Structural persistence guarantee for LLM agent systems
Project description
Keel
Persistent safety policies and cryptographic audit trails for tool-using agents.
Keel keeps constraints on disk, not in the prompt. Policies survive context compaction. Every action is logged to a tamper-evident SHA-256 hash chain. Policy enforcement is deterministic -- no LLM in the enforcement path.
Install
pip install threshold-keel
Requires Python 3.10 or later. Zero runtime dependencies.
Quick start
# Initialise (creates ~/.keel/ with default safety policies)
keel init
# Check status
keel --human status
# List active policies
keel --human policies
# Add a policy
keel add-policy --content "Block all financial transactions" --scope financial --priority 0
# Check a proposed action against policies
keel check-policy --action-json '{"action_type":"payment","target_ids":["vendor@example.com"],"surface":"financial","reversibility":"irreversible"}'
# Log an action to the WAL
keel wal-append --event-type PROPOSED --payload '{"action_type":"send_email","target_ids":["user@example.com"]}'
# Verify hash chain integrity
keel verify-chain
# Run a full fidelity self-check
keel fidelity
What it does
Keel is a safety layer for autonomous agents that use tools. It provides three things:
Persistent policies. Rules live on disk in ~/.keel/store.json, not in the chat
prompt. They survive context compaction, session restarts, and machine changes. The
agent checks policies before every action. A blocked action stays blocked -- the agent
cannot override it.
Cryptographic audit trail. Every action the agent takes is logged to an append-only
write-ahead log (WAL) with SHA-256 hash chaining. Each entry contains a cryptographic
hash of the previous entry, making the log tamper-evident. Chain integrity can be
verified at any time with keel verify-chain.
Deterministic policy evaluation. The CLI checks policies using structural matching,
not language model interpretation. A constraint scoped to financial blocks all actions
on the financial surface. No ambiguity, no "I think the user meant...".
CLI commands
| Command | What it does |
|---|---|
keel init |
Create ~/.keel/ directory with default safety policies |
keel check-policy |
Check a proposed action against active policies |
keel wal-append |
Log an event to the write-ahead log |
keel wal-query |
Query recent WAL entries |
keel verify-chain |
Verify WAL hash chain integrity |
keel --human status |
Show session overview |
keel fidelity |
Run a full self-check (policies, WAL, chain) |
keel --human policies |
List active policies |
keel add-policy |
Add a new policy |
keel remove-policy |
Deactivate a policy |
keel quarantine |
List quarantined items |
keel restore |
Restore an item from quarantine |
All commands output JSON by default. Add --human before the subcommand for
human-readable output. Add --local to force local mode when cloud credentials
are set.
Exit codes
| Code | Meaning |
|---|---|
| 0 | Success / action allowed |
| 1 | Blocked by policy or error |
| 2 | Requires human approval (T2/T3 action) |
Risk tiers
Keel classifies actions into four risk tiers:
| Tier | Risk | Examples |
|---|---|---|
| T0 | Read-only | Fetch email, list files, search |
| T1 | Reversible | Create files, add labels |
| T2 | Reversible within window | Archive, move to bin |
| T3 | Irreversible | Send email, permanent delete, publish, pay |
Cloud sync (optional)
Set KEEL_CLOUD_API_KEY and the CLI syncs policies and WAL events with
Threshold Cloud automatically. Local safety continues uninterrupted if the
cloud is unreachable.
export KEEL_CLOUD_API_KEY=sk-keel-your-key-here
keel --human status
See thresholdsignalworks.com/cloud for plans and pricing.
OpenClaw integration
Keel ships with a SKILL.md that can be installed as an OpenClaw skill. In instructions-only mode, the agent follows Keel's safety rules using file tools directly. When the CLI is installed, the agent uses it automatically for cryptographic hashing and deterministic policy checks.
Security
See SECURITY.md for the security model and vulnerability reporting process.
Licence
BSL 1.1. Converts to Apache 2.0 after 4 years.
Author
Brian McCallion, Threshold Signalworks Ltd, Limerick, Ireland. ORCID: 0009-0004-1442-1743
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file threshold_keel-0.2.4.tar.gz.
File metadata
- Download URL: threshold_keel-0.2.4.tar.gz
- Upload date:
- Size: 67.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
40b49f479810a126fe005f4a068b361bc01587596d9be8d11e01df1866b93ce9
|
|
| MD5 |
1cd3214146797849b2627c8f7b9d75f5
|
|
| BLAKE2b-256 |
9599cd93f780a1049baf05fcdbbd921cd5c0c583fb991f38a56dfc6476006d05
|
File details
Details for the file threshold_keel-0.2.4-py3-none-any.whl.
File metadata
- Download URL: threshold_keel-0.2.4-py3-none-any.whl
- Upload date:
- Size: 78.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.0
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0c05b87ca6e5e3f2aca9d8e76d71040ff3114ab2f223d5601394de14f6c54996
|
|
| MD5 |
37f0af6de84d2cd4b284886f15af7d5a
|
|
| BLAKE2b-256 |
188c569a4c73323dbe91cb1131a7a1ea1c2f180df1ac5730600759678d9eefeb
|
