Introduction

The Behavioral Firewall for AI Agents.

Kyvvu is a governance platform that evaluates policies against the full execution path of your AI agent — before each step runs. It decides allow, warn, or block in sub-millisecond time, directly inside your agent process. No proxy. No gateway. No perceptible latency.


The first 5 minutes

pip install kyvvu

kyvvu register
# → creates your account, returns an API key

kyvvu init my-agent
# → registers a demo agent, applies 8 OWASP security policies, scaffolds a project

cd my-agent
pip install -r requirements.txt
export KV_API_KEY=KvKey-...
python agent.py

The demo agent runs three steps (a model call, a resource read, and a code execution). The first two pass. The third — step.exec — is blocked by the OWASP policy "Code execution requires a preceding gate":

Policy blocked this step: ...
   Risk score: 1.00
   Action:     block
   * Code execution requires a preceding gate (critical)

This is Kyvvu working as intended — the OWASP security policies
flagged an action that requires oversight. In a real agent, you'd
add a step.gate (human approval) before the blocked action.

That's runtime policy enforcement. The engine evaluated the agent's full task history, found no step.gate preceding the step.exec, and blocked it before execution.

For why this architecture matters, see the blog post The Hot Path Tax.


Architecture

The engine runs in your process. Policy evaluation is pure CPU — no network calls, no database queries, no I/O. Policies are fetched in the background and cached. Log flushing happens asynchronously on task completion.


What Kyvvu does

  1. Registration enforcement — agents must declare their purpose, tools, and risk classification before they can start. Policies validate these declarations at startup.

  2. Runtime policy evaluation — every atomic step your agent takes is evaluated against loaded policies before execution. Decisions depend on the full ordered history of the current task ("policies on paths").

  3. Behavioral trace logging — completed steps are recorded into an audit trail, flushed to the platform API on task completion. The trace is a structured JSON record of everything the agent did.

  4. Incident management — policy violations generate incidents that surface in the dashboard for triage, acknowledgment, and resolution.
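
How the engine's decision from the demo above falls out of "policies on paths" (items 2 through 4: path-dependent evaluation, the structured trace, and incidents for violations), as an added worked example in Python. This is illustration code written for this page, not the Kyvvu SDK, its policy format or its OWASP policy set: the step kinds follow the demo, the first rule mirrors the "Code execution requires a preceding gate" behaviour described above, and the second rule plus every name (Task, Violation, run_path, and so on) are assumptions made for the example.

```python
"""Toy in-process, path-based policy engine.

Added illustration only: this is NOT the Kyvvu SDK or its policy format. It
mimics the behaviour described on this page (decide allow/warn/block for each
step from the full ordered history of the task, keep a structured trace, and
raise an incident for violations) with rules that are assumed for the example.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Callable, Optional

# Step kinds follow the page's demo: step.model, step.read, step.exec, step.gate.
@dataclass(frozen=True)
class Step:
    kind: str
    detail: str = ""

@dataclass(frozen=True)
class Violation:
    policy: str
    severity: str   # label only ("critical", "medium", ...)
    action: str     # "warn" or "block"
    risk: float     # 0.0 .. 1.0

# A rule sees the ordered history plus the proposed step, not just the step.
# That signature is what "policies on paths" means.
Rule = Callable[[list[Step], Step], Optional[Violation]]

def exec_requires_gate(history: list[Step], step: Step) -> Optional[Violation]:
    """Block step.exec unless a step.gate occurred earlier in this task
    (same shape as the policy that blocks the page's demo agent)."""
    if step.kind != "step.exec" or any(s.kind == "step.gate" for s in history):
        return None
    return Violation("Code execution requires a preceding gate", "critical", "block", 1.0)

def gate_immediately_precedes_exec(history: list[Step], step: Step) -> Optional[Violation]:
    """Hypothetical warn-level rule (not a Kyvvu policy): if other steps ran
    between the last gate and the exec, the approved plan may have drifted."""
    if step.kind != "step.exec":
        return None
    gates = [i for i, s in enumerate(history) if s.kind == "step.gate"]
    if not gates or gates[-1] == len(history) - 1:
        return None  # no gate at all is exec_requires_gate's job
    return Violation("Gate is not immediately before execution", "medium", "warn", 0.4)

_SEVERITY = {"allow": 0, "warn": 1, "block": 2}

@dataclass(frozen=True)
class Decision:
    action: str
    risk: float
    violations: tuple[Violation, ...]

class Task:
    """One agent task: ordered history, audit trace, and incidents."""

    def __init__(self, rules: list[Rule]) -> None:
        self.rules = rules
        self.history: list[Step] = []    # steps that actually executed
        self.trace: list[dict] = []      # every attempted step, incl. blocked ones
        self.incidents: list[dict] = []  # warn/block records for triage

    def evaluate(self, step: Step) -> Decision:
        """Pure CPU: no I/O, just rules over (history, step)."""
        hits = [v for r in self.rules if (v := r(self.history, step)) is not None]
        if not hits:
            return Decision("allow", 0.0, ())
        worst = max(hits, key=lambda v: _SEVERITY[v.action])
        return Decision(worst.action, max(v.risk for v in hits), tuple(hits))

    def run(self, step: Step, execute: Callable[[Step], str]) -> Decision:
        """Evaluate before executing; a blocked step never reaches execute()."""
        d = self.evaluate(step)
        record = {"step": step.kind, "detail": step.detail, "action": d.action,
                  "risk": d.risk, "policies": [v.policy for v in d.violations],
                  "result": None}
        if d.action != "allow":
            self.incidents.append(record)
        if d.action != "block":
            record["result"] = execute(step)
            self.history.append(step)
        self.trace.append(record)
        return d

    def trace_json(self) -> str:
        """Structured audit trail, as would be flushed on task completion."""
        return json.dumps(self.trace, indent=2)

def run_path(kinds: list[str]) -> Task:
    """Run a whole path of step kinds through the toy engine and return the task.
    The lambda stands in for the real tool call."""
    task = Task([exec_requires_gate, gate_immediately_precedes_exec])
    for k in kinds:
        task.run(Step(k), lambda s: f"ran {s.kind}")
    return task

if __name__ == "__main__":
    # Same three steps as the page's demo: exec is blocked because no gate precedes it.
    demo = run_path(["step.model", "step.read", "step.exec"])
    print(demo.trace[-1]["action"], f"risk={demo.trace[-1]['risk']:.2f}")  # block risk=1.00
    # Insert the gate and the identical exec step is allowed.
    fixed = run_path(["step.model", "step.read", "step.gate", "step.exec"])
    print(fixed.trace[-1]["action"])  # allow
    print(fixed.trace_json())
```

The point to take from the example is that the same step.exec is blocked in one task and allowed in another purely because of what came before it; a per-request filter that only looks at the current call cannot express that rule. Note also that a blocked step is recorded in the trace and raised as an incident but is never appended to the history, so later rules cannot be satisfied by an action that did not happen.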


