🚀 Project Status: In active development. All components subject to change. Contributions and feedback welcome.
🎯 Intent: Simplify and strengthen security for AI agents, tool interactions, and data access across workflows and environments. Provide a lightweight, user-friendly solution for hobbyists, small businesses, and enterprises.
🛠️ Goals:
- Simplify Integration
- Enhance Security
- Broad Applicability
- Configurability
- Performance
- Scalability
- Description
- Installation
- Usage
- Features
- Configuration
- Testing
- Development Setup
- Proposed Implementation
- Security Best Practices
- Contribution
- License
- Contact
- Troubleshooting
- Acknowledgments
- References
A lightweight, modular security framework for AI/ML models, agents, tools, and data, targeting Google ADK, Anthropic MCP, and extensible protocols that emphasizes ease of use, zero-trust security, and flexible deployment.
To install the Aphelion Agent Security Framework, use pip:
pip install git+https://github.com/tzervas/aphelion-agent-security-framework.git@mainFor development, we recommend using UV for managing dependencies. See the Development Setup section for more details.
Here’s a simple example of how to use the framework:
from aphelion import SecurityFramework
# Initialize the framework
framework = SecurityFramework(config_path="config.yaml")
# Authenticate a user
user = framework.authenticate(token="valid_token")
# Authorize an action
if framework.authorize(user, action="call_tool", resource="tool1"):
result = framework.dispatch(protocol="MCP", action="call_tool", resource="tool1")
print(result)
else:
print("Access denied")For more advanced usage, including FastAPI integration, refer to the Proposed Implementation section.
- Unified security interface for MCP and ADK
- Zero-trust authentication and authorization
- Dynamic RBAC/ABAC policies
- Data encryption and input validation
- Comprehensive logging and monitoring
- Flexible deployment options (Docker, Kubernetes, etc.)
The framework can be configured using a YAML file or environment variables. Example config.yaml:
authentication:
jwt_secret: "your_secret_key"
authorization:
model_file: "rbac_model.conf"
policy_file: "rbac_policy.csv"
logging:
level: "INFO"
file: "security.log"For a full list of options, see the Configuration Guide.
To run the tests, use:
pytestEnsure development dependencies are installed. See the Development Setup section.
- Clone the repository:
git clone https://github.com/tzervas/aphelion-agent-security-framework.git
- Navigate to the project directory:
cd aphelion-agent-security-framework - Use UV to install dependencies:
uv sync
- Configure the framework by updating
config.yamlor setting environment variables. - Run the application:
or use Docker:
python main.py
docker-compose up
Demonstrates core security concepts in a simplified form.
import jwt
from casbin import Enforcer
from anthropic import Anthropic # Hypothetical MCP client
from google.adk.agents import Agent # Hypothetical ADK client
enforcer = Enforcer("rbac_model.conf", "rbac_policy.csv")
def authenticate(token):
return jwt.decode(token, "secret", algorithms=["HS256"])["sub"]
def authorize(subject, action, resource):
return enforcer.enforce(subject, action, resource)
def handle_request(protocol, token, action, resource):
subject = authenticate(token)
if authorize(subject, action, resource):
if protocol == "MCP":
return Anthropic().call_tool(action, resource)
elif protocol == "ADK":
return Agent().call_tool(action, resource)
raise PermissionError("Access denied")
# Test
request = {"protocol": "MCP", "token": "valid_token", "action": "call_tool", "resource": "tool1"}
result = handle_request(**request)
print(result)Robust, configurable, and deployment-ready for go-to-market.
from fastapi import FastAPI, HTTPException
from casbin import Enforcer
from jwt import decode
from pydantic import BaseModel
from anthropic import Anthropic
from google.adk.agents import Agent
import logging
app = FastAPI()
enforcer = Enforcer("rbac_model.conf", "rbac_policy.csv")
logging.basicConfig(level=logging.INFO)
class Request(BaseModel):
token: str
action: str
resource: str
def authenticate(token):
return decode(token, "secret", algorithms=["HS256"])["sub"]
@app.post("/mcp/call_tool")
async def mcp_call(request: Request):
subject = authenticate(request.token)
if enforcer.enforce(subject, request.action, request.resource):
result = Anthropic().call_tool(request.action, request.resource)
logging.info(f"Allowed: {subject} -> {request.action} on {request.resource}")
return {"result": result}
logging.warning(f"Denied: {subject} -> {request.action} on {request.resource}")
raise HTTPException(403, "Access denied")
@app.post("/adk/call_tool")
async def adk_call(request: Request):
subject = authenticate(request.token)
if enforcer.enforce(subject, request.action, request.resource):
result = Agent().call_tool(request.action, request.resource)
logging.info(f"Allowed: {subject} -> {request.action} on {request.resource}")
return {"result": result}
logging.warning(f"Denied: {subject} -> {request.action} on {request.resource}")
raise HTTPException(403, "Access denied")🔒
- Zero-Trust: Validate all requests with JWT and enforce least privilege.
- RBAC/ABAC: Dynamic policies via
pycasbinfor fine-grained control. - Encryption: Use
cryptographyfor sensitive data (configurable). - Input Validation: Prevent injection attacks with strict parsing.
- Logging: Comprehensive audit trails with
loggingand Prometheus. - Dependency Management: Minimal, vetted dependencies with regular updates.
- Secure Defaults: Enable encryption and strict policies by default.
Contributions are welcome! Please see the Developer Guide and CONTRIBUTING.md for guidelines.
This project is licensed under the MIT License. See LICENSE for more information.
- Author: Tyler Zervas
- GitHub: tzervas
- X: @vec_wt_tech
If you encounter issues, check the issue tracker or contact the author.
Special thanks to the developers of pycasbin, pyjwt, and the Loguru library for their excellent tools.
Happy Secure Agent Building!