Production-grade action middleware for agentic AI - by Plyra
🛡️ plyra-guard
Part of the Plyra agentic infrastructure suite.
Production-grade middleware for securing, observing, and controlling actions taken by AI agents.
pip install plyra-guard
Built by Plyra: Infrastructure for Agentic AI.
Why plyra-guard?
- Every action passes through a security pipeline: Intercept → Evaluate → Execute → Observe → Rollback. No unguarded tool calls.
- Works with any AI framework: LangChain, LlamaIndex, CrewAI, AutoGen, OpenAI, Anthropic, or plain Python callables.
- Multi-agent native: trust ledgers, delegation tracking, cascade control, and cross-agent rollback built in from day one.
Quick Install
```shell
pip install plyra-guard
```
With optional features:
```shell
pip install plyra-guard[sidecar]   # HTTP sidecar server
pip install plyra-guard[otel]      # OpenTelemetry export
pip install plyra-guard[all]       # Everything
```
Quickstart
1. Basic Decorator
```python
from plyra_guard import ActionGuard, RiskLevel

guard = ActionGuard.default()

@guard.protect("file.delete", risk_level=RiskLevel.HIGH)
def delete_file(path: str) -> bool:
    import os
    os.remove(path)
    return True

# Every call is intercepted, evaluated, and audited
delete_file("/tmp/test.txt")
```
2. Namespace Import
```python
# Both import styles work:
from plyra_guard import ActionGuard   # direct
from plyra.guard import ActionGuard   # namespace
```
3. Multi-Agent Orchestration
```python
from plyra_guard import ActionGuard, TrustLevel

guard = ActionGuard.default()

# Register agents with trust levels
guard.register_agent("orchestrator", TrustLevel.ORCHESTRATOR)
guard.register_agent("email-agent", TrustLevel.SUB_AGENT)
guard.register_agent("code-agent", TrustLevel.PEER)

# Context manager sets the active agent; send_email is a function you have
# already wrapped with @guard.protect(...)
with guard.set_task_context("task-001", "email-agent"):
    send_email("boss@company.com", "Report", "...")

# Roll back all actions in a task across all agents
guard.rollback_task("task-001")
```
4. Policy Configuration (YAML)
```yaml
# guard_config.yaml
version: "1.0"
policies:
  - name: "block_system_paths"
    action_types: ["file.delete", "file.write"]
    condition: "parameters.path.startswith('/etc')"
    verdict: BLOCK
    message: "System path access is forbidden"
  - name: "escalate_high_cost"
    action_types: ["*"]
    condition: "estimated_cost > 0.50"
    verdict: ESCALATE
    message: "Requires human approval"
agents:
  - id: "orchestrator"
    trust_level: 0.8
    can_delegate_to: ["worker-1", "worker-2"]
```

```python
guard = ActionGuard.from_config("guard_config.yaml")
```
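The policy conditions above are plain expressions stored in a config file, so the engine that evaluates them must never hand them to `eval()`: a writable policy file would otherwise become a code-execution path. The block below is an added example, not plyra-guard's own PolicyEngine, of what "AST-compiled conditions" can look like when done safely: the condition is parsed with Python's `ast` module, every node is checked against an allowlist (names, comparison operators, boolean logic, a handful of string methods), and the validated tree is interpreted directly. It then applies the two policies from the YAML above, with the most restrictive verdict winning and a condition that cannot be evaluated failing closed. The `Intent` class, the verdict names as strings and the policy dicts are assumptions made for this example.

```python
import ast
import operator
from dataclasses import dataclass

# Top-level names a condition may use (the README's YAML uses `parameters` and
# `estimated_cost`); attribute access on a dict is a key lookup (parameters.path).
ROOT_NAMES = {"parameters", "estimated_cost", "action_type"}
# The only methods reachable on a value; format(), __class__ and friends are rejected.
ALLOWED_METHODS = {"startswith", "endswith", "lower", "upper"}
ALLOWED_NODES = (ast.Expression, ast.Compare, ast.BoolOp, ast.UnaryOp, ast.Call,
                 ast.Attribute, ast.Name, ast.Constant, ast.Load, ast.And, ast.Or,
                 ast.Not, ast.Gt, ast.GtE, ast.Lt, ast.LtE, ast.Eq, ast.NotEq)
COMPARE_OPS = {ast.Gt: operator.gt, ast.GtE: operator.ge, ast.Lt: operator.lt,
               ast.LtE: operator.le, ast.Eq: operator.eq, ast.NotEq: operator.ne}
VERDICT_RANK = {"ALLOW": 0, "ESCALATE": 1, "BLOCK": 2}

@dataclass
class Intent:  # hypothetical minimal intent shape for this example
    action_type: str
    parameters: dict
    estimated_cost: float = 0.0

def compile_condition(src: str) -> ast.Expression:
    """Parse a condition and reject any syntax outside the allowlist."""
    tree = ast.parse(src, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, ALLOWED_NODES):
            raise ValueError(f"disallowed syntax: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in ROOT_NAMES:
            raise ValueError(f"unknown name: {node.id}")
        if isinstance(node, ast.Attribute) and node.attr.startswith("_"):
            raise ValueError(f"private attribute: {node.attr}")
        if isinstance(node, ast.Compare) and len(node.ops) != 1:
            raise ValueError("chained comparisons are not supported")
        if isinstance(node, ast.Call) and (not isinstance(node.func, ast.Attribute)
                                           or node.func.attr not in ALLOWED_METHODS
                                           or node.keywords):
            raise ValueError("only allowlisted methods with positional args may be called")
    return tree

def is_valid_condition(src: str) -> bool:
    try:
        compile_condition(src)
        return True
    except (ValueError, SyntaxError):
        return False

def _run(node, env):
    """Interpret the validated tree directly; no eval() or exec() is involved."""
    if isinstance(node, ast.Expression):
        return _run(node.body, env)
    if isinstance(node, ast.Constant):
        return node.value
    if isinstance(node, ast.Name):
        return env[node.id]
    if isinstance(node, ast.Attribute):
        obj = _run(node.value, env)
        if isinstance(obj, dict):
            return obj.get(node.attr)
        if node.attr not in ALLOWED_METHODS:
            raise ValueError(f"attribute not allowed: {node.attr}")
        return getattr(obj, node.attr)
    if isinstance(node, ast.Call):
        return _run(node.func, env)(*[_run(a, env) for a in node.args])
    if isinstance(node, ast.UnaryOp):  # only `not` passes validation
        return not _run(node.operand, env)
    if isinstance(node, ast.BoolOp):
        values = (_run(v, env) for v in node.values)
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.Compare):
        left, right = _run(node.left, env), _run(node.comparators[0], env)
        return COMPARE_OPS[type(node.ops[0])](left, right)
    raise ValueError(f"unsupported node: {type(node).__name__}")

def evaluate(policies, intent: Intent):
    """Return (verdict, message); the most restrictive matching policy wins."""
    env = {"parameters": intent.parameters, "estimated_cost": intent.estimated_cost,
           "action_type": intent.action_type}
    verdict, message = "ALLOW", "no policy matched"
    for p in policies:
        if "*" not in p["action_types"] and intent.action_type not in p["action_types"]:
            continue
        try:
            if not _run(p["compiled"], env):
                continue
            candidate, why = p["verdict"], p["message"]
        except Exception as exc:  # fail closed: an unevaluable condition blocks
            candidate, why = "BLOCK", f"{p['name']}: condition error ({exc})"
        if VERDICT_RANK[candidate] > VERDICT_RANK[verdict]:
            verdict, message = candidate, why
    return verdict, message

# Constructed policies mirroring the README's guard_config.yaml (dicts, so no PyYAML
# is needed); conditions are compiled once at load time so a bad policy fails early.
POLICIES = [dict(p, compiled=compile_condition(p["condition"])) for p in [
    {"name": "block_system_paths", "action_types": ["file.delete", "file.write"],
     "condition": "parameters.path.startswith('/etc')", "verdict": "BLOCK",
     "message": "System path access is forbidden"},
    {"name": "escalate_high_cost", "action_types": ["*"],
     "condition": "estimated_cost > 0.50", "verdict": "ESCALATE",
     "message": "Requires human approval"},
]]
```

Two design choices are worth noting. Compiling at load time means a policy file with a typo or a disallowed construct is rejected before any agent runs, rather than at the moment an action happens to match it. And a condition that raises during evaluation (for example `parameters.path` being absent on a `file.delete` intent) produces a BLOCK rather than a silent non-match, so a malformed intent cannot slip past a policy that was meant to catch it.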
CLI
```shell
plyra-guard serve --config guard.yaml         # HTTP sidecar
plyra-guard inspect --config guard.yaml       # Pipeline visualization
plyra-guard explain --action file.delete      # Dry-run explanation
plyra-guard test-policy --condition "..."     # Interactive policy testing
plyra-guard version                           # Version info
```
Supported Frameworks
plyra-guard ships transparent adapters that intercept tool executions in the most popular agent frameworks. The recommended integration pattern depends on how your framework dispatches tool calls internally:
| Framework | Recommended approach |
|---|---|
| LangChain | guard.wrap(tools) |
| LangGraph | Custom GuardedToolNode (see examples/langgraph_integration.py) |
| AutoGen | guard.wrap([func]) + register_function |
| CrewAI | guard.wrap(tools) |
| OpenAI / Anthropic | guard.wrap(tool_defs) |
| Generic Python | @guard.protect() decorator |
Architecture
```text
+------------------------------------------------------------------+
|                       AI Agent / Framework                       |
|    (LangChain, LlamaIndex, CrewAI, AutoGen, OpenAI, Anthropic)   |
+-----------------------------+------------------------------------+
                              | tool call
                              v
+------------------------------------------------------------------+
|                           plyra-guard                            |
|                                                                  |
|  +---------+   +--------------------------+   +----------------+ |
|  | Adapter |-->|   Evaluation Pipeline    |-->| Execution Gate | |
|  | Registry|   |                          |   |                | |
|  |         |   | 1. Schema Validator      |   | * Pre/post     | |
|  | * Lang- |   | 2. Policy Engine (YAML)  |   |   hooks        | |
|  |   Chain |   | 3. Risk Scorer (0.0-1.0) |   | * Timeout mgmt | |
|  | * OpenAI|   | 4. Rate Limiter          |   | * Error capture| |
|  | * Custom|   | 5. Cost Estimator        |   +-------+--------+ |
|  +---------+   | 6. Human Gate (optional) |           |          |
|                | 7. Custom evaluators...  |           |          |
|                +--------------------------+           |          |
|                                                       |          |
|  +-----------------+  +---------------+  +------------v--------+ |
|  | Multi-Agent     |  | Rollback      |  | Observability       | |
|  |                 |  |               |  |                     | |
|  | * Trust Ledger  |  | * Snapshots   |  | * Audit Log         | |
|  | * Instr. Chain  |  | * File handler|  | * OpenTelemetry     | |
|  | * Cascade Ctrl  |  | * DB handler  |  | * Datadog           | |
|  | * Global Budget |  | * HTTP comp.  |  | * Webhooks          | |
|  +-----------------+  +---------------+  +---------------------+ |
+------------------------------------------------------------------+
```
Features
Evaluation Pipeline
Six built-in evaluators, fully pluggable:
| Evaluator | Purpose |
|---|---|
| SchemaValidator | Validates ActionIntent structure |
| PolicyEngine | YAML policies with AST-compiled conditions |
| RiskScorer | Dynamic risk score (0.0-1.0) from 5 signals |
| RateLimiter | Per-agent, per-tool sliding window limits |
| CostEstimator | Token + API cost budget enforcement |
| HumanGate | Human-in-the-loop approval gate |
Add your own:
```python
from plyra_guard import BaseEvaluator, ActionIntent, EvaluatorResult, Verdict

class MyEvaluator(BaseEvaluator):
    @property
    def name(self) -> str:
        return "my_evaluator"

    def evaluate(self, intent: ActionIntent) -> EvaluatorResult:
        if "dangerous" in intent.parameters:
            return EvaluatorResult(verdict=Verdict.BLOCK, reason="Dangerous parameter")
        return EvaluatorResult(verdict=Verdict.ALLOW, reason="OK")

guard.pipeline.add(MyEvaluator(), position="after_risk_scorer")
```
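To make the "fully pluggable" pipeline concrete, here is an added example (not plyra-guard's own implementation) of a minimal evaluation pipeline in the shape the table describes: a `SchemaValidator`, a per-agent, per-tool sliding-window `RateLimiter`, and a `Pipeline` that inserts evaluators by position, takes the most restrictive verdict and stops at the first BLOCK. Timestamps are passed in explicitly so the window behaviour can be reproduced offline. All class names, the `now` parameter and the verdict strings are assumptions made for this example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

VERDICT_RANK = {"ALLOW": 0, "ESCALATE": 1, "BLOCK": 2}


@dataclass
class Intent:  # hypothetical minimal intent shape for this example
    action_type: str   # "tool.operation", e.g. "email.send"
    parameters: dict
    agent_id: str


@dataclass
class Result:
    verdict: str
    reason: str
    evaluator: str = ""


class Evaluator:
    """Base class: subclasses set `name` and implement evaluate()."""
    name = "base"

    def evaluate(self, intent: Intent, now: float) -> Result:
        raise NotImplementedError


class SchemaValidator(Evaluator):
    name = "schema_validator"

    def evaluate(self, intent, now):
        if not isinstance(intent.action_type, str) or intent.action_type.count(".") != 1:
            return Result("BLOCK", "action_type must be 'tool.operation'")
        if not isinstance(intent.parameters, dict):
            return Result("BLOCK", "parameters must be a mapping")
        return Result("ALLOW", "schema ok")


class RateLimiter(Evaluator):
    """Sliding window: at most `limit` allowed calls per (agent, tool) in `window` seconds."""
    name = "rate_limiter"

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self.calls = defaultdict(deque)   # (agent_id, action_type) -> timestamps

    def evaluate(self, intent, now):
        key = (intent.agent_id, intent.action_type)
        stamps = self.calls[key]
        while stamps and now - stamps[0] >= self.window:   # drop expired entries
            stamps.popleft()
        if len(stamps) >= self.limit:
            return Result("BLOCK", f"{key} exceeded {self.limit} calls per {self.window}s")
        stamps.append(now)   # only allowed calls consume budget
        return Result("ALLOW", f"{len(stamps)}/{self.limit} calls in window")


class Pipeline:
    def __init__(self, evaluators):
        self.evaluators = list(evaluators)

    def add(self, evaluator, after=None):
        """Insert after the evaluator named `after`, or append when no position is given."""
        if after is None:
            self.evaluators.append(evaluator)
            return
        names = [e.name for e in self.evaluators]
        self.evaluators.insert(names.index(after) + 1, evaluator)

    def run(self, intent, now=0.0):
        """Most restrictive verdict wins; stop at the first BLOCK so later evaluators
        do not record side effects (such as rate-limit counters) for a call that
        will never execute."""
        final = Result("ALLOW", "no evaluator objected", "pipeline")
        for ev in self.evaluators:
            res = ev.evaluate(intent, now)
            res.evaluator = ev.name
            if VERDICT_RANK[res.verdict] > VERDICT_RANK[final.verdict]:
                final = res
            if res.verdict == "BLOCK":
                break
        return final
```

The ordering matters for the same reason the README puts the schema validator first: a malformed intent should be rejected before it reaches evaluators that keep state, and a rate limiter keyed on `(agent_id, action_type)` keeps one chatty sub-agent from consuming another agent's budget for the same tool.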
Multi-Agent Support
- Trust Ledger: register agents with trust levels (HUMAN, ORCHESTRATOR, PEER, SUB_AGENT)
- Instruction Chain: immutable provenance tracking across delegation hops
- Cascade Controller: loop detection, depth limits, concurrent delegation caps
- Global Budget: cross-agent cost aggregation with gaming detection
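The trust ledger, instruction chain and cascade controller work together on every delegation hop. The block below is an added example, not plyra-guard's own code, showing one way those three ideas combine for the agents registered in the Quickstart and the `can_delegate_to` list in the YAML: the chain is an immutable tuple of agent ids (provenance), the ledger answers "may src hand work to dst", and the controller refuses a hop that would re-enter an agent already in the chain (loop) or exceed the depth limit. The numeric ordering of the trust levels, the "explicit allowlist wins, otherwise trust must strictly decrease" rule, and the `Decision` type are assumptions made for this example.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Tuple


class TrustLevel(IntEnum):
    """Ordered trust tiers, named as in the README (ordering is an assumption)."""
    SUB_AGENT = 1
    PEER = 2
    ORCHESTRATOR = 3
    HUMAN = 4


class TrustLedger:
    def __init__(self):
        self._agents = {}   # agent_id -> (TrustLevel, frozenset of allowed delegates)

    def register_agent(self, agent_id, level, can_delegate_to=()):
        self._agents[agent_id] = (level, frozenset(can_delegate_to))

    def is_registered(self, agent_id):
        return agent_id in self._agents

    def may_delegate(self, src, dst) -> bool:
        """An explicit can_delegate_to list wins; otherwise work may only flow
        to an agent of strictly lower trust, so peers cannot hand work sideways."""
        if not (self.is_registered(src) and self.is_registered(dst)):
            return False
        level, allowed = self._agents[src]
        if allowed:
            return dst in allowed
        return level > self._agents[dst][0]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    chain: Tuple[str, ...]   # immutable instruction chain (provenance of the task)


class CascadeController:
    def __init__(self, ledger: TrustLedger, max_depth: int):
        self.ledger, self.max_depth = ledger, max_depth

    def delegate(self, chain, src, dst) -> Decision:
        """Validate one hop src -> dst appended to an existing chain."""
        if not chain or chain[-1] != src:
            return Decision(False, f"{src} is not the current holder of the task", chain)
        if dst in chain:
            return Decision(False, f"loop: {dst} already in {' -> '.join(chain)}", chain)
        if len(chain) >= self.max_depth:
            return Decision(False, f"depth limit {self.max_depth} reached", chain)
        if not self.ledger.may_delegate(src, dst):
            return Decision(False, f"{src} may not delegate to {dst}", chain)
        return Decision(True, "ok", chain + (dst,))


def build_demo_ledger():
    """Constructed registry mirroring the README's agents and YAML `can_delegate_to`."""
    ledger = TrustLedger()
    ledger.register_agent("orchestrator", TrustLevel.ORCHESTRATOR, ["worker-1", "worker-2"])
    ledger.register_agent("worker-1", TrustLevel.PEER)
    ledger.register_agent("worker-2", TrustLevel.PEER)
    ledger.register_agent("email-agent", TrustLevel.SUB_AGENT)
    return ledger
```

Because the chain is a tuple that is only ever extended, a sub-agent cannot rewrite its own provenance to look like it was instructed by a human, and every Decision carries the full chain so an audit log entry can record who asked whom.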
Rollback System
- Automatic pre-execution state snapshots
- Built-in handlers for files, databases, and HTTP (compensation endpoints)
- Cross-agent `rollback_task()` undoes actions in reverse order
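Why "reverse order" is load-bearing is easiest to see with two agents writing the same file inside one task. The block below is an added example, not plyra-guard's rollback system: a ledger that snapshots a file before each guarded write, records the task and agent, and on `rollback_task()` restores snapshots newest-first, so the file ends at its pre-task state regardless of how many agents touched it and which order they ran in. The `RollbackLedger`, `FileWriteHandler` and `Snapshot` names are assumptions; the demo runs entirely inside a temporary directory.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Snapshot:
    """Pre-execution state of one file: whether it existed and its bytes."""
    path: str
    existed: bool
    content: Optional[bytes]


class FileWriteHandler:
    """Rollback handler for file writes (the README lists file handlers among the built-ins)."""

    def snapshot(self, path: str) -> Snapshot:
        if os.path.exists(path):
            with open(path, "rb") as fh:
                return Snapshot(path, True, fh.read())
        return Snapshot(path, False, None)

    def restore(self, snap: Snapshot) -> None:
        if snap.existed:
            with open(snap.path, "wb") as fh:
                fh.write(snap.content)
        elif os.path.exists(snap.path):
            os.remove(snap.path)     # file did not exist before: undo means delete it


class RollbackLedger:
    """Records (task_id, agent_id, handler, snapshot) for every guarded action."""

    def __init__(self):
        self.entries = []

    def guarded_write(self, task_id, agent_id, path, data: bytes):
        handler = FileWriteHandler()
        snap = handler.snapshot(path)          # snapshot BEFORE the action runs
        self.entries.append((task_id, agent_id, handler, snap))
        with open(path, "wb") as fh:
            fh.write(data)

    def rollback_task(self, task_id):
        """Undo every action of the task, newest first, whichever agent performed it."""
        undone = []
        for t_id, agent_id, handler, snap in reversed(self.entries):
            if t_id != task_id:
                continue
            handler.restore(snap)
            undone.append((agent_id, os.path.basename(snap.path)))
        self.entries = [e for e in self.entries if e[0] != task_id]
        return undone


def demo():
    """Three agents write under task-001, one under task-002; only task-001 is rolled back."""
    with tempfile.TemporaryDirectory() as tmp:
        report = os.path.join(tmp, "report.txt")
        with open(report, "wb") as fh:
            fh.write(b"v0")                     # constructed starting state
        ledger = RollbackLedger()
        ledger.guarded_write("task-001", "orchestrator", report, b"v1")
        ledger.guarded_write("task-001", "email-agent", report, b"v2")
        ledger.guarded_write("task-001", "code-agent", os.path.join(tmp, "new.txt"), b"x")
        ledger.guarded_write("task-002", "code-agent", os.path.join(tmp, "other.txt"), b"y")
        undone = ledger.rollback_task("task-001")
        with open(report, "rb") as fh:
            report_after = fh.read()
        return {
            "undone": undone,
            "report": report_after,
            "new_exists": os.path.exists(os.path.join(tmp, "new.txt")),
            "other_exists": os.path.exists(os.path.join(tmp, "other.txt")),
            "remaining_tasks": sorted({e[0] for e in ledger.entries}),
        }


if __name__ == "__main__":
    print(demo())
```

Had the ledger restored in recording order, `report.txt` would have ended at `v1` (the email-agent's snapshot, taken after the orchestrator's write, would be applied last). Restoring newest-first unwinds the writes like a stack and leaves `v0`, and the untouched `task-002` entry stays in the ledger for its own rollback.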
HTTP Sidecar
Language-agnostic access via HTTP:
```shell
plyra-guard serve --config guard_config.yaml --port 8080

curl -X POST http://localhost:8080/evaluate \
  -H "Content-Type: application/json" \
  -d '{"action_type": "file.read", "parameters": {"path": "/tmp/test"}, "agent_id": "my-agent"}'
```
Important Defaults for Production
When moving from local development to production, please note the following default behaviors:
- `StdoutExporter` is enabled by default in `DEFAULT_CONFIG`. This means every evaluated action prints a JSON audit line to stdout. If this is too noisy for your production logs, override it in your YAML config by setting `observability.exporters: []` or switching to a `webhook` or `otel` exporter.
- The `SnapshotManager` persists state to `~/.plyra/snapshots.db` (or your platform's default app data directory) via SQLite. This keeps rollback state available across runs, but be aware that local disk writes happen automatically on first initialization.
- The sidecar's HTTP `CORSMiddleware` uses `allow_origins=["*"]`. This is convenient for local dashboard development. In production deployments that expose the sidecar externally, put it behind a strict API gateway or configure CORS constraints explicitly.
Documentation
| Guide | Description |
|---|---|
| Quickstart | Get started in 5 minutes |
| Architecture | How plyra-guard works internally |
| Policy Reference | YAML policy syntax and built-in functions |
| Multi-Agent Guide | Trust, delegation, and cascading |
| Rollback Guide | Snapshot and rollback system |
| Adapters | Framework integration details |
| API Reference | Full public API documentation |
Contributing
We welcome contributions! See CONTRIBUTING.md for detailed guidelines.
```shell
git clone https://github.com/plyra/plyra-guard.git
cd plyra-guard
pip install -e ".[dev,sidecar]"
pytest tests/ -v
```
License
Apache-2.0 License; see LICENSE for details.
plyra-guard is part of the Plyra suite. Explore the full stack at plyra.dev.
| Library | Purpose | Status |
|---|---|---|
| plyra-guard | Action safety middleware | stable |
| plyra-memory | Tiered agent memory | coming soon |
| plyra-trace | Observability & debugging | coming soon |
| plyra-budget | Cost optimization | coming soon |
| plyra-mesh | Multi-agent communication | coming soon |
File details
Details for the file plyra_guard-0.1.8.tar.gz.
File metadata
- Download URL: plyra_guard-0.1.8.tar.gz
- Upload date:
- Size: 99.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 272a3bb36b448eb5705e0104f5ae0390f5ace20f1c82c20301513f6001c5d397 |
| MD5 | 064c8a4f4fe9a0af2d1ac5a087e3f111 |
| BLAKE2b-256 | e79d61e8dc852aca073dd24967f31327aa498cf2023732a1f019298a45b74ebf |
Provenance
The following attestation bundles were made for plyra_guard-0.1.8.tar.gz:
- Publisher: publish.yml on plyraAI/plyra-guard
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: plyra_guard-0.1.8.tar.gz
- Subject digest: 272a3bb36b448eb5705e0104f5ae0390f5ace20f1c82c20301513f6001c5d397
- Sigstore transparency entry: 976476124
- Sigstore integration time:
- Permalink: plyraAI/plyra-guard@5e679f90a1d6bafb3edd5d59ac6d09db942b0f49
- Branch / Tag: refs/tags/v0.1.8
- Owner: https://github.com/plyraAI
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@5e679f90a1d6bafb3edd5d59ac6d09db942b0f49
- Trigger Event: push
File details
Details for the file plyra_guard-0.1.8-py3-none-any.whl.
File metadata
- Download URL: plyra_guard-0.1.8-py3-none-any.whl
- Upload date:
- Size: 105.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | b0077dcb6fc501c6c9b0f6a8c193db996cd3daa5d7ab5a507196280c3307b55b |
| MD5 | 32df4255d0748933350fdf0dc91bf198 |
| BLAKE2b-256 | cf16a5baf528c1611edf8a045e1b27db39695b196b5bc4463c2f55f91f636444 |
Provenance
The following attestation bundles were made for plyra_guard-0.1.8-py3-none-any.whl:
- Publisher: publish.yml on plyraAI/plyra-guard
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: plyra_guard-0.1.8-py3-none-any.whl
- Subject digest: b0077dcb6fc501c6c9b0f6a8c193db996cd3daa5d7ab5a507196280c3307b55b
- Sigstore transparency entry: 976476125
- Sigstore integration time:
- Permalink: plyraAI/plyra-guard@5e679f90a1d6bafb3edd5d59ac6d09db942b0f49
- Branch / Tag: refs/tags/v0.1.8
- Owner: https://github.com/plyraAI
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: publish.yml@5e679f90a1d6bafb3edd5d59ac6d09db942b0f49
- Trigger Event: push