py-toolguard 6.0.0

Cloudflare for AI Agents. 7-layer security interceptor and observability dashboard.

🛡️ ToolGuard

The "Cloudflare for AI Agents". 7-layer security interceptor, real-time observability dashboard, and automated reliability testing for MCP and AI tool chains.

---

Operations vs. Engineering

📻 Use the Dashboard (toolguard dashboard) when:

• Live Monitoring: You are running an agent and want to watch it work in real-time.
• Visualizing Crashes: You see a BLOCKED event and want to inspect the JSON Payload or the DAG Timeline to see exactly why the semantic layer fired.
• Demos & Presentations: It’s the best way to show someone (or a client) how the security mesh actually protects the system.
• Post-Mortem: Reviewing the history of traces to identify "hallucination drifts" over time. 🦇

⌨️ Use the Terminal (toolguard run / test) when:

• CI/CD Pipelines: You want the build to fail automatically if the reliability score drops below 95%.
• Rapid Iteration: You just changed one line of code and want a 1-second "Fuzz Check" without leaving your IDE.
• Headless Servers: You’re deploying to a Docker container or AWS/GCP where you don't have a web browser.
• Local Replay: Using toolguard replay to step through a specific failure payload you found earlier. ⚡
• Schema Drift Enforcement: Using toolguard drift check --fail-on-drift in your CI/CD to ensure the LLM hasn't silently mutated its JSON payload structure since your last commit.

Catch cascading failures before production. Make agent tool calling as predictable as unit tests made software reliable.

---

🧠 What ToolGuard Actually Solves

Right now, developers don't deploy AI agents because they are fundamentally unstable. They crash.

There are two layers to AI:

1. Layer 1: Intelligence (evals, reasoning, accurate answers)
2. Layer 2: Execution (tool calls, chaining, JSON payloads, APIs)

ToolGuard does not test Layer 1. We do not care if your AI is "smart" or makes good decisions. That is what eval frameworks are for.

ToolGuard mathematically proves Layer 2. We solve the problem of agents crashing at 3 AM because the LLM hallucinated a JSON key, passed a string instead of an int, or an external API timed out.

"We don't make AI smarter. We make AI systems not break."

---

🚀 Zero Config — Try It in 60 Seconds

pip install py-toolguard
toolguard run my_agent.py

That's it. ToolGuard auto-discovers your tools, fuzzes them with hallucination attacks (nulls, type mismatches, missing fields), and prints a reliability report. Zero config needed.

🚀 Auto-discovered 3 tools from my_agent.py
   • fetch_price (2 params)
   • calculate_position (3 params)
   • generate_alert (2 params)

🧪 Running 42 fuzz tests...

╔══════════════════════════════════════════════════════════════╗
║  Reliability Score: my_agent                                 ║
╠══════════════════════════════════════════════════════════════╣
║  Score:       64.3%                                          ║
║  Risk Level: 🟠 HIGH                                         ║
║  Deploy:     🚫 BLOCK                                        ║
╠══════════════════════════════════════════════════════════════╣
║  ⚠️  Top Risk: Null values propagating through chain         ║
║  ⚠️  Bottleneck Tools:                                       ║
║    → fetch_price       (50% success)                         ║
║    → generate_alert    (42% success)                         ║
╚══════════════════════════════════════════════════════════════╝

💡 fetch_price: Add null check for 'ticker' — LLM hallucinated None
💡 generate_alert: Field 'severity' expects int, got str from upstream tool

Or with Python:

from toolguard import create_tool, test_chain, score_chain

@create_tool(schema="auto")
def parse_csv(raw_csv: str) -> dict:
    lines = raw_csv.strip().split("\n")
    headers = lines[0].split(",")
    records = [dict(zip(headers, line.split(","))) for line in lines[1:]]
    return {"headers": headers, "records": records, "row_count": len(records)}

report = test_chain(
    [parse_csv],
    base_input={"raw_csv": "name,age\nAlice,30\nBob,35"},
    test_cases=["happy_path", "null_handling", "malformed_data", "type_mismatch", "missing_fields"],
)

score = score_chain(report)
print(score.summary())

---

🤖 How ToolGuard is Different

Most testing tools (LangSmith, Promptfoo) test your agent by sending prompts to a live LLM. It is slow, expensive, and non-deterministic.

ToolGuard does NOT use an LLM to run its tests.

When you decorate a function with @create_tool(schema="auto"), ToolGuard reads your Python type hints and automatically generates a Pydantic schema. It then uses that schema to know exactly which fields to break, which types to swap, and which values to null — no manual configuration needed.

It acts like a deterministic fuzzer for AI tool execution, programmatically injecting the exact types of bad data that an LLM would accidentally generate in production:

1. Missing dictionary keys
2. Null values propagating down the chain
3. str instead of int
4. Massive 10MB payloads to stress your server
5. Extra/unexpected fields in JSON

ToolGuard doesn't test if your AI is smart. It tests if your Python code is bulletproof enough to survive when your AI does something stupid — running in 1 second and costing $0 in API fees.

---

Features

🛡️ Layer-2 Security Firewall (V3.0)

ToolGuard features an impenetrable execution-layer security framework protecting production servers from critical LLM exploits.

• Human-in-the-Loop Risk Tiers: Mark destructive tools with @create_tool(risk_tier=2). ToolGuard mathematically intercepts these calls and natively streams terminal approval prompts before execution, gracefully protecting asyncio event loops and headless daemon environments.
• Recursive Prompt Injection Fuzzing: The test_chain fuzzer automatically injects [SYSTEM OVERRIDE] execution payloads into your pipelines. A bespoke recursive depth-first memory parser scans internal custom object serialization, byte arrays, and .casefold() string mutations to eliminate zero-day blind spots.
• Golden Traces (DAG Instrumentation): With two lines of code (with TraceTracker() as trace:), ToolGuard natively intercepts Python contextvars to construct a chronologically perfect Directed Acyclic Graph of all tools orchestrated by LangChain, CrewAI, Swarm, and AutoGen.
• Non-Deterministic Verification: Punishing an AI for self-correcting is an anti-pattern. Developers use trace.assert_sequence(["auth", "refund"]) to mathematically enforce mandatory compliance checkpoints while permitting the LLM complete freedom to autonomously select supplementary network tools.

🛡️ 7-Layer Security Interceptor Waterfall (v6.0.0)

With the v6.0.0 Update, we are moving beyond simple validation. We are introducing a 7-Layer Security Interceptor Waterfall for the Model Context Protocol (MCP):

1. L1 — Policy: An immutable “Allow/Deny” list with absolute casing normalization. Stop dangerous tools from ever being contacted.
2. L2 — Risk-Tier (Human-in-the-Loop Safe): Upgraded to a 4-Tier production-grade risk architecture.
   • Tier 1: Standard tools (auto-approve).
   • Tier 2: Restricted tools (requires human Y/N approval). Features a configurable auto-deny timeout mapping to prevent hanging unattended terminals, and TTL Approval Caching for high-volume looping LLM executions.
   • Tier 3: Critical tools (requires the human to type the exact tool name to double-confirm).
   • Tier 4: Forbidden tools (always denied without override). If deployed to a headless Docker/AWS environment without a terminal, it automatically detects the state via sub-tty validation and Fail-Closes instantly to prevent infinite thread deadlocks.
3. L3 — Deep-Memory Injection Defense: Our most advanced scanner yet. A recursive DFS parser that natively decodes binary streams (bytes/bytearray) to detect hidden prompt injections that bypass surface-level text filters, and utilizes strict depth limits to prevent Stack-Buster DoS attacks.
4. L4 — Rate-Limit: A sliding-window cap to prevent LLM loops from burning your API budget. Now built with strictly thread-safe, atomic JSON disk-persistence to survive server "Restart Amnesia."
5. L5 — Semantic Validation: catches DROP TABLE or path traversal before execution. Now structurally powered by an Obfuscation Unroller that automatically intercepts URL-encoded and Base64-masked payloads (L2V0Yy9wYXNzd2Q=) prior to canonical evaluation.
6. L6 — Strict Schema Drift Enforcement: Our most rigorous layer. Compares live LLM tool payloads against frozen structural baselines. Unlike other tools that just log changes, ToolGuard blocks any unauthorized field additions (Major Severity) to prevent data exfiltration and "shadow" agent behavior. Powered by a pristine SQLite backend configured with PRAGMA WAL and 30-Second Thread Queuing to elegantly survive 200+ concurrent LangGraph connections.
7. L7 — Real-Time Trace: Full DAG instrumentation of every execution via Python contextvars, with per-tool latency metrics on every TraceNode. Asynchronous JSON dump files are continuously pushed locally to power live SSE observability dashboards without blocking proxy execution.

📉 Schema Drift Detection Engine (L6)

LLM providers silently update their models. A payload that historically returned integers might suddenly return strings, instantly crashing your type-strict backend. ToolGuard's structural diffing engine infers JSON Schema constraints from live data, freezes them into cryptographic SQLite fingerprints, and violently rejects structural deviations (like renaming temperature to temp) before they reach your network edge.

⚡ Performance as a Security Feature (0ms Latency)

High security usually means high overhead. Not here. We’ve mathematically proven that ToolGuard v5.1.2 adds 0ms of net latency to the agent’s transaction. All alerting (Slack, Discord, Datadog) is offloaded to background worker pools. Your agent stays fast; your security stays tight.

🔍 Schema Validation

Automatic Pydantic input/output validation from type hints. No manual schemas needed.

@create_tool(schema="auto")
def fetch_price(ticker: str) -> dict:
    ...

📉 Schema Drift Management

When using models like GPT-5.4 or Gemini 3.1 Flash, they can silently change field names (e.g., temperature to temp), field types, or drop required fields. ToolGuard v6.0.0 allows you to take cryptographic "snapshots" of what the payload should look like, and then block live traffic or fail CI/CD builds if the model drifts from that baseline.

Step 1: Freeze Your Baseline (Run this locally when you build your agent)

# Take a snapshot from a known-good JSON payload saved to a file
# Note: The -m flag accepts ANY string! (e.g., 'gpt-5.4', 'claude-4.6-sonnet', 'gemini-3.1-flash')
toolguard drift snapshot -o output.json -t update_metrics -m claude-4.6-sonnet

# OR extract the baseline directly from your Pydantic schemas
toolguard drift snapshot-pydantic src/agent_schema.py

# View your active baseline repository
toolguard drift list

Step 2: Enforce the Baseline (Run this in your GitHub Actions / CI pipeline)

# Automatically scans all recent execution traces. 
# If the LLM has started hallucinating different JSON structures, the build fails.
toolguard drift check --fail-on-drift

🔗 Chain Testing

Test multi-tool chains against 9 edge-case categories: null handling, type mismatches, missing fields, malformed data, large payloads, and more.

report = test_chain(
    [fetch_price, calculate_position, generate_alert],
    base_input={"ticker": "AAPL"},
    test_cases=["happy_path", "null_handling", "type_mismatch"],
)

⚡ Async Support

Works with both def and async def tools transparently. No special flags needed.

@create_tool(schema="auto")
async def fetch_from_api(url: str) -> dict:
    async with httpx.AsyncClient() as client:
        resp = await client.get(url)
        return resp.json()

# Same API — ToolGuard handles the async automatically
report = test_chain([fetch_from_api, process_data], assert_reliability=0.95)

📻 The "Obsidian" Live Web Dashboard (v5.0.0)

ToolGuard includes a stunning, high-contrast, dark-mode web dashboard for monitoring live agent execution and security traces.

# Launch the live proxy monitor
toolguard dashboard

It streams live concurrent security interventions via SSE (Server-Sent Events) and tracks precisely which functions get blocked under payload injection. Built with a dedicated hacker-style "Terminal Elite" aesthetic, featuring a real-time Sentinel HUD (L1-L7) and structural DAG timeline analysis.

🛡️ Anthropic MCP Security Proxy (v5.1.0)

ToolGuard now includes a language-agnostic Secure Proxy for the Model Context Protocol. It sits between your MCP client (Claude Desktop, etc.) and your MCP server, enforcing the 7-layer security mesh at the transport level.

# Secure any MCP server with the ToolGuard firewall
toolguard proxy --upstream "python mcp_server.py" --verbose
# Apply a specific security policy (Golden Traces, Risk Tiers)
toolguard proxy --upstream "npx dev-server" --policy policy.yaml

This is the only version of ToolGuard that allows you to secure agents built in JavaScript, Go, or Rust by intercepting the raw JSON-RPC tool-calling payloads.

📊 Reliability Scoring

Quantified trust with risk levels and deployment gates.

score = score_chain(report)
if score.deploy_recommendation.value == "BLOCK":
    sys.exit(1)  # CI/CD gate

⏪ Local Crash Replay

When a remote tool crashes in production or tests, ToolGuard automatically dumps the structured JSON payload. You can instantly replay the exact crashing state locally to view the stack trace.

toolguard run my_agent.py --dump-failures
toolguard replay .toolguard/failures/fail_1774068587_0.json

🎯 Edge-Case Test Coverage

ToolGuard gives you PyTest-style coverage metrics. Instead of arbitrary line-coverage, it calculates exactly what percentage of the 9 known LLM hallucination categories (nulls, missing fields, type mismatches, etc.) your tests successfully covered, and lists what is untested.

⚡ The Minimal API

For rapid Jupyter Notebook testing and quick demos, use the highly portable 1-line Python wrapper.

from toolguard import quick_check

quick_check(my_agent_function, test_cases=["happy_path", "null_handling"])

🔄 Retry & Circuit Breaker

Production-grade resilience patterns built-in.

from toolguard import with_retry, RetryPolicy, CircuitBreaker, with_circuit_breaker

@with_retry(RetryPolicy(max_retries=3, backoff_base=0.5))
def call_api(data: dict) -> dict: ...

breaker = CircuitBreaker(failure_threshold=5, reset_timeout=60)

@with_circuit_breaker(breaker)
def call_flaky_service(data: dict) -> dict: ...

🖥️ CLI Commands

toolguard proxy --upstream "mcp-server.py"         # 🛡️ Run the language-agnostic 7-layer MCP proxy
toolguard dashboard                                # 🦇 Launch the Obsidian live web dashboard
toolguard run my_agent.py                          # 🚀 Zero-config auto-fuzz/test
toolguard test --chain my_chain.yaml               # 🧪 YAML-based chain test
toolguard replay fail_17740.json                   # ⏪ Local crash replay for debugging
toolguard badge                <div class="cmd-line">
                    <span class="cmd-prefix">$</span><span class="cmd-text">toolguard monitor --live --v6.0.0-Hardened --obsidian</span>
                </div># 🔍 Check Python tool compatibility
toolguard observe --tools my_tools.py              # 📈 View tool performance stats
toolguard init --name my_project                   # 🏗️ Scaffold a new project

# Schema Drift Commands
toolguard drift snapshot                           # 📸 Freeze a payload baseline
toolguard drift snapshot-pydantic my_models.py     # 📸 Freeze Pydantic classes natively
toolguard drift check --fail-on-drift              # 🔒 Test logs against frozen baselines (CI/CD)
toolguard drift list                               # 📜 List all frozen Schema baselines

---

🔌 Native Framework Integrations

ToolGuard is fully drop-in ready for the following 10 native frameworks and protocols:

• 🦜🔗 LangChain: Native BaseTool wrapping with guard_langchain_tool.
• 🚀 CrewAI: Native crewai.tools.BaseTool interception.
• 🦙 LlamaIndex: Complete support for FunctionTool.
• 🤖 Microsoft AutoGen: Native autogen_core tool-calling wrapping.
• 🐝 OpenAI Swarm: 1-line agent tool-guarding with guard_swarm_agent.
• 🧪 OpenAI Assistants: Native SDK support for function-calling threads.
• ♊ Google Gemini (ADK): Native Google AI SDK tool-calling security.
• ⚡ FastAPI: Automatic security middleware for Tool/Action endpoints.
• 🛠️ OpenAI Function Calling: Clean, standard tools dictionary export.
• 🌐 Anthropic MCP (Protocol): Language-agnostic transport-level proxy (JS/Go/Rust).

ToolGuard works with your existing tools. No rewrites needed — just wrap and fuzz.

# 🦜🔗 LangChain
from langchain_core.tools import tool
from toolguard import test_chain
from toolguard.integrations.langchain import guard_langchain_tool

@tool
def search(query: str) -> str:
    """Search the web."""
    return f"Results for {query}"

guarded = guard_langchain_tool(search)
report = test_chain([guarded], base_input={"query": "hello"})

# 🚀 CrewAI
from crewai.tools import BaseTool
from toolguard.integrations.crewai import guard_crewai_tool

guarded = guard_crewai_tool(my_crew_tool)

# 🦙 LlamaIndex
from llama_index.core.tools import FunctionTool
from toolguard.integrations.llamaindex import guard_llamaindex_tool

llama_tool = FunctionTool.from_defaults(fn=my_function)
guarded = guard_llamaindex_tool(llama_tool)

# 🤖 Microsoft AutoGen
from autogen_core.tools import FunctionTool
from toolguard.integrations.autogen import guard_autogen_tool

autogen_tool = FunctionTool(my_function, name="my_tool", description="...")
guarded = guard_autogen_tool(autogen_tool)

# 🐝 OpenAI Swarm
from swarm import Agent
from toolguard.integrations.swarm import guard_swarm_agent

agent = Agent(name="My Agent", functions=[func_a, func_b])
guarded_tools = guard_swarm_agent(agent)  # Returns list of GuardedTools

# ⚡ FastAPI
from toolguard.integrations.fastapi import as_fastapi_tool

guarded = as_fastapi_tool(my_endpoint_function)

All 10 integrations tested with real pip-installed libraries — not mocks, not duck-types.

🧹 100% Authentic Testing (Zero-Mock Swarm Testing)

ToolGuard's integration suite runs exclusively against the actual PyPI codebase implementations of LangChain, AutoGen, and Gemini. We have mathematically verified the 7-Layer Firewall against live agentic LangGraph Swarms over the internet using the real Google GenAI SDK. There is absolutely no faked compatibility—it is production-hardened for real-world execution.

In our live_langgraph_swarm.py tests, 3 separate Google Gemini Flash models are launched concurrently across the network to attack ToolGuard simultaneously. ToolGuard natively intercepts the live async network streams, instantly detects malicious Base64 executions, and securely halts them locally before they ever touch your operating system.

---

🏗️ CI/CD Integration

GitHub Action

Add to any repo — auto-comments on PRs with reliability scores:

# .github/workflows/toolguard.yml
name: ToolGuard Reliability Check
on: [pull_request]

jobs:
  reliability:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: Harshit-J004/toolguard@main
        with:
          script_path: src/agent.py
          github_token: ${{ secrets.GITHUB_TOKEN }}
          reliability_threshold: "0.95"

PR Comment Example:

🚨 ToolGuard Reliability Check (BLOCKED)

Chain: my_agent Reliability Score: 64.3% (Threshold: 95%)

Warning: The PR introduces agent fragility. 3 tools will crash if the LLM hallucinates null.

JUnit XML (Jenkins / GitLab CI)

toolguard test --chain config.yaml --junit-xml results.xml

Generates standard <testsuites> XML that Jenkins, GitLab CI, and CircleCI parse natively.

Reliability Badges

toolguard badge

Generates shields.io badge markdown for your README:

---

📡 Observability & Production Alerts

1. Zero-Latency Hallucination Alerts

Catch "LLM drift" in production. When an LLM hallucinates a bad JSON payload, ToolGuard instantly fires a background alert to your team without slowing down the agent:

import toolguard

toolguard.configure_alerts(
    slack_webhook_url="https://hooks.slack.com/...",
    discord_webhook_url="https://discord.com/api/webhooks/...",
    datadog_api_key="my-api-key",
    generic_webhook_url="https://my-dashboard.com/api/ingest"
)

Built with background thread pools so network requests never block the LLM runtime.

2. OpenTelemetry Tracing

Tracing works out of the box with Jaeger, Zipkin, Datadog, and more.

from toolguard.core.tracer import init_tracing, trace_tool

init_tracing(service_name="my-agent")

@trace_tool
def my_tool(data: dict) -> dict: ...

---

Architecture

toolguard/
├── core/
│   ├── validator.py      # @create_tool decorator + GuardedTool (sync + async)
│   ├── chain.py          # Chain testing engine (8 test types, async-aware)
│   ├── schema.py         # Auto Pydantic model generation
│   ├── scoring.py        # Reliability scoring + deploy gates
│   ├── report.py         # Failure analysis + suggestions
│   ├── errors.py         # Exception hierarchy + correlation IDs
│   ├── drift.py          # Schema Drift Detection Engine
│   ├── drift_store.py    # SQLite fingerprint persistence (WAL mode)
│   ├── retry.py          # RetryPolicy + CircuitBreaker
│   ├── tracer.py         # OpenTelemetry integration
│   └── compatibility.py  # Schema conflict detection
├── alerts/
│   ├── manager.py        # Abstract ThreadPool dispatcher
│   ├── slack.py          # Block Kit formatting
│   ├── discord.py        # Embed formatting
│   └── datadog.py        # HTTP Metrics + Events sink
├── cli/
│   └── commands/         # run, test, check, observe, badge, init
├── reporters/
│   ├── console.py        # Rich terminal output
│   ├── html.py           # Standalone HTML reports
│   ├── junit.py          # JUnit XML for Jenkins/GitLab CI
│   └── github.py         # GitHub PR auto-commenter
├── integrations/
│   ├── langchain.py      # LangChain adapter
│   ├── crewai.py         # CrewAI adapter
│   ├── llamaindex.py     # LlamaIndex adapter
│   ├── autogen.py        # Microsoft AutoGen adapter
│   ├── swarm.py          # OpenAI Swarm adapter
│   ├── fastapi.py        # FastAPI middleware
│   └── openai_func.py    # OpenAI function calling export
├── tests/                # 50 tests (sync + async + integration)
├── integration_tests/    # Real-library integration tests
└── examples/
    ├── test_alerts.py              # Phase 4 webhook crash simulation
    ├── weather_chain/              # Working 3-tool example
    └── demo_failing_chain/         # Intentionally buggy (aha moment)

---

Why ToolGuard?

	Without ToolGuard	With ToolGuard
Failure detection	Stack trace at 3 AM	Caught before deploy
Root cause	"TypeError in line 47"	"Tool A returned null for 'price'"
Fix guidance	None	"Add default value OR validate response"
Confidence	"It works on my machine"	"92% reliability, LOW risk"
CI/CD	Manual testing	toolguard run in your pipeline
Cost	$0.10/test (LLM calls)	$0 (deterministic fuzzing)
Speed	30s (API roundtrips)	<1s (local execution)

---

Tech Stack

Component	Technology	Why
Core Language	Python 3.11 - 3.13	Agent ecosystem standard
Schema Validation	Pydantic v2	3.5× faster than JSON Schema
Async	Native asyncio	Enterprise-grade concurrency
Testing	pytest (50 tests)	CI/CD native
Observability	OpenTelemetry	Vendor-neutral
CLI	Click + Rich	Beautiful terminal UX
CI/CD	GitHub Actions + JUnit	First-class pipeline support
Distribution	PyPI	pip install py-toolguard

---

License

MIT — use it, fork it, ship it.

---

Built to make AI agents actually work in production.

GitHub · PyPI