target": "/path/to/project", "approved": true}'
4. Or govern an agent with the Python SDK
from icebox import Governance
gov = Governance({
"charter": {"accepted": True, "engagement": "demo", "rules_of_engagement": []},
"scope": {"allow": ["10.0.0.0/8"]},
"max_risk": "critical",
"role": "admin",
})
verdict = gov.run({
"name": "scan",
"target": "10.0.0.5",
"capabilities": ["network_scan"],
"impact": "low",
"destructive": False,
})
print(verdict)
5. Layer in CVSS-aware policy
icebox> policy rule add deny-cvss 7.0
icebox> policy rule add require-approval-if --cvss 5.0 --epss 0.1 --kev
SDK and language support
| SDK | Status | Usage |
|---|---|---|
| Rust (native) | Available | icebox crate |
| C ABI | Available | libicebox (icebox_govern, icebox_check, ...) |
| Python | Available | icebox.Governance via ctypes |
| TypeScript / Java / Go | Planned | Community contributions welcome |
Architecture
ICEBOX enforces governance at exactly one point: ModuleExecutor::execute().
Every operator action, REST call, and agent step passes through it — that
single choke point is what makes the whole system auditable.
- Interfaces — REPL CLI and an Axum REST API on
127.0.0.1:8443/api/v1, both calling the same executor. - Module executor — resolves a module, runs the policy preflight, executes, and records the outcome.
- Policy engine — six rule types, CVSS 4.0 / EPSS / KEV aware.
- Approval engine — a queue plus four safety gates (charter, scope, max-risk, approval).
- Audit engine — every decision normalized, scored, and provenance-tagged as JSON and CSV.
Modules register through the #[module(...)] proc macro (in
icebox-macro) and are collected at compile time via linkme into
MODULE_REGISTRY. That same registry feeds the CLI, the REST API, and the
C ABI, so every surface governs identically — there's no code path that
bypasses the seam.
Repository layout
icebox/
├── Cargo.toml # Single package: lib (SDK) + cdylib (libicebox) + bin (CLI)
├── src/
│ ├── lib.rs # Module declarations + MODULE_REGISTRY
│ ├── main.rs # CLI / REST API binary
│ ├── capi.rs # C ABI surface over the runtime
│ ├── core/ # The seam: executor, policy, audit, evidence
│ ├── modules/ # Example modules: vuln_scanner, recon, network
│ ├── ai/ # Autonomous agent + multi-agent orchestrator
│ └── interfaces/ # REST API (Axum)
├── crates/
│ └── icebox-macro/ # #[module(...)] attribute macro
├── python/
│ ├── icebox/ # Python SDK (ctypes)
│ └── examples/
│ └── governed_agent.py
├── dist/install.sh # curl | sh installer
├── Dockerfile # GHCR image
└── docs/ # mdBook site
Policy rule reference
| Rule | CLI command | Effect |
|---|---|---|
DenyCapability |
policy rule add deny network_scan |
Blocks a specific capability |
AllowCapability |
policy rule add allow network_scan |
Pre-approves a capability |
MaxRisk |
policy rule add maxrisk high |
Caps the risk ceiling |
RequireApproval |
(via SDK builder) | Gates on capability + target pattern |
DenyIfCvssAbove |
policy rule add deny-cvss 7.0 |
Blocks if CVSS exceeds threshold |
RequireApprovalIf |
policy rule add require-approval-if --cvss 5.0 --epss 0.1 --kev |
Gates on CVSS / EPSS / KEV conditions |
Self-governance
ICEBOX governs itself. The governed_vuln_scan_blocks_high_cvss_exploit test
runs the vuln_scanner module against ICEBOX's own source tree through the
governance seam, resolves real CVSS scores from OSV.dev, and verifies that
DenyIfCvssAbove(7.0) blocks hypothetical exploitation of high-CVSS
findings.
Documentation
Full docs — SDK references, deployment guidance, policy authoring — are published at devaretanmay.github.io/icebox.
Security
Please report vulnerabilities privately rather than through public issues. See SECURITY.md for the disclosure process.
Contributing
Contributions are welcome — see CONTRIBUTING.md for guidelines.
License
ICEBOX is released under the MIT License.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file icebox_sdk-0.1.1.tar.gz.
File metadata
- Download URL: icebox_sdk-0.1.1.tar.gz
- Upload date:
- Size: 2.2 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
921487c69e21454d3891836282ac75f539de36ad6d3e4066f5dc70fe41d142da
|
|
| MD5 |
13a07ff693c9b6bf7eb72842bc5f27e8
|
|
| BLAKE2b-256 |
e4797ff98e0768e3d48ff9c627a530395ab08befa1cd572b6254debd30993e3d
|
File details
Details for the file icebox_sdk-0.1.1-py3-none-any.whl.
File metadata
- Download URL: icebox_sdk-0.1.1-py3-none-any.whl
- Upload date:
- Size: 2.2 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fadd168d585501a7a8d6e6cb8a353b74e10c736546f625e412b164303761b801
|
|
| MD5 |
29001cca94006a19cf59cbe3aa57a35b
|
|
| BLAKE2b-256 |
74add667218a048c3ba3c5df5be38e5864af411e7d9de32c96f4d438eba7e8aa
|