Inter-agent security firewall for multi-agent AI systems
Project description
AgentGuard
Inter-agent security firewall for multi-agent AI systems (LangGraph, CrewAI, AutoGen).
AgentGuard intercepts every message between agents and enforces three runtime controls:
- Message Inspector — Aho-Corasick rule filter + DeBERTa ML scorer + consistency check
- Trust Verifier — Ephemeral Ed25519 signing via PyNaCl
- Capability Enforcer — YAML manifests with JSON Schema validation and monotonic attenuation
Quick start
# Python 3.11 or 3.12
# PyPI distribution name (import package is still agentguard)
pip install "inter-agent-guard[all,otel]"
# from a clone: pip install -e ".[all,otel]"
agentguard status
agentguard check-manifest manifests/comms_agent.yaml
agentguard inspect -m "Summarise public pricing data from filings."
from agentguard import AgentGuard, CapabilityManifest
Download risk_scorer.onnx + model.sha256 from the GitHub Releases page, install into the package models/ directory (or pass model_path=), then set require_ml_model=True for production enforce-mode.
Note: The PyPI project is
inter-agent-guardbecause bareagentguardcollides with existingagent-guardunder PyPI’s name rules. The Python import and CLI remainagentguard.
from agentguard import AgentGuard, CapabilityManifest
guard = AgentGuard(
risk_threshold=0.75,
task_objective="Analyse Q3 competitor pricing",
audit_log_path="./audit.jsonl",
# Set True in production after installing the ONNX model
require_ml_model=False,
)
guard.register_agent(
"research-agent",
CapabilityManifest.from_yaml("manifests/research_agent.yaml"),
)
secured_graph = guard.wrap(my_langgraph_graph)
Without the ONNX model, rule filtering and trust attestation still run; ML scoring is inactive. For production enforce-mode, install the model (next section) and set require_ml_model=True.
Production setup
-
Install the ML model (required for enforce-mode ML scoring):
# Bash — after training or downloading artifacts ./scripts/install_model.sh ./path/to/model/dir python scripts/verify_model.py
# PowerShell .\scripts\install_model.ps1 -SourceDir .\path\to\model\dir py -3.12 scripts\verify_model.py
Sources: local training (
./scripts/run_training.ps1 -Full) or Kaggle download (.\scripts\download_kaggle_model.ps1). -
Confirm health:
agentguard status -
Optional — build benchmark dataset (no API key):
.\scripts\run_public_dataset_build.ps1 .\scripts\run_benchmark_evaluation.ps1 -RequireModel
-
Run secured demo:
poetry run python examples/secured_pipeline/pipeline.py
Anthropic Batch dataset generation (v1.0 novel corpus) is deferred — see scripts/LAUNCH_CHECKLIST.md.
CLI
agentguard version
agentguard status [--json]
agentguard check-manifest manifests/comms_agent.yaml [--json]
agentguard inspect -m "message text" [--json]
agentguard verify ./audit.jsonl [--json]
Docker
Core runtime image (firewall + OTEL; LangGraph/CrewAI/AutoGen installed separately in app images):
docker build -t agentguard .
docker run --rm agentguard
docker run --rm -v "%CD%\audit.jsonl:/data/audit.jsonl" agentguard verify /data/audit.jsonl
For framework adapters in your own Dockerfile: pip install "inter-agent-guard[all,otel]".
Optional OpenTelemetry export (requires pip install "inter-agent-guard[otel]"):
guard = AgentGuard(enable_otel_export=True, audit_log_path="./audit.jsonl")
Set OTEL_EXPORTER_OTLP_ENDPOINT to auto-configure the OTLP exporter.
Capability enforcement
Manifests declare tools, data sources, endpoints, token limits, and delegation. At runtime:
| API | Enforces |
|---|---|
check_tool_call(agent, tool, endpoint=...) |
permitted_tools, forbidden_tools, optional permitted_endpoints |
check_endpoint(agent, url) |
external_contact + permitted_endpoints |
check_data_source(agent, source) |
allowed_data_sources |
check_output_tokens(agent, n) |
max_output_tokens |
register_delegated_agent(...) |
can_spawn_agents, max_delegation_depth, monotonic attenuation |
See example manifests under manifests/ (including comms_agent.yaml with endpoint allowlists).
Examples
# Vulnerable baseline (100% attack success)
poetry run python examples/vulnerable_pipeline/pipeline.py
# AgentGuard-protected version
poetry run python examples/secured_pipeline/pipeline.py
# MCP poisoning, CrewAI, AutoGen
poetry run python examples/mcp_poisoning_demo.py
poetry run python examples/crewai_example.py
poetry run python examples/autogen_example.py
Benchmark
AgentGuard ships with a 6,200-example inter-agent benchmark (1,200 adversarial + 5,000 benign).
Build dataset (zero cost)
.\scripts\run_public_dataset_build.ps1
Sources: InjecAgent (GitHub) + inter-agent framing templates + pipeline-style benign messages.
Run evaluation
.\scripts\run_benchmark_evaluation.ps1 -RequireModel
Results: benchmarks/results/report.md
Latest results (2026-06-30 full run)
| Metric | Value |
|---|---|
| Overall detection rate | 97.1% |
| False positive rate | 0.0% |
| P95 inspection latency | ~1060 ms (CPU ONNX) |
| ML model loaded | Yes |
CPU latency exceeds the 15 ms design target; use GPU ONNX providers or async inspection for high-frequency pipelines.
v1.0 launch
Novel dataset via Anthropic Batch API — see scripts/LAUNCH_CHECKLIST.md.
Training (Kaggle GPU)
.\scripts\push_kaggle_kernel.ps1 # uploads code dataset + pushes notebook
Open kernel on Kaggle → GPU T4 x2 + Internet → Run All. Copy agentguard/models/* from Output tab.
See training/kaggle_notebook.ipynb.
Documentation
License
Apache-2.0 — see LICENSE.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file inter_agent_guard-0.1.0.tar.gz.
File metadata
- Download URL: inter_agent_guard-0.1.0.tar.gz
- Upload date:
- Size: 1.9 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
7f48f6acf6d4508110e5f4f91c9bf70603957e4478140fca7097b84683683e40
|
|
| MD5 |
8e567b2141f70f6b223e47509de4521b
|
|
| BLAKE2b-256 |
363890e15f7643f7f4ca5874122d46bba7d5132c36ad786ba6dcd13f861e69ae
|
File details
Details for the file inter_agent_guard-0.1.0-py3-none-any.whl.
File metadata
- Download URL: inter_agent_guard-0.1.0-py3-none-any.whl
- Upload date:
- Size: 2.0 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
725c67825a04738ef7e7de879cf79b7333a92f6f5fedc183d084c63a4d75ca2a
|
|
| MD5 |
1f3da8b9f8411ea348bfddfc76f84220
|
|
| BLAKE2b-256 |
7a99147201bd97375e4799c0afc116f72702fbd77575ebb5b569b7588254b3b4
|