AI Agent Security & Governance SDK
Deterministic governance, guardrails, cost tracking, and policy management for LLM applications. Open source. TypeScript + Python. Works with any provider.
Website · Documentation · Examples · Discord · Contributing
Install: npm install tealtiger or pip install tealtiger, then wrap one existing OpenAI call:
import { TealOpenAI } from 'tealtiger';
const client = new TealOpenAI({ apiKey: process.env.OPENAI_API_KEY, guardrails: { promptInjection: true } });
const res = await client.chat.completions.create({ model: 'gpt-4o-mini', messages: [{ role: 'user', content: 'Hello!' }] });
console.log(res.security?.decision ?? 'ALLOW');import os
from tealtiger import TealOpenAI
client = TealOpenAI(api_key=os.environ["OPENAI_API_KEY"], guardrails={"prompt_injection": True})
print(client.chat.completions.create(model="gpt-4o-mini", messages=[{"role": "user", "content": "Hello!"}]).security.decision)ALLOW
Governance receipt emitted; cost and guardrails tracked.
Next: full Quick Start and examples.
TealTiger is an open-source SDK that provides deterministic governance for AI agents. It enforces security policies, tracks costs, and produces structured evidence — all at runtime, with no infrastructure required.
Looking for the source code? This is the hub repo. The SDK source lives in the language-specific repos:
- TypeScript SDK: tealtiger-typescript-prod
- Python SDK: tealtiger-python-prod
Or clone this repo with submodules:
git clone --recurse-submodules https://github.com/agentguard-ai/tealtiger.git
Unlike probabilistic safety filters, TealTiger uses deterministic policy evaluation: same input + same policy = same decision, every time. Every governance verdict is reconstructable, traceable to the human who authored the policy, and exportable as structured evidence (SARIF, JUnit XML, JSON).
Key principle: Governance should be an engineering property embedded in the runtime — not a document reviewed after the fact.
npm install tealtigerimport { TealOpenAI } from 'tealtiger';
const client = new TealOpenAI({
apiKey: process.env.OPENAI_API_KEY,
guardrails: {
piiDetection: true,
promptInjection: true,
contentModeration: true,
},
budget: {
maxCostPerRequest: 0.50,
maxCostPerDay: 10.00,
},
});
const response = await client.chat.completions.create({
model: 'gpt-4',
messages: [{ role: 'user', content: 'Hello!' }],
});
// Guardrails enforced. Cost tracked. Evidence produced.pip install tealtigerfrom tealtiger import TealOpenAI
client = TealOpenAI(
api_key=os.getenv("OPENAI_API_KEY"),
guardrails={
"pii_detection": True,
"prompt_injection": True,
"content_moderation": True,
},
budget={
"max_cost_per_request": 0.50,
"max_cost_per_day": 10.00,
},
)
response = client.chat.completions.create(
model="gpt-4",
messages=[{"role": "user", "content": "Hello!"}],
)
# Guardrails enforced. Cost tracked. Evidence produced.- PII Detection — Detect and redact sensitive information automatically
- Prompt Injection Prevention — Block malicious prompt injection attempts
- Content Moderation — Filter toxic, harmful, or inappropriate content
- Secret Detection — 500+ patterns across 9 categories with confidence scoring
- Custom Rules — Define your own security policies
- Budget Enforcement — Hard limits per request, session, and day
- Cost Tracking — Real-time monitoring across all providers
- Cost Alerts — Notifications at configurable thresholds
- Circuit Breakers — Prevent runaway cost loops automatically
- OpenAI — GPT-4, GPT-4o, GPT-3.5
- Anthropic — Claude 3.5, Claude 3
- Google Gemini — Multimodal support
- AWS Bedrock — Claude, Titan, Jurassic, Command, Llama
- Azure OpenAI — Deployment-based routing
- Cohere — Chat, RAG, embeddings
- Mistral AI — European data residency
- DeepSeek — Cost-efficient reasoning models
- Groq — Ultra-low latency inference
- Together AI — Open-source model hosting
- HuggingFace TGI — Self-hosted inference
- xAI (Grok) — Real-time knowledge
- AWS Bedrock Agents — Native guardrail adapter
- AWS AgentCore — Pre/post action governance plugin
- Azure AI Agent Service — Tool-call pipeline middleware
- Deterministic Policy Evaluation — No LLM in the governance path
- Structured Evidence — Every decision produces a reconstructable record
- Cryptographic Proof — Merkle trees + RFC 3161 timestamping (TealProof)
- Non-Human Identity (NHI) — Agent lifecycle, scope enforcement, Zero Standing Privilege
- FREEZE Rules — Immutable emergency kill switches with tamper detection
- Correlation IDs — End-to-end traceability across the decision chain
- Policy Traceability — Every verdict traces to the human policy author
- OWASP Agentic Top 10 — Zero-config policy pack covering all 10 ASI risks
| Dimension | What it does | Module |
|---|---|---|
| 🛡️ Security | Secret detection (500+ patterns), prompt injection, PII, content moderation, Unicode normalization, encoded output detection | TealSecrets TealGuard |
| 🔑 Identity | Non-Human Identity lifecycle, scope enforcement, Zero Standing Privilege, agent attestation | TealEngine (NHI) |
| ⚡ Reliability | Circuit breakers, retry budgets, fallback chains, deterministic degradation | TealCircuit TealReliability |
| 🧠 Memory | Write provenance, instruction injection detection, exfiltration prevention, scope enforcement | TealMemory |
| 💰 Cost | Governance-owned ceilings, anomaly detection, reasoning-token budgets, per-agent attribution | TealMonitor |
| 📋 Evidence | Cryptographic receipts (Merkle + RFC 3161), SARIF export, OTel spans, SIEM integration | TealProof TealAudit |
| ⚙️ Policy | FREEZE rules, PLAN_ONLY mode, hot-swap bundles, anti-tamper, automation levels | TealEngine |
| 🔄 Workflow | Declarative YAML governance workflows, org-level inheritance, floor enforcement | TealFlow |
| 📊 Drift | Behavioral drift detection, statistical baselines, model output regression | TealDrift |
| ⏱️ Temporal | Session TTL, cooldown periods, time-of-day restrictions | TealTemporal |
| 🔍 Registry | MCP definition-drift monitoring, tool description scanning, adapter composition allowlist | TealRegistry |
| 🧠 Classification | Local ONNX ML inference (≤20ms), ensemble modes, regex+ML combination | TealClassifier |
Design principle: No LLM in the governance path. Same input + same policy = same decision, every time.
| Language | Source Code | Package | Install |
|---|---|---|---|
| TypeScript | tealtiger-typescript-prod | npm | npm install tealtiger |
| Python | tealtiger-python-prod | PyPI | pip install tealtiger |
| Framework | Package | Install |
|---|---|---|
| LangChain | langchain-tealtiger | pip install langchain-tealtiger |
| Vercel AI SDK | tealtiger-ai-sdk | npm install tealtiger-ai-sdk |
| PydanticAI | pydanticai-tealtiger | pip install pydanticai-tealtiger |
| Haystack | haystack-tealtiger | pip install haystack-tealtiger |
| CAMEL-AI | camelai-tealtiger | pip install camelai-tealtiger |
| Platform | What it provides | Install |
|---|---|---|
| Dakera | Persistent governance state backend (cost storage, decision receipts, delegation chains via KG) | pip install dakera[tealtiger] |
| AG2 Beta | Governance middleware Extension for AG2 Beta agents | pip install ag2-tealtiger |
| Portkey Gateway | Webhook guardrail for Portkey AI Gateway | Example |
| Daytona | Pre-execution governance for sandboxed code execution | Example |
- Why your AI agent needs a budget — cost governance for LLM apps
- OWASP Agentic Top 10 — practical defenses with TealTiger
- Quick Start Guide
- Security Guardrails
- Cost Governance
- Provider Setup
- FAQ
- Why TealTiger?
- Cross-SDK Feature Parity Matrix
- Governance Event Store Indexes
- Error Code Reference
- Troubleshooting
- Contributing Guide
- Security Policy
- Code of Conduct
- Roadmap
Use the TealTiger badge to show that a project is governed by deterministic agent security and cost policies.
Light badge:
[](https://github.com/agentguard-ai/tealtiger)Dark badge:
[](https://github.com/agentguard-ai/tealtiger)Use examples/python/huggingface_tgi_quickstart.py to try the guarded
Hugging Face Text Generation Inference provider from the Python SDK.
export HF_API_TOKEN="your-hugging-face-token"
export HF_TGI_ENDPOINT="https://your-endpoint.endpoints.huggingface.cloud"
export HF_TGI_MODEL="meta-llama/Meta-Llama-3.1-8B-Instruct"
python examples/python/huggingface_tgi_quickstart.pyThe example enables guardrail and cost-tracking configuration, sends one sample
chat request, then prints the response, token usage, estimated cost, provider,
and correlation ID. Use placeholder values in docs and .env.example files;
never commit a real HF_API_TOKEN.
Use schemas/tealtiger-policy.schema.json for editor autocomplete and validation when authoring TealEngine policy JSON or YAML files. JSON policy files can include:
{
"$schema": "./schemas/tealtiger-policy.schema.json"
}For YAML policies, configure your editor's YAML schema mapping to point policy files such as tealtiger-policy.yml at ./schemas/tealtiger-policy.schema.json.
Use the policy validator script to check a TealTiger policy JSON file before using it in CI/CD or runtime governance:
npm install
npx ts-node scripts/validate-policy.ts ./my-policy.jsonYou can also run the npm script:
npm run validate:policy -- ./my-policy.jsonThe validator loads
schemas/tealtiger-policy.schema.json,
prints schema validation errors, exits 0 when the policy is valid, and exits
1 when the policy is invalid.
TealTiger is open source and we're looking for early contributors to shape the future of AI agent governance.
| Area | Examples | Difficulty |
|---|---|---|
| 🔍 Secret Detection | New detection patterns, custom categories | 🟢 Beginner |
| 📝 Documentation | Guides, examples, API docs, typo fixes | 🟢 Beginner |
| 🧪 Tests | Unit tests, property-based tests, integration tests | 🟡 Intermediate |
| 🔌 Integrations | LangChain, CrewAI, AG2, LlamaIndex middleware | 🟡 Intermediate |
| 💾 Memory Adapters | Redis, Pinecone, Weaviate, ChromaDB adapters | 🟡 Intermediate |
| 🔄 CI/CD Templates | Jenkins, Azure Pipelines, Bitbucket Pipelines | 🟡 Intermediate |
| 🏗️ Core Modules | Governance engine, evidence export, policy evaluation | 🔴 Advanced |
- 🏆 Named in CONTRIBUTORS.md and release notes
- 🎖️ "Founding Contributor" badge — first 25 merged PRs get permanent recognition
- 📣 Shoutout on TealTiger social channels (LinkedIn, X, Dev.to)
- 🔑 Early access to upcoming governance features before public release
- 💬 Direct access to the core team via GitHub Discussions
- 📝 Co-authorship opportunity on technical blog posts
# 1. Star this repo (it helps!)
# 2. Fork and clone the SDK you want to contribute to:
# TypeScript SDK:
git clone https://github.com/agentguard-ai/tealtiger-typescript-prod.git
# Python SDK:
git clone https://github.com/agentguard-ai/tealtiger-python-prod.git
# 3. Pick a "good first issue"
# https://github.com/agentguard-ai/tealtiger/issues?q=label%3A%22good+first+issue%22
# 4. Submit a PR
# 5. Join the team 🐯See CONTRIBUTING.md for detailed guidelines.
Current: v1.3.0 — Autonomous Agent Governance (Released May 18, 2026)
- TealEngine v1.3 with pre/post evaluation pipeline, FREEZE rules, automation levels
- Non-Human Identity (NHI) governance with Zero Standing Privilege
- TealProof — cryptographic governance receipts (Merkle + RFC 3161)
- TealFlow — declarative YAML governance workflows
- TealClassifier — local ONNX ML inference (≤20ms)
- TealDrift, TealState, TealTemporal — behavioral, context, and session governance
- TealMonitor v2 — governance-owned cost ceilings, anomaly detection
- OWASP Agentic Top 10 policy pack (zero-config)
- 12 LLM providers + 3 platform adapters (Bedrock, AgentCore, Azure)
- Full Python SDK parity
Next: v1.4.0 — Zero-Config Adoption & MCP Governance (July 2026)
observe(client)— 1-line auto-instrumentation, zero config, instant visibility- Local CLI dashboard (
npx tealtiger dashboard) - Progressive disclosure: observe → suggest → enforce → govern
- 8 framework adapters: LangChain, LangGraph, CrewAI, AG2, LlamaIndex, CAMEL-AI, Haystack, Vercel AI SDK
- MCP governance: tool validation, per-identity grants, argument-level policies
- Tool poisoning & rug pull defense
- Runaway loop detection & per-trace token budgets
- TEEC v2.1 Execution Receipts (cryptographic evidence)
- EU AI Act, NIST AI RMF, ISO 42001 compliance mappings
- Universal Adapter Governance Contract — enforced across all framework adapters:
- Every proposed tool call, budget change, freeze/unfreeze, and delegated handoff creates a decision record before execution
- Decision binds: agent_id, turn_id, parent_turn_id, action kind, tool name, canonical args digest, policy digest, decision source, expiry, delegation scope
- Execution outcome backlinks to decision_id and effective args digest that actually ran
- Denial, timeout, and require-approval become visible terminal or pending states (no silent transcript gaps)
- Per-actor enforcement: channel/hub approval does not become ambient authority for every agent
- Delegation creates scope-bound authorization: delegatee emits its own decision and outcome record
- Invariant tests: same payload in two turns produces two decision IDs; approval for one agent does not authorize another; revised args create a new pending decision; timeout produces durable terminal result; retry returns prior terminal state instead of re-running side effect
- Supply Chain Integrity Verification — validate AI dependency hashes before agent execution (response to LiteLLM supply chain attack, March 2026)
- A2A Protocol Governance — per-task access scoping, token lifetime enforcement, consent flow governance for Agent2Agent interactions (A2A GA under Linux Foundation, 150+ orgs)
- MCP Tool Integrity Monitoring — definition-drift detection, tool description scanning, adapter composition allowlist, rug-pull defense with cryptographic pinning
- Kill Switch Latency SLA — guaranteed <5ms FREEZE propagation with published benchmarks, quantified time-to-halt for compliance
- Shadow Agent Detection — discover ungoverned agents in the environment, surface unmonitored tool calls and untracked cost
- AI Dependency SBOM — generate Software Bill of Materials for agent dependencies, model provenance, and MCP server inventory
- Dakera Integration (shipped) — persistent governance state backend for distributed deployments (
pip install dakera[tealtiger]). Cost records, decision receipts, and delegation chains survive restarts via agent-scoped memory with importance-weighted retention. - Pack Hunt Defense — multi-agent coordinated attack detection:
- Cross-session intent correlation: link related sessions via
session_group_id, query receipts across sessions by agent + time window - Reassembly detection: flag when N individually-benign requests from different agents/sessions converge on the same output scope within a time window (deterministic, no LLM)
- Multi-model coordination detection: track which model produced which output, flag when output from model A becomes input to model B without governance evaluation in between
- Cross-session intent correlation: link related sessions via
Planned: v1.5.0 — Enterprise Platform (Q3 2026)
- Multi-tenancy with complete data isolation
- RBAC (Owner, Admin, Policy Author, Viewer, Auditor)
- SSO via SAML 2.0 / OIDC (Okta, Azure AD, Google)
- SIEM export (Splunk, Elastic, Sentinel, Datadog)
- Policy staging, dry-run mode, canary deployments
- Scheduled compliance reports & executive dashboard
Future: v2.0.0 — SaaS Security Platform (Q1 2027)
- Full SaaS control plane (CSPM/CWPP model for AI agents)
- CISO executive console with governance health scoring
- TealTiger Operator & Agent for Kubernetes
- Shadow AI detection (discover ungoverned agents)
- Remote kill switch from SaaS console
- CloudEvents, OpenTelemetry, Backstage plugin
All features maintain: in-process <5ms, zero-config entry, no LLM in governance path, offline-capable.
- Discord: Join TealTiger Community
- GitHub Discussions: Ask questions, share ideas
- LinkedIn: TealTiger
- X (Twitter): @TealtigerAI
- Documentation: docs.tealtiger.ai
- Blog: blogs.tealtiger.ai
- Playground: playground.tealtiger.ai
- Email: reachout@tealtiger.ai
TealTiger is committed to responsible open-source security practices.
For vulnerability reports, see our Security Policy.
TealTiger is Apache 2.0 licensed.
Built with ❤️ by the TealTiger team and contributors.
Want to contribute? Check out our CONTRIBUTING.md guide!
⭐ Star this repo if you believe AI agents need governance, not just guardrails.