Govern a CrewAI crew's native tool calls with Lodestar — the thin native hook that remotes each tool call through the Lodestar Action Kernel over NDJSON-RPC (ADR-0026).
Project description
lodestar-crewai
Govern a CrewAI crew's native tool calls with Lodestar — the open epistemic-governance framework for AI agents.
CrewAI runs role-based agents whose tools are native in-process Python objects and
does not speak MCP, so the MCP proxy cannot wrap it. This package is the thin
native hook (ADR-0026): it spawns the TypeScript governance-gate sidecar
(lodestar runtime gate) and remotes each native tool call through the Lodestar
Action Kernel over newline-delimited JSON-RPC. The same machinery the MCP proxy
and the LangGraph adapter run — two-phase propose → arbitrate → execute, the
signed policy gate, cognitive-core ingestion (external-document content can't
auto-promote), sentinel arbitration, and the signed-approval L4 hold path — now
applies to CrewAI, with no change to the engine. The gate sidecar is shared,
unchanged; only this hook is new.
The tool body runs only inside the gate's execute phase, reached only after the gate (and any approval hold) clears: "tools that do work before approval are bugs" — across the Python↔TS boundary.
Install
pip install "lodestar-crewai[crewai]"
# and the Lodestar CLI (Bun/npm), which provides `lodestar runtime gate`:
npm install -g @qmilab/lodestar-cli # or: bun add -g @qmilab/lodestar-cli
Use
from crewai import Agent, Crew, Task
from lodestar_crewai import GateClient, govern_tools, governed_call
with GateClient("runtime-gate.config.json") as gate:
governed = govern_tools(gate, my_tools) # register + wrap the toolset
agent = Agent(role="researcher", goal="...", backstory="...", tools=governed)
task = Task(description="...", agent=agent, expected_output="...")
crew = Crew(agents=[agent], tasks=[task])
crew.kickoff() # every tool call is governed
# A custom step invokes a governed tool through the helper, never raw:
result = governed_call(gate, "search_web", {"q": "lodestar"})
The gate's config (runtime-gate.config.json) is a RuntimeGateConfig — the
signed policy document, approver keys, sentinel ids, persistence, and durable log
root all live there. The hook never holds credentials or policy.
Scope (honest, ADR-0004 lineage)
This is governance over declared actions, not OS containment of the process.
Raw I/O performed outside the tool abstraction — a custom step that calls
requests.get() directly instead of a registered tool — is outside the governed
surface, exactly as guard.wrap() and the MCP proxy only govern the tools they
are given. A call for an unregistered tool is denied (fail closed). Pair the
adapter with network/filesystem controls for defense in depth.
Holds & denials
An L4 action the trust-ladder floor parks for approval is resolved by
block-polling the gate up to the deadline for a signed approval (hold_wait_ms)
— the headless default. A denied / held-then-timed-out call raises
LodestarDenied by default; CrewAI's ToolUsage catches it and surfaces the
reason to the agent as a re-plannable observation. Pass on_denied to
govern_tools to map a denial to a return value instead.
Apache-2.0. Part of the Lodestar monorepo (runtimes/crewai/).
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file lodestar_crewai-0.4.0.tar.gz.
File metadata
- Download URL: lodestar_crewai-0.4.0.tar.gz
- Upload date:
- Size: 11.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
758f10418f17ddae6a471026c2ff20e290f328b88188883540a6c91c400c7a07
|
|
| MD5 |
0b3dbbbdeca9a4bacd7469aa84b9a2a3
|
|
| BLAKE2b-256 |
489774f6fe4aeb02866429fdbe310c9d9bce91f8f7cf4b9e73ac32f6deef8df5
|
Provenance
The following attestation bundles were made for lodestar_crewai-0.4.0.tar.gz:
Publisher:
publish-pypi.yml on qmilab/lodestar
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
lodestar_crewai-0.4.0.tar.gz -
Subject digest:
758f10418f17ddae6a471026c2ff20e290f328b88188883540a6c91c400c7a07 - Sigstore transparency entry: 1886545559
- Sigstore integration time:
-
Permalink:
qmilab/lodestar@d573d205a6f4544e4d392a82b0bb81420fbce9b3 -
Branch / Tag:
refs/tags/v0.4.0 - Owner: https://github.com/qmilab
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-pypi.yml@d573d205a6f4544e4d392a82b0bb81420fbce9b3 -
Trigger Event:
push
-
Statement type:
File details
Details for the file lodestar_crewai-0.4.0-py3-none-any.whl.
File metadata
- Download URL: lodestar_crewai-0.4.0-py3-none-any.whl
- Upload date:
- Size: 7.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a5afcbeb51b754e897c1dd87bea9f91e3cf8e4f7adc715a756f5036b3644fcd3
|
|
| MD5 |
896ed010cdc012b3775933a4fd498df4
|
|
| BLAKE2b-256 |
9af7cc5718560df0fed504f0eba458ea40e410b8ba9f203a3874dce2a36490ab
|
Provenance
The following attestation bundles were made for lodestar_crewai-0.4.0-py3-none-any.whl:
Publisher:
publish-pypi.yml on qmilab/lodestar
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
lodestar_crewai-0.4.0-py3-none-any.whl -
Subject digest:
a5afcbeb51b754e897c1dd87bea9f91e3cf8e4f7adc715a756f5036b3644fcd3 - Sigstore transparency entry: 1886545611
- Sigstore integration time:
-
Permalink:
qmilab/lodestar@d573d205a6f4544e4d392a82b0bb81420fbce9b3 -
Branch / Tag:
refs/tags/v0.4.0 - Owner: https://github.com/qmilab
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish-pypi.yml@d573d205a6f4544e4d392a82b0bb81420fbce9b3 -
Trigger Event:
push
-
Statement type: