LangChain adapter for Sentinel AI agent governance — wrap any LangChain tool so every call is authorized (and audited) by the Sentinel gateway before it runs. Private beta: cosimo@plannest.net
Project description
sentinel-agent-trust-langchain
LangChain adapter for Sentinel AI — the identity & governance layer for AI agents. Wrap any LangChain tool so that every call is authorized (and audited) by the Sentinel gateway before it runs: your tool code and your agent code stay untouched.
Sentinel is in private beta. For source access, a hosted sandbox organization key, or to collaborate: cosimo@plannest.net
Install
pip install sentinel-agent-trust-langchain
Depends only on the public SDK (sentinel-agent-trust) and langchain-core
— no heavyweight extras.
Quickstart
import os
from langchain_core.tools import tool
from sentinel_langchain import SentinelGuard
@tool
def create_refund(customer: str, amount: float) -> str:
"""Issue a refund to a customer."""
return billing.refund(customer, amount)
guard = SentinelGuard(
agent_id="agt_...",
private_key=os.environ["SENTINEL_AGENT_PRIVATE_KEY"], # base64 Ed25519 seed
gateway_url="https://your-gateway.example.com",
)
tools = guard.wrap_all([create_refund]) # ← the only change to your agent
# then use the governed tools anywhere LangChain tools go:
# from langchain.agents import create_agent
# agent = create_agent(model, tools)
Every tool call is signed with the agent's Ed25519 key and checked against your policies in real time. The wrapped tool keeps the same name, description, and argument schema — the LLM sees no difference.
What the model sees
Sentinel's decision is translated into an observation the model can act on (the underlying tool is never executed unless the gateway approves):
| Gateway outcome | Tool behavior |
|---|---|
200 approved |
the wrapped tool runs, result returned as usual |
403 denied (policy, constraint, budget) |
not executed; observation says the denial is final for these arguments — don't retry, branch |
202 approval required |
not executed; observation carries the approval_id and says to inform the user and retry the identical call after a human approves |
| gateway unreachable | not executed (fail-closed); observation says it's transient and safe to retry |
This mapping is what keeps agents out of retry loops: a policy denial reads as a hard "no", an approval-pending reads as "park it", an outage reads as "try again shortly".
Mapping tools to your policy taxonomy
By default a tool named create_refund is authorized as action
tool.create_refund on resource tool://create_refund, so a single policy
with action_pattern: "tool.*" governs every wrapped tool. For business-level
policies, map tools explicitly:
tools = guard.wrap_all(
[create_refund, read_contact],
overrides={
"create_refund": {"action": "crm.refund.create", "resource": "crm://refunds"},
"read_contact": {"action": "crm.contact.read", "resource": "crm://contacts/*"},
},
)
…and the policy on the Sentinel side:
{
"action_pattern": "crm.refund.create",
"constraints": {"max_amount": 5000, "max_total_amount_per_day": 20000},
"approval_thresholds": {"amount": 500}
}
Each refund ≤ 5000, at most 20 000/day in total, and a human approves anything from 500 up — enforced outside the model, no prompt engineering.
The tool's parsed arguments are sent as the action payload, so constraints
like max_amount apply to the actual amount argument the model chose.
Async
Both paths are supported: tool.invoke(...) and await tool.ainvoke(...).
The authorization call runs in a worker thread in the async path, so it never
blocks the event loop.
CrewAI and other frameworks
CrewAI (and most agent frameworks) can consume LangChain tools directly, so
wrapping with SentinelGuard before handing tools to your crew works today.
A native CrewAI adapter is on the roadmap.
Demo
With the repo's demo gateway running (cd gateway && go run .):
pip install -e sdk/python -e sdk/adapters/langchain
python examples/langchain_crm_agent.py
License
Apache 2.0 (the adapter and SDKs). The Sentinel platform is licensed separately under BSL 1.1 — see the repository root.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file sentinel_agent_trust_langchain-0.1.1.tar.gz.
File metadata
- Download URL: sentinel_agent_trust_langchain-0.1.1.tar.gz
- Upload date:
- Size: 13.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9be31ecb0ca0d2221b6e8f346bde22a3386dc84d92ec440f0e0acacaab0454ca
|
|
| MD5 |
7d53ff96f731a13398e2bd937bd6c5c5
|
|
| BLAKE2b-256 |
92a1031a1bbef7d687bb3ebf7c8da906d602ddc72be9ee204a8a968df8cec94f
|
Provenance
The following attestation bundles were made for sentinel_agent_trust_langchain-0.1.1.tar.gz:
Publisher:
release.yml on viperformanz/sentinel-ai
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
sentinel_agent_trust_langchain-0.1.1.tar.gz -
Subject digest:
9be31ecb0ca0d2221b6e8f346bde22a3386dc84d92ec440f0e0acacaab0454ca - Sigstore transparency entry: 2175787012
- Sigstore integration time:
-
Permalink:
viperformanz/sentinel-ai@902b69af78d5c662d5885a6e2a57e25456ed3805 -
Branch / Tag:
refs/tags/adapter-langchain-v0.1.1 - Owner: https://github.com/viperformanz
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@902b69af78d5c662d5885a6e2a57e25456ed3805 -
Trigger Event:
push
-
Statement type:
File details
Details for the file sentinel_agent_trust_langchain-0.1.1-py3-none-any.whl.
File metadata
- Download URL: sentinel_agent_trust_langchain-0.1.1-py3-none-any.whl
- Upload date:
- Size: 12.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d382ef10344b968fdd64ae54ed4a7d211d3c127b723ae60f4e8b79bc043b94f2
|
|
| MD5 |
113d0696924e306a9e0d9dbc6460030e
|
|
| BLAKE2b-256 |
6bde864f63a4c52437d1f8b8a1777815b0d9490c0fd40e5877878cc86fb8b08f
|
Provenance
The following attestation bundles were made for sentinel_agent_trust_langchain-0.1.1-py3-none-any.whl:
Publisher:
release.yml on viperformanz/sentinel-ai
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
sentinel_agent_trust_langchain-0.1.1-py3-none-any.whl -
Subject digest:
d382ef10344b968fdd64ae54ed4a7d211d3c127b723ae60f4e8b79bc043b94f2 - Sigstore transparency entry: 2175787073
- Sigstore integration time:
-
Permalink:
viperformanz/sentinel-ai@902b69af78d5c662d5885a6e2a57e25456ed3805 -
Branch / Tag:
refs/tags/adapter-langchain-v0.1.1 - Owner: https://github.com/viperformanz
-
Access:
private
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@902b69af78d5c662d5885a6e2a57e25456ed3805 -
Trigger Event:
push
-
Statement type: