Kavach wraps every tool call, API hit, and agent action in a chain of evaluators: identity, policy, drift, invariants. The only way to run the action is to hold a Guarded<A> proof object. No proof, no execution.
Kavach sits between your caller and the side-effecting action. Every evaluator must approve. The verdict is signed into a tamper-evident chain. No check, no Guarded<A>, no execution.
Wrap any side-effecting function: tool call, HTTP handler, webhook, MCP invocation. It becomes unrunnable without a proof.
Identity, policy, drift, and invariants evaluate in sequence. Any refusal halts the chain. No silent bypass path exists.
Only on unanimous approval do you get Guarded<A>: a type-safe, cryptographically signed permit token.
Run the action. Every verdict is appended to a signed audit chain. Splice a line, verification fails, everywhere.
Not another middleware stack. A type system and a crypto protocol, conspiring to make bypass structurally impossible.
The only way to hold a Guarded<A> is to pass the gate. Enforced by the type system: no convention to remember.
ML-DSA-65 signatures and ML-KEM-768 key exchange, wired in from day one. Hybrid mode available for transition.
Device fingerprint, geo, session age, action count. Catch compromised sessions mid-stream, not just at login.
A signed chain, not a mutable log. Every verdict signs the predecessor's hash. Splice a line, verification fails.
Write rules in TOML, JSON, or dict literals. Edit the file, the watcher picks it up in-flight, no redeploy.
Redis-backed broadcast. One replica revokes a session, every other node in the cluster knows within milliseconds.
Declare the action, evaluate through the chain, unwrap the Guarded<A>, execute. Python SDK is available today; Node and Rust SDKs are built and under internal testing.
# Wrap an action. Only a signed, fully-evaluated # proof can unlock execution. from kavach import Gate, Action, Guarded gate = Gate.from_config("./policy.toml") @gate.action("send_email") def send_email(to: str, body: str) -> None: smtp.send(to, body) # evaluate through identity → policy → drift → invariants proof: Guarded[SendEmail] = gate.evaluate( action=SendEmail(to="ceo@acme.com", body="..."), principal=current_user(), context=request_ctx(), ) # only way to actually run it send_email.unwrap(proof)
NIST's post-quantum primitives, wired in from day one. Your permit tokens, sealed channels, and signed audit chains are safe against adversaries that don't exist yet, and ready for the ones that will.
Read the post-quantum docIf your code path runs side-effects based on a model's output, a webhook body, or an admin token, Kavach is the layer between “we checked” and “we can prove we checked.”
Enforce policies on every tool invocation. The LLM can't route around the gate.
Drop a verifiable authorization layer over HTTP APIs, admin endpoints, and webhooks.
Post-quantum crypto without rolling your own. Tamper-evident audit by default.
A drop-in library: not a hosted platform, not a vendor dependency, not another control plane.