Skip to main content

Python SDK for MakerChecker: govern AI-agent tool calls with deny-by-default grants, segregation of duties, and a hash-chained audit trail.

Project description

makerchecker (Python SDK)

A typed HTTP client for a running MakerChecker server, plus the governed_tool wrapper. It opens a proxy session and routes a Python agent's tool calls through the server's deny-by-default grants, segregation of duties, approval gates, and a hash-chained, Ed25519-signed audit. The API mirrors the TypeScript SDK at ../sdk.

Install

pip install "makerchecker @ git+https://github.com/sammysltd/makerchecker#subdirectory=packages/sdk-python"

Plain pip install makerchecker from PyPI works from the next tagged release. Python 3.10+. Runtime dependency: httpx.

Use

from makerchecker import create_client, governed_tool, GovernanceDeniedError

client = create_client("http://localhost:3000", api_key="mk_...")
session = client.proxy.open_session("crew-run")["session"]

ingest = governed_tool(
    client, session["id"], "recon-preparer", "csv-ingest@1",
    lambda i: read_csv(i["path"]),
)

try:
    result = ingest({"path": "statement.csv"})  # checks first; a deny throws before read_csv runs
except GovernanceDeniedError as err:
    print(err.code, err.reason)

client.proxy.close_session(session["id"])

governed_tool calls client.proxy.check, raises GovernanceDeniedError(code, reason) on a deny before fn runs, then runs fn(input), records the output, and returns it. If fn raises, it records {"message": str(err)} and re-raises. skill_ref is a name@version string; a grant for one version does not authorize another.

API

create_client(base_url, api_key=None) -> Client
Client(base_url, api_key=None, *, http=None)   # context manager; close() releases an owned httpx.Client

client.health() -> dict                          # GET  /healthz
client.trigger_flow(name, input=None) -> dict    # POST /api/flows/{name}/runs
client.verify_audit() -> dict                    # GET  /api/audit/verify
client.close() -> None

client.proxy.open_session(label, external_ref=None) -> dict          # {"session": {"id", ...}}
client.proxy.check(session_id, agent_name, skill_ref, input=None) -> CheckResult
client.proxy.record(session_id, check_id, output=..., error=...) -> dict
client.proxy.close_session(session_id) -> dict
client.proxy.get_session(session_id) -> dict

governed_tool(client, session_id, agent_name, skill_ref, fn) -> Callable[[dict], T]

check returns CheckResult(allowed, check_id, code, reason). A deny returns 200 with allowed=False, not an error. record uses sentinel defaults, so output=None records a literal None and differs from omitting output. Any response with status >= 400 raises ApiError(status, body).

CrewAI and LangChain tools are callables: wrap the implementation with governed_tool and call it from the @tool body.

License

Apache-2.0. See LICENSE. The MakerChecker server it talks to is AGPL-3.0.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

makerchecker-1.1.tar.gz (37.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

makerchecker-1.1-py3-none-any.whl (10.4 kB view details)

Uploaded Python 3

File details

Details for the file makerchecker-1.1.tar.gz.

File metadata

  • Download URL: makerchecker-1.1.tar.gz
  • Upload date:
  • Size: 37.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for makerchecker-1.1.tar.gz
Algorithm Hash digest
SHA256 b2f6d1f9187efa7f29aafa7179d68644536e1475fc99b952d5d602eb00cdc733
MD5 b856ec5cb7d1a9fc4cbecac022bf9dad
BLAKE2b-256 cc4d5a8de0095fc40978db52e7314fc600d6702d6b2deffdb2715a5f6b9f6aee

See more details on using hashes here.

Provenance

The following attestation bundles were made for makerchecker-1.1.tar.gz:

Publisher: release.yml on sammysltd/MakerChecker

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file makerchecker-1.1-py3-none-any.whl.

File metadata

  • Download URL: makerchecker-1.1-py3-none-any.whl
  • Upload date:
  • Size: 10.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for makerchecker-1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 6ec222f89f36140e4a2dee61ef30583d26097e83b4fe5d7e6bb00820164cd173
MD5 22de3c333620d3f085a565a599ab5d84
BLAKE2b-256 8b0443b7672c97068c59d1e818938588668eede7f336657f145974e1b741e2f2

See more details on using hashes here.

Provenance

The following attestation bundles were made for makerchecker-1.1-py3-none-any.whl:

Publisher: release.yml on sammysltd/MakerChecker

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page