Governance MCP proxy for coding agents -- interposes Kevros verify/attest on every tool call.

This project has been archived.

The maintainers of this project have marked this project as archived. No new releases are expected.

Project description

kevros-code

Governance MCP proxy for coding agents. Interposes Kevros verify and attest calls on every tool invocation, so every action a coding agent takes is cryptographically authorized before it executes and cryptographically recorded after.

Why

Coding agents have root-equivalent blast radius on their target machine — they write files, run shell commands, install packages, push commits. A single untrusted action can exfiltrate secrets, corrupt source, or open a backdoor. Permission-before-power requires that every tool call be gated by a policy evaluation and recorded in an independently-verifiable audit chain. kevros-code is the thin proxy that sits between the agent and its tool layer to enforce that contract without changing the agent's code.

Installation

pip install kevros-code

Quick Start

from kevros_code import GovernedMCPProxy

# Zero config — uses KEVROS_API_KEY env var or auto-signs up for the
# free tier (1,000 calls/month) on first use
proxy = GovernedMCPProxy(agent_id="coding-agent-001")

# Wrap a tool-call function. The proxy intercepts, verifies, and attests.
@proxy.governed_tool
def edit_file(path: str, content: str) -> dict:
    # Original tool implementation unchanged
    with open(path, "w") as f:
        f.write(content)
    return {"status": "ok", "path": path}

# Under the hood, every call to edit_file() now:
#   1. Calls verify() with {action: "edit_file", payload: {path, content}}
#   2. If the decision is ALLOW → executes the real tool, records attest()
#   3. If the decision is CONSTRAIN → clamps the payload and records attest()
#   4. If the decision is DENY → raises ToolBlockedByGovernance

How it interposes

kevros-code is a passthrough proxy, not a replacement. The agent's tool code is unchanged; only the wrapper around it changes. The proxy:

  1. Normalizes the tool call into a canonical request shape (action_type, payload, agent_id, context)
  2. Calls Kevros verify to get a signed ALLOW / CONSTRAIN / DENY verdict
  3. On ALLOW, forwards the call to the real tool and captures the result
  4. On CONSTRAIN, clamps the payload (bounded fields only) and forwards
  5. On DENY, raises ToolBlockedByGovernance — the agent sees a structured refusal, not a silent failure
  6. Records attest() with the full context + decision + result for every call, producing a hash-chained provenance entry

The resulting audit trail can be verified independently by any auditor with the Kevros public key — no trust in the agent operator is required.

MCP-native mode

If you're running the agent through an MCP (Model Context Protocol) transport, kevros-code can be installed as an MCP middleware layer:

from kevros_code.mcp_proxy import install_mcp_proxy

# Wraps every MCP tool call that passes through this server
install_mcp_proxy(
    server_name="my-coding-server",
    agent_id="coding-agent-001",
    policy_id="coding-agents-prod",
)

See examples/mcp_proxy_example.py in the source repo for a full working example.

What you get

  • Cryptographic authorization on every action — no action executes without a signed release token
  • Hash-chained provenance — every action is recorded in an append-only, tamper-evident ledger
  • Dual post-quantum signatures on attestation records (ML-DSA-87 FIPS 204 + SLH-DSA FIPS 205) so the audit trail remains verifiable against quantum-capable adversaries
  • Fail-closed — if the governance layer is unreachable, the agent is blocked from acting; it never "defaults to allow"
  • Zero code change in the agent itself beyond wrapping the tool calls
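
The gate-then-record flow from "How it interposes", together with the fail-closed and hash-chain properties listed above, as an added example (not kevros-code's own code and not the Kevros API). A local policy function stands in for the remote verify call and a plain SHA-256 chain over JSON records stands in for the signed ledger; every name here (governed, attest, verify_chain, sample_policy, ToolBlocked, LEDGER) is hypothetical and no signatures are produced.

```python
import hashlib, json

class ToolBlocked(Exception):
    """Structured refusal: raised on DENY or when the verifier fails."""

LEDGER = []          # in-memory stand-in for the append-only ledger
GENESIS = "0" * 64   # 'prev' value of the first record

def digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def attest(action, payload, decision, result):  # append one chained record
    body = {"action": action, "payload": payload, "decision": decision,
            "result": result, "prev": LEDGER[-1]["hash"] if LEDGER else GENESIS}
    LEDGER.append({**body, "hash": digest(body)})

def verify_chain(ledger):  # auditor side: recompute hashes and back-links
    prev = GENESIS
    for rec in ledger:
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or rec["hash"] != digest(body):
            return False
        prev = rec["hash"]
    return True

def governed(policy):
    # policy(action, payload) -> (verdict, payload); a stand-in for verify().
    def wrap(tool):
        def call(**payload):
            try:
                verdict, clamped = policy(tool.__name__, payload)
            except Exception:                  # verifier down or bad reply
                verdict, clamped = "DENY", payload   # fail closed
            if verdict not in ("ALLOW", "CONSTRAIN"):
                attest(tool.__name__, payload, "DENY", None)
                raise ToolBlocked(f"{tool.__name__} blocked by governance")
            args = clamped if verdict == "CONSTRAIN" else payload
            result = tool(**args)
            attest(tool.__name__, args, verdict, result)
            return result
        return call
    return wrap

def sample_policy(action, payload):            # constructed demo policy
    if action == "run_shell":
        return "DENY", payload
    if len(payload.get("content", "")) > 16:   # clamp one bounded field
        return "CONSTRAIN", {**payload, "content": payload["content"][:16]}
    return "ALLOW", payload
```

Decorate a keyword-argument tool with @governed(sample_policy), call it, then run verify_chain(LEDGER); editing any stored field of an earlier record makes the check return False.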

Pricing

  • Free: 1,000 governance calls per month, no credit card, auto-signup on first use
  • Starter ($29/mo): 5,000 calls/month for individual developers
  • Professional ($149/mo): 50,000 calls/month with priority support
  • Enterprise ($499/mo): 500,000 calls/month with SLA and dedicated support

Higher-tier plans and Azure/AWS Marketplace Managed Application deployments are available at https://marketplace.microsoft.com/en-us/marketplace/apps/taskhawk.kevros-ai-governance-gateway.

License

BSL-1.1 (Business Source License 1.1). Commercial use requires a license agreement with TaskHawk Systems, LLC. Contact sales@taskhawktech.com.

Download files

Source Distribution

kevros_code-0.3.14.tar.gz (15.6 kB)

Uploaded Source

Built Distribution

kevros_code-0.3.14-py3-none-any.whl (10.2 kB)

Uploaded Python 3

File details

Details for the file kevros_code-0.3.14.tar.gz.

File metadata

  • Download URL: kevros_code-0.3.14.tar.gz
  • Upload date:
  • Size: 15.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for kevros_code-0.3.14.tar.gz
Algorithm Hash digest
SHA256 dfd3acd736e44f7bf43bf65c32e871082e4202d42564c889ad16d6735f480f6d
MD5 dbaf52076c9b311b1b2f7463fdc66e6b
BLAKE2b-256 fd5eb4a1fb403ee7141b4d8a8c1e7aef1cf38fa45bb9b42092ce297226e413c3

File details

Details for the file kevros_code-0.3.14-py3-none-any.whl.

File metadata

  • Download URL: kevros_code-0.3.14-py3-none-any.whl
  • Upload date:
  • Size: 10.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.3

File hashes

Hashes for kevros_code-0.3.14-py3-none-any.whl
Algorithm Hash digest
SHA256 ddd5acf023bbada460484b3904eb9be337908b95f246e764815bf68dd7961769
MD5 20a299476a89df6a78797559005df792
BLAKE2b-256 fa45b94847014d6a652c154b5cb83d8e1646cc292f808602f7e331cb0813bcb8
