Architecture
Kite Logik sits between your agent runtime and the tools it calls. Every action the agent attempts becomes a structured event, evaluated against your Rego policies, before the side effect runs. Three layers, each with a single responsibility:
┌──────────────────────────────────────────────────────────┐
│ EMBEDDED SDK (in-process) │
│ @governed · GovernedToolbox · 11 framework adapters │
│ Turns a tool invocation into a GovernanceEvent │
└──────────────────────────┬───────────────────────────────┘
│
┌───────────────────▼─────────────────────┐
│ TETHER │
│ Policy engine — OPA HTTP or Regorus │
│ Deny-by-default, fail-closed │
│ 2-tier hierarchy (global + project) │
└───────────────────┬─────────────────────┘
│
┌───────────────────▼─────────────────────┐
│ ANCHOR │
│ CredentialBroker · HITLQueue │
│ AuditStore (append-only) · OTel │
└─────────────────────────────────────────┘The three layers
Embedded SDK
Lives in your agent process. No network hop. Two integration patterns:
@governeddecorator — wrap a single function. The gate runs before the function body; a denial raisesGovernanceErrorwith the full decision attached.GovernedToolbox— register many tools, call by name. Used by every framework adapter under the hood.
Both produce the same GovernanceEvent shape regardless of which framework called them.
Tether (policy engine)
Evaluates GovernanceEvents against your Rego policies. Two backends implement the same PolicyEvaluator protocol:
OPAClient— talks to an OPA server over HTTP. Defaulthttp://localhost:8181. Production-ready, pairs with the standard OPA toolchain (Conftest, Gatekeeper, OPA bundles).RegorusClient— evaluates Rego in-process via Microsoft's Regorus Rust engine. No external server. Labelled experimental upstream — fine for dev and lightweight deployments, preferOPAClientin production.
Tether also supports a 2-tier hierarchy — global policies layered under per-project policies — through HierarchicalEvaluator.
Anchor (oversight + audit)
Everything the agent runtime needs to be operationally trustworthy:
CredentialBroker— issues scoped, short-livedSessionTokens. Delegated tokens can only narrow scope, never widen it.HITLQueue— SQLite-backed async queue. When a policy returnsrequires_hitl := true, the call is enqueued and the agent'sawait_decision()blocks until a human approves or rejects (default 300-second timeout).AuditStore— append-only audit log. Every governed event is recorded with the policy version that decided it. SQL triggers prevent in-band tampering.- OpenTelemetry — every gate evaluation emits a span. Compatible with the GenAI semconv attributes.
What the gate intercepts (and what it doesn't)
Kite Logik intercepts structured agent actions:
- Tool calls (
tool_call) - Sub-agent spawn (
agent.spawn) - Agent-to-agent delegation (
agent.delegate) - Multi-step plans (
agent.plan) - Resource budgets (
agent.budget)
Cross-cutting policy data (e.g. data_classification on a tool call) is attached to the same events.
The gate does not look at:
- The LLM's prompt or response text — that's the output-validator layer (Guardrails AI, LLM Guard). See the comparisons.
- Network egress — that's a service-mesh / proxy concern.
- Memory contents —
MemoryStoretags trust tiers, but the policy gate evaluates the action that consumes the memory, not the memory itself.
Where this lives in the codebase
kitelogik/
governed.py @governed decorator, GovernedToolbox, GovernanceError
adapters/ 11 framework adapters, all built on _base.py
tether/ Policy engine: OPA client, Regorus client, gate, hierarchy
anchor/ Credential broker, HITL queue, session tokens
audit/ Append-only audit store
memory/ Trust-tiered memory with provenance
observability/ OpenTelemetry tracing
policies/ Compiled Rego, YAML compiler, starter library, examplesEditions
OSS ships all three layers — Embedded SDK, Tether, Anchor — on SQLite storage. Kite Logik Enterprise swaps Anchor's storage for Postgres and adds a centralized Governance Gateway (HTTP API for fleet-wide enforcement), real-time dashboard, SSO/RBAC, and compliance export packs. Same policy semantics either way — see OSS vs Enterprise for the full table.