NewkavachOS v0.1.0 -- edge runtime, D1 provider, Web CryptoSee releases →
kavachOS
Security

Trust but verify every agent

Anomaly detection, continuous trust scoring, and compliance reports. Know what your agents are doing before something goes wrong.

<50ms

authorize() latency

3

compliance frameworks

0.0-1.0

trust score range

Real-time

anomaly detection

Start freeRead docs
pnpm add kavachos

Capabilities

Six layers of agent security

Anomaly detection

Baseline normal agent behavior, flag deviations in real time. Spike in permission checks, unusual resources, off-hours activity.

Trust scoring

Continuous numerical score per agent based on behavior history, permission usage, and constraint compliance. Decays on anomalies.

Cost attribution

Track API spend per agent. Budget caps enforced inline during authorize(). Alerts at 80%, hard block at the cap.

Privilege analyzer

Find over-permissioned agents before they become a problem. Suggests least-privilege scopes based on actual usage.

Compliance reports

EU AI Act Article 12, SOC 2, NIST AI RMF. Generated in one API call with full agent inventory and audit references.

Data residency

Choose where your agent data lives. EU, US, or APAC regions. Required for GDPR and data sovereignty requirements.

Threat model

How kavachOS handles common threats

Token exfiltration

Tokens hashed at rest. Shown once at creation. Breach exposes nothing usable.

Privilege escalation

Delegated agents cannot exceed parent scope. Depth limits enforced.

Credential sprawl

Each agent owns one token. Rotate or revoke individually without affecting others.

Shadow agents

Every agent creation is audited. No unauthenticated agent creation endpoints.

Lateral movement

Wildcard matching scopes each agent to specific resources. No global access tokens.

Code example

Trust scoring and compliance

security.ts
import { createKavach } from "kavachos";

const kavach = createKavach({ db, secret: process.env.KAVACH_SECRET });

// Check agent trust score before high-risk operations
const score = await kavach.agents.trustScore(agentId);

if (score.value < 0.7) {
  // Route to human review queue
  await kavach.agents.requestApproval({
    agentId,
    action: "deploy:production",
    reason: "Low trust score",
  });
}

// Generate compliance report
const report = await kavach.compliance.generate({
  framework: "eu-ai-act",
  period: { from: "2026-01-01", to: "2026-03-31" },
});

Secure every agent interaction

Anomaly detection, trust scoring, and compliance reports included in Growth and Scale plans.

Start freeAll products