
Open-source AI agent security middleware for policy-enforced tool calls, prompt injection defense, and PII masking

Project description

███╗   ███╗███████╗ ██████╗ ███████╗███╗   ██╗████████╗
████╗ ████║██╔════╝██╔════╝ ██╔════╝████╗  ██║╚══██╔══╝
██╔████╔██║█████╗  ██║  ███╗█████╗  ██╔██╗ ██║   ██║   
██║╚██╔╝██║██╔══╝  ██║   ██║██╔══╝  ██║╚██╗██║   ██║   
██║ ╚═╝ ██║███████╗╚██████╔╝███████╗██║ ╚████║   ██║   
╚═╝     ╚═╝╚══════╝ ╚═════╝ ╚══════╝╚═╝  ╚═══╝   ╚═╝   

A zero-trust safety layer for AI agents. Wrap tools fast. Ship with confidence.

Open-source AI agent security middleware for policy-enforced tool calls, prompt injection resistance, and PII masking.



Megent: Open-Source AI Agent Security Middleware

Megent helps secure AI agents by enforcing allow/deny tool policies, masking sensitive data, and logging every tool decision.


The Problem

AI agents are calling tools. Most of those calls look harmless. But sequences don't lie.

agent.read_file("/etc/passwd")          ← looks fine
agent.web_search("paste.bin upload")    ← looks fine  
agent.http_post("https://...")          ← looks fine

# combined? that's data exfiltration.

Traditional security tools inspect calls one by one. Megent evaluates each call in the context of the recent sequence and enforces policy at execution time.

Built for teams that want speed without security debt.


How It Works

Megent sits between your agent and its tools, running every call through three primitives:

┌─────────────────────────────────────────────────────┐
│                    AGENT RUNTIME                    │
│                                                     │
│  tool_call() ──► [ INTERCEPT ] ──► [ CONTEXT ]      │
│                                          │          │
│                                     [ JUDGE ]       │
│                                          │          │
│                              allow / deny / modify  │
└─────────────────────────────────────────────────────┘
Primitive   Role
Intercept   Hooks into every tool invocation before execution
Context     Maintains a behavioral window — the sequence of recent calls
Judge       Evaluates the sequence against your policy rules
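The three primitives as an added stand-alone illustration (this is not Megent's own code or API; Context, judge, intercept and the SEQUENCE_RULES table are assumptions). The judge denies a call when the behavioral window already contains the read-then-post pattern from The Problem section:

```python
import time
from collections import deque

# Hypothetical stand-alone illustration of the Intercept / Context / Judge
# primitives described above; not Megent's own code or API.

# Sequence rules: ordered (tool_name, predicate on kwargs) steps. If every step
# appears in order within the window, the pending call is denied. Constructed
# rule: a sensitive read followed by an outbound HTTP POST, the exfiltration
# pattern from The Problem section above.
SEQUENCE_RULES = {
    "exfil-after-sensitive-read": [
        ("read_file", lambda kw: str(kw.get("path", "")).startswith("/etc/")),
        ("http_post", lambda kw: True),
    ],
}

class Context:
    """Behavioral window: the most recent (tool, kwargs, timestamp) records."""
    def __init__(self, size=5):
        self.calls = deque(maxlen=size)

    def record(self, tool, kwargs):
        self.calls.append((tool, dict(kwargs), time.time()))

def judge(context, tool, kwargs):
    """Evaluate the window plus the pending call; return (decision, rule_name)."""
    window = list(context.calls) + [(tool, kwargs, time.time())]
    for name, steps in SEQUENCE_RULES.items():
        i = 0
        for t, kw, _ in window:  # steps must match in order; gaps are allowed
            if i < len(steps) and steps[i][0] == t and steps[i][1](kw):
                i += 1
        if i == len(steps):
            return "deny", name
    return "allow", None

def intercept(context, tool_name):
    """Decorator hooking a tool: judge, record the attempt, then run or refuse."""
    def deco(fn):
        def wrapper(**kwargs):
            decision, rule = judge(context, tool_name, kwargs)
            context.record(tool_name, kwargs)  # denied attempts stay in the window
            if decision == "deny":
                raise PermissionError(f"{tool_name} denied by rule {rule!r}")
            return fn(**kwargs)
        return wrapper
    return deco
```

Each call on its own is allowed; only the ordered combination within the window trips the rule, which is the point the section makes.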

Install

pip install megent

Super Simple Setup (3 Steps)

No framework migration. No plugin boilerplate. Just one policy file and one decorator.

  1. Create a megent.yaml file in your project root:

version: "1"
default_action: deny

tools:
  send_email:
    allow: true
    pii_mask: [email, phone]

  2. Add Megent to your function:

import megent as mg

mg.configure(policy_path="megent.yaml")

@mg.guard
def send_email(to: str, body: str) -> str:
    return "sent"

send_email("ops@example.com", "Call me at +1 555 111 2222")

  3. Run your app. Calls are now policy-checked, and sensitive fields are masked automatically.

Quickstart

Drop-in decorator

import megent as mg

mg.configure(policy_path="policies/agent.yaml")

@mg.guard
def send_email(to: str, subject: str, body: str) -> str:
  # your tool implementation
  return "sent"

send_email(
  to="ops@example.com",
  subject="Daily summary",
  body="Contact me at jane.doe@example.com",
)

Wrap an existing agent

import megent as mg

runtime = mg.Runtime(policy_path="policies/agent.yaml")

safe_execute = mg.wrap(
  third_party_agent.execute,
  runtime=runtime,
  tool_name="agent_execute",
)

safe_execute(task="Summarize latest reports")

That's it. Megent intercepts every tool call, evaluates it against your policy, and either allows, denies, or modifies it — all without changing your agent code.


Policy Language

Policies are plain YAML. No DSL to learn.

# policies/agent.yaml
version: "1"
default_action: deny
pii_mask: [email]

tools:
  read_file:
    allow: true

  send_email:
    allow: true
    pii_mask: [email, phone, ssn]

  delete_all_data:
    allow: false

Agent Identity (JWT)

Megent can attribute calls to an agent identity using a JWT (HS256). Set MEGENT_JWT_SECRET (or pass secret= to verify_agent_token) and include agent_id (or sub) in the token claims.

import megent as mg

runtime = mg.Runtime(policy_path="policies/agent.yaml")
token = "<jwt-from-your-auth-system>"

safe_send = mg.wrap(send_email, runtime=runtime, tool_name="send_email", agent_token=token)
safe_send(to="ops@example.com", subject="Ping", body="hello")
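An added stand-alone sketch of what an HS256 agent-token check has to do before agent_id is trusted. It is not Megent's verify_agent_token; issue_token, b64url_encode/b64url_decode and the secret values are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Hypothetical stand-alone illustration of the HS256 agent-token check described
# above (shared secret, agent_id or sub claim); not Megent's verify_agent_token.
# issue_token exists only so the example runs offline; your auth system mints real ones.

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims, secret):
    """Mint an HS256 JWT from a claims dict (constructed helper for the example)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def verify_agent_token(token, secret=None, now=None):
    """Return the agent id (agent_id, else sub) or raise ValueError.

    Checks, in order: three segments; alg pinned to HS256 (so 'none' and
    algorithm-confusion headers are rejected); constant-time signature
    compare before any claim is trusted; exp not in the past."""
    if secret is None:
        secret = os.environ["MEGENT_JWT_SECRET"]  # same env var the page names
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    exp = claims.get("exp")
    if exp is not None and (time.time() if now is None else now) >= exp:
        raise ValueError("token expired")
    agent = claims.get("agent_id") or claims.get("sub")
    if not agent:
        raise ValueError("no agent_id or sub claim")
    return str(agent)
```

Whatever library performs this check in production, the same three properties matter for attribution to mean anything: the algorithm is pinned, the signature is verified before claims are read, and a missing identity claim is a failure rather than an anonymous allow.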

Audit Log

Every decision is logged in structured JSON.

{
  "event": "allow",
  "tool": "http_post",
  "agent_id": "reports-agent-v2",
  "timestamp": 1767945230.137,
  "args": {
    "body": "[REDACTED]"
  },
  "masked_fields": ["email"]
}

Pipe to any SIEM. Query with any log tool.
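The policy semantics from the Policy Language section (default_action, per-tool allow, pii_mask, * wildcards) and the audit event shape shown above, worked through as added example code that is not Megent's implementation. POLICY, PII_PATTERNS, resolve_tool, mask_args and evaluate are assumptions, and the regexes are constructed.

```python
import fnmatch
import re

# Hypothetical stand-alone illustration of the policy semantics described above
# (default_action, per-tool allow, pii_mask, '*' wildcards) producing the audit
# event shape shown above; not Megent's own implementation. POLICY is the YAML
# above as a dict (plus a wildcard rule), so no YAML library is needed.
POLICY = {
    "default_action": "deny",
    "pii_mask": ["email"],
    "tools": {
        "read_file": {"allow": True},
        "send_email": {"allow": True, "pii_mask": ["email", "phone", "ssn"]},
        "delete_*": {"allow": False},
    },
}

# Constructed masking patterns; a real deployment would tune these.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def resolve_tool(policy, tool):
    """Exact tool name first, then '*' wildcard rules; None when nothing matches."""
    tools = policy.get("tools", {})
    if tool in tools:
        return tools[tool]
    return next((r for pat, r in tools.items() if fnmatch.fnmatchcase(tool, pat)), None)

def mask_args(args, fields):
    """Redact matches of each configured PII class; return (masked_args, hit_fields)."""
    masked, hits = {}, []
    for key, value in args.items():
        for field in fields:
            if isinstance(value, str) and PII_PATTERNS[field].search(value):
                value = PII_PATTERNS[field].sub("[REDACTED]", value)
                if field not in hits:
                    hits.append(field)
        masked[key] = value
    return masked, hits

def evaluate(policy, tool, args, agent_id=None):
    """Decide one call and build its audit event; unknown tools get default_action."""
    rule = resolve_tool(policy, tool)
    allowed = rule.get("allow", False) if rule else policy.get("default_action") == "allow"
    masked, hits = mask_args(args, (rule or {}).get("pii_mask", policy.get("pii_mask", [])))
    return {"event": "allow" if allowed else "deny", "tool": tool, "agent_id": agent_id,
            "args": masked, "masked_fields": hits}
```

json.dumps(evaluate(...)) is the log line; note that with overlapping classes the first configured pattern that matches claims the value (the phone pattern here also catches an SSN), so list pii_mask classes from most to least specific or tighten the patterns.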


Framework-agnostic

Megent is not a plugin for LangChain, CrewAI, or any other framework. It is an independent security layer.

You build your agent on whatever platform you want. Megent wraps it.

┌──────────────────────────────────────┐
│              MEGENT                  │  ← security layer (this is us)
│  ┌────────────────────────────────┐  │
│  │   your agent (LangChain,       │  │  ← built on any framework
│  │   CrewAI, OpenAI Agents SDK,   │  │
│  │   raw Python, anything)        │  │
│  └────────────────────────────────┘  │
└──────────────────────────────────────┘

Megent doesn't know or care what your agent is built on. It intercepts tool calls at the boundary — before execution — regardless of the underlying platform.

import megent as mg

# agent built on LangChain? wrap it.
safe_agent = mg.wrap(langchain_agent.invoke, runtime=mg.Runtime(policy_path="policies/agent.yaml"))

# agent built on CrewAI? wrap it.
safe_agent = mg.wrap(crew.kickoff, runtime=mg.Runtime(policy_path="policies/agent.yaml"))

# raw Python agent? same thing.
safe_agent = mg.wrap(my_agent.run, runtime=mg.Runtime(policy_path="policies/agent.yaml"))

The platforms (LangChain, CrewAI, OpenAI Agents SDK, AutoGen, LlamaIndex) are where agents are built. Megent is where they are secured. These are separate concerns.


External Policy Repo

Megent does not ship policy packs in this repo anymore. Policy packs live in a separate policy repository, and Megent loads them by policy_repo path or MEGENT_POLICY_REPO.

Example:

import megent as mg

runtime = mg.Runtime(
  policy_name="access-control/read-only",
  policy_repo=r"C:\Users\dell\Downloads\megent-policies\megent-policies",
)

combined = mg.compose_policies(
  "access-control/read-only",
  "data-protection/pii-strict",
  policy_repo=r"C:\Users\dell\Downloads\megent-policies\megent-policies",
)

Policies use direct tool names and simple wildcards such as *.


Threat Coverage

Attack                        Megent defense
Unauthorized tool calls       Per-tool allow/deny policy enforcement
Unknown-by-default execution  default_action: deny for explicit allowlists
PII leakage in arguments      Configurable regex masking (pii_mask)
Unattributed execution        Optional JWT-based agent_id attribution
Weak observability            Structured audit events via standard logging


Contributing

Megent is Apache 2.0 licensed and open to contributions.

git clone https://github.com/Megents/Megent.git
cd Megent
pip install -e ".[dev]"
pytest

See CONTRIBUTING.md for guidelines.


License

Apache 2.0 — free to use, modify, and distribute.


Built for production AI. Designed for developers who ship.

megent.dev

Download files

Source distribution: megent-0.2.0.tar.gz (43.4 kB)
Built distribution: megent-0.2.0-py3-none-any.whl (43.2 kB, Python 3)
