Capability-based security kernel for AI agents operating in large tool ecosystems

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for dgenio from gravatar.com dgenio

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License (Apache License)
  • Author: agent-kernel contributors
  • Tags agents , ai , capabilities , llm , mcp , security
  • Requires: Python >=3.10
  • Provides-Extra: dev , mcp , otel
Classifiers
Report project as malware

Project description

agent-kernel

CI Python 3.10+ License: Apache 2.0

A capability-based security kernel for AI agents operating in large tool ecosystems (MCP, A2A, 1000+ tools).

30-second pitch

Modern AI agents face three hard problems when given access to hundreds or thousands of tools:

  1. Context blowup — raw tool output floods the LLM context window.
  2. Tool-space interference — agents accidentally invoke the wrong tool or escalate privileges.
  3. No audit trail — there's no record of what ran, when, and why.

agent-kernel solves all three with a thin, composable layer that sits above your tool execution layer:

  • Capability Tokens — HMAC-signed, time-bounded, principal-scoped. No token → no execution.
  • Policy Engine — READ/WRITE/DESTRUCTIVE safety classes + PII/PCI sensitivity handling.
  • Context Firewall — raw driver output is never returned to the LLM; always a bounded Frame.
  • Audit Trail — every invocation creates an ActionTrace retrievable via kernel.explain().

Architecture

graph LR
    LLM["LLM / Agent"] -->|goal| K["Kernel"]
    K -->|search| REG["Registry"]
    K -->|evaluate| POL["Policy Engine"]
    K -->|sign| TOK["HMAC Token"]
    K -->|route| DRV["Driver (MCP/HTTP/Memory)"]
    DRV -->|RawResult| FW["Context Firewall"]
    FW -->|Frame| LLM
    K -->|record| AUD["Audit Trace"]

Quickstart

pip install weaver-kernel

Note: The PyPI package is weaver-kernel (Weaver ecosystem), but the Python import remains agent_kernel.

import asyncio, os
os.environ["AGENT_KERNEL_SECRET"] = "my-secret"

from agent_kernel import (
    Capability, CapabilityRegistry, HMACTokenProvider,
    InMemoryDriver, Kernel, Principal, SafetyClass, StaticRouter,
)
from agent_kernel.drivers.base import ExecutionContext
from agent_kernel.models import CapabilityRequest

# 1. Register a capability
registry = CapabilityRegistry()
registry.register(Capability(
    capability_id="tasks.list",
    name="List Tasks",
    description="List all tasks",
    safety_class=SafetyClass.READ,
    tags=["tasks", "list"],
))

# 2. Wire up a driver
driver = InMemoryDriver()
driver.register_handler("tasks.list", lambda ctx: [{"id": 1, "title": "Buy milk"}])

# 3. Build the kernel
kernel = Kernel(registry=registry, router=StaticRouter(routes={"tasks.list": ["memory"]}))
kernel.register_driver(driver)

async def main():
    principal = Principal(principal_id="alice", roles=["reader"])

    # 4. Discover → grant → invoke → expand → explain
    token = kernel.get_token(
        CapabilityRequest(capability_id="tasks.list", goal="list tasks"),
        principal, justification="",
    )
    frame = await kernel.invoke(token, principal=principal, args={})
    print(frame.facts)           # ['Total rows: 1', 'Top keys: id, title', ...]
    print(frame.handle)          # Handle(handle_id='...', ...)

    expanded = kernel.expand(frame.handle, query={"limit": 1, "fields": ["title"]})
    print(expanded.table_preview)  # [{'title': 'Buy milk'}]

    trace = kernel.explain(frame.action_id)
    print(trace.driver_id)       # 'memory'

asyncio.run(main())

Where it fits

┌─────────────────────────────────────────────┐
│             LLM / Agent loop                │
├─────────────────────────────────────────────┤
│  agent-kernel  ← you are here               │
│  (registry · policy · tokens · firewall)    │
├────────────────┬────────────────────────────┤
│  contextweaver │  tool execution layer       │
│  (context      │  (MCP · HTTP · A2A ·        │
│   compilation) │   internal APIs)            │
└────────────────┴────────────────────────────┘

agent-kernel sits above contextweaver (context compilation) and above raw tool execution. It provides the authorization, execution, and audit layer.

Security disclaimers

v0.1 is not production-hardened for real authentication.

  • HMAC tokens are tamper-evident (SHA-256) but not encrypted. Do not put sensitive data in token fields.
  • Set AGENT_KERNEL_SECRET to a strong random value in production. If unset, a random dev secret is generated per-process with a warning.
  • PII redaction is heuristic (regex). It is not a substitute for proper data governance.
  • See docs/security.md for the full threat model.

Documentation

Development

git clone https://github.com/dgenio/agent-kernel
cd agent-kernel
pip install -e ".[dev]"
make ci      # fmt + lint + type + test + examples

License

Apache-2.0 — see LICENSE.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for dgenio from gravatar.com dgenio

Unverified details

These details have not been verified by PyPI
Meta
  • License: Apache Software License (Apache License)
  • Author: agent-kernel contributors
  • Tags agents , ai , capabilities , llm , mcp , security
  • Requires: Python >=3.10
  • Provides-Extra: dev , mcp , otel
Classifiers

Release history Release notifications | RSS feed

0.5.0

This version

0.4.0

0.3.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

weaver_kernel-0.4.0.tar.gz (70.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

weaver_kernel-0.4.0-py3-none-any.whl (43.4 kB view details)

Uploaded Python 3

File details

Details for the file weaver_kernel-0.4.0.tar.gz.

File metadata

  • Download URL: weaver_kernel-0.4.0.tar.gz
  • Upload date:
  • Size: 70.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for weaver_kernel-0.4.0.tar.gz
Algorithm Hash digest
SHA256 fdb16f12268e329014e0d123fac5950ce37c25ec9849377c14cd27b95199491c
MD5 530fa3eed3a792dd22c0b779a6f50603
BLAKE2b-256 2a4ec2f08df44fdae0639e71ca4cf86fe26fa628ff0de693d121f0e94ce6f30e

See more details on using hashes here.

Provenance

The following attestation bundles were made for weaver_kernel-0.4.0.tar.gz:

Publisher: publish.yml on dgenio/agent-kernel

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file weaver_kernel-0.4.0-py3-none-any.whl.

File metadata

  • Download URL: weaver_kernel-0.4.0-py3-none-any.whl
  • Upload date:
  • Size: 43.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for weaver_kernel-0.4.0-py3-none-any.whl
Algorithm Hash digest
SHA256 795b9b4b5f36d6c1a97182aa54b2252d6342e935c6304e9a06e0468dc7c8c608
MD5 162f686af4f5f34b8760f5170ee7b119
BLAKE2b-256 305ea190712f3723dd8f19fb4b9fce708f9545a96fbc5f782ed7cc6086c9fe88

See more details on using hashes here.

Provenance

The following attestation bundles were made for weaver_kernel-0.4.0-py3-none-any.whl:

Publisher: publish.yml on dgenio/agent-kernel

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page