Metadata-Version: 2.4
Name: yagami
Version: 0.6.1
Summary: Open-source AI context firewall for governed model, tool, and retrieval access.
Project-URL: Homepage, https://github.com/MatthewTracy/yagami
Project-URL: Repository, https://github.com/MatthewTracy/yagami
Project-URL: Documentation, https://matthewtracy.github.io/yagami/
Project-URL: Issues, https://github.com/MatthewTracy/yagami/issues
Project-URL: Changelog, https://github.com/MatthewTracy/yagami/blob/main/CHANGELOG.md
Project-URL: Security, https://github.com/MatthewTracy/yagami/security/policy
Project-URL: Roadmap, https://github.com/MatthewTracy/yagami/blob/main/docs/roadmap.md
Author: Matthew Tracy
License-Expression: MIT
License-File: LICENSE
Keywords: ai-gateway,ai-security,context-firewall,data-governance,llm,local-ai,mcp,openai,policy,privacy
Classifier: Development Status :: 3 - Alpha
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Programming Language :: Python :: 3.14
Classifier: Topic :: Scientific/Engineering :: Artificial Intelligence
Requires-Python: >=3.11
Requires-Dist: aiosqlite>=0.20
Requires-Dist: anthropic>=0.39
Requires-Dist: cryptography>=43
Requires-Dist: fastapi>=0.115
Requires-Dist: httpx>=0.27
Requires-Dist: keyring>=25.4
Requires-Dist: mcp>=1.28
Requires-Dist: openai>=2.0
Requires-Dist: opentelemetry-api>=1.28
Requires-Dist: prometheus-client>=0.21
Requires-Dist: pydantic-settings>=2.6
Requires-Dist: pydantic>=2.9
Requires-Dist: pyjwt[crypto]>=2.10
Requires-Dist: pypdf>=5.0
Requires-Dist: python-dotenv>=1.0
Requires-Dist: python-multipart>=0.0.20
Requires-Dist: pyyaml>=6.0.2
Requires-Dist: sqlite-vec>=0.1.6
Requires-Dist: uvicorn[standard]>=0.32
Provides-Extra: dev
Requires-Dist: mypy>=1.15; extra == 'dev'
Requires-Dist: pytest-asyncio>=0.24; extra == 'dev'
Requires-Dist: pytest-cov>=6.0; extra == 'dev'
Requires-Dist: pytest>=8.3; extra == 'dev'
Requires-Dist: ruff>=0.7; extra == 'dev'
Requires-Dist: types-pyyaml>=6.0; extra == 'dev'
Provides-Extra: observability
Requires-Dist: opentelemetry-exporter-otlp-proto-http>=1.28; extra == 'observability'
Requires-Dist: opentelemetry-sdk>=1.28; extra == 'observability'
Description-Content-Type: text/markdown

# Yagami

**An open-source, self-hosted context firewall for AI applications and agents.**

[![CI](https://github.com/MatthewTracy/yagami/actions/workflows/ci.yml/badge.svg)](https://github.com/MatthewTracy/yagami/actions/workflows/ci.yml)
[![PyPI](https://img.shields.io/pypi/v/yagami.svg)](https://pypi.org/project/yagami/)
[![Python](https://img.shields.io/pypi/pyversions/yagami.svg)](https://pypi.org/project/yagami/)
[![License: MIT](https://img.shields.io/badge/license-MIT-green.svg)](https://github.com/MatthewTracy/yagami/blob/main/LICENSE)
[![Status](https://img.shields.io/badge/status-alpha-orange.svg)](https://github.com/MatthewTracy/yagami/blob/main/docs/roadmap.md)

[Documentation](https://matthewtracy.github.io/yagami/) | [Gateway API](https://matthewtracy.github.io/yagami/gateway/) | [Deployment](https://matthewtracy.github.io/yagami/deployment/) | [Security](https://github.com/MatthewTracy/yagami/security/policy) | [Roadmap](https://github.com/MatthewTracy/yagami/blob/main/docs/roadmap.md)

Yagami sits between your software and local models, cloud LLMs, retrieval
systems, and tools. It classifies context locally, evaluates versioned policy,
routes only to allowed destinations, inspects outputs, and produces
content-free evidence for each decision.

Existing OpenAI SDK applications can adopt it by changing one `base_url`.
Yagami can run as a headless gateway, in a container or Kubernetes, or with its
included React control surface.

## Try it in 60 seconds

The demo requires no API key, provider account, Ollama model, or Node.js:

```bash
python -m pip install yagami
yagami demo
```

Open [http://127.0.0.1:8000](http://127.0.0.1:8000). Demo mode uses a local
echo backend, blocks cloud routing, and exercises the UI, policy, lineage,
storage, and audit path.

[Watch the two-minute demo](https://github.com/user-attachments/assets/a7be9449-eafc-4acb-99b6-ea39edc43cd2).

## Protect an application

Initialize persistent user configuration, check the host, and start Yagami:

```bash
yagami init
yagami doctor
yagami serve
```

Then point an OpenAI client at the gateway:

```python
from openai import OpenAI

client = OpenAI(
    base_url="http://127.0.0.1:8000/v1",
    api_key="your-yagami-project-key",
)

response = client.chat.completions.create(
    model="yagami-auto",
    messages=[{"role": "user", "content": "Summarize this document."}],
    metadata={
        "purpose": "internal-documentation",
        "sensitivity": "none",
        "session_id": "example-session",
    },
)
print(response.choices[0].message.content)
```

Supported caller sensitivity values are `none`, `phi`, `phi_medical`, and
`secret`. A caller hint can make the policy stricter; it cannot lower a
sensitivity detected by Yagami.

For production authentication, policy, and deployment settings, follow the
[deployment guide](https://matthewtracy.github.io/yagami/deployment/).

## Why teams use Yagami

- **Deterministic containment after classification.** Once context is labeled
  as PHI or secret, default policy permits local backends only. Sensitive
  history and tool results inherit the same restriction.
- **One governed data plane.** Chat Completions, Responses, the browser chat,
  and MCP use the same policy, lineage, transformation, output-DLP, budget,
  and audit pipeline.
- **Policy as code.** Preview and replay decisions, run regression cases in
  CI, and promote deterministic Ed25519-signed policy bundles.
- **Evidence without prompt logging.** Policy passports, hash-chained audit
  records, Prometheus metrics, and OpenTelemetry spans carry labels, hashes,
  IDs, and counts rather than prompt or completion content.
- **Model choice without policy duplication.** Route to local engines, direct
  cloud providers, or an existing OpenAI-compatible gateway behind one
  enforcement point.
- **Governed tools.** Evaluate function tools and MCP calls before execution,
  require short-lived one-time approvals, and keep inbound credentials from
  being forwarded to downstream servers.

## Core capabilities

| Area | Included |
|---|---|
| Compatible APIs | OpenAI Chat Completions, core Responses API, Streamable HTTP MCP |
| Identity | Scoped project API keys and OIDC/JWT workload identity |
| Policy | Versioned YAML/JSON rules, restrictive merging, preview, replay, shadow mode, regression tests, signed bundles |
| Privacy | Local classification, caller sensitivity, context lineage, AES-GCM tokenization, rehydration, output DLP, optional Presidio |
| Tools | Function calling, governed built-in skills, stdio and remote MCP, one-time approvals |
| Operations | Spend/rate/concurrency/context limits, health checks, Prometheus, OpenTelemetry, SIEM export, approval webhooks |
| Packaging | Python 3.11-3.14, PyPI, non-root container, Docker Compose, Helm, SBOMs, checksums, and build provenance |

## Models and integrations

Local generation works with [Ollama](https://ollama.com/), llama.cpp through
the optional `llama-cpp-python` runtime, and Microsoft Foundry Local through
its loopback OpenAI-compatible service. Direct cloud adapters cover Anthropic,
OpenAI, Mistral, Groq, OpenRouter, Google Gemini, and Stability AI image
generation.

Yagami also works with LangChain/LangGraph, the Vercel AI SDK, Microsoft
Presidio, Splunk HEC and generic SIEM webhooks, Slack and Teams approval
notifications, and upstream gateways such as LiteLLM, Portkey, Kong, or Envoy.
See the [integration recipes](https://matthewtracy.github.io/yagami/integrations/).

## How enforcement works

```text
application or agent
  -> authentication and project limits
  -> local sensitivity and context-lineage inspection
  -> versioned policy and optional transformation
  -> allowed local model, cloud model, retrieval source, or tool
  -> output DLP
  -> response plus content-free policy passport and audit evidence
```

Policy is the final authority. Slash commands and explicit backend selection
cannot override a sensitive-data restriction. Classifier failures fail local
by default, and cloud routes can be blocked entirely or stopped at a daily
spend cap.

## Important limitations

Yagami is an enforcement component, not a compliance certification. Automated
detection can miss sensitive data. Strict deployments should declare
sensitivity at the caller, use a local-only policy, test organization-specific
cases, encrypt storage at the host or volume layer, and review the
[threat model](https://matthewtracy.github.io/yagami/threat-model/).

The project is alpha. Validate policy and failure behavior against your own
requirements before production use.

## Documentation

- [Start here](https://matthewtracy.github.io/yagami/)
- [Gateway API](https://matthewtracy.github.io/yagami/gateway/)
- [Integrations](https://matthewtracy.github.io/yagami/integrations/)
- [Deployment](https://matthewtracy.github.io/yagami/deployment/)
- [Security and threat model](https://matthewtracy.github.io/yagami/threat-model/)

## Contributing

Focused issues and pull requests are welcome. Read
[CONTRIBUTING.md](https://github.com/MatthewTracy/yagami/blob/main/CONTRIBUTING.md),
the [security policy](https://github.com/MatthewTracy/yagami/blob/main/SECURITY.md),
and the [code of conduct](https://github.com/MatthewTracy/yagami/blob/main/CODE_OF_CONDUCT.md).

## License

[MIT](https://github.com/MatthewTracy/yagami/blob/main/LICENSE) - Copyright
(c) 2026 Matthew Tracy and Yagami contributors.
