```text
███╗ ███╗███████╗ ██████╗ ███████╗███╗ ██╗████████╗
████╗ ████║██╔════╝██╔════╝ ██╔════╝████╗ ██║╚══██╔══╝
██╔████╔██║█████╗ ██║ ███╗█████╗ ██╔██╗ ██║ ██║
██║╚██╔╝██║██╔══╝ ██║ ██║██╔══╝ ██║╚██╗██║ ██║
██║ ╚═╝ ██║███████╗╚██████╔╝███████╗██║ ╚████║ ██║
╚═╝ ╚═╝╚══════╝ ╚═════╝ ╚══════╝╚═╝ ╚═══╝ ╚═╝
```
A zero-trust safety layer for AI agents. Wrap tools fast. Ship with confidence.
Open-source AI agent security middleware for policy-enforced tool calls, prompt injection resistance, and PII masking.
Megent helps secure AI agents by enforcing allow/deny tool policies, masking sensitive data, and logging every tool decision.
AI agents are calling tools. Most of those calls look harmless. But sequences don't lie.
Traditional security tools inspect calls one by one. Megent enforces policy at execution time.
Built for teams that want speed without security debt.
Megent sits between your agent and its tools, running every call through three primitives:
```text
┌─────────────────────────────────────────────────────┐
│ AGENT RUNTIME                                       │
│                                                     │
│ tool_call() ──► [ INTERCEPT ] ──► [ CONTEXT ]       │
│                                        │            │
│                                    [ JUDGE ]        │
│                                        │            │
│                              allow / deny / modify  │
└─────────────────────────────────────────────────────┘
```
```bash
pip install megent
```

No framework migration. No plugin boilerplate. Just one policy file and one decorator.
- Create a `megent.yaml` file in your project root:

  ```yaml
  version: "1"
  default_action: deny
  tools:
    send_email:
      allow: true
      pii_mask: [email, phone]
  ```

- Add Megent to your function:

  ```python
  import megent as mg

  mg.configure(policy_path="megent.yaml")

  @mg.guard
  def send_email(to: str, body: str) -> str:
      return "sent"

  send_email("ops@example.com", "Call me at +1 555 111 2222")
  ```

- Run your app. Calls are now policy-checked, and sensitive fields are masked automatically.
```python
import megent as mg

mg.configure(policy_path="policies/agent.yaml")

@mg.guard
def send_email(to: str, subject: str, body: str) -> str:
    # your tool implementation
    return "sent"

send_email(
    to="ops@example.com",
    subject="Daily summary",
    body="Contact me at jane.doe@example.com",
)
```

```python
import megent as mg

runtime = mg.Runtime(policy_path="policies/agent.yaml")

safe_execute = mg.wrap(
    third_party_agent.execute,
    runtime=runtime,
    tool_name="agent_execute",
)

safe_execute(task="Summarize latest reports")
```

That's it. Megent intercepts every tool call, evaluates it against your policy, and either allows, denies, or modifies it — all without changing your agent code.
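How the quick-start policy plays out for that `send_email` call, as an added reference model written for this README (not Megent's own code): default deny, per-tool allow, regex `pii_mask`, and one JSON audit line per decision. It goes slightly beyond the quick start by honouring wildcard tool rules; the policy dict, the `read_*` rule and the regexes are constructed for the example.

```python
import fnmatch
import json
import re
import time
# Constructed policy mirroring the quick-start megent.yaml, plus a wildcard rule ("read_*").
POLICY = {
    "default_action": "deny",
    "pii_mask": ["email"],
    "tools": {
        "send_email": {"allow": True, "pii_mask": ["email", "phone"]},
        "read_*": {"allow": True},
        "delete_all_data": {"allow": False},
    },
}
# Constructed regexes for the pii_mask categories; Megent's own patterns are not shown here.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

def match_rule(policy, tool):
    """Exact tool name wins; otherwise the first fnmatch-style wildcard rule applies."""
    rules = policy.get("tools", {})
    if tool in rules:
        return rules[tool]
    return next((r for pat, r in rules.items() if fnmatch.fnmatchcase(tool, pat)), None)

def mask_args(args, fields):
    """Replace every PII match in string arguments with [REDACTED]; report which categories hit."""
    masked, hit = {}, set()
    for key, value in args.items():
        if isinstance(value, str):
            for field in fields:
                value, n = PII_PATTERNS[field].subn("[REDACTED]", value)
                if n:
                    hit.add(field)
        masked[key] = value
    return masked, sorted(hit)

def judge(policy, tool, args, agent_id=None):
    """Decide one call: per-tool rule, else default_action; mask before emitting the audit event."""
    rule = match_rule(policy, tool)
    allowed = rule.get("allow", False) if rule else policy.get("default_action") == "allow"
    fields = list(dict.fromkeys(policy.get("pii_mask", []) + (rule or {}).get("pii_mask", [])))
    masked, hit = mask_args(args, fields)
    event = {"event": "allow" if allowed else "deny", "tool": tool, "agent_id": agent_id,
             "timestamp": time.time(), "args": masked, "masked_fields": hit}
    print(json.dumps(event))  # one JSON line per decision, ready to pipe to a SIEM
    return event, masked
```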
Policies are plain YAML. No DSL to learn.
```yaml
# policies/agent.yaml
version: "1"
default_action: deny
pii_mask: [email]
tools:
  read_file:
    allow: true
  send_email:
    allow: true
    pii_mask: [email, phone, ssn]
  delete_all_data:
    allow: false
```

Megent can attribute calls to an agent identity using a JWT (HS256). Set `MEGENT_JWT_SECRET` (or pass `secret=` to `verify_agent_token`) and include `agent_id` (or `sub`) in the token claims.
```python
import megent as mg

runtime = mg.Runtime(policy_path="policies/agent.yaml")
token = "<jwt-from-your-auth-system>"

safe_send = mg.wrap(send_email, runtime=runtime, tool_name="send_email", agent_token=token)
safe_send(to="ops@example.com", subject="Ping", body="hello")
```

Every decision is logged in structured JSON.
```json
{
  "event": "allow",
  "tool": "http_post",
  "agent_id": "reports-agent-v2",
  "timestamp": 1767945230.137,
  "args": {
    "body": "[REDACTED]"
  },
  "masked_fields": ["email"]
}
```

Pipe to any SIEM. Query with any log tool.
Megent is not a plugin for LangChain, CrewAI, or any other framework. It is an independent security layer.
You build your agent on whatever platform you want. Megent wraps it.
```text
┌──────────────────────────────────────┐
│ MEGENT                               │ ← security layer (this is us)
│ ┌────────────────────────────────┐   │
│ │ your agent (LangChain,         │   │ ← built on any framework
│ │ CrewAI, OpenAI Agents SDK,     │   │
│ │ raw Python, anything)          │   │
│ └────────────────────────────────┘   │
└──────────────────────────────────────┘
```
Megent doesn't know or care what your agent is built on. It intercepts tool calls at the boundary — before execution — regardless of the underlying platform.
```python
import megent as mg

# agent built on LangChain? wrap it.
safe_agent = mg.wrap(langchain_agent.invoke, runtime=mg.Runtime(policy_path="policies/agent.yaml"))

# agent built on CrewAI? wrap it.
safe_agent = mg.wrap(crew.kickoff, runtime=mg.Runtime(policy_path="policies/agent.yaml"))

# raw Python agent? same thing.
safe_agent = mg.wrap(my_agent.run, runtime=mg.Runtime(policy_path="policies/agent.yaml"))
```

The platforms (LangChain, CrewAI, OpenAI Agents SDK, AutoGen, LlamaIndex) are where agents are built. Megent is where they are secured. These are separate concerns.
Megent no longer ships policy packs in this repo. Policy packs live in a separate policy repository, and Megent loads them from the `policy_repo` path or the `MEGENT_POLICY_REPO` environment variable.
Example:
```python
import megent as mg

runtime = mg.Runtime(
    policy_name="access-control/read-only",
    policy_repo=r"C:\Users\dell\Downloads\megent-policies\megent-policies",
)

combined = mg.compose_policies(
    "access-control/read-only",
    "data-protection/pii-strict",
    policy_repo=r"C:\Users\dell\Downloads\megent-policies\megent-policies",
)
```

Policies use direct tool names and simple wildcards such as `*`.
| Attack | Megent Defense |
|---|---|
| Unauthorized tool calls | Per-tool allow/deny policy enforcement |
| Unknown-by-default execution | default_action: deny for explicit allowlists |
| PII leakage in arguments | Configurable regex masking (pii_mask) |
| Unattributed execution | Optional JWT-based agent_id attribution |
| Weak observability | Structured audit events via standard logging |
Megent is Apache 2.0 licensed and open to contributions.
```bash
git clone https://github.com/Megents/Megent.git
cd megent
pip install -e ".[dev]"
pytest
```

See CONTRIBUTING.md for guidelines.
Apache 2.0 — free to use, modify, and distribute.
Built for production AI. Designed for developers who ship.