kaizen-security 0.1.0__py3-none-any.whl

kaizen_security/__init__.py

@@ -0,0 +1,5 @@
+from .client import Kaizen, KaizenBlocked
+from .models import Action, Finding, Policy, Verdict
+
+__all__ = ["Kaizen", "KaizenBlocked", "Action", "Finding", "Policy", "Verdict"]
+__version__ = "0.1.0"

kaizen_security/client.py

@@ -0,0 +1,141 @@
+from __future__ import annotations
+
+import functools
+import threading
+import warnings
+from collections import deque
+from typing import Optional
+
+from . import engine
+from .models import Action, Finding, Policy, Verdict
+from .report import Reporter
+
+
+class KaizenBlocked(Exception):
+    def __init__(self, verdict: Verdict):
+        self.verdict = verdict
+        super().__init__(verdict.reason)
+
+
+class Kaizen:
+    """The data plane client. Enforces policy locally for low latency, and
+    reports verdicts to the control plane for the dashboard.
+
+        kz = Kaizen(api_key="kz_live_...")
+        v = kz.inspect(tool="clawhub2", publisher="hightower6eu")
+        if v.blocked: ...
+
+    fail_open defaults to False: if our own evaluation errors, we block. This is
+    a security control, so the safe failure is to deny. Set fail_open=True only
+    if you accept that our bugs become a bypass, and watch your logs.
+    """
+
+    def __init__(
+        self,
+        api_key: str = "",
+        base_url: str = "https://api.getkaizen.io",
+        policies: Optional[list[Policy]] = None,
+        agent: str = "default",
+        fail_open: bool = False,
+        report: bool = True,
+        sync: bool = True,
+        on_verdict=None,
+    ):
+        self.api_key = api_key
+        self.base_url = self._check_url(base_url.rstrip("/"))
+        self.policies = list(policies) if policies else []
+        self.agent = agent
+        self.fail_open = fail_open
+        self._session: deque[Action] = deque(maxlen=20)
+        self._lock = threading.Lock()
+        self._report = report
+        # the reporter exists whenever there is an api_key (it also fetches policy);
+        # the report flag only controls whether we send verdicts back.
+        self._reporter = Reporter(self.base_url, api_key) if api_key else None
+        # optional callback fired after every verdict (used by the OTel exporter)
+        self._on_verdict = on_verdict
+        if sync and api_key and not self.policies:
+            self._sync_policies()
+
+    @staticmethod
+    def _check_url(url: str) -> str:
+        if url.startswith("http://") and not url.startswith(("http://localhost", "http://127.0.0.1")):
+            warnings.warn(
+                "Kaizen base_url is http://, the API key and action data would travel in cleartext. Use https.",
+                stacklevel=3,
+            )
+        return url
+
+    def _sync_policies(self) -> None:
+        if not self._reporter:
+            return
+        fetched = self._reporter.get_policies(self.agent)
+        if fetched is not None:
+            self.policies = fetched
+
+    def inspect(self, action: Optional[Action] = None, **kw) -> Verdict:
+        a = action if action is not None else Action(**kw)
+        try:
+            v = engine.evaluate(a, self.policies)
+        except Exception:
+            v = Verdict("allow" if self.fail_open else "block", "engine error, failed " + ("open" if self.fail_open else "closed"))
+
+        # correlation may only escalate an allow to a block, never downgrade a block
+        if v.allowed:
+            try:
+                v = self._correlate(a, v)
+            except Exception:
+                if not self.fail_open:
+                    v = Verdict("block", "correlation error, failed closed")
+
+        with self._lock:
+            self._session.append(a)
+        if self._reporter and self._report:
+            self._reporter.send(self.agent, a, v)
+        if self._on_verdict:
+            try:
+                self._on_verdict(v, a)
+            except Exception:
+                pass
+        return v
+
+    def enforce(self, action: Optional[Action] = None, **kw) -> Verdict:
+        v = self.inspect(action, **kw)
+        if v.blocked:
+            raise KaizenBlocked(v)
+        return v
+
+    def _correlate(self, a: Action, v: Verdict) -> Verdict:
+        # v1 session rule: a sensitive read earlier, then an outbound connect now.
+        for p in self.policies:
+            if not p.enabled or p.mode != "correlation":
+                continue
+            if (p.rules or {}).get("risky_sequence") == "read_then_connect" and a.kind == "connect":
+                with self._lock:
+                    prior = list(self._session)
+                if any(prev.kind == "file" and (prev.metadata or {}).get("sensitive") for prev in prior):
+                    return Verdict(
+                        "block",
+                        "blocked by correlation: sensitive read then outbound connect",
+                        [Finding("risky sequence", "sensitive read then connect", "correlation")],
+                    )
+        return v
+
+    def guard(self, fn=None, *, tool: Optional[str] = None, kind: str = "tool_call"):
+        """Decorator that inspects a tool call before running it.
+
+        The inspected tool name defaults to the function name; pass tool= to
+        match the name your agent actually invokes. We do not serialize the
+        call arguments into the action, to avoid shipping secrets.
+        """
+        def deco(func):
+            name = tool or getattr(func, "__name__", "tool")
+
+            @functools.wraps(func)
+            def wrapper(*args, **kwargs):
+                self.enforce(Action(kind=kind, tool=name))
+                return func(*args, **kwargs)
+
+            return wrapper
+
+        return deco(fn) if callable(fn) else deco

kaizen_security/engine.py

@@ -0,0 +1,147 @@
+from __future__ import annotations
+
+import ipaddress
+import re
+import unicodedata
+from typing import Optional
+from urllib.parse import urlparse
+
+from .models import Action, Finding, Policy, Verdict
+
+# zero-width and format characters used to disguise lookalike strings
+_ZERO_WIDTH = dict.fromkeys(map(ord, "​‌‍⁠"), None)
+
+_MAX_PATTERN = 200   # cap remote regex length to bound catastrophic backtracking
+_MAX_TOOL = 512      # cap the string we match against
+
+
+def _norm(s: Optional[str]) -> Optional[str]:
+    if not isinstance(s, str):
+        return s
+    return unicodedata.normalize("NFKC", s).translate(_ZERO_WIDTH).strip().lower()
+
+
+def _as_ip(host: str):
+    """Parse a host as an IP, tolerating integer form. Returns None if not an IP."""
+    try:
+        return ipaddress.ip_address(host)
+    except ValueError:
+        pass
+    if host.isdigit():
+        try:
+            return ipaddress.ip_address(int(host))
+        except ValueError:
+            return None
+    return None
+
+
+def _host_of(target: str):
+    """Pull the host out of a URL or host:port, return (ip_or_none, host_lower)."""
+    t = target.strip()
+    if "://" in t:
+        t = urlparse(t).hostname or t
+    else:
+        t = t.split("/", 1)[0]
+    if t.startswith("[") and "]" in t:                 # IPv6 with brackets
+        host = t[1 : t.index("]")]
+    elif t.count(":") == 1:                            # host:port
+        host = t.rsplit(":", 1)[0]
+    else:
+        host = t
+    host = host.rstrip(".").lower()
+    return _as_ip(host), host
+
+
+def _networks(values) -> list:
+    nets = []
+    for v in values or []:
+        try:
+            nets.append(ipaddress.ip_network(str(v).strip(), strict=False))
+        except ValueError:
+            continue
+    return nets
+
+
+def _domain_hit(host: str, domains) -> Optional[str]:
+    h = host.rstrip(".").lower()
+    for d in domains or []:
+        dn = (_norm(str(d)) or "").rstrip(".")
+        if dn and (h == dn or h.endswith("." + dn)):  # match the domain and any subdomain
+            return dn
+    return None
+
+
+def evaluate(action: Action, policies: list[Policy]) -> Verdict:
+    """Stateless evaluation of allowlist and blocklist policies.
+
+    Session-aware correlation lives in the client, which holds the session.
+    Defensive throughout: a malformed remote policy must not throw, because the
+    client's outer handler would otherwise fail the whole evaluation open.
+    """
+    findings: list[Finding] = []
+    for p in policies:
+        if not p.enabled:
+            continue
+        rules = p.rules or {}
+        if p.mode == "blocklist":
+            findings += _blocklist(action, rules)
+        elif p.mode == "allowlist":
+            f = _allowlist(action, rules)
+            if f:
+                findings.append(f)
+    if findings:
+        kinds = ", ".join(sorted({f.kind for f in findings}))
+        return Verdict("block", f"blocked by policy: {kinds}", findings)
+    return Verdict("allow", "no policy matched")
+
+
+def _blocklist(a: Action, rules: dict) -> list[Finding]:
+    out: list[Finding] = []
+
+    pub = _norm(a.publisher)
+    if pub and pub in {_norm(x) for x in (rules.get("publishers") or [])}:
+        out.append(Finding("blacklisted publisher", a.publisher, "blocklist"))
+
+    if a.target:
+        ip, host = _host_of(a.target)
+        if ip is not None:
+            if any(ip in net for net in _networks(rules.get("ips"))):
+                out.append(Finding("known-bad address", str(ip), "blocklist"))
+        else:
+            hit = _domain_hit(host, rules.get("domains"))
+            if hit:
+                out.append(Finding("malicious domain", host, "blocklist"))
+
+    if a.hash:
+        h = a.hash.strip().lower()
+        if h in {str(x).strip().lower() for x in (rules.get("hashes") or [])}:
+            out.append(Finding("known-bad hash", a.hash[:16] + "…", "blocklist"))
+
+    if a.tool:
+        tool = a.tool[:_MAX_TOOL]
+        for pat in (rules.get("skill_patterns") or []):
+            if not isinstance(pat, str) or len(pat) > _MAX_PATTERN:
+                continue
+            try:
+                if re.fullmatch(pat, tool):
+                    out.append(Finding("malicious skill pattern", a.tool, "blocklist"))
+                    break
+            except re.error:
+                continue
+    return out
+
+
+def _allowlist(a: Action, rules: dict) -> Optional[Finding]:
+    """Default-deny. Every dimension the policy constrains must match (AND).
+
+    Policy validation guarantees at least one of publishers or tools is set, so
+    an empty allowlist can never silently block everything.
+    """
+    allowed_pubs = {_norm(x) for x in (rules.get("publishers") or [])}
+    allowed_tools = {_norm(x) for x in (rules.get("tools") or [])}
+
+    if allowed_pubs and _norm(a.publisher) not in allowed_pubs:
+        return Finding("publisher not on the allowlist", a.publisher or "none", "allowlist")
+    if allowed_tools and _norm(a.tool) not in allowed_tools:
+        return Finding("tool not on the allowlist", a.tool or "none", "allowlist")
+    return None

kaizen_security/integrations/__init__.py

@@ -0,0 +1 @@
+"""Framework adapters that attach Kaizen to existing agent runtimes."""

kaizen_security/integrations/langchain.py

@@ -0,0 +1,62 @@
+"""Attach Kaizen to a LangChain / LangGraph agent.
+
+Observe every tool call with the callback handler:
+
+    from kaizen_security import Kaizen
+    from kaizen_security.integrations.langchain import KaizenCallbackHandler
+
+    kz = Kaizen(api_key="kz_live_...", agent="support-bot")
+    agent.invoke({"input": "..."}, config={"callbacks": [KaizenCallbackHandler(kz)]})
+
+The callback is observe-only: LangChain swallows exceptions raised inside
+callbacks, so it cannot block a tool. To BLOCK, wrap the tool instead:
+
+    from kaizen_security.integrations.langchain import guard_tool
+    safe_tool = guard_tool(kz, my_tool)
+
+langchain is an optional dependency; this module imports it lazily.
+"""
+from __future__ import annotations
+
+from ..models import Action
+
+try:  # modern LangChain
+    from langchain_core.callbacks import BaseCallbackHandler as _Base
+except Exception:  # pragma: no cover
+    try:  # older LangChain
+        from langchain.callbacks.base import BaseCallbackHandler as _Base
+    except Exception:
+        _Base = object
+
+
+class KaizenCallbackHandler(_Base):
+    """Reports every tool call to Kaizen so the Observer learns the agent's
+    behavior and flags deviations. Observe-only (see guard_tool to block)."""
+
+    def __init__(self, kaizen):
+        self.kaizen = kaizen
+
+    def on_tool_start(self, serialized, input_str, **kwargs):
+        name = (serialized or {}).get("name") or "tool"
+        self.kaizen.inspect(Action(kind="tool_call", tool=name, metadata={"input": input_str}))
+
+
+def guard_tool(kaizen, tool, enforce: bool = True):
+    """Wrap a LangChain tool so Kaizen inspects each call. With enforce (default),
+    a blocked call returns a refusal string instead of executing the tool."""
+    from langchain_core.tools import StructuredTool
+
+    name = getattr(tool, "name", None) or "tool"
+
+    def _wrapped(**kwargs):
+        verdict = kaizen.inspect(Action(kind="tool_call", tool=name, metadata={"input": kwargs}))
+        if enforce and verdict.blocked:
+            return f"Blocked by Kaizen: {verdict.reason}"
+        return tool.invoke(kwargs)
+
+    return StructuredTool.from_function(
+        func=_wrapped,
+        name=name,
+        description=getattr(tool, "description", "") or "",
+        args_schema=getattr(tool, "args_schema", None),
+    )

kaizen_security/integrations/openai_agents.py

@@ -0,0 +1,57 @@
+"""Attach Kaizen to an OpenAI Agents SDK agent in one line.
+
+    from agents import Agent, Runner
+    from kaizen_security import Kaizen
+    from kaizen_security.integrations.openai_agents import KaizenHooks
+
+    kz = Kaizen(api_key="kz_live_...", agent="support-bot")
+    await Runner.run(agent, "do the thing", hooks=KaizenHooks(kz))
+
+Every tool the agent calls flows to Kaizen: it is inspected against policy and
+reported, so the isolated Observer learns the agent's behavior and flags
+deviations. Observe-only by default; with enforce=True a blocked tool is stopped
+before it runs (via the SDK's tool-rejection path, falling back to raising).
+
+Importing this module does not require openai-agents to be installed; KaizenHooks
+only needs it at runtime when you actually run an agent.
+"""
+from __future__ import annotations
+
+from ..client import KaizenBlocked
+from ..models import Action
+
+try:  # the base class is provided by openai-agents when present
+    from agents import RunHooks as _Base
+except Exception:  # pragma: no cover - openai-agents optional
+    _Base = object
+
+
+def _tool_name(tool) -> str:
+    return getattr(tool, "name", None) or getattr(tool, "__name__", None) or "tool"
+
+
+def _tool_args(context):
+    for attr in ("tool_input", "tool_arguments"):
+        v = getattr(context, attr, None)
+        if v is not None:
+            return v
+    return None
+
+
+class KaizenHooks(_Base):
+    """RunHooks that route every tool call through Kaizen."""
+
+    def __init__(self, kaizen, enforce: bool = False):
+        self.kaizen = kaizen
+        self.enforce = enforce
+
+    async def on_tool_start(self, context, agent, tool):
+        action = Action(kind="tool_call", tool=_tool_name(tool), metadata={"arguments": _tool_args(context)})
+        verdict = self.kaizen.inspect(action)
+        if self.enforce and verdict.blocked:
+            reject = getattr(context, "reject_tool", None)
+            if callable(reject):
+                reject(verdict.reason)  # clean: tool never executes
+            else:
+                raise KaizenBlocked(verdict)
+        return None

kaizen_security/integrations/otel.py

@@ -0,0 +1,39 @@
+"""Emit an OpenTelemetry span for each Kaizen verdict.
+
+    from kaizen_security import Kaizen
+    from kaizen_security.integrations.otel import record_verdict
+
+    kz = Kaizen(api_key="kz_live_...", on_verdict=record_verdict)
+
+Every inspect() then appears in your traces as a `kaizen.inspect` span carrying
+the decision, reason, tool, and target. Blocked verdicts mark the span as an
+error, so they surface in Datadog, Grafana, Honeycomb, or any OTel backend with
+no per-vendor code. opentelemetry is an optional dependency.
+"""
+from __future__ import annotations
+
+try:
+    from opentelemetry import trace as _trace
+except Exception:  # pragma: no cover - opentelemetry optional
+    _trace = None
+
+
+def record_verdict(verdict, action=None):
+    if _trace is None:
+        return
+    tracer = _trace.get_tracer("kaizen-security")
+    with tracer.start_as_current_span("kaizen.inspect") as span:
+        span.set_attribute("kaizen.decision", verdict.decision)
+        if getattr(verdict, "reason", None):
+            span.set_attribute("kaizen.reason", verdict.reason)
+        if action is not None:
+            if action.kind:
+                span.set_attribute("kaizen.kind", action.kind)
+            if action.tool:
+                span.set_attribute("kaizen.tool", action.tool)
+            if getattr(action, "publisher", None):
+                span.set_attribute("kaizen.publisher", action.publisher)
+            if getattr(action, "target", None):
+                span.set_attribute("kaizen.target", action.target)
+        if verdict.blocked:
+            span.set_status(_trace.Status(_trace.StatusCode.ERROR, verdict.reason or "blocked"))

kaizen_security/mcp_shim.py

@@ -0,0 +1,109 @@
+"""Kaizen MCP shim: attach the Observer to any MCP agent with zero code change.
+
+An MCP client talks to an MCP server over stdio (newline-delimited JSON-RPC).
+This shim sits transparently in the middle: it spawns the real server, forwards
+traffic both ways, and intercepts every `tools/call`. Each call is inspected by
+Kaizen (and reported, so the Observer learns the agent's behavior). A blocked
+call is answered with an MCP error and never reaches the server.
+
+Usage (e.g. in an MCP client config, replacing the server command):
+
+    kaizen-mcp -- uvx some-mcp-server --flag value
+
+Config via env: KAIZEN_API_KEY, KAIZEN_AGENT, KAIZEN_BASE_URL.
+"""
+from __future__ import annotations
+
+import json
+import os
+import subprocess
+import sys
+import threading
+
+from .client import Kaizen
+from .models import Action
+
+
+def _kaizen_from_env() -> Kaizen:
+    return Kaizen(
+        api_key=os.environ.get("KAIZEN_API_KEY"),
+        agent=os.environ.get("KAIZEN_AGENT", "mcp-agent"),
+        base_url=os.environ.get("KAIZEN_BASE_URL", "https://api.getkaizen.io"),
+    )
+
+
+def _block_response(req_id, reason: str) -> dict:
+    # An MCP tool result with isError so the model sees a refusal, not a crash.
+    return {
+        "jsonrpc": "2.0",
+        "id": req_id,
+        "result": {"content": [{"type": "text", "text": f"Blocked by Kaizen: {reason}"}], "isError": True},
+    }
+
+
+def intercept(line: str, kz: Kaizen):
+    """Decide what to do with one client->server line.
+
+    Returns (forward, response):
+      forward  = the line to send on to the real server, or None to drop it
+      response = a JSON-RPC dict to send straight back to the client, or None
+    """
+    try:
+        msg = json.loads(line)
+    except Exception:
+        return line, None  # not JSON we understand; pass through untouched
+    if isinstance(msg, dict) and msg.get("method") == "tools/call":
+        params = msg.get("params") or {}
+        action = Action(kind="tool_call", tool=params.get("name"), metadata={"arguments": params.get("arguments")})
+        verdict = kz.inspect(action)
+        if verdict.blocked:
+            return None, _block_response(msg.get("id"), verdict.reason)
+    return line, None
+
+
+def run(server_cmd, kaizen: Kaizen = None, stdin=None, stdout=None) -> int:
+    kz = kaizen or _kaizen_from_env()
+    stdin = stdin or sys.stdin
+    stdout = stdout or sys.stdout
+    proc = subprocess.Popen(server_cmd, stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True, bufsize=1)
+
+    # server -> client (verbatim)
+    def pump_out():
+        for line in proc.stdout:
+            stdout.write(line)
+            stdout.flush()
+
+    t = threading.Thread(target=pump_out, daemon=True)
+    t.start()
+
+    # client -> server (intercepted)
+    for line in stdin:
+        line = line.rstrip("\n")
+        if not line:
+            continue
+        forward, response = intercept(line, kz)
+        if response is not None:
+            stdout.write(json.dumps(response) + "\n")
+            stdout.flush()
+        if forward is not None:
+            proc.stdin.write(forward + "\n")
+            proc.stdin.flush()
+
+    proc.stdin.close()
+    code = proc.wait()
+    t.join(timeout=5)  # drain remaining server output before returning
+    return code
+
+
+def main():
+    argv = sys.argv[1:]
+    if "--" in argv:
+        argv = argv[argv.index("--") + 1:]
+    if not argv:
+        sys.stderr.write("usage: kaizen-mcp -- <mcp-server-command> [args...]\n")
+        sys.exit(2)
+    sys.exit(run(argv))
+
+
+if __name__ == "__main__":
+    main()

kaizen_security/models.py

@@ -0,0 +1,73 @@
+from __future__ import annotations
+
+from dataclasses import dataclass, field, asdict
+from typing import Any, Optional
+
+MODES = {"allowlist", "blocklist", "correlation"}
+DECISIONS = {"allow", "block"}
+
+
+# An Action is what an agent is about to do, the thing we inspect.
+@dataclass
+class Action:
+    kind: str = "tool_call"          # tool_call | skill_load | connect | file
+    tool: Optional[str] = None       # tool or skill name
+    publisher: Optional[str] = None  # who published it
+    target: Optional[str] = None     # ip, domain, url, or path
+    hash: Optional[str] = None       # file hash
+    metadata: dict[str, Any] = field(default_factory=dict)
+
+    def to_dict(self) -> dict:
+        return asdict(self)
+
+
+@dataclass
+class Finding:
+    kind: str
+    value: str
+    source: str = "policy"
+
+    def to_dict(self) -> dict:
+        return asdict(self)
+
+
+# The stable verdict contract: allow or block, with a reason and the evidence.
+@dataclass
+class Verdict:
+    decision: str = "allow"          # allow | block
+    reason: str = ""
+    evidence: list[Finding] = field(default_factory=list)
+
+    @property
+    def blocked(self) -> bool:
+        return self.decision == "block"
+
+    @property
+    def allowed(self) -> bool:
+        return self.decision == "allow"
+
+    def to_dict(self) -> dict:
+        return {
+            "decision": self.decision,
+            "reason": self.reason,
+            "evidence": [f.to_dict() for f in self.evidence],
+        }
+
+
+@dataclass
+class Policy:
+    mode: str                        # allowlist | blocklist | correlation
+    rules: dict[str, Any] = field(default_factory=dict)
+    name: str = ""
+    enabled: bool = True
+
+    def __post_init__(self):
+        # A mistyped mode would silently become a no-op, which for a security
+        # control means a silent bypass. Reject it loudly instead.
+        if self.mode not in MODES:
+            raise ValueError(f"unknown policy mode {self.mode!r}, expected one of {sorted(MODES)}")
+        # An empty allowlist would otherwise block everything silently.
+        if self.mode == "allowlist":
+            r = self.rules or {}
+            if not (r.get("publishers") or r.get("tools")):
+                raise ValueError("an allowlist policy must list at least one allowed publisher or tool")

kaizen_security/report.py

@@ -0,0 +1,89 @@
+from __future__ import annotations
+
+import json
+import queue
+import ssl
+import threading
+import urllib.request
+from typing import Optional
+
+from .models import Action, Policy, Verdict
+
+SCHEMA_VERSION = "1"
+_SSL = ssl.create_default_context()
+
+
+# Talks to the control plane. Standard library only, so the SDK stays
+# dependency free. Verdict reporting goes through one bounded queue drained by a
+# small worker pool, so a slow or unreachable control plane can never spawn
+# unbounded threads or block the agent.
+class Reporter:
+    def __init__(self, base_url: str, api_key: str, timeout: float = 3.0, workers: int = 2, max_queue: int = 1000):
+        self.base_url = base_url.rstrip("/")
+        self.api_key = api_key
+        self.timeout = timeout
+        self._q: queue.Queue = queue.Queue(maxsize=max_queue)
+        self._started = False
+        self._workers = workers
+
+    def _ensure_workers(self) -> None:
+        if self._started:
+            return
+        self._started = True
+        for _ in range(self._workers):
+            threading.Thread(target=self._drain, daemon=True).start()
+
+    def _drain(self) -> None:
+        while True:
+            payload = self._q.get()
+            try:
+                self._post("/v1/verdicts", payload)
+            except Exception:
+                pass
+            finally:
+                self._q.task_done()
+
+    def _headers(self) -> dict:
+        return {"Authorization": f"Bearer {self.api_key}", "Content-Type": "application/json"}
+
+    def _post(self, path: str, payload: dict) -> None:
+        req = urllib.request.Request(
+            self.base_url + path,
+            data=json.dumps(payload).encode(),
+            headers=self._headers(),
+            method="POST",
+        )
+        urllib.request.urlopen(req, timeout=self.timeout, context=_SSL).close()
+
+    def send(self, agent: str, action: Action, verdict: Verdict) -> None:
+        self._ensure_workers()
+        payload = {
+            "schema_version": SCHEMA_VERSION,
+            "agent": agent,
+            "action": action.to_dict(),
+            "verdict": verdict.to_dict(),
+        }
+        try:
+            self._q.put_nowait(payload)   # drop, never block the agent, if the queue is full
+        except queue.Full:
+            pass
+
+    def get_policies(self, agent: str) -> Optional[list[Policy]]:
+        try:
+            req = urllib.request.Request(
+                self.base_url + f"/v1/policy?agent={agent}",
+                headers={"Authorization": f"Bearer {self.api_key}"},
+            )
+            with urllib.request.urlopen(req, timeout=self.timeout, context=_SSL) as r:
+                data = json.loads(r.read())
+            return [
+                Policy(
+                    mode=p["mode"],
+                    rules=p.get("rules", {}),
+                    name=p.get("name", ""),
+                    enabled=p.get("enabled", True),
+                )
+                for p in data.get("policies", [])
+            ]
+        except Exception:
+            return None

kaizen_security-0.1.0.dist-info/METADATA

@@ -0,0 +1,94 @@
+Metadata-Version: 2.4
+Name: kaizen-security
+Version: 0.1.0
+Summary: Pluggable enforcement for AI agent actions. Inspect every tool call and block known-bad.
+Author: Kaizen Security
+License: Apache-2.0
+Project-URL: Homepage, https://getkaizen.io
+Project-URL: Documentation, https://docs.getkaizen.io
+Keywords: ai,agents,security,mcp,guardrails
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Topic :: Security
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+Provides-Extra: test
+Requires-Dist: pytest<9.0,>=8.0; extra == "test"
+Provides-Extra: openai-agents
+Requires-Dist: openai-agents>=0.1; extra == "openai-agents"
+Provides-Extra: langchain
+Requires-Dist: langchain-core>=0.1; extra == "langchain"
+Provides-Extra: opentelemetry
+Requires-Dist: opentelemetry-api>=1.20; extra == "opentelemetry"
+
+# kaizen-security
+
+Pluggable enforcement for AI agent actions. Inspect every tool call, skill load, or outbound connection, and block the known-bad before it reaches your data. Zero runtime dependencies.
+
+## Install
+
+```bash
+pip install kaizen-security
+```
+
+## Quickstart
+
+```python
+from kaizen_security import Kaizen
+
+kz = Kaizen(api_key="kz_live_...")          # syncs policy from the control plane
+
+verdict = kz.inspect(tool="clawhub2", publisher="hightower6eu", target="91.92.242.30")
+if verdict.blocked:
+    print(verdict.reason)                    # blocked by policy: blacklisted publisher, ...
+    for f in verdict.evidence:
+        print(f.kind, f.value)
+```
+
+Raise on a block instead of branching:
+
+```python
+from kaizen_security import KaizenBlocked
+
+try:
+    kz.enforce(tool="clawhub2", publisher="hightower6eu")
+except KaizenBlocked as e:
+    handle(e.verdict)
+```
+
+Wrap a tool function:
+
+```python
+@kz.guard
+def call_tool(name, **kwargs):
+    ...
+```
+
+## Run it fully local, no account
+
+```python
+from kaizen_security import Kaizen, Policy
+
+policy = Policy(mode="blocklist", rules={
+    "publishers": ["hightower6eu"],
+    "ips": ["91.92.242.30"],
+    "skill_patterns": [r"^clawhub[0-9]*$"],
+})
+kz = Kaizen(policies=[policy], report=False)
+```
+
+## The contract
+
+`inspect(action) -> Verdict(decision, reason, evidence)` where `decision` is `allow` or `block`. Enforcement runs locally for low latency. When an `api_key` is set, the client syncs policy from the control plane and reports verdicts back for the dashboard, fire and forget so it never adds latency.
+
+## Modes
+
+- `blocklist`: block on a match against blacklisted publishers, IPs, domains, skill patterns, or hashes.
+- `allowlist`: allow only approved publishers or tools, block the rest.
+- `correlation`: flag a risky session sequence, for example a sensitive read followed by an outbound connect.

kaizen_security-0.1.0.dist-info/RECORD

@@ -0,0 +1,16 @@
+kaizen_security/__init__.py,sha256=N6o5303FJKuQplX9_T46Wyn_eFApb65h7Wdlqkm1tJU,198
+kaizen_security/client.py,sha256=5J12Pmce4XP727pjh6_gQ_nE4eGu1LK_ssQBrYuYvmY,5329
+kaizen_security/engine.py,sha256=1E1NRdK54hz534MeBhW1XGVkOfc9NIvWJqnySPlPY_s,5053
+kaizen_security/mcp_shim.py,sha256=3EPT4Adv6Ill-b5eQW_lqM10OAm277Ed-AUXDl9vCOc,3512
+kaizen_security/models.py,sha256=PVypeNKZGyqt3HY9VNZvqCi0HV6v-qk-zEYTVF5Eqyc,2288
+kaizen_security/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+kaizen_security/report.py,sha256=7adLmcGLqGoB0eIJy71fehploMyLy4WW9n7UbzYNIdM,3013
+kaizen_security/integrations/__init__.py,sha256=tOJRNEslqI1f2hgOGwFbHJISVMQ_F_JpNcdhl5GgWis,72
+kaizen_security/integrations/langchain.py,sha256=ABMBR9Yjn3rPJaHgKgvobFaL9YykDboM58_7eUT5LA0,2290
+kaizen_security/integrations/openai_agents.py,sha256=3xD8TmtERDwf7ITqbFKBCJDA-pUoMXRh4_XknN7wscM,2084
+kaizen_security/integrations/otel.py,sha256=hY3NvhI4o0sh4pk53CvzfA5CXwKx2VFlvAiAGbQvbAA,1645
+kaizen_security-0.1.0.dist-info/METADATA,sha256=2JnRJow7Eg1ZdurJsI-lnEIDVtYzXOtxYbqhzIMUDNg,3050
+kaizen_security-0.1.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+kaizen_security-0.1.0.dist-info/entry_points.txt,sha256=UVdKCfjWsTGJ4Yxmv0ko07H8NiCpGFaVn2RVxjgCrf8,61
+kaizen_security-0.1.0.dist-info/top_level.txt,sha256=3xsiBAUi_Ny28MZveTWIfV_rStUjriEuJbPU63XAQbo,16
+kaizen_security-0.1.0.dist-info/RECORD,,

kaizen_security-0.1.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

kaizen_security-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+kaizen-mcp = kaizen_security.mcp_shim:main

kaizen_security-0.1.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+kaizen_security