Quickstart
Install Kite Logik, scaffold a governed agent, start the policy engine, run the demo. End-to-end in five minutes, no API keys required.
Prerequisites
- Python 3.11 or later
- Docker — used to run the OPA policy engine locally
- About 5 minutes
1. Install
pip install kitelogikThis pulls in the policy engine client, the YAML→Rego compiler, the audit store, the credential broker, and the 11 framework adapters.
2. Scaffold a governed agent
kitelogik init my-agent
cd my-agentkitelogik init writes five files into the target directory:
| File | What it is |
|---|---|
policies/policy.yaml | Starter governance rules in YAML — the high-level edit surface |
policies/policy.rego | The same rules compiled to Rego — what OPA actually evaluates |
agent.py | A minimal agent with two governed tools and a 3-call demo |
docker-compose.yml | A one-service compose file that runs OPA on :8181 |
.env.example | Environment template (e.g. ANTHROPIC_API_KEY for the optional Claude loop) |
The starter policy in policies/policy.yaml allows read-only customer lookups, allows refunds up to $200 for support agents, denies refunds above $200, and hard-denies any shell access. You'll edit this file later.
3. Start the policy engine
docker compose up -dOPA comes up on http://localhost:8181. The --watch flag in the compose file means OPA hot-reloads when you change policies/.
Already running OPA elsewhere?
Skip the compose step and pass OPAClient(base_url="https://your-opa") to PolicyGate instead. There is also an experimental in-process Rego engine (RegorusClient) for environments where Docker isn't an option — see Installation in the next round of docs.
4. Run the demo
python agent.pyExpected output:
Compiled policy.yaml -> .../policies/policy.rego
--- Governance Demo ---
ALLOW get_customer({'customer_id': 'cust_001'})
-> Customer cust_001: Acme Corp, plan=enterprise, since=2024
ALLOW approve_refund({'customer_id': 'cust_001', 'amount': 50.0})
-> Refund of $50.00 approved for cust_001
BLOCK approve_refund({'customer_id': 'cust_001', 'amount': 500.0})
-> Governance denied tool call: Refunds over $200 require manager approval
Set ANTHROPIC_API_KEY to build an interactive Claude agent.The third call was blocked before it executed — by the Rego policy, not by the model. The threshold lives in policies/policy.yaml; change it, then re-run python agent.py to see the new decision (OPA hot-reloads the Rego on change).
What just happened
kitelogik init generated an agent.py that wires three pieces together:
from kitelogik import (
GovernedToolbox,
OPAClient,
PolicyGate,
SessionContext,
GovernanceError,
)
gate = PolicyGate(opa_client=OPAClient()) # default: http://localhost:8181
context = SessionContext(
session_id="session-001",
user_role="support_agent",
session_scopes=["read_customer", "approve_refund"],
)
toolbox = GovernedToolbox(gate=gate, context=context)
toolbox.register("get_customer", get_customer)
toolbox.register("approve_refund", approve_refund)Every toolbox.call(name, args) becomes a structured event, the gate evaluates it against your Rego policies, and either runs the tool or raises GovernanceError with the policy decision attached.
What's next
- Your first governed tool — add the
@governeddecorator to your own functions, or wrap a whole toolbox. - Your first policy — write a YAML rule, compile it with
kitelogik compile, validate it withkitelogik validate, run policy unit tests withkitelogik test. - Adapters → Overview — wire Kite Logik into OpenAI, Agents SDK, LangChain, LangGraph, CrewAI, or whichever framework you're already on.
Troubleshooting
Connection refused on port 8181. OPA hasn't come up yet. docker compose ps should show the opa service healthy; if not, docker compose logs opa will show why (port conflict is the usual culprit).
kitelogik: command not found. The CLI installs at the same scope as the package. If you pip installed into a virtualenv, activate it first or run via python -m kitelogik.cli ....
policies/policy.yaml already exists. kitelogik init refuses to overwrite an existing project. Run it from an empty directory or remove the existing policies/ first.