Antihero Documentation v0.2.0
The policy engine for AI agents. Declarative policy enforcement, cryptographic audit trails, and fail-closed security for every AI agent, every tool call, every model.
Five Formal Guarantees
These are not marketing claims. They are mathematically enforced and verified by property-based tests.
1. Fail-closed — No matching rule? Deny. Engine error? Deny. Network failure? Deny.
2. Deterministic — Same input + same policy = same output. Always. No probabilistic decisions.
3. Deny dominates — Any deny in any tier overrides all allows. Composition is monotonic.
4. Monotonic safety — Adding restrictions can never reduce safety. Proven by property tests.
5. Hash-chain integrity — Modifying any audit event breaks the chain for all subsequent events. SHA-256 + RFC 8785 JCS canonicalization + optional Ed25519 signatures.
Architecture
Every AI action passes through three layers: declare policy, enforce at the boundary, record the receipt.
┌─────────────────────────────────────────────────┐
│ Policy Layer │
│ YAML rules, tiered composition, │
│ deny-dominates, fail-closed, glob match │
└────────────────────┬────────────────────────────┘
│
┌────────────┐ ┌────▼──────────────┐ ┌──────────────┐
│ TCE │─>│ Guard │─>│ AEE │
│ (input) │ │ policy evaluate │ │ (audit log) │
│ │ │ requirement gate │ │ hash-chained │
│ │ │ fail-closed │ │ append-only │
└────────────┘ └────┬──────────────┘ └──────┬───────┘
│ │
┌────▼──────┐ ┌──────▼───────┐
│ PDE │ │ Hash Chain │
│ (verdict) │ │ SHA-256 │
└───────────┘ │ RFC 8785 │
│ Ed25519 sig │
└──────────────┘| Envelope | Purpose |
|---|---|
| TCE (Tool Call Envelope) | Captures who wants to do what, with what parameters |
| PDE (Policy Decision Envelope) | The engine's verdict: allow, deny, or gate |
| AEE (Audit Event Envelope) | Immutable receipt, hash-chained to predecessor |
Install
pip install antihero# Optional extras
pip install antihero[mcp] # MCP server for Claude Code
pip install antihero[signing] # Ed25519 audit signing
pip install antihero[all] # Everything60-Second Quickstart
# 1. Initialize (choose a persona: consumer, developer, enterprise)
antihero init --persona developer
# 2. Gate a dangerous command
antihero run -- rm -rf /
# -> DENIED. Logged to tamper-evident hash chain.
# 3. Gate a safe command
antihero run -- echo "hello"
# -> ALLOWED. Executed and logged.
# 4. Verify nothing was tampered with
antihero audit verify
# -> Chain integrity verified.Policy Format
YAML rules compose across four tiers: baseline → org → app → user. Deny always dominates.
version: "1.0"
tier: app
name: my-policy
rules:
- id: deny-dangerous
effect: deny
priority: 100
actions: ["shell.execute"]
resources: ["rm -rf*", "format*", "mkfs*"]
risk_score: 1.0
- id: gate-writes
effect: allow_with_requirements
priority: 50
actions: ["file.write"]
resources: ["*"]
requirements:
- kind: confirm
params: { message: "Allow file write?" }
risk_score: 0.5Python SDK
from antihero import wrap
# Two lines. Every tool call is now policy-checked and audit-logged.
protected_agent = wrap(my_agent)
result = protected_agent.run("Deploy the update")Guard (fine-grained control)
from antihero import Guard
from antihero.policy.engine import PolicyEngine
from antihero.policy.loader import load_policies
from antihero.evidence.chain import HashChain
from antihero.evidence.store import AuditStore
guard = Guard(
engine=PolicyEngine(load_policies(".antihero")),
chain=HashChain(),
store=AuditStore(".antihero/audit.jsonl"),
)
guard.execute(
my_tool_function,
action="file.write",
resource="/etc/passwd",
parameters={"content": "..."},
)TypeScript / JavaScript SDK
npm install @antihero/sdkimport { AntiheroClient } from "@antihero/sdk";
const client = new AntiheroClient({
baseUrl: "https://api.antiheroes.dev",
apiKey: "ah_live_...",
});
const stats = await client.getDashboardStats();
const events = await client.listEvents({ limit: 50 });MCP Server
Works with any MCP-compatible client (Claude Code, OpenCode, Cursor). Every tool call is policy-gated and audit-logged.
Claude Code / Cursor
{
"mcpServers": {
"antihero": {
"command": "antihero",
"args": ["serve"]
}
}
}OpenCode
{
"mcp": {
"antihero": {
"type": "local",
"command": ["antihero", "serve"],
"enabled": true
}
}
}Exposed Tools
| Tool | What it does |
|---|---|
antihero_check_policy | Pre-check if an action would be allowed |
antihero_audit_recent | Get recent audit events |
antihero_audit_verify | Verify hash chain integrity |
antihero_risk_status | Current risk budget utilization |
antihero_policy_explain | Explain why an action was allowed/denied |
Compliance
# SOC 2 Type II export
antihero audit export --format soc2 --org-name "Acme Corp" -o report.json
# HIPAA Security Rule export
antihero audit export --format hipaa --org-name "Acme Health" -o hipaa.jsonMaps to Trust Services Criteria (CC6.1, CC6.3, CC7.2, CC8.1) and HIPAA Security Rule (164.312 b/c/d/e).
Three Markets, One Engine
| Consumer | Developer | Enterprise | |
|---|---|---|---|
| Surface | Browser extension | Python SDK + CLI + MCP | All + compliance |
| Policy | Max safety (0.8) | Balanced (1.0) | Strict (0.6) |
| Audit | Local only | JSONL hash chain | Signed + SOC 2 / HIPAA |
| Alerts | Visual banners | Console + webhook | Slack + webhook |
| Dashboard | Popup + side panel | CLI dashboard | Cloud dashboard |
CLI Reference
| Command | Description |
|---|---|
antihero init | Initialize .antihero/ with policy + config |
antihero run | Gate a shell command with policy enforcement |
antihero audit show | View audit trail (--json for machine-readable) |
antihero audit verify | Verify hash chain integrity |
antihero audit export | Export audit data (json, soc2, hipaa) |
antihero policy validate | Validate a policy YAML file |
antihero policy test | Test an action against loaded policies |
antihero scan | Scan text for built-in threat patterns |
antihero dashboard | Terminal dashboard (--web for browser UI) |
antihero serve | Start the MCP server |
antihero keygen | Generate Ed25519 signing keypair |