Capability-based security kernel for AI agents operating in large tool ecosystems

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for dgenio from gravatar.com dgenio

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License (Apache License)
  • Author: agent-kernel contributors
  • Tags agents , ai , capabilities , llm , mcp , security
  • Requires: Python >=3.10
  • Provides-Extra: dev , mcp , otel
Classifiers
Report project as malware

Project description

agent-kernel

CI Python 3.10+ License: Apache 2.0

A capability-based security kernel for AI agents operating in large tool ecosystems (MCP, A2A, 1000+ tools).

30-second pitch

Modern AI agents face three hard problems when given access to hundreds or thousands of tools:

  1. Context blowup — raw tool output floods the LLM context window.
  2. Tool-space interference — agents accidentally invoke the wrong tool or escalate privileges.
  3. No audit trail — there's no record of what ran, when, and why.

agent-kernel solves all three with a thin, composable layer that sits above your tool execution layer:

  • Capability Tokens — HMAC-signed, time-bounded, principal-scoped. No token → no execution.
  • Policy Engine — READ/WRITE/DESTRUCTIVE safety classes + PII/PCI sensitivity handling.
  • Context Firewall — raw driver output is never returned to the LLM; always a bounded Frame.
  • Audit Trail — every invocation creates an ActionTrace retrievable via kernel.explain().

Architecture

graph LR
    LLM["LLM / Agent"] -->|goal| K["Kernel"]
    K -->|search| REG["Registry"]
    K -->|evaluate| POL["Policy Engine"]
    K -->|sign| TOK["HMAC Token"]
    K -->|route| DRV["Driver (MCP/HTTP/Memory)"]
    DRV -->|RawResult| FW["Context Firewall"]
    FW -->|Frame| LLM
    K -->|record| AUD["Audit Trace"]

Quickstart

pip install weaver-kernel

Note: The PyPI package is weaver-kernel (Weaver ecosystem), but the Python import remains agent_kernel.

import asyncio, os
os.environ["AGENT_KERNEL_SECRET"] = "my-secret"

from agent_kernel import (
    Capability, CapabilityRegistry, HMACTokenProvider,
    InMemoryDriver, Kernel, Principal, SafetyClass, StaticRouter,
)
from agent_kernel.drivers.base import ExecutionContext
from agent_kernel.models import CapabilityRequest

# 1. Register a capability
registry = CapabilityRegistry()
registry.register(Capability(
    capability_id="tasks.list",
    name="List Tasks",
    description="List all tasks",
    safety_class=SafetyClass.READ,
    tags=["tasks", "list"],
))

# 2. Wire up a driver
driver = InMemoryDriver()
driver.register_handler("tasks.list", lambda ctx: [{"id": 1, "title": "Buy milk"}])

# 3. Build the kernel
kernel = Kernel(registry=registry, router=StaticRouter(routes={"tasks.list": ["memory"]}))
kernel.register_driver(driver)

async def main():
    principal = Principal(principal_id="alice", roles=["reader"])

    # 4. Discover → grant → invoke → expand → explain
    token = kernel.get_token(
        CapabilityRequest(capability_id="tasks.list", goal="list tasks"),
        principal, justification="",
    )
    frame = await kernel.invoke(token, principal=principal, args={})
    print(frame.facts)           # ['Total rows: 1', 'Top keys: id, title', ...]
    print(frame.handle)          # Handle(handle_id='...', ...)

    expanded = kernel.expand(frame.handle, query={"limit": 1, "fields": ["title"]})
    print(expanded.table_preview)  # [{'title': 'Buy milk'}]

    trace = kernel.explain(frame.action_id)
    print(trace.driver_id)       # 'memory'

asyncio.run(main())

Where it fits

┌─────────────────────────────────────────────┐
│             LLM / Agent loop                │
├─────────────────────────────────────────────┤
│  agent-kernel  ← you are here               │
│  (registry · policy · tokens · firewall)    │
├────────────────┬────────────────────────────┤
│  contextweaver │  tool execution layer       │
│  (context      │  (MCP · HTTP · A2A ·        │
│   compilation) │   internal APIs)            │
└────────────────┴────────────────────────────┘

agent-kernel sits above contextweaver (context compilation) and above raw tool execution. It provides the authorization, execution, and audit layer.

Security disclaimers

v0.1 is not production-hardened for real authentication.

  • HMAC tokens are tamper-evident (SHA-256) but not encrypted. Do not put sensitive data in token fields.
  • Set AGENT_KERNEL_SECRET to a strong random value in production. If unset, a random dev secret is generated per-process with a warning.
  • PII redaction is heuristic (regex). It is not a substitute for proper data governance.
  • See docs/security.md for the full threat model.

Documentation

Development

git clone https://github.com/dgenio/agent-kernel
cd agent-kernel
pip install -e ".[dev]"
make ci      # fmt + lint + type + test + examples

License

Apache-2.0 — see LICENSE.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for dgenio from gravatar.com dgenio

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License (Apache License)
  • Author: agent-kernel contributors
  • Tags agents , ai , capabilities , llm , mcp , security
  • Requires: Python >=3.10
  • Provides-Extra: dev , mcp , otel
Classifiers

Release history Release notifications | RSS feed

0.5.0

0.4.0

This version

0.3.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

weaver_kernel-0.3.0.tar.gz (65.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

weaver_kernel-0.3.0-py3-none-any.whl (42.2 kB view details)

Uploaded Python 3

File details

Details for the file weaver_kernel-0.3.0.tar.gz.

File metadata

  • Download URL: weaver_kernel-0.3.0.tar.gz
  • Upload date:
  • Size: 65.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for weaver_kernel-0.3.0.tar.gz
Algorithm Hash digest
SHA256 ec47e0a47eb818b898d6e951d979238869fdb15b405140beed15b8ee7016a68f
MD5 8d8611e67b4c1b829cefe7e4f01def64
BLAKE2b-256 4a56724bca6c21dc073e1562fb4824708445a5c4c13e68946d9b9bc47cef16b9

See more details on using hashes here.

Provenance

The following attestation bundles were made for weaver_kernel-0.3.0.tar.gz:

Publisher: publish.yml on dgenio/agent-kernel

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file weaver_kernel-0.3.0-py3-none-any.whl.

File metadata

  • Download URL: weaver_kernel-0.3.0-py3-none-any.whl
  • Upload date:
  • Size: 42.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for weaver_kernel-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 6e19f90a9f0f83727a8d324bebeb75a532c6e86eda2833c2514412ac3b93b3a6
MD5 4db1e2a28285b238ad4f7ebfe03321f9
BLAKE2b-256 577cb426d6f202207055dc55a2171819f0699283531b7d7414a1e3ae9cd70908

See more details on using hashes here.

Provenance

The following attestation bundles were made for weaver_kernel-0.3.0-py3-none-any.whl:

Publisher: publish.yml on dgenio/agent-kernel

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page