Kavach is a default-deny execution gate. Every action passes identity, policy, drift, and invariants. The verdict is a signed permit any other service can verify.
Have an AI coding agent? Install the Kavach skill: npx skills add SarthiAI/kavach-skill
Kavach sits between your caller and the side-effecting action. Every evaluator must approve. The verdict is signed into a tamper-evident chain. No check, no Guarded<A>, no execution.
Wrap any side-effecting function: tool call, HTTP handler, webhook, MCP invocation. It becomes unrunnable without a proof.
Identity, policy, drift, and invariants evaluate in sequence. Any refusal halts the chain. No silent bypass path exists.
Only on unanimous approval do you get Guarded<A>: a type-safe, cryptographically signed permit token.
Run the action. Every verdict is appended to a signed audit chain. Splice a line, verification fails, everywhere.
Not another middleware stack. A type system and a crypto protocol, conspiring to make bypass structurally impossible.
The only way to hold a Guarded<A> is to pass the gate. Enforced by the type system: no convention to remember.
ML-DSA-65 signatures and ML-KEM-768 key exchange, wired in from day one. Hybrid mode available for transition.
Device fingerprint, geo, session age, action count. Catch compromised sessions mid-stream, not just at login.
A signed chain, not a mutable log. Every verdict signs the predecessor's hash. Splice a line, verification fails.
Write rules in TOML, JSON, or dict literals. Edit the file, the watcher picks it up in-flight, no redeploy.
Redis-backed broadcast. One replica revokes a session, every other node in the cluster knows within milliseconds.
Define the policy, gate the call, run only on Permit. A Refuse or Invalidate verdict raises (Python kavach.Refused, Node KavachRefused) before your side effect ever runs. Python and Node / TypeScript SDKs are available today; the Rust crates are built and under internal testing.
# Wrap an action. Only a fully-evaluated Permit # verdict unlocks execution. from kavach import Gate, guarded gate = Gate.from_dict({ "policy": [{ "name": "support_outbound_email", "effect": "permit", "conditions": [ {"identity_role": "support_agent"}, {"action": "send_email"}, {"time_window": "09:00-18:00 Asia/Kolkata"}, ], }], }) # evaluate through identity → policy → drift → invariants @guarded(gate, action="send_email") def send_email(to: str, body: str): smtp.send(to, body) # raises kavach.Refused if the gate blocks send_email("ceo@acme.com", "...", _principal_id="agent-bot", _principal_kind="agent", _roles=["support_agent"])
NIST's post-quantum primitives, wired in from day one. Your permit tokens, sealed channels, and signed audit chains are safe against adversaries that don't exist yet, and ready for the ones that will.
Read the post-quantum docIf your code path runs side-effects based on a model's output, a webhook body, or an admin token, Kavach is the layer between “we checked” and “we can prove we checked.”
Enforce policies on every tool invocation. The LLM can't route around the gate.
Drop a verifiable authorization layer over HTTP APIs, admin endpoints, and webhooks.
Post-quantum crypto without rolling your own. Tamper-evident audit by default.
A drop-in library: not a hosted platform, not a vendor dependency, not another control plane.