Skip to main content

Python SDK for MakerChecker: govern AI-agent tool calls with deny-by-default grants, segregation of duties, and a hash-chained audit trail.

Project description

makerchecker (Python SDK)

A typed HTTP client for a running MakerChecker server, plus the governed_tool wrapper. It opens a proxy session and routes a Python agent's tool calls through the server's deny-by-default grants, segregation of duties, approval gates, and a hash-chained, Ed25519-signed audit. The API mirrors the TypeScript SDK at ../sdk.

Install

pip install "makerchecker @ git+https://github.com/sammysltd/makerchecker#subdirectory=packages/sdk-python"

Plain pip install makerchecker from PyPI works from the next tagged release. Python 3.10+. Runtime dependency: httpx.

Use

from makerchecker import create_client, governed_tool, GovernanceDeniedError

client = create_client("http://localhost:3000", api_key="mk_...")
session = client.proxy.open_session("crew-run")["session"]

ingest = governed_tool(
    client, session["id"], "recon-preparer", "csv-ingest@1",
    lambda i: read_csv(i["path"]),
)

try:
    result = ingest({"path": "statement.csv"})  # checks first; a deny throws before read_csv runs
except GovernanceDeniedError as err:
    print(err.code, err.reason)

client.proxy.close_session(session["id"])

governed_tool calls client.proxy.check, raises GovernanceDeniedError(code, reason) on a deny before fn runs, then runs fn(input), records the output, and returns it. If fn raises, it records {"message": str(err)} and re-raises. skill_ref is a name@version string; a grant for one version does not authorize another.

API

create_client(base_url, api_key=None) -> Client
Client(base_url, api_key=None, *, http=None)   # context manager; close() releases an owned httpx.Client

client.health() -> dict                          # GET  /healthz
client.trigger_flow(name, input=None) -> dict    # POST /api/flows/{name}/runs
client.verify_audit() -> dict                    # GET  /api/audit/verify
client.close() -> None

client.proxy.open_session(label, external_ref=None) -> dict          # {"session": {"id", ...}}
client.proxy.check(session_id, agent_name, skill_ref, input=None) -> CheckResult
client.proxy.record(session_id, check_id, output=..., error=...) -> dict
client.proxy.close_session(session_id) -> dict
client.proxy.get_session(session_id) -> dict

governed_tool(client, session_id, agent_name, skill_ref, fn) -> Callable[[dict], T]

check returns CheckResult(allowed, check_id, code, reason). A deny returns 200 with allowed=False, not an error. record uses sentinel defaults, so output=None records a literal None and differs from omitting output. Any response with status >= 400 raises ApiError(status, body).

CrewAI and LangChain tools are callables: wrap the implementation with governed_tool and call it from the @tool body.

License

Apache-2.0. See LICENSE. The MakerChecker server it talks to is AGPL-3.0.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

makerchecker-1.1.1.tar.gz (37.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

makerchecker-1.1.1-py3-none-any.whl (10.5 kB view details)

Uploaded Python 3

File details

Details for the file makerchecker-1.1.1.tar.gz.

File metadata

  • Download URL: makerchecker-1.1.1.tar.gz
  • Upload date:
  • Size: 37.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for makerchecker-1.1.1.tar.gz
Algorithm Hash digest
SHA256 60295e773f48691d8795180a2058917023c8c4577f69a8f8e2ddce06cc2ce6c5
MD5 5d96f5f51c29f64f80c20671a96596e2
BLAKE2b-256 967ef9ecbc9fdb4f473caed26fe34c3fea54e3d9f95c2c32501e25366ccfa223

See more details on using hashes here.

Provenance

The following attestation bundles were made for makerchecker-1.1.1.tar.gz:

Publisher: release.yml on sammysltd/MakerChecker

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file makerchecker-1.1.1-py3-none-any.whl.

File metadata

  • Download URL: makerchecker-1.1.1-py3-none-any.whl
  • Upload date:
  • Size: 10.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for makerchecker-1.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 1408544de8a2521714acdb7ae0343e6603d0beca93189f274eb482807ba76672
MD5 78f5e61c5193d48778f3706784f765b5
BLAKE2b-256 8d33dc0fef015454c2b4bcc2c87f6e1ba81286fccdc5bdec211c3274bb5d46e8

See more details on using hashes here.

Provenance

The following attestation bundles were made for makerchecker-1.1.1-py3-none-any.whl:

Publisher: release.yml on sammysltd/MakerChecker

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page