[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-80845":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":14,"stars7d":15,"stars30d":16,"stars90d":14,"forks30d":14,"starsTrendScore":13,"compositeScore":17,"rankGlobal":9,"rankLanguage":9,"license":18,"archived":19,"fork":19,"defaultBranch":20,"hasWiki":19,"hasPages":21,"topics":22,"createdAt":9,"pushedAt":9,"updatedAt":23,"readmeContent":24,"aiSummary":25,"trendingCount":14,"starSnapshotCount":14,"syncStatus":26,"lastSyncTime":27,"discoverSource":28},80845,"AgentGuard","WhitzardAgent\u002FAgentGuard","WhitzardAgent","AgentGuard：An Attribute-Based Access Control Framework for Tool-Use LLM-Based Agent",null,"Python",72,8,1,0,4,36,2.86,"MIT License",false,"main",true,[],"2026-06-12 02:04:07","# 🛡️ AgentGuard\n\n\u003Cp align=\"center\">\n  \u003Ca href=\"https:\u002F\u002Fwhitzardagent.github.io\u002FAgentGuard\u002F\">\n    \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FDocument-Docs-0ea5e9?style=for-the-badge&logo=gitbook&logoColor=white\" alt=\"Document\" \u002F>\n  \u003C\u002Fa>\n  \u003Ca href=\"https:\u002F\u002Fgithub.com\u002FWhitzardAgent\u002FAgentGuard\u002Freleases\">\n    \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FRelease-v1.0-111827?style=for-the-badge&logo=github&logoColor=white\" alt=\"Release v1.0\" \u002F>\n  \u003C\u002Fa>\n  \u003Ca href=\".\u002FLICENSE\">\n    \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-MIT-16a34a?style=for-the-badge&logo=open-source-initiative&logoColor=white\" alt=\"License\" \u002F>\n  \u003C\u002Fa>\n\u003C\u002Fp>\n\n\u003Cp align=\"center\">\n  \u003Cstrong>English\u003C\u002Fstrong> |\n  \u003Ca href=\".\u002FREADME_CN.md\">简体中文\u003C\u002Fa>\n\u003C\u002Fp>\n\n\u003Cp 
align=\"center\">\n  \u003Cstrong>AgentGuard: An Attribute-Based Access Control Framework for Tool-Use LLM-Based Agent\u003C\u002Fstrong>\n\u003C\u002Fp>\n\n\u003Cp align=\"center\">\n  Declarative policy enforcement, provenance-aware decisions, and human-in-the-loop safety for tool invocations.\n\u003C\u002Fp>\n\n\u003Ctable align=\"center\" width=\"100%\" cellspacing=\"0\" cellpadding=\"0\">\n  \u003Ctr>\n    \u003Ctd align=\"center\" width=\"30%\" style=\"padding: 20px 18px; border: 1px solid #e5e7eb; border-radius: 18px; background: #ffffff;\">\n      \u003Cdiv style=\"font-size: 28px; line-height: 1; margin-bottom: 10px;\">🧩\u003C\u002Fdiv>\n      \u003Csmall>\u003Cstrong>Seamless&nbsp;Integration\u003C\u002Fstrong>\u003C\u002Fsmall>\n    \u003C\u002Ftd>\n    \u003Ctd align=\"center\" width=\"30%\" style=\"padding: 20px 18px; border: 1px solid #e5e7eb; border-radius: 18px; background: #ffffff;\">\n      \u003Cdiv style=\"font-size: 28px; line-height: 1; margin-bottom: 10px;\">🛡️\u003C\u002Fdiv>\n      \u003Csmall>\u003Cstrong>Multi&#8209;Risk&nbsp;Coverage\u003C\u002Fstrong>\u003C\u002Fsmall>\n    \u003C\u002Ftd>\n    \u003Ctd align=\"center\" width=\"40%\" style=\"padding: 20px 18px; border: 1px solid #e5e7eb; border-radius: 18px; background: #ffffff;\">\n      \u003Cdiv style=\"font-size: 28px; line-height: 1; margin-bottom: 10px;\">👁️\u003C\u002Fdiv>\n      \u003Csmall>\u003Cstrong>Visual&nbsp;Rule&nbsp;Setup&nbsp;&amp;&nbsp;Audit\u003C\u002Fstrong>\u003C\u002Fsmall>\n    \u003C\u002Ftd>\n  \u003C\u002Ftr>\n\u003C\u002Ftable>\n\n\n> [!IMPORTANT]\n> This project is still under active development and may contain bugs. Contributions via Issues and PRs are welcome.\n\nAgentGuard is an attribute-based access control framework for agent tool calls that sits between an LLM-based planning engine and the tools it invokes. 
Before each tool call is executed, and again after it completes, AgentGuard evaluates the agent's behavior against declarative policies to decide whether the action should proceed as-is, be blocked, or be routed for human check.\n\nToday, AgentGuard covers several key technical areas highlighted in Anthropic's [Zero Trust for AI Agents](https:\u002F\u002Fclaude.com\u002Fblog\u002Fzero-trust-for-ai-agents), including access control & privilege management, observability & auditing, and behavioral monitoring & response.\n\n![AgentGuard Positioning](.\u002Fdocs\u002Ffigs\u002Fpositioning.png)\n\nAgentGuard can be integrated into existing agent frameworks without modifying the underlying execution logic. Currently, it supports LangChain, AutoGen, and OpenAI Agents SDK, and we are continuously expanding support for additional agent ecosystems and frameworks.\n\n## ✨ Features\n\n### 1. Rich Policy Expressiveness\n\nAgentGuard policies are not hard-coded risk checks buried in business logic. They are written in a standalone DSL that describes when an action should be allowed, denied, or sent for human check. A policy can reference the principal's identity, tool metadata, tool arguments, target addresses, session history, and call-chain context, making it well-suited for the security boundaries commonly found in agent tool calls.\n\n#### Arithmetic & Logical Expressions\n\nPolicy conditions support numeric comparisons, set membership checks, regex matching, substring matching, and arbitrary `AND` \u002F `OR` \u002F `NOT` combinations. For instance, `principal.trust_level \u003C 2` distinguishes low-trust agents, `tool.recipient_domain NOT IN allowlist.email` restricts outbound destinations, and `tool.cmd MATCHES ...` identifies dangerous commands. These expressions can also be freely composed with `AND` \u002F `OR` \u002F `NOT`.\n\n#### Cross-Tool Policies\n\nAgentGuard can evaluate both individual tool calls and cross-step attack chains. 
Using `TRACE` and session-history functions, policies can express behaviors such as \"read from a database, then send email,\" \"read a sensitive file, then upload it to an external HTTP endpoint,\" or \"external input eventually flows into a shell command\", rather than relying solely on the current tool's arguments.\n\n#### Multi-Phase Intervention\n\nPolicies can apply at the pre-execution `requested` phase, the post-execution `completed` phase, or the failure `failed` phase. Pre-execution is suitable for blocking or requiring approval; post-execution can be used for logging results or triggering follow-up audits and rule evaluations based on `tool.result`.\n\n#### Diverse Policy Decisions\n\nWhen a rule matches, it can return `ALLOW`, `DENY`, `HUMAN_CHECK`, or `LLM_CHECK`. Policies are therefore not limited to a binary allow\u002Fdeny outcome: clearly dangerous operations can be rejected outright, while uncertain ones can be routed to a human or an LLM for review.\n\n#### Subject & Object Labels\n\nPolicies can enforce differentiated controls based on agent (subject) and tool (object) attributes. Agents declare identity information such as `agent_id`, `session_id`, `role`, `trust_level`, and `scope`. Tools declare static labels such as `boundary`, `sensitivity`, `integrity`, and `tags`. This enables rules such as \"low-trust agents cannot invoke privileged-boundary tools\" or \"results from high-sensitivity tools must not flow to external boundaries.\" Users can also define custom labels as needed.\n\n### 2. Seamless Integration with Agent Frameworks\n\nAgentGuard sits between the LLM-based planning engine and tools, and does not interfere with agent planning, reasoning, or task orchestration. Adapters are provided for several mainstream agent frameworks, allowing users to integrate AgentGuard with minimal code and without modifying framework internals or heavily refactoring existing agents. 
For frameworks not yet supported, AgentGuard offers a straightforward development interface for building custom adapters.\n\nCurrently, we support the following agent frameworks:\n- [LangChain](https:\u002F\u002Fgithub.com\u002Flangchain-ai\u002Flangchain)\n- [AutoGen](https:\u002F\u002Fgithub.com\u002Fmicrosoft\u002Fautogen)\n- [OpenAI Agents SDK](https:\u002F\u002Fgithub.com\u002Fopenai\u002Fopenai-agents-python)\n\n### 3. Visual Policy Configuration & Audit\n\nAgentGuard ships with a web console for managing agents. The visual interface lets users configure policies interactively without hand-writing DSL code. The policy editor relies heavily on dropdowns and other selection-based controls to reduce the policy configuration burden.\n\nThe runtime dashboard displays agent health, recent traffic, pending approval requests, and audit records. For any tool call that triggers a policy, users can inspect the matched rules, risk scores, final decisions, and the raw event\u002Fdecision JSON, making it easy to understand why a particular call was denied or escalated for review.\n\n### 4. Cluster Management\n\nAgentGuard uses a centralized control-plane architecture to govern distributed agent processes. Agents can be deployed across multiple nodes in the network, while policy configuration and runtime monitoring are managed centrally through the control server. This architecture is particularly well-suited for organizations that need unified management across a large fleet of agents.\n\n## 🚀 Quick Start\n\n### 1. Write Access Control Policies and Start the Control Server\n\n> Docker must be installed first.\n\nChoose a host to serve as the control server, then clone AgentGuard:\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002FWhitzardAgent\u002FAgentGuard.git\ncd AgentGuard\n```\n\nCreate an access control policy:\n\n```bash\nmkdir -p rules\n\ncat \u003C\u003CEOF > rules\u002Fblock_email_send.rules\nRULE: block_untrusted_email_send\nTRACE: Retriever -> ...? 
-> Mailer\nCONDITION: Retriever.name == \"retrieve_doc\"\n           AND Mailer.name == \"send_email_to\"\n           AND Retriever.id == 0\n           AND Mailer.addr != \"admin@example.com\"\n           AND principal.trust_level \u003C 2\nPOLICY: DENY\nSeverity: high\nCategory: data_exfiltration\nReason: \"Low-trust principal cannot send document 0 to non-admin recipients\"\nEOF\n```\n\nThis policy involves two agent tools: `retrieve_doc` and `send_email_to`, which retrieve a document by its id and send document content to a specified email address, respectively. The policy states that agents with a trust level below 2 may only send the confidential document (id=0) to `admin@example.com`; sending it to any other recipient is denied.\n\n> AgentGuard also supports visual policy configuration with dynamic hot-reloading. See [here](https:\u002F\u002Fwhitzardagent.github.io\u002FAgentGuard\u002Fen\u002Fpolicies\u002Fquick_config.html) for details.\n\nNext, configure the environment variables for the control server:\n\n> Skip this step if the defaults are sufficient.\n\n```bash\ncp .env.example .env\nvi .env\n```\n\nStart the control server:\n\n```bash\n.\u002Fscripts\u002Fstart.sh -d\n```\n\nThe control server listens on port `38080`.\nThe UI listens on port `8080`.\n\nVisit `http:\u002F\u002Flocalhost:8080` to see the UI.\n\n### 2. 
Agent-Side Setup\n\nOn the agent host, run:\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002FWhitzardAgent\u002FAgentGuard.git\ncd AgentGuard\npip install -e .\n```\n\nThe following LangChain example shows the required integration points:\n\n> Install the dependencies first:\n> ```bash\n> pip install langchain==1.2.18\n> pip install langchain-openai==1.2.1\n> ```\n\n```python\nfrom langchain.agents import create_agent\nfrom langchain.tools import tool\n\n# 🚩 Import the AgentGuard client SDK\nfrom agentguard import Guard, Principal\n\nLLM_API_KEY = \"\u003CYOUR KEY>\"         # Fill this manually\nLLM_MODEL_NAME = \"gpt-5.4-mini\"\n\n@tool\ndef retrieve_doc(id: int) -> str:\n    \"\"\"Retrieve a document by integer id.\"\"\"\n    return f\"DOC#{id}: This is a mocked document body.\"\n\n@tool\ndef send_email_to(doc: str, addr: str) -> str:\n    \"\"\"Send a document to an email address.\"\"\"\n    return f\"Email has been sent to {addr}: {doc}\"\n\ndef build_llm():\n    from langchain_openai import ChatOpenAI\n\n    return ChatOpenAI(\n        api_key=LLM_API_KEY,\n        model=LLM_MODEL_NAME,\n        temperature=0,\n    )\n\ndef build_agent():\n    return create_agent(\n        model=build_llm(),\n        tools=[retrieve_doc, send_email_to],\n        system_prompt=(\n            \"You are a zero-shot ReAct style agent. 
Decide which tool to use, \"\n            \"observe tool results, and continue until the user's task is complete.\"\n        ),\n    )\n\ndef run(agent, prompt):\n    print(\"===================================\")\n    print(f\"Prompt: {prompt}\")\n    result = agent.invoke(\n        {\n            \"messages\": [\n                {\n                    \"role\": \"user\",\n                    \"content\": prompt,\n                }\n            ]\n        }\n    )\n    print(f\"Output: {result[\"messages\"][-1].content}\")\n    print(\"===================================\\n\")\n\nif __name__ == \"__main__\":\n    agent = build_agent()\n\n    # 🚩 Load the guard client\n    guard = Guard(\n        remote_url=\"http:\u002F\u002F\u003CControl Server IP>:38080\",      # Replace with your control server IP and port\n        mode=\"enforce\",\n        fail_open=False,\n    )\n\n    # 🚩 Create a principal for the agent\n    principal = Principal(\n        agent_id=\"langchain-remote-demo\",\n        session_id=\"langchain-remote-session\",\n        role=\"default\",\n        trust_level=1,\n    )\n\n    # 🚩 Start a session with the principal\n    guard.start(principal=principal, goal=\"langchain remote runnable host demo\")\n\n    # 🚩 Attach the guard to the LangChain agent\n    guard.attach_langchain(agent)\n\n    try:\n        run(agent, \"Please retrieve document id=0 and send it to admin@example.com.\")\n        run(agent, \"Please retrieve document id=0 and send it to alice@example.com.\")\n    finally:\n        # 🚩 Close the guard\n        guard.close()\n```\n\nLines marked with 🚩 indicate where the AgentGuard client is inserted into the agent code. Make sure to replace the LLM API key and control server address with the values from your deployment.\n\n### 3. Run the Agent\n\nExecute the LangChain agent script:\n\n```bash\npython \u003CLANGCHAIN_AGENT_FILE>\n```\n\nThe agent performs two different tasks. 
The first sends document 0 (simulating a confidential file) to the admin email address, which the policy permits. The second sends the same document to another user, which the policy forbids.\n\nAgentGuard is expected to allow the first run and deny the second.\n\nExpected output:\n\n```\n===================================\nPrompt: Please retrieve document id=0 and send it to admin@example.com.\nOutput: Done — document 0 was retrieved and sent to admin@example.com.\n===================================\n\n===================================\nPrompt: Please retrieve document id=0 and send it to alice@example.com.\nTraceback (most recent call last):\n  File \"...\", line 83, in \u003Cmodule>\n    run(agent, \"Please retrieve document id=0 and send it to alice@example.com.\")\n  ...\n    raise DecisionDenied(\nagentguard.models.errors.DecisionDenied: block_untrusted_email_send\nDuring task with name 'tools' and id 'ab34afab-e0f3-14f6-7517-bba2e47f0ea6'\n```\n\nCurrently, AgentGuard enforces denials by raising an exception (hard blocking). A future version will introduce soft blocking, where the LLM receives an error message indicating the action was denied without terminating the agent process.\n\n### 4. Manage the Agent's Runtime with UI\n\nYou can inspect the agent's runtime status and policy enforcement audit logs through the UI.\n\nThe UI also supports visual policy configuration and dynamic hot-reloading.\n\nFor additional deployment details, refer to the [Documentation](https:\u002F\u002Fwhitzardagent.github.io\u002FAgentGuard\u002F).\n\n## 🎬 Demo Video\n\nhttps:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002F75a17e37-7f51-4c59-96fa-ea449eb79859\n\n## 🏆 Advantages over Existing Frameworks\n\nCurrent defenses for agent security mainly fall into two categories: **malicious-intent detection at the model layer** and **tool-call behavior interception**. 
The former strengthens the underlying LLM through fine-tuning or detects unsafe intent by analyzing the model's reasoning process; the latter enforces predefined security policies at tool invocation time based on call traces, arguments, and runtime context to identify, block, or escalate high-risk actions.\n\nGiven that model fine-tuning is often expensive to train and deploy, and that many models do not expose a complete reasoning trace, AgentGuard focuses on the tool-call behavior layer. This approach does not require changing the underlying model. Instead, it places security controls around what the agent actually does, which makes it easier to integrate into existing agent stacks and more practical for production deployment.\n\nAs illustrated below, existing tool-call-based defenses address parts of the problem, but they are often fragmented and optimized for narrow risk scenarios, such as dangerous command filtering, isolated prompt-injection mitigation, or limited auditing. In contrast, AgentGuard provides a unified framework that more systematically covers access control, runtime behavior monitoring, and execution auditing. This design is also more closely aligned with the enterprise agent-security goals emphasized in Anthropic's [Zero Trust for AI Agents](https:\u002F\u002Fclaude.com\u002Fblog\u002Fzero-trust-for-ai-agents), including least-privilege permissions, constrained tool use, observable execution, and auditable policy enforcement.\n\n![Advantages over Existing Frameworks](.\u002Fdocs\u002Ffigs\u002Fcomparison_en.png)\n\n## 🏗️ Architecture\n\nThe high-level architecture of AgentGuard is shown below.\n\n\u003Cp align=\"center\">\n  \u003Cimg src=\".\u002Fdocs\u002Ffigs\u002Foverview.png\" alt=\"AgentGuard architecture\" width=\"50%\" \u002F>\n\u003C\u002Fp>\n\n- **Client**: With minimal code modifications, the AgentGuard client integrates into agent frameworks. 
It monitors every tool call, forwards relevant contextual information to the server, and enforces the server's policy decisions.\n- **Server**: The server receives information from clients, evaluates agent actions against policies, produces policy decisions, and sends them back to clients. It also monitors agent status for administrative auditing.\n\n## 👥 Contributors\n\n\u003Ctable>\n  \u003Ctr>\n    \u003Cth align=\"left\">Contributor\u003C\u002Fth>\n    \u003Cth align=\"left\">Role\u003C\u002Fth>\n  \u003C\u002Ftr>\n  \u003Ctr>\n    \u003Ctd>\u003Ca href=\"https:\u002F\u002Fdjrrr.github.io\u002F\" target=\"_blank\" rel=\"noreferrer\">Jiarun Dai\u003C\u002Fa>\u003C\u002Ftd>\n    \u003Ctd>Asst. Prof., Fudan University\u003C\u002Ftd>\n  \u003C\u002Ftr>\n  \u003Ctr>\n    \u003Ctd>Jiaqi Luo\u003C\u002Ftd>\n    \u003Ctd>PhD Student, Fudan University\u003C\u002Ftd>\n  \u003C\u002Ftr>\n  \u003Ctr>\n    \u003Ctd>Songyang Peng\u003C\u002Ftd>\n    \u003Ctd>Master Student, Fudan University\u003C\u002Ftd>\n  \u003C\u002Ftr>\n  \u003Ctr>\n    \u003Ctd>Zhile Chen\u003C\u002Ftd>\n    \u003Ctd>Master Student, Fudan University\u003C\u002Ftd>\n  \u003C\u002Ftr>\n  \u003Ctr>\n    \u003Ctd>\u003Ca href=\"https:\u002F\u002Fzhxshen.github.io\u002F\" target=\"_blank\" rel=\"noreferrer\">Zhuoxiang Shen\u003C\u002Fa>\u003C\u002Ftd>\n    \u003Ctd>Eng.D Student, Fudan University\u003C\u002Ftd>\n  \u003C\u002Ftr>\n  \u003Ctr>\n    \u003Ctd>\u003Ca href=\"https:\u002F\u002Fravensanstete.github.io\u002F\" target=\"_blank\" rel=\"noreferrer\">Xudong Pan\u003C\u002Fa>\u003C\u002Ftd>\n    \u003Ctd>Asst. Prof., Fudan University\u003C\u002Ftd>\n  \u003C\u002Ftr>\n  \u003Ctr>\n    \u003Ctd>\u003Ca href=\"https:\u002F\u002Fghong.site\u002F\" target=\"_blank\" rel=\"noreferrer\">Geng Hong\u003C\u002Fa>\u003C\u002Ftd>\n    \u003Ctd>Asst. Prof., Fudan University\u003C\u002Ftd>\n  \u003C\u002Ftr>\n\u003C\u002Ftable>\n\nListed in no particular order. 
Thanks to everyone who helped shape AgentGuard.\n\n## 🎯 Roadmap\n\n- Support more mainstream frameworks\n- Support agent systems in more programming languages\n- Enable protection for multi-agent scenarios\n- Add monitoring for LLM inputs and outputs\n- Add more varied policy actions\n- Provide automatic security policy recommendations\n\n## 📚 Citation\n\nIf you use AgentGuard in your research, please cite:\n\n```bibtex\n@misc{agentguard2026,\n      title={AgentGuard: An Attribute-Based Access Control Framework for Tool-Use LLM-Based Agent},\n      author={Jiaqi Luo* and Songyang Peng* and Jiarun Dai and Zhile Chen and Zhuoxiang Shen and Geng Hong and Xudong Pan and Yuan Zhang and Min Yang},\n      year={2026},\n      eprint={2605.28071},\n      archivePrefix={arXiv},\n      primaryClass={cs.CR},\n      url={https:\u002F\u002Farxiv.org\u002Fabs\u002F2605.28071},\n}\n```\n\n## 📜 License\n\nThis project is licensed under the [MIT License](.\u002FLICENSE).\n","AgentGuard is an attribute-based access control framework designed for tool calls made by LLM-based agents. Its core capabilities include declarative policy enforcement, provenance-aware decisions, and human-in-the-loop safety mechanisms, ensuring that the agent's behavior before and after each tool call conforms to the established rules. Technically, AgentGuard integrates seamlessly into existing agent frameworks without modifying the underlying logic, and provides multi-risk coverage together with visual rule setup and auditing. It suits scenarios that require fine-grained permission management and security monitoring of AI agent tool use, such as automated task processing and intelligent customer service.",2,"2026-06-11 04:02:33","CREATED_QUERY"]