agentpaas

package module
v0.2.3 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 13, 2026 License: MIT Imports: 5 Imported by: 0

README

AgentPaaS

Run AI agents securely. Even if the agent is compromised, it can't leak your data.

You just built an agent using an LLM. Maybe you downloaded a skill from the internet. Maybe the model itself was instructed to be malicious. How do you know it won't phone home with your API keys, your files, your PII?

AgentPaaS runs every agent inside a locked-down container with a default-deny network policy. The agent can only talk to the exact endpoints you approve — nothing else. Credentials are brokered through a gateway sidecar and never visible to the agent code. Every call is logged to a tamper-evident audit trail.

If a prompt-injected agent tries to exfiltrate data to an unknown server, the gateway blocks it. You see the denial in the audit log. Your secrets stay safe.

How It Works

┌─────────────────────────────────────────────────────────┐
│                    YOUR MACHINE                          │
│                                                          │
│  ┌─────────────────────────────────────────┐            │
│  │         INTERNAL-ONLY DOCKER NETWORK     │            │
│  │         (no route to the internet)       │            │
│  │                                          │            │
│  │  ┌──────────────┐    ┌───────────────┐  │            │
│  │  │   AGENT      │    │   GATEWAY     │  │            │
│  │  │  CONTAINER   │    │   SIDECAR     │  │            │
│  │  │              │    │               │  │            │
│  │  │  · Python    │    │  · Policy     │  │            │
│  │  │    agent     │───▶│    enforcer   │  │            │
│  │  │  · No shell  │    │  · Credential │  │            │
│  │  │  · Non-root  │    │    broker     │  │            │
│  │  │  · Read-only │    │  · DNS stub   │  │            │
│  │  │    rootfs    │    │               │  │            │
│  │  │  · No caps   │    │       │       │  │            │
│  │  └──────────────┘    └───────┼───────┘  │            │
│  │                              │          │            │
│  └──────────────────────────────┼──────────┘            │
│                                 │                        │
│                          ONLY ALLOWED                    │
│                          EGRESS PATH                     │
│                                 │                        │
│                                 ▼                        │
│                    ┌─────────────────────┐               │
│                    │   APPROVED APIs     │               │
│                    │  (api.x.ai, etc.)   │               │
│                    └─────────────────────┘               │
│                                                          │
│  ┌──────────────────────────────────────────┐           │
│  │              DAEMON (agentpaasd)           │           │
│  │  · Tamper-evident audit trail              │           │
│  │  · Signed checkpoints                      │           │
│  │  · Hash-chained JSONL + SQLite index       │           │
│  └──────────────────────────────────────────┘           │
└─────────────────────────────────────────────────────────┘

The agent container has no direct internet route. All traffic goes through the gateway sidecar, which enforces your policy. The gateway is the only path out.

The PRIMARY egress control is network topology isolation: the agent container is on a Docker internal-only network with no default route to the internet. An additional iptables egress firewall runs inside the agent container as defense-in-depth — it applies OUTPUT DROP rules to the container's own network stack. This firewall may be unavailable in some container environments (e.g., when iptables is not installed or CAP_NET_ADMIN is absent), and the harness continues without it. Topology isolation remains the hard boundary regardless.

Security Features

Feature What it stops
Default-deny egress Agent can't call any endpoint you didn't explicitly approve
Container isolation Non-root (UID 64000), read-only rootfs, no shell, all capabilities dropped except NET_ADMIN when egress firewall is enabled (defense-in-depth), seccomp profile
Credential brokering Secrets never reach agent code — injected by gateway at request time
Internal-only network No route to internet except through gateway; DNS stub only resolves approved domains
Tamper-evident audit Hash-chained JSONL + signed checkpoints — in-chain tampering (modification, reordering, insertion) detected on verification. Tail truncation (removing last N records) leaves a valid prefix chain and requires external checkpoint anchoring (P2).
Signed audit export Portable signed bundle, verifiable on a second machine
Signed images Every agent image cosign-signed with per-agent identity key
SBOM on every artifact Software bill of materials surfaced at pack time
Domain fronting block Gateway cross-checks SNI/Host/DNS — mismatch = deny
DNS exfiltration block DNS only resolves via gateway stub — raw-IP dialing blocked
Pack-time secret scan Scans build context for leaked secrets before image creation
Budget enforcement Token/wall-clock/iteration limits kill runaway agents
Locked dependency installs uv lockfiles only — no typosquatted package injection
Publisher identity ECDSA P-256 keypair per publisher; bundles signed with publisher key; fingerprint verification via TOFU
Signed bundles .agentpaas file: deterministic tar.gz with lock, policy, SBOM, source; cosign-signed image optional
Provenance chains Every pack/fork appends a signed entry; chain verifies end-to-end; 32-entry cap prevents bloat
Policy deltas Forked bundles show exactly what egress/credentials/MCP tools changed at each hop
Tamper-evident install Post-install verification: lock signature, image digest, policy digest, source digest — all checked
Consent card Receiver sees publisher, policy summary, provenance chain, egress lints before approving install
Fork & redistribute agentpaas fork <ref> <dir> creates editable project; re-pack appends forked provenance entry
Verified by red-team smoke

Six attack fixtures through the real pack → run → gateway → audit pipeline:

Attack Result
Network exfiltration Blocked — gateway policy enforcement (primary: topology isolation)
DNS exfiltration Blocked — internal network isolation (primary: topology isolation)
File system access Restricted — container UID 64000, bind mounts
Privilege escalation Blocked — non-root container
Process escape Mitigated — Docker isolation, no new privs
Secret leakage Prevented — Keychain broker, no env passthrough

Prerequisites

  • Hermes Agent — every AgentPaaS experience runs through Hermes. Install it first.
  • Docker Desktop or Colima — agents run in containers. Install and start Colima:
    brew install colima docker
    colima start
    
  • An LLM API key — e.g. from OpenRouter, OpenAI, xAI, or Anthropic. You'll store this in macOS Keychain via agentpaas secret add — it never enters the Hermes conversation.
  • macOS (Apple Silicon or Intel)

Install

IMPORTANT: Install via Homebrew. Do NOT build from source. Even if you have the repo cloned, make build-all produces dev binaries (0.1.0-dev, unknown commit, no version stamp). The brew cask ships proper versioned binaries with the Linux harness bundled. A new user should never need Go, make, or the source repo.

1. Install Hermes

If you don't have Hermes yet:

brew install nousresearch/tap/hermes-agent
2. Install Docker (if you don't have it)
brew install colima docker
colima start
3. Install AgentPaaS
brew install agentpaas-ai/tap/agentpaas
xattr -cr /opt/homebrew/bin/agentpaas /opt/homebrew/bin/agentpaasd /opt/homebrew/bin/agentpaas-harness-linux
agentpaas daemon start
agentpaas doctor

Important: The brew cask is not notarized. Run xattr -cr BEFORE any agentpaas command — the binaries will be killed by macOS (exit 137) if you skip this step. You only need to do this once after install.

agentpaas doctor verifies Docker, the daemon, keychain, and the harness binary are all ready. If any check fails, it will tell you what to fix.

Quickstart: Build and Run a Governed Agent

Everything below happens inside Hermes. Launch a Hermes session:

hermes
Step 1: Install the AgentPaaS plugin

Tell Hermes:

Install the AgentPaaS plugin from github https://github.com/AgentPaaS-ai/agentpaas

IMPORTANT: Use hermes plugins install from GitHub. Do NOT use make install-plugin from a local clone — that bypasses the after-install flow (skill pointer creation, toolset registration) and a real user does not have the source repo.

Hermes installs the plugin, registers the toolset, and creates the skill pointer. Restart Hermes when it tells you to:

/quit
hermes
Step 2: Store your API key

API keys are never passed through the Hermes conversation — they go directly into macOS Keychain via the terminal. Run this in a separate terminal:

agentpaas secret add openrouter-key
# paste your API key when prompted

Then tell Hermes you're done. Hermes verifies the key exists (by label, never by value) and proceeds.

Step 3: Build an agent

Tell Hermes:

Build a weather agent that takes a city name as input, fetches real weather data from wttr.in, uses an LLM to summarize the conditions, and returns a short forecast.

Hermes asks you a few short questions (which LLM provider, which model, confirm the hostnames), writes the agent code, creates an egress policy allowing only wttr.in and your LLM provider's domain, packs it into a signed container image, and runs it under governance. The pack step enforces that every external hostname and credential is declared in the policy — if anything is missing, the build fails before the agent can ship with a broken or insecure runtime.

Step 4: Invoke the agent

Tell Hermes:

Ask the agent: "What is the capital of France?"

Hermes invokes the agent through the trigger API. The agent calls the LLM through the gateway (credential brokered, egress enforced), and returns the answer.

Step 5: Check the audit trail

Tell Hermes:

Show me the audit trail for the last run

Or from the terminal:

agentpaas audit query

Every allowed and denied call is logged: timestamp, agent identity, destination, credential used, and policy decision.

Sharing Agents

AgentPaaS supports signed agent bundles for secure sharing between users.

Export (Share)
# Initialize your publisher identity (first time only)
agentpaas identity init

# Export an agent as a shareable bundle
agentpaas export --project-dir ~/weather-agent

# Result: weather-agent.agentpaas bundle + your publisher fingerprint
# Read your fingerprint to the receiver over a separate channel
Install (Receive)
# Inspect before installing — see policy, credentials, provenance
agentpaas bundle inspect weather-agent.agentpaas

# Install (interactive — confirms fingerprint, policy, credentials)
agentpaas install weather-agent.agentpaas

# Run the installed agent
agentpaas run weather-agent@&lt;pub8&gt;
Fork and Redistribute
# Fork creates an editable project from an installed agent
agentpaas fork weather-agent@&lt;pub8&gt; ~/my-weather-agent

# After modifying, repack and re-export — provenance chain tracks all changes
cd ~/my-weather-agent && agentpaas pack . && agentpaas export --project-dir .

See docs/sharing.md for the full guide.

Documentation

Troubleshooting

agentpaas binary killed (exit 137) after brew install

The brew cask is not notarized. macOS kills the binary with exit code 137. Clear quarantine on ALL THREE binaries before running any agentpaas command:

xattr -cr /opt/homebrew/bin/agentpaas /opt/homebrew/bin/agentpaasd /opt/homebrew/bin/agentpaas-harness-linux
Daemon won't start (checkpoint key error)

After binary upgrades or clean state resets:

rm -f ~/.agentpaas/state/audit-checkpoint-key.der
agentpaas daemon start
No agentpaas_* tools visible in Hermes

The toolset isn't registered. Run the ensure-toolset script:

python3 ~/.hermes/profiles/<profile>/plugins/agentpaas/scripts/ensure-toolset.py <profile>

Then restart Hermes: /quit then hermes -p <profile>

Pack fails: "agentpaas-sdk was not found"

The SDK is bundled automatically — do NOT list agentpaas-sdk in requirements.txt. Only list your agent's own dependencies.

Agent returns "agentpaas fake llm response"

The LLM is not configured. Either set the llm: section in agent.yaml or tell Hermes to configure it.

Agent fails: "credential is not declared"

Credentials must be declared in policy.yaml, not just stored in Keychain:

credentials:
  - id: my-api-key
    type: header
    header: Authorization

See the manual testing guide for more.

Repository Layout

agentpaas/
├── cmd/                  # agent CLI, agentpaasd daemon, harness
├── internal/             # runtime, policy, secrets, audit, pack, llm, ...
├── api/                  # control + trigger protobuf APIs
├── web/dashboard/        # operator dashboard (not yet enabled)
├── python/agentpaas_sdk/ # Python SDK for agent code
├── integrations/hermes-plugin/
├── test/e2e/             # end-to-end tests
├── test/redteam/         # P1 adversarial smoke fixtures
├── third_party/agentgateway/
├── docs/
└── landing-page/

Changelog

v0.2.0 + v0.2.1 (July 2026)

Agent sharing, provenance chains, fork/redistribute, and release hardening.

What's new since v0.1.1:

  • Publisher identity (agentpaas identity init/show/export): ECDSA P-256 keypair per publisher, stored in macOS Keychain. Every pack signs the lockfile with both the agent identity key and the publisher key.
  • Signed bundles (.agentpaas): deterministic tar.gz containing lock, policy, SBOM, source, and optional cosign-signed image. Offline bundle inspect verifies all signatures and digests without a running daemon.
  • Provenance chains: every pack appends a signed created entry; every fork appends a signed forked entry with a policy delta. Chains verify end-to-end. 32-entry cap prevents chain bloat.
  • Fork & redistribute (agentpaas fork <ref> <dir>): creates an editable project from an installed agent with lineage.json capturing parent metadata. Re-packing appends a forked provenance entry. Tampering lineage.json fails pack closed.
  • Bundle install with consent card (agentpaas install): TOFU trust flow, policy approval, per-hop locally-verified/signer-claimed markings, tail-anchor trust sentence, chain egress lints.
  • Credential mapping (agentpaas installed map-credential): map declared credential IDs to local secrets. Raw values never appear in manifests or audit.
  • Gateway policy enforcement (B19): token budgets, rate limiting, LLM provider locking, ingress auth, guardrails, transformations, timeouts/retry, cost tracking, MCP tool access control — all compiled into per-run agentgateway configs and enforced at runtime.
  • Security claim closure (B20): credential zero-visibility, guaranteed audit ingestion on every terminal path, fail-closed on invalid input/missing credentials/fake LLM, README-claim red-team release gate.
  • Two-persona sharing E2E (B25): S1-S10 test cards covering identity onboarding, export, inspect-before-trust, TOFU install, tamper/impersonation detection, fork chains, credential invisibility.
  • Pack verification checklist: post-build verification (S30-002 through S30-010) catches divergent harness binaries, missing signatures, stale digests.
  • Doctor skopeo check: agentpaas doctor now includes a 12th check using skopeo to verify remote image digests.

Bug fixes since v0.1.1: gateway port field crash (#001), HTTP response status field (#013), stale harness credentials (#016), onboarding skip (#017), gateway-native rate limiting (#021), budget enforcement wiring (#019), HTTP_PROXY regression for non-LLM egress, CLI run timeout (30s→90s), install builder SDK resolution, divergent harness binary detection.

v0.2.1-specific: harness-linux binary now included in the brew cask (was missing — required Go toolchain to build manually). Install section now shows colima docker as a single brew install. agentpaas daemon start added to the install flow before doctor.

v0.1.1 (July 2026)

Initial public release. Local-first governed runtime with default-deny egress, credential brokering, tamper-evident audit, SBOM, pack-time secret scan, and budget enforcement.

License

MIT — see LICENSE.

Documentation

Overview

Package agentpaas embeds the Python SDK (python/agentpaas_sdk/) directly into the agentpaasd binary so that it is available at pack time regardless of how the binary was installed (brew, manual copy, release tarball).

Without this, a brew-only install has no SDK on disk and every packed image fails at runtime with:

ModuleNotFoundError: No module named 'agentpaas_sdk'

The go:embed directive must be in a .go file whose directory is a parent of the files to embed. We place this file at the repo root so it can embed python/agentpaas_sdk/**.

Index

Constants

View Source
const EmbeddedSDKPrefix = "python/agentpaas_sdk"

EmbeddedSDKDir returns the path that should be used as SDKDir when extracting the embedded SDK. Files are under "python/agentpaas_sdk".

Variables

This section is empty.

Functions

func EmbeddedSDKFiles

func EmbeddedSDKFiles() ([]string, error)

EmbeddedSDKFiles returns the list of embedded SDK file paths (POSIX-style, relative to the embed root, e.g. "python/agentpaas_sdk/__init__.py"). Excludes directories, __pycache__, and .pyc files.

func ExtractEmbeddedSDK

func ExtractEmbeddedSDK(dir string) (string, error)

ExtractEmbeddedSDK writes the embedded SDK files into dir, preserving the python/agentpaas_sdk/ directory structure. Returns the path to use as SDKDir (dir + "/python"). The caller MUST remove the temp dir when done.

func ExtractEmbeddedSDKToTemp

func ExtractEmbeddedSDKToTemp() (sdkDir string, cleanup func(), err error)

ExtractEmbeddedSDKToTemp creates a temporary directory, extracts the embedded SDK into it, and returns the SDKDir path. The caller MUST call the cleanup function when done with the SDK.

func HasEmbeddedSDK

func HasEmbeddedSDK() bool

HasEmbeddedSDK reports whether the binary contains the embedded SDK.

Types

This section is empty.

Directories

Path Synopsis
api
control/v1
Package controlv1 is a reverse proxy.
Package controlv1 is a reverse proxy.
trigger/v1
Package triggerv1 is a reverse proxy.
Package triggerv1 is a reverse proxy.
cmd
agent command
Package main provides the AgentPaaS CLI entry point.
Package main provides the AgentPaaS CLI entry point.
agentpaas command
Package main provides the AgentPaaS CLI entry point.
Package main provides the AgentPaaS CLI entry point.
agentpaasd command
Package main is the AgentPaaS daemon (agentpaasd) entry point.
Package main is the AgentPaaS daemon (agentpaasd) entry point.
harness command
Package main is the AgentPaaS harness (agentpaas-harness) entry point.
Package main is the AgentPaaS harness (agentpaas-harness) entry point.
internal
audit
Package audit provides hash-chain log, export, and verification for the AgentPaaS daemon.
Package audit provides hash-chain log, export, and verification for the AgentPaaS daemon.
binresolve
Package binresolve resolves the agentpaas-harness binary and Python SDK directory shared by the daemon pack path and the CLI install path.
Package binresolve resolves the agentpaas-harness binary and Python SDK directory shared by the daemon pack path and the CLI install path.
bundle
Package bundle implements the deterministic .agentpaas tar.gz format: hardened reader, writer, and offline verification (Block 22 T01).
Package bundle implements the deterministic .agentpaas tar.gz format: hardened reader, writer, and offline verification (Block 22 T01).
cli
Package cli implements the AgentPaaS CLI command surface using cobra.
Package cli implements the AgentPaaS CLI command surface using cobra.
daemon
Package daemon provides the AgentPaaS control daemon — a Unix-socket-bound gRPC server that implements the ControlService API.
Package daemon provides the AgentPaaS control daemon — a Unix-socket-bound gRPC server that implements the ControlService API.
dashboard
Package dashboard provides the embedded web dashboard for AgentPaaS. The dashboard is a Preact/TypeScript SPA compiled to static assets and embedded via go:embed.
Package dashboard provides the embedded web dashboard for AgentPaaS. The dashboard is a Preact/TypeScript SPA compiled to static assets and embedded via go:embed.
dockerclient
Package dockerclient provides a Docker client factory that mirrors the Docker CLI's endpoint discovery order.
Package dockerclient provides a Docker client factory that mirrors the Docker CLI's endpoint discovery order.
doctor
Package doctor provides system diagnostic checks for agentpaas.
Package doctor provides system diagnostic checks for agentpaas.
events
Package events provides the event bus and webhook delivery mechanism.
Package events provides the event bus and webhook delivery mechanism.
harness
Package harness runs Python agent code behind a local HTTP lifecycle API.
Package harness runs Python agent code behind a local HTTP lifecycle API.
home
Package home provides the agentpaas home directory layout, discovery, and secure permission management.
Package home provides the agentpaas home directory layout, discovery, and secure permission management.
identity
Package identity provides the local CA, agent keys, and SVID issuance.
Package identity provides the local CA, agent keys, and SVID issuance.
install
Package install implements trust resolution and TOFU (Trust On First Use) consent for the AgentPaaS verified install flow (Block 23).
Package install implements trust resolution and TOFU (Trust On First Use) consent for the AgentPaaS verified install flow (Block 23).
llm
logging
Package logging provides structured logging with built-in redaction for sensitive data.
Package logging provides structured logging with built-in redaction for sensitive data.
mcpmanager
Package mcpmanager manages MCP server resources declared in agent policy.
Package mcpmanager manages MCP server resources declared in agent policy.
naming
Package naming provides primitives for parsing and formatting agent references in the form "name@pub8", where pub8 is the first 8 hex characters of the publisher's public-key fingerprint.
Package naming provides primitives for parsing and formatting agent references in the form "name@pub8", where pub8 is the first 8 hex characters of the publisher's public-key fingerprint.
operator
Package operator provides the stable machine-readable diagnosis and repair-hint layer consumed by the AgentPaaS CLI, dashboard, and Block 13 MCP/Hermes integrations.
Package operator provides the stable machine-readable diagnosis and repair-hint layer consumed by the AgentPaaS CLI, dashboard, and Block 13 MCP/Hermes integrations.
otel
Package otel provides the in-process OpenTelemetry collector and SQLite WAL store for AgentPaaS observability data.
Package otel provides the in-process OpenTelemetry collector and SQLite WAL store for AgentPaaS observability data.
pack
Package pack provides the build pipeline, SBOM, signing, and secret scanning.
Package pack provides the build pipeline, SBOM, signing, and secret scanning.
policy
Package policy parses, validates, and compiles policy into agentgateway configuration.
Package policy parses, validates, and compiles policy into agentgateway configuration.
runtime
Package runtime provides the RuntimeDriver interface and its docker implementation.
Package runtime provides the RuntimeDriver interface and its docker implementation.
secrets
Package secrets provides SecretStore implementations for local profile secrets.
Package secrets provides SecretStore implementations for local profile secrets.
service
Package service generates launchd and systemd service unit files for the AgentPaaS daemon (agentpaasd).
Package service generates launchd and systemd service unit files for the AgentPaaS daemon (agentpaasd).
trigger
Package trigger serves the AgentPaaS Trigger API over gRPC on port 7718 and REST through grpc-gateway on port 7717.
Package trigger serves the AgentPaaS Trigger API over gRPC on port 7718 and REST through grpc-gateway on port 7717.
trust
Package trust manages the publisher trust store — a local, file-backed registry of trusted publisher public keys with TOFU and manual pre-pinning support.
Package trust manages the publisher trust store — a local, file-backed registry of trusted publisher public keys with TOFU and manual pre-pinning support.
test
golden
Package golden — Docker-tier and slow-tier graders.
Package golden — Docker-tier and slow-tier graders.
redteam
Package redteam implements the AgentPaaS P1 red-team smoke gate.
Package redteam implements the AgentPaaS P1 red-team smoke gate.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL