
Releases: ExposureGuard/haldir

Haldir v0.2.2 — AutoGen integration (Big 4 complete)

18 Apr 22:35


Big 4 agent-framework integrations complete

Haldir now ships native governance for every major AI agent framework developers use in 2026:

  • langchain-haldir
  • crewai-haldir
  • autogen-haldir — new in this release
  • @haldir/ai-sdk (Vercel AI SDK)

Each adds scope-checked permissions, hash-chained audit, and a kill-switch session in ~10 lines of code to any existing agent.

AutoGen highlights

from autogen_agentchat.agents import AssistantAgent
from autogen_haldir import create_session, govern_tool

# Assumed to exist already: my_tool (any AutoGen BaseTool / FunctionTool) and
# model (your AutoGen model client).

# One session per agent: the scopes it may use and its USD spend ceiling
client, sid = create_session(api_key='hld_xxx', agent_id='bot',
                             scopes=['read','search'], spend_limit=10.0)

# Every call through the wrapped tool is scope-checked, charged against the
# spend limit and written to the audit trail
governed = govern_tool(my_tool, client=client, session_id=sid,
                       required_scope='search', cost_usd=0.003)

agent = AssistantAgent(name='researcher', model_client=model, tools=[governed])

Wraps BaseTool / FunctionTool at both run and run_json entry points, preserves the full tool surface (name, description, schema, args_type, return_type) so AutoGen treats it as native, and raises HaldirPermissionError on revocation mid-run.
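The pattern behind a govern_tool-style wrapper, as an added illustration that is not code from the autogen-haldir package or any other Haldir SDK: one in-memory session carrying scopes, a spend limit and a kill-switch flag, and a wrapper that returns an object with the same name/description/execute surface as the tool it wraps but checks all three before every invocation. It is plain JavaScript with no framework dependency; every name in it (Session, governTool, PermissionError, the two sample tools) is hypothetical and the budget figures are constructed.

```javascript
// Added illustration of the govern_tool pattern (hypothetical names, not the
// haldir SDK): one session object, one wrapper that every tool call passes through.

class PermissionError extends Error {
  constructor(message) {
    super(message);
    this.name = 'PermissionError';
  }
}

class Session {
  constructor({ agentId, scopes, spendLimit }) {
    this.agentId = agentId;
    this.scopes = new Set(scopes);   // what this agent is allowed to do
    this.spendLimit = spendLimit;    // USD budget for the whole session
    this.spent = 0;
    this.revoked = false;
    this.audit = [];                 // every allow and deny decision lands here
  }

  // Kill switch: once flipped, the next tool call raises, even mid-run.
  revoke() {
    this.revoked = true;
  }
}

// Wrap a tool ({ name, description, execute }) and hand back an object with the
// same surface, so the agent framework sees nothing unusual.
function governTool(tool, { session, requiredScope, costUsd }) {
  const deny = (reason) => {
    session.audit.push({ tool: tool.name, decision: 'deny', reason });
    throw new PermissionError(`${tool.name}: ${reason}`);
  };
  return {
    ...tool,
    execute(args) {
      if (session.revoked) deny('session revoked');
      if (!session.scopes.has(requiredScope)) deny(`missing scope ${requiredScope}`);
      if (session.spent + costUsd > session.spendLimit) deny('spend limit exceeded');
      session.spent += costUsd;
      session.audit.push({ tool: tool.name, decision: 'allow', args, costUsd });
      return tool.execute(args);
    },
  };
}

// Constructed scenario: a 'read'+'search'-scoped agent with a one-cent budget.
function demo() {
  const session = new Session({ agentId: 'bot', scopes: ['read', 'search'], spendLimit: 0.01 });
  const searchTool = { name: 'web_search', description: 'Search the web', execute: ({ q }) => `results for ${q}` };
  const deleteTool = { name: 'delete_file', description: 'Delete a file', execute: ({ path }) => `deleted ${path}` };
  const search = governTool(searchTool, { session, requiredScope: 'search', costUsd: 0.003 });
  const del = governTool(deleteTool, { session, requiredScope: 'write', costUsd: 0 });

  const allowed = [];
  const denied = [];
  const attempt = (tool, args) => {
    try {
      allowed.push(tool.execute(args));
    } catch (err) {
      if (!(err instanceof PermissionError)) throw err;
      denied.push(err.message);
    }
  };

  attempt(search, { q: 'haldir' });            // allowed, spent 0.003
  attempt(del, { path: '/tmp/report.txt' });   // denied: session has no 'write' scope
  attempt(search, { q: 'autogen' });           // allowed, spent 0.006
  attempt(search, { q: 'crewai' });            // allowed, spent 0.009
  attempt(search, { q: 'langchain' });         // denied: 0.012 would exceed the 0.01 limit
  session.revoke();                            // operator hits the kill switch mid-run
  attempt(search, { q: 'after revoke' });      // denied: session revoked

  return { allowed, denied, spent: session.spent, audit: session.audit, surface: Object.keys(search) };
}

console.log(JSON.stringify(demo(), null, 2));
```

Denied attempts are written to the session's audit list too, so a blocked call is visible to whoever reviews the trail rather than silently disappearing; the check order (revocation first, then scope, then budget) means a revoked session never gets as far as spending.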

Also in this release

  • Architecture diagram SVG embedded in the README (handcoded, no raster deps)
  • Framework-integrated examples: langchain_agent.py, crewai_crew.py, vercel_ai_sdk.ts
  • Repository hygiene: issue + PR templates, dependabot across 7 ecosystems, CODEOWNERS, FUNDING
  • Proxy policy-engine tests (25 cases) — 79 total across Gate / Vault / Watch / Proxy
  • Package metadata polish on PyPI + npm (0.2.2): full classifiers, keywords, cross-linked URLs
  • Comprehensive wiki — 17 pages covering architecture through roadmap at github.com/ExposureGuard/haldir/wiki
  • SECURITY.md with safe-harbor + disclosure policy

Full changelog: CHANGELOG.md

Haldir v0.2.1 — AES-256-GCM Vault

18 Apr 20:26


Vault upgraded to AES-256-GCM

Prior: AES-128-CBC + HMAC-SHA256 (Fernet).
Now: AES-256-GCM with additional authenticated data (AAD) binding each ciphertext to its (tenant_id, secret_name).

What this means for buyers

"AES-256-GCM at rest" is a compliance checklist item on every serious enterprise procurement review. Stating AES-128 previously drew an objection that was technically meaningless; moving to AES-256 is both accurate and stronger.

What this means for security

AAD binding means an attacker with DB write access can no longer:

  • Move a ciphertext between tenants
  • Rename a ciphertext under the same tenant

Decryption fails with InvalidTag in both cases — a defense-in-depth layer the old Fernet setup didn't have.

Breaking change

Existing Fernet ciphertexts are not decryptable by the new code. Self-hosted deployments upgrading from v0.2.0 must rotate every stored secret. The hosted service had no external-user secrets at upgrade time, so no action needed there.

Smoke-tested

6 cases: roundtrip, cross-tenant swap rejection, name-swap rejection, wrong-key rejection, raw-key and base64url key formats. All pass.

Full changelog: CHANGELOG.md

Haldir v0.2.0 — Framework Integrations

18 Apr 18:10


Haldir v0.2.0 — now embedded in every major agent framework

Native integrations shipped

  • langchain-haldir — governance callbacks, tool wrappers, secrets helper
  • crewai-haldir — CrewAI BaseTool wrapping with scope enforcement + audit logging
  • @haldir/ai-sdk — Vercel AI SDK tool wrapping (TypeScript, ESM + CJS + types)

One pip install or npm install, 10 lines of code, and every tool call your agent makes is now scope-checked, audited, and policy-enforced.

Also in this release

  • Hash-chained audit trail — every Watch entry cryptographically chains to the previous; tamper-evident
  • TypeScript types for haldir npm package — full index.d.ts ships with the JS SDK
  • Landing page refresh — Proxy product card, Design Partners CTA, Pricing nav
  • Stripe subscription checkout — live at /pricing
  • Glama-ready Dockerfile — Dockerfile.glama starts the stdio MCP server for registry introspection
  • New blog post — Securing MCP servers with Haldir Proxy

For design partners

Now accepting 5 design partners. 30 days free, full access, direct line to the founder. Email sterling@haldir.xyz if you're shipping AI agents to production.

Full changelog

See CHANGELOG.md.

Haldir v0.1.0 — The Guardian Layer for AI Agents

05 Apr 23:16


What's included

Gate — Agent Identity & Auth

  • Scoped sessions with permissions and spend limits
  • Permission checking on every tool call
  • Session revocation

Vault — Encrypted Secrets & Payments

  • AES-encrypted secret storage
  • Session-scoped access control
  • Payment authorization with budget enforcement

Watch — Audit Trail & Compliance

  • Immutable audit log for every action
  • Anomaly detection
  • Cost tracking and spend reports
  • Compliance export

Proxy — Enforcement Layer

  • Intercepts every MCP tool call
  • Policy enforcement: allow/deny lists, spend limits, rate limits, time windows
  • Automatic tool discovery from upstream MCP servers

Approvals — Human-in-the-Loop

  • Pause agent execution for human review
  • Auto-rules: spend_over, tool_blocked, destructive
  • Webhook notifications

Infrastructure

  • 28+ REST API endpoints
  • 10 MCP tools (98/100 on Smithery)
  • Python SDK (sync + async)
  • Multi-tenant isolation
  • Postgres support
  • Rate limiting
  • Usage tracking
  • Dashboard UI
  • API docs

Install

pip install haldir

Links