GitHub - EdoardoBambini/Agent-Armor-Iaga: AI agents are getting tool access — shell, file system, databases, APIs, secrets. But **nobody is governing what they actually do with it**. Frameworks like LangChain, CrewAI, AutoGen, and Claude Code give agents the power to execute. Agent Armor gives you the power to control, audit, and approve every single action before it happens.

10 min read Original article ↗

Zero-trust governance kernel for autonomous AI agents.

version license 12 layers Rust

What 1.0 is · Quickstart · Features · Architecture · Docs · Status

Agent Armor 1.0 — kernel-enforced governance for autonomous agents

What 1.0 is

Three things in one binary, glued by a typed deterministic policy language:

  1. A kernel. Armor sits below the agent SDK. Process launches go through armor run, which consults the governance pipeline before spawning. The 0.4.0 HTTP sidecar still works for SDK-aware agents; the kernel is the chokepoint for everything else.
  2. A signed log. Every governance verdict produces an Ed25519-signed receipt linked to the previous one in a Merkle append-log per run. Replay verifies the chain bit-exact and detects policy drift.
  3. A reasoning brain. Optional ML models (ONNX, opt-in) emit evidence — never verdicts. The deterministic policy decides; ML produces scores the policy can read. Receipts embed the SHA-256 of every model that touched the decision.

All driven by APL: a typed DSL with deterministic tree-walk evaluation, loadable as a --policy overlay on top of the YAML profile system.

Quickstart

Install + start

cargo install --path crates/armor-core

# Default sqlite, demo data seeded on first boot
armor serve

CLI flow (no auth)

# Path to a JSON file (camelCase keys, see note below)
armor inspect ./payload.json

# Launch a child process under the governance pipeline
armor run --agent-id openclaw-builder-01 -- python my_agent.py

# Replay the signed receipt chain
armor replay --list
armor replay <run_id>

# Test an APL policy file
armor policy lint crates/armor-apl/examples/no_pii_egress.apl
armor policy test crates/armor-apl/examples/no_pii_egress.apl \
    --context crates/armor-apl/examples/sample_context.json

# Inspect kernel + reasoning posture
armor kernel status
armor reasoning info

# Load an APL bundle as a live overlay on top of YAML
armor serve --policy crates/armor-core/examples/policies/strict.apl

HTTP API flow

# Generate an API key once
armor gen-key --label my-app
# → Key: aa_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

# Inspect via HTTP. Auth header is `Authorization: Bearer <key>`.
# Payload uses camelCase: agentId, toolName, actionType.
curl -X POST http://localhost:7777/v1/inspect \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer aa_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -d '{
    "agentId":  "openclaw-builder-01",
    "framework":"langchain",
    "action": {
      "type":     "shell",
      "toolName": "bash",
      "payload":  {"cmd": "ls"}
    }
  }'

Docker

docker compose up -d
curl http://localhost:4010/health     # → 200
docker compose down

The container persists its DB and signer key in a named volume (agent-armor-data). Receipts signed inside the container can only be verified by the same container; to share a signer key across deployments mount your own key file or set ARMOR_SIGNER_KEY_PATH.

Postgres

DATABASE_URL=postgres://user:pwd@host/agent_armor \
  cargo install --path crates/armor-core --features postgres

armor serve   # receipts now go to Postgres automatically

Features

Cargo features on armor-core:

Feature Default Adds
sqlite SQLite backend for audit + receipts.
postgres Postgres backend.
receipts Ed25519-signed Merkle-chained receipts (M2).
apl Armor Policy Language parser + evaluator + armor policy ... (M3).
reasoning Reasoning plane scaffold + armor reasoning info (M3.5).
ml tract-onnx ML backend; opt-in, +~5 MB binary, +~2 min cold compile.
kernel Enforcement kernel + armor run + armor kernel status (M4).
linux-bpf Linux eBPF/LSM scaffold. Real loader ships in 1.0.1.
ui-embed Embeds ui/dist/ into the binary via rust-embed.

default = ["demo", "sqlite", "receipts", "apl", "reasoning", "kernel"].

Architecture

12 layers of defense in depth, organized into 7 architectural pillars described in AGENT_ARMOR_1.0.md:

  1. Enforcement Kernelcrates/armor-kernel/ (M4 scaffold + 1.0.1 loader).
  2. Signed Receiptscrates/armor-receipts/ (M2).
  3. Armor Policy Languagecrates/armor-apl/ (M3 + M6 live overlay).
  4. Attested Plugins — supply-chain integrity (1.1).
  5. Governance Mesh — federated rate budgets (1.1).
  6. Visual Planeui/ embedded via ui-embed feature.
  7. Probabilistic Reasoningcrates/armor-reasoning/ (M3.5).

Workspace layout:

agent-armor/
├── crates/
│   ├── armor-core/          # pipeline, server, CLI, AppState
│   ├── armor-receipts/      # Ed25519 + Merkle log + replay
│   ├── armor-apl/           # APL parser + evaluator
│   ├── armor-reasoning/     # ML evidence (tract-onnx behind `ml`)
│   └── armor-kernel/        # cross-platform launcher + eBPF scaffold
├── docs/adr/                # 8 ADRs (0001–0008)
├── ui/                      # frontend (embedded via ui-embed feature)
├── media/                   # hero assets
├── AGENT_ARMOR_1.0.md       # design document
├── MIGRATION.md             # 0.4.0 → 1.0 + per-milestone notes
└── CHANGELOG.md             # release notes

Documentation

Status

1.0 GA candidate. All six 1.0 milestones complete, 234/234 default tests passing, clippy --all-targets -D warnings clean.

What's intentionally honest about the posture:

  • armor kernel status reports authoritative: no (soft enforcement) until 1.0.1 ships the real eBPF/LSM loader. We don't market enforcement we don't yet provide.
  • armor reasoning info reports engine: noop unless models are configured; pre-trained models for intent-drift / prompt-injection / anomaly-seq ship in 1.0.2.
  • WASM codegen for APL is 1.0.3. Today the evaluator is tree-walking, fully deterministic, and replay-safe — the WASM swap is purely a performance / sandbox-isolation upgrade.
  • macOS Endpoint Security and Windows ETW kernel backends, governance mesh, KMS/HSM signers, GPU ML — all 1.1.

The 1.0 surface is locked. Patch releases are additive; 1.1 is the next major.

Community vs Enterprise

Agent Armor Enterprise: from governance kernel to audit dossier in 14 days.

The governance kernel is the same in both editions. Enterprise adds modules that live in a separate commercial repository. The table below lists only what is verifiable today — what you can clone, build, inspect, or call against a running instance. Roadmap items (eBPF loader, mesh, WASM codegen, curated ML models) are tracked in CHANGELOG.md under the version where they ship.

What ships in the open-source build today (this repository)

Verifiable by git clone && cargo test --workspace && docker compose up -d:

  • 12-layer governance pipeline — single binary, single endpoint (POST /v1/inspect), 234/234 tests passing.
  • Signed action receipts — Ed25519 + Merkle append-log per run, verifiable offline with armor replay <run_id> --verify-only.
  • Armor Policy Language (APL) — typed DSL with deterministic tree-walk evaluator, instruction budget, short-circuit evaluation. Try with armor policy lint <file.apl>.
  • APL live overlay — load a bundle as armor serve --policy <file.apl>. Stricter-wins merge with the YAML profile system.
  • Reasoning plane scaffoldarmor reasoning info. Bring your own ONNX models via --features ml (tract backend, no native deps).
  • Cross-platform UserspaceKernelarmor run -- <cmd> spawns governed child processes on Linux, macOS, Windows.
  • HTTP API with Bearer autharmor gen-key then call POST /v1/inspect with Authorization: Bearer <key>.
  • SQLite and Postgres backends — switch by setting DATABASE_URL=postgres://... and building with --features postgres. Receipts go to the matching backend automatically.
  • BYOK-ready signerARMOR_SIGNER_KEY_PATH lets you point at any 32-byte Ed25519 key file, including one served by your KMS (AWS KMS, Azure Key Vault, HashiCorp Vault, on-prem HSM via the filesystem-mount pattern).
  • Docker deploymentdocker compose up -d, /health returns 200 within ~10 seconds on the first attempt.
  • WASM plugin loadingarmor plugins list and armor plugins validate <file.wasm>.

Run the smoke yourself, every claim above is reproducible from a clean checkout.

What Agent Armor Enterprise adds (separate commercial repository)

Verifiable on request with a sandbox instance — these are concrete modules, not promises. Each lives in a separate commercial repo and is not feasible to reimplement quickly from the OSS surface alone:

  • EU AI Act + GDPR + DORA compliance evidence engine. Generates Annex IV dossiers, RoPA, DPIA, post-market monitoring reports, EU AI Office incident notifications. PDF + JSON-LD output, signed with qualified e-signatures (eIDAS). Tied to the OSS receipt schema so dossiers cite the chain that produced them.
  • DPO Dashboard. Web app for human-in-the-loop review queues, escalation, SLA timers, audit-trailed approvals signed Ed25519 for non-repudiation.
  • Multi-tenant isolation paths. Schema-per-tenant DB layer, per-tenant resource quotas, cross-tenant audit isolation, tenant lifecycle management.
  • Enterprise SSO. SAML 2.0 + OIDC + SCIM provisioning, fine-grained RBAC with role inheritance, MFA enforcement, IP allowlist per tenant.
  • eIDAS qualified signature pipeline. ETSI EN 319 132 (XAdES / PAdES / CAdES), Long-Term Validation profile, connectors to specific EU Trust Service Providers. Receipts gain legal weight in EU jurisdictions.
  • Native SIEM connectors. Splunk, Datadog, Elastic, Sentinel, Chronicle. Field mappings done; not "send us a webhook".
  • Air-gapped distribution. Offline update channel with signed bundle delivery, custom installer, air-gap registry, bundle verification chain.
  • Founder-led support. SLA 99.95%, 24/7 oncall handled by the same team that wrote the kernel. No tier-1 ticket triage.
  • Iaga Cloud managed deployment — when you do not want to run the box yourself.

The compliance pieces require a compliance officer + EU regulatory lawyer kept current as the regulator publishes new guidelines. That work is what you are paying for, on top of the code itself.

Open-core promise

The governance kernel (receipt schema, replay algorithm, APL evaluator, reasoning framework, BYOK signer support, the eBPF loader when it ships in 1.0.1, the single-cluster mesh when it ships in 1.1) is the open-source build of Agent Armor. It is licensed under BUSL-1.1 with Change License: Apache-2.0 baked into the licence itself: four years after publication every release converts automatically and irrevocably to Apache-2.0. No manual switch, no walk-back possible.

Enterprise never gates the security fundamentals. The promise is documented in AGENT_ARMOR_1.0.md §9 so future founders cannot rewrite it.

Why Enterprise exists

For teams in regulated environments (banks, insurers, healthcare, public sector, critical infrastructure), the question is not "can we be compliant" — OSS answers that. The question is "can we prove it to the auditor / notified body / DPO / regulator within two weeks instead of six months". Enterprise turns the OSS mechanisms into the dossiers, dashboards, and signed evidence packs that the EU AI Act, GDPR, and DORA ask for in their acceptance language, and gives you a phone number to the people who wrote the governance kernel when something goes wrong.

See ENTERPRISE.md for the full Enterprise pitch and the EU AI Act / GDPR / DORA article-by-article mapping. Contact: enterprise@iaga.start@gmail.com.

License

The open-source build of Agent Armor is licensed under Business Source License 1.1 with Change License: Apache-2.0 and a Change Date of four years from publication. What that means in plain English:

  • You can run, copy, modify, and redistribute Agent Armor freely for internal use, research, evaluation, and any non-production use.
  • You can run Agent Armor in production as long as your use does not consist of offering Agent Armor itself to third parties as a hosted or managed service that exposes a substantial set of its features (see the Additional Use Grant in LICENSE). Building your own product on top of Agent Armor for your customers is fine.
  • Four years after each release is published, that specific release converts automatically and irrevocably to Apache-2.0. The conversion is written into the licence itself, so it is not something we can walk back later.

Agent Armor Enterprise is sold under a separate commercial agreement. The two share the same kernel; Enterprise adds modules that live in a separate repository and are not covered by this licence.

Repository: https://github.com/EdoardoBambini/Agent-Armor-Iaga Contact: iaga.start@gmail.com