Governance for AI agents. Audit trails, policy enforcement, and compliance.
Website | Docs | 中文文档 | SDK Guide | Compliance
Thin Python SDK for asqav.com. All ML-DSA cryptography runs server-side. Zero native dependencies.
pip install asqavimport asqav
asqav.init(api_key="sk_...")
agent = asqav.Agent.create("my-agent")
sig = agent.sign("api:call", {"model": "gpt-4"})Your agent now has a cryptographic identity, a signed audit trail, and a verifiable action record.
Each signed action returns:
{
"signature_id": "sig_a1b2c3",
"agent_id": "agt_x7y8z9",
"action": "api:call",
"algorithm": "ML-DSA-65",
"timestamp": "2026-04-06T18:30:00Z",
"chain_hash": "b94d27b9934d3e08...",
"verify_url": "https://asqav.com/verify/sig_a1b2c3"
}| Without governance | With asqav |
|---|---|
| No record of what agents did | Every action signed with ML-DSA (FIPS 204) |
| Any agent can do anything | Policies block dangerous actions in real-time |
| One person approves everything | Multi-party authorization for critical actions |
| Manual compliance reports | Automated EU AI Act and DORA reports |
| Breaks when quantum computers arrive | Quantum-safe from day one |
@asqav.sign
def call_model(prompt: str):
return openai.chat.completions.create(model="gpt-4", messages=[{"role": "user", "content": prompt}])
with asqav.session() as s:
s.sign("step:fetch", {"source": "api"})
s.sign("step:process", {"records": 150})agent = await asqav.AsyncAgent.create("my-agent")
sig = await agent.sign("api:call", {"model": "gpt-4"})All API calls retry automatically with exponential backoff on transient failures.
pip install asqav[cli]
asqav quickstart # one-command project setup
asqav doctor # health check for your configuration
asqav verify sig_abc123
asqav agents list
asqav agents create my-agent
asqav syncSign actions offline when the API is unreachable. Queue syncs when connectivity returns.
from asqav import local_sign
local_sign("agt_xxx", "task:complete", {"result": "done"})
# Later: asqav syncNative integrations for 9 frameworks. Each extends AsqavAdapter for version-resilient signing.
pip install asqav[langchain]
pip install asqav[crewai]
pip install asqav[litellm]
pip install asqav[haystack]
pip install asqav[openai-agents]
pip install asqav[llamaindex]
pip install asqav[smolagents]
pip install asqav[dspy]
pip install asqav-pydantic # PydanticAI (external package)
pip install asqav[all]from asqav.extras.langchain import AsqavCallbackHandler
handler = AsqavCallbackHandler(api_key="sk_...")
chain.invoke(input, config={"callbacks": [handler]})
# Observe mode - test governance without API calls
handler = AsqavCallbackHandler(api_key="sk_...", observe=True)from asqav.extras.crewai import AsqavCrewHook
hook = AsqavCrewHook(api_key="sk_...")
task = Task(description="Research competitors", callbacks=[hook.task_callback])from asqav.extras.crewai import AsqavGuardrailProvider
provider = AsqavGuardrailProvider(agent_name="crew-guard")
# Implements the CrewAI GuardrailProvider interfacefrom asqav.extras.llamaindex import AsqavLlamaIndexHandler
handler = AsqavLlamaIndexHandler(api_key="sk_...")from asqav.extras.litellm import AsqavGuardrail
from asqav.extras.haystack import AsqavComponent
from asqav.extras.openai_agents import AsqavGuardrail
from asqav.extras.smolagents import AsqavSmolagentsHook
from asqav.extras.dspy import AsqavDSPyCallbackpip install asqav-pydanticfrom asqav_pydantic import AsqavHooksSee integration docs for full setup guides.
Break high-stakes actions into intent, decision, and execution phases. Each phase produces a signed receipt, and execution only proceeds if policy allows it.
# Three-phase signing: intent, decision, execution
chain = agent.sign_with_phases("data:delete", {"table": "users"})
print(chain.approved) # True if policy allowed it
print(chain.intent) # signed intent receipt
print(chain.decision) # policy evaluation result
print(chain.execution) # signed execution receipt (only if approved)Link actions across multi-step workflows with a shared trace ID. Useful for debugging distributed agent pipelines and correlating audit trails across services.
# Link actions across multi-step workflows
trace_id = asqav.generate_trace_id()
agent.sign("step:1", ctx, trace_id=trace_id)
agent.sign("step:2", ctx, trace_id=trace_id, parent_id="sig_prev")Kill switch that revokes all agents in your organization immediately. Use during security incidents to stop all agent activity until the situation is resolved.
# Kill switch: revoke all agents immediately
asqav.emergency_halt(reason="security incident")asqav provides three tiers of enforcement for AI agent governance:
Strong - the asqav-mcp server acts as a non-bypassable tool proxy. Agents call tools through the MCP server, which checks policy and signs the decision before allowing execution. With a tool_endpoint configured, the server forwards the call and signs request + response together as a bilateral receipt.
Bounded - pre-execution gates (gate_action) check policy and sign the decision before the agent acts. After completing the action, the agent calls complete_action to close the bilateral receipt, linking the approval to the outcome.
Detectable - every action gets a quantum-safe signature (ML-DSA-65) hash-chained to the previous one. If logs are tampered with or entries omitted, the chain breaks and verification fails.
Most teams use all three tiers for different tools. High-risk mutations go through the strong path, routine operations use bounded, and everything gets the detectable layer. Bilateral receipts ensure auditors can verify both what was authorized and what actually happened.
asqav.create_policy(
name="no-deletions",
action_pattern="data:delete:*",
action="block_and_alert",
severity="critical"
)pip install asqav-mcp
export ASQAV_PROXY_TOOLS='{"sql:execute": {"risk_level": "high", "require_approval": true}}'
asqav-mcpThe MCP server exposes gate_action (bounded) and enforced_tool_call (strong) tools to any MCP client - Claude Desktop, Claude Code, Cursor, or custom agents.
Distributed approval where no single entity can authorize alone:
config = asqav.create_signing_group("agt_xxx", min_approvals=2, total_shares=3)
session = asqav.request_action("agt_xxx", "finance.transfer", {"amount": 50000})
asqav.approve_action(session.session_id, "ent_xxx")Use descriptive labels instead of glob patterns for clearer policies:
sig = agent.sign("sql-destructive", {"query": "DROP TABLE users"})Combine revocation, suspension, and policy checks in a single call before running sensitive actions. Returns human-readable explanations of what each policy would do:
result = agent.preflight("data:delete")
if not result.cleared:
raise RuntimeError(f"blocked: {result.reasons}")
# result.explanations contains plain-English descriptions of each checkAttach system prompt hashes and other reproducibility context to signatures:
sig = agent.sign("llm:call", ctx, system_prompt_hash="sha256:a1b2c3...")Export signed action trails as regulation-specific compliance bundles:
bundle = asqav.export_bundle(signatures, "eu_ai_act_art12")Portable, short-lived tokens that let a receiving service verify what an agent is allowed to do without calling your org:
token = agent.create_scope_token(
actions=["data:read:customer"],
ttl=3600
)
# Attach to outgoing API calls
requests.get(url, headers=token.to_header())
# Receiving service verifies without calling your org
verified = asqav.verify_scope_token(token_string)Each scope token includes a unique nonce. Receivers should track used nonces and reject duplicates to prevent replay attacks.
token = agent.create_scope_token(actions=["data:read"], ttl=3600)
seen = set()
if token.nonce in seen:
reject()
seen.add(token.nonce)Reconstruct what an agent did in a session, with chain integrity verification:
timeline = asqav.replay(agent_id="agt_abc", session_id="sess_xyz")
print(timeline.summary())
assert timeline.chain_integrity # verify no tampering
# Or replay from offline bundle
timeline = asqav.replay_from_bundle(bundle)Bind a tool output to its input and verify later that nothing was tampered with:
import hashlib, json
prompt = {"query": "top customers"}
input_hash = hashlib.sha256(json.dumps(prompt, sort_keys=True).encode()).hexdigest()
output = run_tool(prompt)
sig = agent.sign_output("tool:search", input_hash, output)
# Later, from any verifier
result = asqav.verify_output(sig.signature_id, output)
assert result["verified"]Client-side spend tracker that persists every cost as a signed record. Fails closed when the limit would be exceeded:
budget = asqav.BudgetTracker(agent, limit=10.0, currency="USD")
decision = budget.check(estimated_cost=0.25)
if not decision.allowed:
raise RuntimeError(decision.reason)
budget.record("api:openai", actual_cost=0.23, context={"model": "gpt-4"})Generate a portable, signed attestation document proving an agent's governance status. Share it with auditors or partners for independent verification:
attestation = asqav.generate_attestation("agt_abc123", session_id="sess_xyz")
# Anyone with the document can verify it
result = asqav.verify_attestation(attestation)
assert result["valid"] and result["all_valid"]- Signed actions - every agent action gets a ML-DSA-65 signature with RFC 3161 timestamp
- Decorators -
@asqav.signwraps any function with cryptographic signing - Async - full async support with
AsyncAgentand automatic retry - CLI - verify signatures, manage agents, quickstart setup, doctor health check
- Local mode - sign actions offline, sync later
- Observe mode - test governance without API calls using
observe=True - Framework integrations - LangChain, CrewAI, LiteLLM, Haystack, OpenAI Agents SDK, LlamaIndex, smolagents, DSPy, PydanticAI
- Semantic action patterns - descriptive labels instead of glob patterns
- Reproducibility metadata - attach system prompt hashes to signatures
- Compliance bundles - export regulation-specific bundles with
export_bundle - Three-tier enforcement - strong (tool proxy), bounded (pre-execution gates), detectable (signed audit trail)
- Policy enforcement - block or alert on action patterns before execution
- Multi-party signing - m-of-n approval using threshold ML-DSA
- Pre-flight checks - combined revocation, suspension, and policy gate in one call
- Output verification - bind tool outputs to inputs and verify later with
sign_output/verify_output - Budget tracking - client-side spend limits with signed, replayable records
- Attestations - portable signed documents proving an agent's governance status
- Agent identity - create, suspend, revoke, and rotate agent keys
- Audit export - JSON/CSV trails for compliance reporting
- Tokens - scoped JWTs and selective-disclosure tokens (SD-JWT)
- Scope tokens - portable, short-lived tokens for cross-org action verification
- Replay - reconstruct agent sessions with chain integrity checks
- Three-phase signing - intent, decision, and execution phases with signed receipts
- Trace correlation - link actions across multi-step workflows with shared trace IDs
- Emergency halt - kill switch to revoke all agents immediately during incidents
- CrewAI GuardrailProvider - native CrewAI guardrail interface integration
| Package | What it does |
|---|---|
| asqav | Python SDK |
| asqav-mcp | MCP server for Claude Desktop/Code |
| asqav-compliance | CI/CD compliance scanner |
Get started at no cost. Free tier includes agent creation, signed actions, three-tier enforcement, policies, audit export, and framework integrations. Threat detection and monitoring on Pro ($39/mo). Compliance reports, multi-party signing, and incident management on Business ($149/mo). See asqav.com for pricing.
Machine-readable service descriptor at https://asqav.com/.well-known/governance.json for external tools that want to auto-discover asqav's endpoints, algorithms, capabilities, and integrations.
MIT - see LICENSE for details.
If asqav helps you, consider giving it a star. It helps others find the project.