What is GuardAstra

GuardAstra is a security and observability platform for AI agents. It sits between your AI agents and LLM providers and inspects the traffic that flows through its configured surfaces — the LLM-key gateway, the /api/v1/intercept SDK path, and the Tier 4 hooks bridge — in real time to detect sensitive data exposure, prompt injection, policy violations, and anomalous behavior. Coverage is scoped to traffic that actually traverses those surfaces; see Coverage and Limitations and Security Limitations for what is and is not in scope.

GuardAstra ships as a single ~20 MB Go binary with an embedded PostgreSQL database. One port, one process, zero external dependencies required. Redis is optional (for caching and rate limiting). Point your agent's base URL at GuardAstra, and it handles the rest.

Who is GuardAstra for?

  • Platform teams deploying AI agents in production and needing guardrails before they go live.
  • Security teams that require audit trails, classification of sensitive content, and enforceable policies on the LLM calls and tool invocations routed through GuardAstra's covered surfaces.
  • AI engineers who want real-time visibility into what their agents are sending and receiving, without instrumenting application code.
  • Compliance officers who need to demonstrate that AI systems operate within defined boundaries.

Key capabilities

Content classification

Coverage depends on the surface. The LLM-key gateway sees both directions of a model call; /api/v1/intercept is tool-call shaped (the agent submits the tool/peer event it is about to execute); Tier 4 hook payloads are bounded to the prompt and last assistant message the host CLI hands over. Within those payloads, GuardAstra applies 107 regex-based rules organized into Standard (43 rules) and Finance (64 rules) packs for fast pattern matching — PII, credentials, credit card numbers, injection attacks — all in under 5ms P95. Three built-in ML classifiers add semantic analysis: prompt injection detection, semantic PII detection, and intent classification. Classifications are attached to every event for filtering, alerting, and policy enforcement.
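To make the classification step concrete, here is a small, self-contained Python example (added here; it is not GuardAstra's code and does not use its rule packs). It models a four-rule toy pack in the page's "standard"/"finance" split, attaches the resulting classifications and labels to an event, and shows the post-match check a practitioner wants on a card-number rule: a Luhn validation that stops an arbitrary 16-digit run from being labelled as a credit card. The rule names, the event shape and the sample values are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    pack: str                                          # "standard" or "finance", the pack names the page uses
    pattern: re.Pattern
    validator: Optional[Callable[[str], bool]] = None  # post-match check that cuts false positives


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: distinguishes a plausible card number from any digit run."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _card_validator(match_text: str) -> bool:
    return luhn_ok(re.sub(r"[ -]", "", match_text))


# Toy pack of four rules (the real packs hold 107); names and patterns are constructed.
RULES = [
    Rule("email", "standard", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    Rule("aws_access_key_id", "standard", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    Rule("credit_card", "finance",
         re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), _card_validator),
    Rule("prompt_injection", "standard",
         re.compile(r"\bignore (?:all |any )?(?:previous|prior|above) instructions\b", re.I)),
]


def classify(text: str):
    """Run every rule over the text; keep only matches that pass the rule's validator."""
    hits = []
    for rule in RULES:
        for m in rule.pattern.finditer(text):
            if rule.validator is not None and not rule.validator(m.group(0)):
                continue
            hits.append({"rule": rule.name, "pack": rule.pack,
                         "start": m.start(), "end": m.end()})
    return hits


def classify_event(event: dict) -> dict:
    """Return a copy of the event with classifications attached; prompt and response text are scanned."""
    text = " ".join(str(event[k]) for k in ("prompt", "response") if event.get(k))
    out = dict(event)
    out["classifications"] = classify(text)
    out["labels"] = sorted({h["rule"] for h in out["classifications"]})
    return out


if __name__ == "__main__":
    sample = {"agent_id": "agent-1",   # constructed event
              "prompt": "Charge card 4111 1111 1111 1111 and email bob@example.com"}
    print(classify_event(sample)["labels"])
```

The validator hook is the part worth copying: a regex alone is cheap but noisy, and a checksum or format check after the match keeps the rule fast while removing the most common false positives before they reach alerting or policy evaluation.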

Policy engine

An 8-level policy engine lets you define what agents are and are not allowed to do. Policies evaluate against classified content, agent identity, token budgets, and more. Actions include deny, redact (4 strategies), require human approval, and warn. Policies follow a version-tracked lifecycle (draft → approved → active → archived) with full audit trail.

Operating modes

GuardAstra supports 7 operating modes that control enforcement behavior: discovery (observe only), learning (build baselines), monitor (report anomalies), warn (dry-run enforcement), enforce (full policy enforcement), degraded (pass-through on system errors), and rolled_back (revert to prior state). The recommended path is a gradual transition: discovery → learning → monitor → warn → enforce.

Anomaly detection

67 anomaly detectors (15 generic + 52 finance-specific) continuously monitor agent behavior across dimensions like request rate, data sensitivity, payload size, timing patterns, and financial transaction patterns. When an agent deviates from its learned 7-day baseline, GuardAstra raises an anomaly that can trigger alerts, policies, or automatic throttling.

Multi-agent security

GuardAstra tracks agent-to-agent communication via peer headers and delegation chain tracking. When Agent A delegates a task to Agent B, GuardAstra records the full delegation chain (with circular delegation detection), propagates taint tags across agent boundaries, and enforces policies on cross-agent data flows. A dedicated Comms tab in the dashboard shows all peer relationships.

Complete audit trail

Every action is recorded in a tamper-proof, SHA-256 hash-chained audit trail with 30+ action types. Each record links to the previous via chain_hash, and a verification endpoint (POST /api/v1/audit/verify) checks the entire chain for tampering. No UPDATE or DELETE operations exist on audit records.
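The following Python example is added here to show how a SHA-256 hash chain of this kind is built and verified; it is not GuardAstra's audit code, and the record fields, the canonical serialization and the action names are assumptions. Each entry carries the previous entry's chain_hash, so editing or deleting a record in the middle breaks every link after it, which is what the verification walk detects.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64   # anchor for the first record (constructed convention)


def canonical(record: dict) -> str:
    """Deterministic serialization: key order and whitespace must not change the hash."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def chain_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous chain_hash and this record's canonical body."""
    return hashlib.sha256((prev_hash + "\n" + canonical(record)).encode()).hexdigest()


def append_record(chain: list, record: dict) -> dict:
    """Append-only write: the new entry is bound to the current tail of the chain."""
    prev = chain[-1]["chain_hash"] if chain else GENESIS_HASH
    entry = dict(record)
    entry["prev_hash"] = prev
    entry["chain_hash"] = chain_hash(prev, record)
    chain.append(entry)
    return entry


def verify_chain(chain: list):
    """Recompute every link. Returns (True, None) or (False, index of the first bad entry)."""
    prev = GENESIS_HASH
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k not in ("prev_hash", "chain_hash")}
        if entry.get("prev_hash") != prev or entry.get("chain_hash") != chain_hash(prev, body):
            return False, i
        prev = entry["chain_hash"]
    return True, None


def copy_chain(chain: list) -> list:
    """Per-entry copy so a tampered version can be checked next to the original."""
    return [dict(e) for e in chain]


if __name__ == "__main__":
    log = []
    for rec in [{"seq": 1, "action": "policy.create", "actor": "alice"},   # constructed action types
                {"seq": 2, "action": "policy.approve", "actor": "bob"},
                {"seq": 3, "action": "policy.activate", "actor": "bob"}]:
        append_record(log, rec)
    print(verify_chain(log))
    forged = copy_chain(log)
    forged[1]["actor"] = "mallory"   # edit in the middle of the chain
    print(verify_chain(forged))
```

One caveat the walk makes visible: a chain verifies cleanly if its newest records are simply dropped, because nothing after the tail references them. Detecting truncation needs the current head hash recorded somewhere the audit store cannot rewrite (a signed export, a write-once log, or an out-of-band copy) and compared against the chain at verification time.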

Authentication & RBAC

GuardAstra uses JWT-based authentication with httpOnly cookie refresh tokens and six hierarchical roles: developer < auditor < operator < team_admin < security_admin < platform_admin. Route-level enforcement gives each API group a minimum required role. Authentication is always enabled once the initial setup wizard completes.

Provider compatibility

The LLM-key gateway's provider allowlist is closed: anthropic, openai, groq, custom. Anything else is rejected at proxy-key creation.

  • Anthropic (Claude) — detected via x-api-key header
  • OpenAI (GPT-4, GPT-4o, o1, o3) — detected via Bearer sk-*
  • Groq — auto-detected via gsk_* keys
  • custom — any OpenAI-compatible HTTPS endpoint (Google Gemini's /v1beta/openai, Cerebras, Together AI, Fireworks, etc.) gated by the SSRF safe-dialer.

AWS Bedrock and Google Vertex are not in scope for the gateway — their request shapes / auth models do not match the OpenAI-compatible contract. Self-hosted upstreams (Ollama on http://localhost:11434, vLLM / TGI on private IPs) are rejected by the SSRF gate. For these flows use a Tier 3 SDK integration and call /api/v1/intercept directly. See Coverage and Limitations and Security Limitations for the full out-of-scope list.
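The two gates described above, the closed provider allowlist checked at proxy-key creation and the SSRF check on custom upstreams, are shown below in a Python example added for illustration; it is not GuardAstra's safe-dialer and its function names, error strings and the injected resolver are assumptions. Provider detection follows the header and key-prefix rules listed above. The resolver is passed in so the check runs offline against a constructed DNS table; a real dialer would also have to connect to the address it checked rather than resolve the name a second time.

```python
import ipaddress
from urllib.parse import urlsplit

# Closed provider allowlist, as stated on the page.
ALLOWED_PROVIDERS = frozenset({"anthropic", "openai", "groq", "custom"})


def detect_provider(headers: dict):
    """Infer the upstream provider from the credential the agent presents.
    Prefix rules follow the page; header names are expected lower-cased."""
    if "x-api-key" in headers:
        return "anthropic"
    auth = headers.get("authorization", "")
    if auth.startswith("Bearer "):
        token = auth[len("Bearer "):]
        if token.startswith("sk-"):
            return "openai"
        if token.startswith("gsk_"):
            return "groq"
    return None


def is_public_address(ip: str) -> bool:
    """True only for globally routable unicast addresses (IPv4 or IPv6)."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local
                or a.is_multicast or a.is_reserved or a.is_unspecified)


def check_custom_upstream(url: str, resolve):
    """SSRF gate for a 'custom' upstream. `resolve(hostname)` returns the list of
    addresses the name resolves to (injected so the check is testable offline).
    Returns (ok, reason)."""
    u = urlsplit(url)
    if u.scheme != "https":
        return False, "upstream must use https"
    if not u.hostname:
        return False, "upstream URL has no host"
    addrs = resolve(u.hostname)
    if not addrs:
        return False, "upstream host does not resolve"
    # Every address must pass: a name with one public and one private record is rejected.
    for ip in addrs:
        if not is_public_address(ip):
            return False, f"non-public address {ip}"
    return True, "ok"


def validate_proxy_key_request(provider: str, resolve, upstream_url: str = None):
    """Decision at proxy-key creation time: (accepted, reason)."""
    if provider not in ALLOWED_PROVIDERS:
        return False, f"provider {provider!r} is not in the allowlist"
    if provider == "custom":
        if not upstream_url:
            return False, "custom provider requires an upstream URL"
        return check_custom_upstream(upstream_url, resolve)
    return True, "ok"


# Constructed DNS table for offline demonstration; none of these hosts or addresses are real.
FAKE_DNS = {
    "api.example-llm.test": ["1.2.3.4"],
    "ollama.internal": ["10.0.0.5"],
    "localhost": ["127.0.0.1"],
    "split.test": ["1.2.3.4", "169.254.1.1"],
}


def fake_resolve(host: str):
    return FAKE_DNS.get(host, [])


if __name__ == "__main__":
    for provider, url in [("openai", None),
                          ("custom", "https://api.example-llm.test/v1"),
                          ("custom", "http://localhost:11434/v1"),
                          ("custom", "https://split.test/v1"),
                          ("bedrock", None)]:
        print(provider, url, validate_proxy_key_request(provider, fake_resolve, url))
```

The split.test case is the one to keep in mind when reviewing such a gate: rejecting a name only when its first address is private leaves a path open through multi-record or rotating DNS answers, so every resolved address is checked and the connection must be pinned to a checked one.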

Platform at a glance

Metric                        Count
Regex classification rules    107 (43 standard + 64 finance)
ML classifiers                3 (prompt injection, semantic PII, intent)
Anomaly detectors             67 (15 generic + 52 finance)
Policy engine levels          8
Redaction strategies          4 (mask, replace, truncate, tokenize)
Operating modes               7
API endpoints                 115+
Dashboard pages               25
RBAC roles                    6
Trust score signals           10
Binary size                   ~20 MB
Startup time                  <100ms

Three ways to connect agents

GuardAstra offers three interception tiers so you can choose the right trade-off between simplicity and control:

  1. Tier 1 — Proxy Keys — Zero code changes. Create a proxy key, set it as your agent's API key, and point the base URL at GuardAstra. Supports proxy-level policy enforcement including deny, redact, token budget, and approval gates.
  2. Tier 2 — HTTP Headers — Add X-GuardAstra-Trace-Id, X-GuardAstra-Peer-Agent-Id, X-GuardAstra-Tenant-Id and related context headers for correlation and attribution. Identity headers (Agent-Id, Workspace-Id, etc.) are ignored by the proxy — identity is pinned to the ask_… proxy key. Context headers provide trace/tenant/peer attribution, not proof of identity.
  3. Tier 3 — SDK Intercept — Call POST /api/v1/intercept before each tool execution for pre-execution policy enforcement, full payload classification, taint tracking, and human-in-the-loop approval gates.

All tiers are composable — you can use Tier 1 + 2 + 3 together for maximum coverage.

Architecture

+-----------+       +----------------+       +--------------+
|           |       |                |       |              |
|  AI Agent +------>+   GuardAstra   +------>+ LLM Provider |
|           |       |  (Go binary)   |       | (Anthropic,  |
|           |<------+                |<------+  OpenAI, ..) |
+-----------+       +-------+--------+       +--------------+
                            |
                    +-------+--------+
                    |                |
               +----v-----+   +-----v-----+
               |PostgreSQL|   |   Redis   |
               |(embedded)|   |(optional) |
               +----------+   +-----------+

GuardAstra runs as a single process on a single port (default 4000). PostgreSQL stores all persistent data (events, policies, agent configs, audit logs). Redis is optional and used for caching, rate limiting, and token budget counters. An optional Python ML sidecar (port 50051) provides heavier transformer-based models if you want deep semantic analysis beyond the built-in heuristic classifiers.

How this documentation is organized

  • Getting Started — Installation, quick-start guide, configuration reference, and upgrade instructions. Start here.
  • Connecting Agents — Detailed guides for each interception tier: Proxy Keys, HTTP Headers, and SDK Intercept.
  • Classification — How content classification works, regex pack catalogs, ML classifiers, custom rules, and shadow mode.
  • Policies — The 8-level policy engine: precedence, conditions, actions, redaction strategies, auto-generation, and lifecycle.
  • Anomaly Detection — How the 67 detectors work, 7-day baselines, alert lifecycle, and full detector reference.
  • Multi-Agent — Peer tracking, delegation chains, cross-agent taint propagation, and the Comms dashboard.
  • Security — Authentication, RBAC roles, AES-256-GCM encryption, audit trail, and trust scores.
  • Dashboard — A tour of all 25 dashboard pages with usage guidance.
  • Deployment — Production deployment, Docker, cross-platform builds, and ML sidecar setup.
  • API Reference — Complete REST API documentation for all 115+ endpoints.
  • Guides — Task-oriented guides: FinanceAgent test harness, AuditBot cross-agent demo, and operating modes walkthrough.