Skip to main content

Open-source AI context firewall for governed model, tool, and retrieval access.

Project description

Yagami

An open-source, self-hosted context firewall for AI applications and agents.

CI PyPI Python License: MIT Status

Documentation | Gateway API | Deployment | Security | Roadmap

Yagami sits between your software and local models, cloud LLMs, retrieval systems, and tools. It classifies context locally, evaluates versioned policy, routes only to allowed destinations, inspects outputs, and produces content-free evidence for each decision.

Existing OpenAI SDK applications can adopt it by changing one base_url. Yagami can run as a headless gateway, in a container or Kubernetes, or with its included React control surface.

Try it in 60 seconds

The demo requires no API key, provider account, Ollama model, or Node.js:

python -m pip install yagami
yagami demo

Open http://127.0.0.1:8000. Demo mode uses a local echo backend, blocks cloud routing, and exercises the UI, policy, lineage, storage, and audit path.

Watch the two-minute demo.

Protect an application

Initialize persistent user configuration, check the host, and start Yagami:

yagami init
yagami doctor
yagami serve

Then point an OpenAI client at the gateway:

from openai import OpenAI

client = OpenAI(
    base_url="http://127.0.0.1:8000/v1",
    api_key="your-yagami-project-key",
)

response = client.chat.completions.create(
    model="yagami-auto",
    messages=[{"role": "user", "content": "Summarize this document."}],
    metadata={
        "purpose": "internal-documentation",
        "sensitivity": "none",
        "session_id": "example-session",
    },
)
print(response.choices[0].message.content)

Supported caller sensitivity values are none, phi, phi_medical, and secret. A caller hint can make the policy stricter; it cannot lower a sensitivity detected by Yagami.

For production authentication, policy, and deployment settings, follow the deployment guide.

Why teams use Yagami

  • Deterministic containment after classification. Once context is labeled as PHI or secret, default policy permits local backends only. Sensitive history and tool results inherit the same restriction.
  • One governed data plane. Chat Completions, Responses, the browser chat, and MCP use the same policy, lineage, transformation, output-DLP, budget, and audit pipeline.
  • Policy as code. Preview and replay decisions, run regression cases in CI, and promote deterministic Ed25519-signed policy bundles.
  • Evidence without prompt logging. Policy passports, hash-chained audit records, Prometheus metrics, and OpenTelemetry spans carry labels, hashes, IDs, and counts rather than prompt or completion content.
  • Model choice without policy duplication. Route to local engines, direct cloud providers, or an existing OpenAI-compatible gateway behind one enforcement point.
  • Governed tools. Evaluate function tools and MCP calls before execution, require short-lived one-time approvals, and keep inbound credentials from being forwarded to downstream servers.

Core capabilities

Area Included
Compatible APIs OpenAI Chat Completions, core Responses API, Streamable HTTP MCP
Identity Scoped project API keys and OIDC/JWT workload identity
Policy Versioned YAML/JSON rules, restrictive merging, preview, replay, shadow mode, regression tests, signed bundles
Privacy Local classification, caller sensitivity, context lineage, AES-GCM tokenization, rehydration, output DLP, optional Presidio
Tools Function calling, governed built-in skills, stdio and remote MCP, one-time approvals
Operations Spend/rate/concurrency/context limits, health checks, Prometheus, OpenTelemetry, SIEM export, approval webhooks
Packaging Python 3.11-3.14, PyPI, non-root container, Docker Compose, Helm, SBOMs, checksums, and build provenance

Models and integrations

Local generation works with Ollama, llama.cpp through the optional llama-cpp-python runtime, and Microsoft Foundry Local through its loopback OpenAI-compatible service. Direct cloud adapters cover Anthropic, OpenAI, Mistral, Groq, OpenRouter, Google Gemini, and Stability AI image generation.

Yagami also works with LangChain/LangGraph, the Vercel AI SDK, Microsoft Presidio, Splunk HEC and generic SIEM webhooks, Slack and Teams approval notifications, and upstream gateways such as LiteLLM, Portkey, Kong, or Envoy. See the integration recipes.

How enforcement works

application or agent
  -> authentication and project limits
  -> local sensitivity and context-lineage inspection
  -> versioned policy and optional transformation
  -> allowed local model, cloud model, retrieval source, or tool
  -> output DLP
  -> response plus content-free policy passport and audit evidence

Policy is the final authority. Slash commands and explicit backend selection cannot override a sensitive-data restriction. Classifier failures fail local by default, and cloud routes can be blocked entirely or stopped at a daily spend cap.

Important limitations

Yagami is an enforcement component, not a compliance certification. Automated detection can miss sensitive data. Strict deployments should declare sensitivity at the caller, use a local-only policy, test organization-specific cases, encrypt storage at the host or volume layer, and review the threat model.

The project is alpha. Validate policy and failure behavior against your own requirements before production use.

Documentation

Contributing

Focused issues and pull requests are welcome. Read CONTRIBUTING.md, the security policy, and the code of conduct.

License

MIT - Copyright (c) 2026 Matthew Tracy and Yagami contributors.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

yagami-0.6.1.tar.gz (323.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

yagami-0.6.1-py3-none-any.whl (367.9 kB view details)

Uploaded Python 3

File details

Details for the file yagami-0.6.1.tar.gz.

File metadata

  • Download URL: yagami-0.6.1.tar.gz
  • Upload date:
  • Size: 323.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for yagami-0.6.1.tar.gz
Algorithm Hash digest
SHA256 cf238c05a01640b22e5f9fe427b4716e68892b6998b9babd357d3223aad88faa
MD5 0ea14ff72a7791a59bd041ae4a90fecd
BLAKE2b-256 5716bb0431b3fd8644856ab87a3ae2f4418145a0d7699c50b8a01f1c3c5a4ce1

See more details on using hashes here.

Provenance

The following attestation bundles were made for yagami-0.6.1.tar.gz:

Publisher: release.yml on MatthewTracy/yagami

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file yagami-0.6.1-py3-none-any.whl.

File metadata

  • Download URL: yagami-0.6.1-py3-none-any.whl
  • Upload date:
  • Size: 367.9 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for yagami-0.6.1-py3-none-any.whl
Algorithm Hash digest
SHA256 68425f5a2b9018b90b238c8c49ceda588c156913c9984637076d1416c4b00d44
MD5 661566b7cd3d5dedd8f6a3b6d0f864a9
BLAKE2b-256 5e140ce96835cbdca136769ac8adc74b1392a958c038b648ade0168a93780db1

See more details on using hashes here.

Provenance

The following attestation bundles were made for yagami-0.6.1-py3-none-any.whl:

Publisher: release.yml on MatthewTracy/yagami

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page