Skip to main content

Inter-agent security firewall for multi-agent AI systems

Project description

AgentGuard

Inter-agent security firewall for multi-agent AI systems (LangGraph, CrewAI, AutoGen).

AgentGuard intercepts every message between agents and enforces three runtime controls:

  1. Message Inspector — Aho-Corasick rule filter + DeBERTa ML scorer + consistency check
  2. Trust Verifier — Ephemeral Ed25519 signing via PyNaCl
  3. Capability Enforcer — YAML manifests with JSON Schema validation and monotonic attenuation

Quick start

# Python 3.11 or 3.12
# PyPI distribution name (import package is still agentguard)
pip install "inter-agent-guard[all,otel]"
# from a clone: pip install -e ".[all,otel]"

agentguard status
agentguard check-manifest manifests/comms_agent.yaml
agentguard inspect -m "Summarise public pricing data from filings."
from agentguard import AgentGuard, CapabilityManifest

Download risk_scorer.onnx + model.sha256 from the GitHub Releases page, install into the package models/ directory (or pass model_path=), then set require_ml_model=True for production enforce-mode.

Note: The PyPI project is inter-agent-guard because bare agentguard collides with existing agent-guard under PyPI’s name rules. The Python import and CLI remain agentguard.

from agentguard import AgentGuard, CapabilityManifest

guard = AgentGuard(
    risk_threshold=0.75,
    task_objective="Analyse Q3 competitor pricing",
    audit_log_path="./audit.jsonl",
    # Set True in production after installing the ONNX model
    require_ml_model=False,
)
guard.register_agent(
    "research-agent",
    CapabilityManifest.from_yaml("manifests/research_agent.yaml"),
)
secured_graph = guard.wrap(my_langgraph_graph)

Without the ONNX model, rule filtering and trust attestation still run; ML scoring is inactive. For production enforce-mode, install the model (next section) and set require_ml_model=True.

Production setup

  1. Install the ML model (required for enforce-mode ML scoring):

    # Bash — after training or downloading artifacts
    ./scripts/install_model.sh ./path/to/model/dir
    python scripts/verify_model.py
    
    # PowerShell
    .\scripts\install_model.ps1 -SourceDir .\path\to\model\dir
    py -3.12 scripts\verify_model.py
    

    Sources: local training (./scripts/run_training.ps1 -Full) or Kaggle download (.\scripts\download_kaggle_model.ps1).

  2. Confirm health:

    agentguard status
    
  3. Optional — build benchmark dataset (no API key):

    .\scripts\run_public_dataset_build.ps1
    .\scripts\run_benchmark_evaluation.ps1 -RequireModel
    
  4. Run secured demo:

    poetry run python examples/secured_pipeline/pipeline.py
    

Anthropic Batch dataset generation (v1.0 novel corpus) is deferred — see scripts/LAUNCH_CHECKLIST.md.

CLI

agentguard version
agentguard status [--json]
agentguard check-manifest manifests/comms_agent.yaml [--json]
agentguard inspect -m "message text" [--json]
agentguard verify ./audit.jsonl [--json]

Docker

Core runtime image (firewall + OTEL; LangGraph/CrewAI/AutoGen installed separately in app images):

docker build -t agentguard .
docker run --rm agentguard
docker run --rm -v "%CD%\audit.jsonl:/data/audit.jsonl" agentguard verify /data/audit.jsonl

For framework adapters in your own Dockerfile: pip install "inter-agent-guard[all,otel]".

Optional OpenTelemetry export (requires pip install "inter-agent-guard[otel]"):

guard = AgentGuard(enable_otel_export=True, audit_log_path="./audit.jsonl")

Set OTEL_EXPORTER_OTLP_ENDPOINT to auto-configure the OTLP exporter.

Capability enforcement

Manifests declare tools, data sources, endpoints, token limits, and delegation. At runtime:

API Enforces
check_tool_call(agent, tool, endpoint=...) permitted_tools, forbidden_tools, optional permitted_endpoints
check_endpoint(agent, url) external_contact + permitted_endpoints
check_data_source(agent, source) allowed_data_sources
check_output_tokens(agent, n) max_output_tokens
register_delegated_agent(...) can_spawn_agents, max_delegation_depth, monotonic attenuation

See example manifests under manifests/ (including comms_agent.yaml with endpoint allowlists).

Examples

# Vulnerable baseline (100% attack success)
poetry run python examples/vulnerable_pipeline/pipeline.py

# AgentGuard-protected version
poetry run python examples/secured_pipeline/pipeline.py

# MCP poisoning, CrewAI, AutoGen
poetry run python examples/mcp_poisoning_demo.py
poetry run python examples/crewai_example.py
poetry run python examples/autogen_example.py

Benchmark

AgentGuard ships with a 6,200-example inter-agent benchmark (1,200 adversarial + 5,000 benign).

Build dataset (zero cost)

.\scripts\run_public_dataset_build.ps1

Sources: InjecAgent (GitHub) + inter-agent framing templates + pipeline-style benign messages.

Run evaluation

.\scripts\run_benchmark_evaluation.ps1 -RequireModel

Results: benchmarks/results/report.md

Latest results (2026-06-30 full run)

Metric Value
Overall detection rate 97.1%
False positive rate 0.0%
P95 inspection latency ~1060 ms (CPU ONNX)
ML model loaded Yes

CPU latency exceeds the 15 ms design target; use GPU ONNX providers or async inspection for high-frequency pipelines.

v1.0 launch

Novel dataset via Anthropic Batch API — see scripts/LAUNCH_CHECKLIST.md.

Training (Kaggle GPU)

.\scripts\push_kaggle_kernel.ps1   # uploads code dataset + pushes notebook

Open kernel on Kaggle → GPU T4 x2 + Internet → Run All. Copy agentguard/models/* from Output tab.

See training/kaggle_notebook.ipynb.

Documentation

License

Apache-2.0 — see LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

inter_agent_guard-0.1.0.tar.gz (1.9 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

inter_agent_guard-0.1.0-py3-none-any.whl (2.0 MB view details)

Uploaded Python 3

File details

Details for the file inter_agent_guard-0.1.0.tar.gz.

File metadata

  • Download URL: inter_agent_guard-0.1.0.tar.gz
  • Upload date:
  • Size: 1.9 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.0

File hashes

Hashes for inter_agent_guard-0.1.0.tar.gz
Algorithm Hash digest
SHA256 7f48f6acf6d4508110e5f4f91c9bf70603957e4478140fca7097b84683683e40
MD5 8e567b2141f70f6b223e47509de4521b
BLAKE2b-256 363890e15f7643f7f4ca5874122d46bba7d5132c36ad786ba6dcd13f861e69ae

See more details on using hashes here.

File details

Details for the file inter_agent_guard-0.1.0-py3-none-any.whl.

File metadata

File hashes

Hashes for inter_agent_guard-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 725c67825a04738ef7e7de879cf79b7333a92f6f5fedc183d084c63a4d75ca2a
MD5 1f3da8b9f8411ea348bfddfc76f84220
BLAKE2b-256 7a99147201bd97375e4799c0afc116f72702fbd77575ebb5b569b7588254b3b4

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page