Labsco
ExposureGuard logo

Haldir

β˜… 4

from ExposureGuard

Identity, secrets, and audit for AI agents. Proxy mode intercepts every MCP tool call.

πŸ”₯πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedAccount requiredAdvanced setup

Haldir β€” The Guardian Layer for AI Agents

Smithery

PyPI Downloads

The open-source governance layer for AI agents. Identity, secrets, audit, and policy enforcement β€” MIT licensed, self-host or use our cloud.

Haldir enforces governance on every AI agent tool call: scoped sessions with spend caps, encrypted secrets the model never sees, hash-chained tamper-evident audit trail, human-in-the-loop approvals, and a proxy that intercepts every MCP call before it reaches your tools. Native SDKs for LangChain, CrewAI, AutoGen, and Vercel AI SDK.

Haldir quickstart: install, create a scoped session, check permission, log the action to the hash-chained audit trail

Haldir architecture: Agent β†’ Proxy β†’ (Gate/Vault/Watch/Policy) β†’ Upstream APIs

CLI

$ haldir overview

  Haldir tenant overview
  acct_xyz123  Β·  tier pro  Β·  2026-04-19T18:42:11+00:00

  Status     ● ok
  Actions      4,217 / 50,000   β–ˆβ–ˆβ–ˆβ–ˆβ–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘β–‘    8.4%
  Spend      $ 47.30 this month
  Sessions        12 active  Β·  3/10 agents
  Vault            8 secrets  Β·  62 accesses this month
  Audit        1,847 entries  Β·  0 flagged (7d)  Β·  chain βœ“
  Webhooks         2 registered  Β·  541 deliveries (24h)  Β·  99.82% success
  Approvals        1 pending

Install once, drive the whole platform from the terminal:

pip install haldir
haldir login                           # one-time; stashes API key
haldir overview --watch                # top-style live dashboard
haldir status                          # green/yellow/red component pills
haldir ready                           # exits 0/1, perfect for CI
haldir audit tail --agent my-bot       # the last N entries
haldir audit export --format=jsonl --out audit-2026-04.jsonl
haldir audit verify                    # hash chain integrity check
haldir webhooks deliveries             # last 20 retry attempts
haldir migrate up                      # apply pending schema migrations

Every command takes --json for scripts. haldir --help for the full surface.

Two ways to run Haldir

Self-hostCloud (haldir.xyz)
PriceFree foreverFree tier + paid plans
FeaturesEverythingEverything β€” same API, same SDKs
You runAPI + PostgresNothing
Best forRegulated industries, air-gapped, "must own data""Just make it work"

Self-host in 5 minutes

git clone https://github.com/ExposureGuard/haldir.git
cd haldir
cp .env.example .env
python3 -c 'import base64, os; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'
# paste the output into .env as HALDIR_ENCRYPTION_KEY, then:
docker compose up -d
curl http://localhost:8000/health

Full self-hosting guide: SELF_HOSTING.md

Or use our cloud

pip install haldir

That's it β€” point at https://haldir.xyz, no signup, live API.


Live now: haldir.xyz Β· API Docs Β· OpenAPI Spec Β· Smithery

πŸ§ͺ Now accepting 5 design partners. 30 days free, full access, direct line to the founder. If you're shipping AI agents to production, email sterling@haldir.xyz.

Performance

Haldir is fast enough to sit in the hot path of every agent tool call without becoming the bottleneck.

Single-box HTTP throughput (gunicorn 4 workers, 32 concurrent clients, tuned SQLite backend, every request goes through the full middleware stack β€” auth, validation, idempotency, metrics, structured logging):

EndpointRPSp50p95p99
GET /healthz1,63819.1 ms32.5 ms41.6 ms
GET /v1/status1,38222.2 ms30.8 ms45.4 ms
GET /v1/sessions/:id90329.2 ms95.5 ms172.1 ms
POST /v1/sessions (create)1,14227.7 ms35.2 ms39.9 ms
POST /v1/audit (hash-chain write)1,09228.7 ms37.6 ms52.6 ms

Hardware: 12th-gen Intel Core i3-1215U (8 cores, 8 GB RAM). SQLite is configured with WAL + synchronous=NORMAL + 256 MiB mmap + in-memory temp store β€” the session-lookup p99 dropped by 52 % versus the untuned path. Postgres deployments (configurable pool via HALDIR_PG_POOL_MIN/MAX) flatten the p99 further still; enable via DATABASE_URL=postgresql://....

Primitive cost (pure-Python, no I/O):

Primitivep50Notes
Vault.store_secret (AES-256-GCM encrypt + AAD binding)< 10 Β΅sin-memory, no DB write
Vault.get_secret (AES-256-GCM decrypt + AAD verify)< 10 Β΅sin-memory
AuditEntry.compute_hash (SHA-256 over canonical payload)< 10 Β΅s
Gate.check_permission over REST~50-120 msnetwork + DB round-trip, Cloudflare-fronted
Watch.log_action over REST~50-150 msincludes chain lookup + DB write
Full governed-tool envelope (check + log)~100-250 ms

Agents typically wait 500-3000 ms for an LLM completion and 100-1000 ms for an upstream API call, so Haldir's overhead sits inside the noise. Reproduce locally:

# Concurrent HTTP throughput (launches a local gunicorn, ~60s total)
python bench/bench_http.py --duration 10 --concurrency 32 --workers 4

# Primitive cost only (no API key needed)
python bench/bench_primitives.py --local

# End-to-end against the hosted service
export HALDIR_API_KEY=hld_...
python bench/bench_primitives.py

Compliance

One endpoint produces an auditor-ready proof-of-control pack covering eight sections, each anchored to a SOC2 trust services criterion:

haldir compliance evidence --since 2026-01-01 --out evidence-q1-2026.md
#SectionSOC2
1Identity (tenant, subscription, period)β€”
2Access control (API keys + per-key scopes)CC6.1
3Encryption (AES-256-GCM, AAD binding)CC6.7
4Audit trail (entry count, hash chain integrity)CC7.2
5Spend governance (per-session caps, payment records)CC5.2
6Human approvals (request/decision lifecycle)CC8.1
7Outbound alerting (webhook delivery success rate)CC7.3
8Document signature (SHA-256 self-hash)β€”

The pack signs itself: a SHA-256 over the canonical JSON of sections 1-7. An auditor receiving an archived pack can re-call /v1/compliance/evidence/manifest and confirm the digest matches β€” proof the document was not modified after issuance.

JSON for evidence-locker upload, Markdown for the "show this to the auditor" moment, both from the same /v1/compliance/evidence endpoint.

Why Haldir

AI agents are calling APIs, spending money, and accessing credentials with zero oversight. Haldir is the missing layer:

Without HaldirWith Haldir
Agent has unlimited accessScoped sessions with permissions
Secrets in plaintext env varsAES-encrypted vault with access control
No spend limitsPer-session budget enforcement
No record of what happenedImmutable audit trail
No human oversightApproval workflows with webhooks
Agent talks to tools directlyProxy intercepts and enforces policies

Products

Gate β€” Agent Identity & Auth

Scoped sessions with permissions, spend limits, and TTL. No session = no access.

curl -X POST https://haldir.xyz/v1/sessions \
  -H "Authorization: Bearer hld_xxx" \
  -H "Content-Type: application/json" \
  -d '{"agent_id": "my-bot", "scopes": ["read", "browse", "spend:50"], "ttl": 3600}'

Vault β€” Encrypted Secrets & Payments

AES-encrypted storage. Agents request access; Vault checks session scope. Payment authorization with per-session budgets.

curl -X POST https://haldir.xyz/v1/secrets \
  -H "Authorization: Bearer hld_xxx" \
  -H "Content-Type: application/json" \
  -d '{"name": "api_key", "value": "sk_live_xxx", "scope_required": "read"}'

Watch β€” Audit Trail & Compliance

Immutable log for every action. Anomaly detection. Cost tracking. Compliance exports.

curl https://haldir.xyz/v1/audit?agent_id=my-bot \
  -H "Authorization: Bearer hld_xxx"

Proxy β€” Enforcement Layer

Sits between agents and MCP servers. Every tool call is intercepted, authorized, and logged. Supports policy enforcement: allow lists, deny lists, spend limits, rate limits, time windows.

# Register an upstream MCP server
curl -X POST https://haldir.xyz/v1/proxy/upstreams \
  -H "Authorization: Bearer hld_xxx" \
  -H "Content-Type: application/json" \
  -d '{"name": "myserver", "url": "https://my-mcp-server.com/mcp"}'

# Call through the proxy β€” governance enforced
curl -X POST https://haldir.xyz/v1/proxy/call \
  -H "Authorization: Bearer hld_xxx" \
  -H "Content-Type: application/json" \
  -d '{"tool": "scan_domain", "arguments": {"domain": "example.com"}, "session_id": "ses_xxx"}'

Approvals β€” Human-in-the-Loop

Pause agent execution for human review. Webhook notifications. Approve or deny from dashboard or API.

# Require approval for spend over $100
curl -X POST https://haldir.xyz/v1/approvals/rules \
  -H "Authorization: Bearer hld_xxx" \
  -H "Content-Type: application/json" \
  -d '{"type": "spend_over", "threshold": 100}'

MCP Server

Haldir is available as an MCP server with 10 tools for Claude, Cursor, Windsurf, and any MCP-compatible AI:

{
  "mcpServers": {
    "haldir": {
      "command": "haldir-mcp",
      "env": {
        "HALDIR_API_KEY": "hld_xxx"
      }
    }
  }
}

MCP Tools: createSession, getSession, revokeSession, checkPermission, storeSecret, getSecret, authorizePayment, logAction, getAuditTrail, getSpend

MCP HTTP Endpoint: POST https://haldir.xyz/mcp

Architecture

Agent (Claude, GPT, Cursor, etc.)
    β”‚
    β–Ό
β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
β”‚       Haldir Proxy          β”‚  ← Intercepts every tool call
β”‚  Policy enforcement layer   β”‚
β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
       β”‚          β”‚
  β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β” β”Œβ”€β”€β”€β–Όβ”€β”€β”€β”€β”
  β”‚  Gate   β”‚ β”‚ Watch  β”‚
  β”‚identity β”‚ β”‚ audit  β”‚
  β”‚sessions β”‚ β”‚ costs  β”‚
  β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”˜ β””β”€β”€β”€β”€β”€β”€β”€β”€β”˜
       β”‚
  β”Œβ”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”
  β”‚ Vault   β”‚
  β”‚secrets  β”‚
  β”‚payments β”‚
  β””β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”˜
       β”‚
       β–Ό
  Upstream MCP Servers
  (your actual tools)

API Reference

Full docs at haldir.xyz/docs

EndpointMethodDescription
/v1/keysPOSTCreate API key
/v1/sessionsPOSTCreate agent session
/v1/sessions/:idGETGet session info
/v1/sessions/:idDELETERevoke session
/v1/sessions/:id/checkPOSTCheck permission
/v1/secretsPOSTStore secret
/v1/secrets/:nameGETRetrieve secret
/v1/secretsGETList secrets
/v1/secrets/:nameDELETEDelete secret
/v1/payments/authorizePOSTAuthorize payment
/v1/auditPOSTLog action
/v1/auditGETQuery audit trail
/v1/audit/spendGETSpend summary
/v1/approvals/rulesPOSTAdd approval rule
/v1/approvals/requestPOSTRequest approval
/v1/approvals/:idGETCheck approval status
/v1/approvals/:id/approvePOSTApprove
/v1/approvals/:id/denyPOSTDeny
/v1/approvals/pendingGETList pending
/v1/webhooksPOSTRegister webhook
/v1/webhooksGETList webhooks
/v1/proxy/upstreamsPOSTRegister upstream
/v1/proxy/toolsGETList proxy tools
/v1/proxy/callPOSTCall through proxy
/v1/proxy/policiesPOSTAdd policy
/v1/usageGETUsage stats
/v1/metricsGETPlatform metrics

Agent Discovery

Haldir is discoverable through every major protocol:

URLProtocol
haldir.xyz/openapi.jsonOpenAPI 3.1
haldir.xyz/llms.txtLLM-readable docs
haldir.xyz/.well-known/ai-plugin.jsonChatGPT plugins
haldir.xyz/.well-known/mcp/server-card.jsonMCP discovery
haldir.xyz/mcpMCP JSON-RPC
smithery.ai/server/haldir/haldirSmithery registry
pypi.org/project/haldirPyPI