The action layer for AI agents — control, record, compound.
Project description
Suvra
Suvra — the action layer for AI agents. Control what they do, remember everything they did, and get smarter every time they do it.
Suvra intercepts every dangerous action your AI agent takes — rm -rf, DROP TABLE,
force-pushes, prod deploys, secret-file access — blocks the catastrophic ones by default,
routes the risky ones to a human for approval in Slack, and keeps a deterministic audit
trail. One line to install. No YAML required to get value.
Why
Suvra stops your agents from destroying things. Autonomous coding and ops agents are now routinely given real shell, database, and cloud access — and they occasionally use it to catastrophic effect, including a widely-reported incident where a coding agent wiped a production database during a code freeze, agents that have deleted files and entire inboxes while "cleaning up," and runaway tool-call loops that fire the same destructive command hundreds of times before anyone notices. Suvra sits between your agent and the real world so the first time it tries something like that, it gets blocked instead of executed.
Quickstart (under 5 minutes)
pip install suvra
Watch it block catastrophic actions in a scripted demo:
suvra demo # watch it block catastrophic actions
Protect Claude Code with a PreToolUse hook:
suvra init claude-code # protect Claude Code with a PreToolUse hook
Put a firewall in front of any MCP server:
suvra mcp wrap -- npx -y @modelcontextprotocol/server-filesystem . # firewall any MCP server
That's it — no Docker, no Postgres, no bootstrap tokens, no policy file required to get value on day one.
What it catches
Suvra ships a deterministic, zero-config classifier that runs before any policy engine. It is a regex/parser-based classifier — not an LLM, not a network call — so decisions are sub-millisecond and reproducible.
| Class of action | Examples | Default outcome |
|---|---|---|
| Destructive shell | rm -rf, mkfs, dd of=/dev/*, fork bombs, chmod -R 777, curl | bash |
Blocked |
| Destructive SQL | DROP TABLE, TRUNCATE, DELETE/UPDATE without WHERE (incl. via psql/mysql -e) |
Blocked |
| Force-push / history rewrite | git push --force to protected branches, git reset --hard |
Blocked |
| Infra destroy | kubectl delete, terraform destroy / -auto-approve |
Blocked |
| Secret-file access | .env, private keys, credential files |
Gated for approval |
| Mass deletes | Bulk file/record deletion above a safe threshold | Gated for approval |
Everything else is deferred to policy (or allowed, if no policy is configured). When a policy file is present, the built-in classifier and your policy both run, and the more restrictive decision wins — the classifier is a floor, not a ceiling.
Deterministic guarantees:
- No LLM in the decision path.
- No network calls to reach a decision.
- Sub-millisecond evaluation.
- Every decision is explainable — you can see exactly which rule fired and why.
Human approvals
Actions classified as risky (or matched by a needs_approval policy rule) don't get
silently blocked — they pause and wait for a human.
- The agent's action is paused and an approval request is created.
- If
SUVRA_APPROVAL_WEBHOOK_URLis set, Suvra posts a notification to that URL. - Set
SUVRA_APPROVAL_WEBHOOK_FORMAT=slackto get a formatted Slack Block Kit message (action summary, reason, and a link to approve/deny) instead of a raw JSON payload. - Set
SUVRA_DASHBOARD_URLso the notification links straight to the approval in your dashboard. - An approver clicks approve or deny from Slack or the dashboard; the agent's action resumes (or stays blocked) based on that decision.
export SUVRA_APPROVAL_WEBHOOK_URL="https://hooks.slack.com/services/..."
export SUVRA_APPROVAL_WEBHOOK_FORMAT=slack
export SUVRA_DASHBOARD_URL="https://suvra.example.com"
See docs/WEBHOOKS.md for the full payload shape and signature verification.
Beyond zero-config: the policy engine
Zero-config catches the catastrophic cases everyone agrees on. When you need more than that, Suvra has a full deny-by-default policy engine underneath:
- Deny-by-default YAML policies, evaluated deterministically with no LLM in the path.
- A 69-rule built-in library spanning filesystem, shell, database, secrets, email, HTTP, and more enterprise-specific categories.
- A simulator so you can dry-run a policy change against real actions before it's live.
- A structured, explainable audit trail for every decision — which rule matched, why, and what the alternative would have been.
See docs/QUICKSTART.md to write your first policy and docs/SUVRA_CONTEXT.md for the full policy/rule reference.
Control. Record. Compound.
Because Suvra sits in the action path — not observing your agents from outside — every action your agents take becomes an asset. Three pillars, and every dashboard module belongs to exactly one:
- Control — block catastrophic actions, gate risky ones for a human, allow safe ones through. This is the firewall: the zero-config classifier, the policy engine, the rules library and simulator, human approvals, and agent registration all live here.
- Record — nothing passes through invisibly. Every decision lands in the Audit Explorer with a full explainable trace; the same trail rolls up into SOC 2, NIST AI RMF, and ISO 27001 Compliance reports, and into Memory for durable, queryable agent knowledge.
- Compound — the record becomes signal. Evals track denial-rate drift over your agents' real decisions, the Learning Loop turns every blocked action and pending review into a lesson with per-agent and per-action patterns, and Analytics rolls pass/deny rates, action distribution, and cost-to-outcome up over time.
Runtime, Gateway, and Nodes are how this scales — policy-gated agent-to-agent delegation, a workflow engine and MCP server registry (early access today), and distributed enforcement near your agents — infrastructure underneath the three pillars, not a fourth one.
Run suvra serve and open http://127.0.0.1:8000/dashboard to see all of it locally.
Framework integrations
Frameworks are never installed as a dependency of Suvra — install the framework you use, then import the matching wrapper.
| Framework | Module | One-liner |
|---|---|---|
| Claude Code | CLI (suvra init claude-code) |
Installs a PreToolUse hook into .claude/settings.json |
| Claude Agent SDK | suvra.integrations.anthropic |
suvra_hook(suvra) as a PreToolUse HookMatcher |
| OpenClaw | suvra.integrations.openclaw |
OpenClawGuard(suvra) wraps the OpenClaw runtime |
| OpenAI Codex | CLI (suvra init codex) |
Installs a PreToolUse hook into .codex/hooks.json |
| Hermes | CLI (suvra init hermes) |
Merges a pre_tool_call shell hook into ~/.hermes/config.yaml |
| Any MCP server | suvra mcp wrap -- <cmd> |
Wraps any stdio MCP server; gates tools/call through the firewall |
Full usage examples for each: docs/QUICKSTART.md and docs/SUVRA_CONTEXT.md.
Pricing
| Free | Team — $199/mo | Enterprise | |
|---|---|---|---|
| Agents | 1 | Up to 10 | Custom |
| CLI + local firewall | Yes | Yes | Yes |
| Slack approvals | — | Yes | Yes |
| Shared control plane | — | Yes | Yes |
| Full audit export | — | Yes | Yes |
| SSO / RBAC / compliance reports | — | — | Yes |
Suvra is Apache-2.0 licensed — free and open source, including production use. Paid tiers aren't a license requirement; they're the hosted control plane and Team/Enterprise features (Slack approvals, shared control plane, compliance reports, SSO/RBAC, enforcement nodes, support). Full breakdown in docs/PRICING.md.
Enterprise
- Control plane plus enforcement nodes deployed near your agents, with RBAC and SSO-ready identity so access maps to how your org is actually structured.
- SOC 2, NIST, and ISO 27001 compliance report packs generated straight from the audit trail your agents already produce.
- Offline, fail-closed enforcement nodes keep protecting agents even when the control plane is unreachable — cached policy, no silent "allow if uncertain" fallback.
Enterprise installs use the same PyPI package as the quickstart above, with the
postgres extra, plus the repo's Docker Compose file for the full stack:
pip install "suvra[postgres]"
# or, for the full stack (Postgres-ready image + persistent volume):
docker compose up -d --build
Full deployment topology (Postgres, Caddy/reverse proxy, control plane + enforcement
nodes), HA guidance, and rollout steps: docs/DEPLOYMENT.md.
Contact sales@suvra.io for enterprise licensing and onboarding.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file suvra-26.3.1.tar.gz.
File metadata
- Download URL: suvra-26.3.1.tar.gz
- Upload date:
- Size: 323.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.12 {"installer":{"name":"uv","version":"0.11.12","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
51684c16879922714dbeedaca7a9ef7f91194fd3bd159e23c5f4212ccfe41a09
|
|
| MD5 |
0a1026ba10162cce15a6bd151e29238e
|
|
| BLAKE2b-256 |
fd826b969c5efad1bf3c466ab1babdda16f747f5d41d75023498660f4db3f238
|
File details
Details for the file suvra-26.3.1-py3-none-any.whl.
File metadata
- Download URL: suvra-26.3.1-py3-none-any.whl
- Upload date:
- Size: 386.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.12 {"installer":{"name":"uv","version":"0.11.12","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2fa28016eb01e510254bd4cde4456c6ede3ebbb401b5d8842794588353d473e2
|
|
| MD5 |
970e852bf597f33287e46ceae9689799
|
|
| BLAKE2b-256 |
869808ebedb2653a77df732615ee5b1e383517525d0b80a5d77a8f8c0e032061
|