Private AI policy gateway for governed routing across local models, cloud LLMs, and tools.
Project description
Yagami
An open-source, self-hosted context firewall for AI applications and agents.
Documentation | Gateway API | Integrations | Deployment | Roadmap
Yagami sits between your software and local models, cloud LLMs, retrieval systems, and tools. It classifies context locally, evaluates versioned policy, routes only to allowed destinations, inspects outputs, and produces content-free evidence for each decision.
Existing OpenAI SDK applications can adopt it by changing one base_url.
Yagami can run as a headless gateway, in a container or Kubernetes, or with its
included React control surface.
Try it in 60 seconds
The demo requires no API key, provider account, Ollama model, or Node.js:
python -m pip install yagami
yagami demo
Open http://127.0.0.1:8000. Demo mode uses a local echo backend, blocks cloud routing, and exercises the UI, policy, lineage, storage, and audit path.
https://github.com/user-attachments/assets/a7be9449-eafc-4acb-99b6-ea39edc43cd2
Protect an application
Initialize persistent user configuration, check the host, and start Yagami:
yagami init
yagami doctor
yagami serve
Then point an OpenAI client at the gateway:
from openai import OpenAI
client = OpenAI(
base_url="http://127.0.0.1:8000/v1",
api_key="your-yagami-project-key",
)
response = client.chat.completions.create(
model="yagami-auto",
messages=[{"role": "user", "content": "Summarize this document."}],
metadata={
"purpose": "internal-documentation",
"sensitivity": "none",
"session_id": "example-session",
},
)
print(response.choices[0].message.content)
Supported caller sensitivity values are none, phi, phi_medical, and
secret. A caller hint can make the policy stricter; it cannot lower a
sensitivity detected by Yagami.
For production authentication, policy, and deployment settings, follow the deployment guide.
Why teams use Yagami
- Deterministic containment after classification. Once context is labeled as PHI or secret, default policy permits local backends only. Sensitive history and tool results inherit the same restriction.
- One governed data plane. Chat Completions, Responses, the browser chat, and MCP use the same policy, lineage, transformation, output-DLP, budget, and audit pipeline.
- Policy as code. Preview and replay decisions, run regression cases in CI, and promote deterministic Ed25519-signed policy bundles.
- Evidence without prompt logging. Policy passports, hash-chained audit records, Prometheus metrics, and OpenTelemetry spans carry labels, hashes, IDs, and counts rather than prompt or completion content.
- Model choice without policy duplication. Route to local engines, direct cloud providers, or an existing OpenAI-compatible gateway behind one enforcement point.
- Governed tools. Evaluate function tools and MCP calls before execution, require short-lived one-time approvals, and keep inbound credentials from being forwarded to downstream servers.
Core capabilities
| Area | Included |
|---|---|
| Compatible APIs | OpenAI Chat Completions, core Responses API, Streamable HTTP MCP |
| Identity | Scoped project API keys and OIDC/JWT workload identity |
| Policy | Versioned YAML/JSON rules, restrictive merging, preview, replay, shadow mode, regression tests, signed bundles |
| Privacy | Local classification, caller sensitivity, context lineage, AES-GCM tokenization, rehydration, output DLP, optional Presidio |
| Tools | Function calling, governed built-in skills, stdio and remote MCP, one-time approvals |
| Operations | Spend/rate/concurrency/context limits, health checks, Prometheus, OpenTelemetry, SIEM export, approval webhooks |
| Packaging | Python 3.11-3.14, PyPI, non-root container, Docker Compose, Helm, SBOMs, checksums, and build provenance |
Models and integrations
Local generation backends:
- Ollama
- llama.cpp through the optional
llama-cpp-pythonruntime - Microsoft Foundry Local through its loopback OpenAI-compatible service
Cloud backends:
- Anthropic
- OpenAI
- Mistral
- Groq
- OpenRouter
- Google Gemini
- Stability AI image generation
Yagami also works with LangChain/LangGraph, the Vercel AI SDK, Microsoft Presidio, Splunk HEC and generic SIEM webhooks, Slack and Teams approval notifications, and upstream gateways such as LiteLLM, Portkey, Kong, or Envoy. See the integration recipes.
Microsoft Foundry Local
Foundry Local provides offline, hardware-accelerated inference on supported Windows and macOS systems. Yagami connects to its local OpenAI-compatible service without bundling the Foundry CLI or any model:
foundry model load qwen2.5-0.5b-instruct
foundry service status
Copy the reported endpoint and exact loaded model ID into
~/.yagami/config/yagami.toml:
[foundry_local]
enabled = true
base_url = "http://localhost:5272/v1"
model = "qwen2.5-0.5b-instruct-generic-cpu"
max_tokens = 4096
[routing]
default_backend = "foundry_local"
The port can change after the Foundry service restarts. Yagami accepts only
localhost and loopback IPs for this trusted-local backend; use [upstream] for
a network-hosted compatible service. Ollama remains the classifier and memory
embedding service in this first integration. Read the full
Foundry Local setup.
How enforcement works
application or agent
-> authentication and project limits
-> local sensitivity and context-lineage inspection
-> versioned policy and optional transformation
-> allowed local model, cloud model, retrieval source, or tool
-> output DLP
-> response plus content-free policy passport and audit evidence
Policy is the final authority. Slash commands and explicit backend selection cannot override a sensitive-data restriction. Classifier failures fail local by default, and cloud routes can be blocked entirely or stopped at a daily spend cap.
Important limitations
Yagami is an enforcement component, not a compliance certification. Automated detection can miss sensitive data. Strict deployments should declare sensitivity at the caller, use a local-only policy, test organization-specific cases, encrypt storage at the host or volume layer, and review the threat model.
The project is alpha. Validate policy and failure behavior against your own requirements before production use.
Documentation
- Start here
- Gateway API
- Policy configuration
- Integrations
- Deployment
- Local development and extensions
- Knowledge base
- Architecture
- Threat model
- Release verification
- Benchmarks
- Product roadmap
Contributing
Focused issues and pull requests are welcome. Read CONTRIBUTING.md, the security policy, and the code of conduct.
License
MIT - Copyright (c) 2026 Matthew Tracy and Yagami contributors.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file yagami-0.6.0.tar.gz.
File metadata
- Download URL: yagami-0.6.0.tar.gz
- Upload date:
- Size: 323.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8c84e79c97c9d2f1b1c3a9e6f2da46059cbf816fd7e5148cd20a7afab444b22d
|
|
| MD5 |
ccd7c179855202a274ffa2e00c0b9fd2
|
|
| BLAKE2b-256 |
396576d889fa1279499da84f5e56002fd6526b7506275aa41a328a77cd706357
|
Provenance
The following attestation bundles were made for yagami-0.6.0.tar.gz:
Publisher:
release.yml on MatthewTracy/yagami
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
yagami-0.6.0.tar.gz -
Subject digest:
8c84e79c97c9d2f1b1c3a9e6f2da46059cbf816fd7e5148cd20a7afab444b22d - Sigstore transparency entry: 2171192273
- Sigstore integration time:
-
Permalink:
MatthewTracy/yagami@abacc012319b4b0222746bb71915b0f84ebe529f -
Branch / Tag:
refs/tags/v0.6.0 - Owner: https://github.com/MatthewTracy
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@abacc012319b4b0222746bb71915b0f84ebe529f -
Trigger Event:
push
-
Statement type:
File details
Details for the file yagami-0.6.0-py3-none-any.whl.
File metadata
- Download URL: yagami-0.6.0-py3-none-any.whl
- Upload date:
- Size: 367.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
da5dd892246d3d5c94400a536a269f13e070355e5cb5156aec6b71cc8302b277
|
|
| MD5 |
2ed4e18d79a588cf786f4b1c321b0539
|
|
| BLAKE2b-256 |
ac58727a9fda4402e0de07a2eca7e25feb7cb2aed53ac96816f804f4e1543a9d
|
Provenance
The following attestation bundles were made for yagami-0.6.0-py3-none-any.whl:
Publisher:
release.yml on MatthewTracy/yagami
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
yagami-0.6.0-py3-none-any.whl -
Subject digest:
da5dd892246d3d5c94400a536a269f13e070355e5cb5156aec6b71cc8302b277 - Sigstore transparency entry: 2171192289
- Sigstore integration time:
-
Permalink:
MatthewTracy/yagami@abacc012319b4b0222746bb71915b0f84ebe529f -
Branch / Tag:
refs/tags/v0.6.0 - Owner: https://github.com/MatthewTracy
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@abacc012319b4b0222746bb71915b0f84ebe529f -
Trigger Event:
push
-
Statement type: