Runtime security for AI agent tool execution.
Cerberus Core is the embeddable runtime enforcement layer for AI agents. It correlates privileged data access, untrusted content ingestion, and outbound behavior at the tool-call level, then interrupts guarded outbound actions before they execute.
Open the live public demo
Open the guided getting started path
Cerberus Core is built to prove one thing clearly: if an agent reads sensitive data, ingests untrusted instructions, and then attempts a guarded outbound action, Core can correlate that runtime chain and interrupt it before the tool executes.
```bash
npm install @cerberus-ai/core
# or
pip install cerberus-ai
```

- Getting Started
- Verify Core Yourself
- Live Model Validation
- Core Live Attack Demo
- Animated Core Demo Source
- Demo Surface Strategy
```bash
npm install
npm run harness:action:report
```

Then open:

`test-results/action-harness-report.html`

This runs the real guard() runtime against a compact set of control, attack, and observation scenarios and produces an operator-readable HTML report.
```ts
import { guard } from '@cerberus-ai/core';

// Wrap the agent's tool executors. fetchFromDb, httpGet and smtp stand in for your own implementations.
const { executors: secured } = guard(
  {
    readDatabase: async (args) => fetchFromDb(args.query),
    fetchUrl: async (args) => httpGet(args.url),
    sendEmail: async (args) => smtp.send(args),
  },
  {
    alertMode: 'interrupt',
    threshold: 3,
    trustOverrides: [
      { toolName: 'readDatabase', trustLevel: 'trusted' },
      { toolName: 'fetchUrl', trustLevel: 'untrusted' },
    ],
  },
  ['sendEmail'],
);
```

```python
from cerberus_ai import Cerberus
from cerberus_ai.models import CerberusConfig, DataSource, ToolSchema

cerberus = Cerberus(CerberusConfig(
    data_sources=[DataSource(name="customer_db", classification="PII", description="Customer records")],
    declared_tools=[
        ToolSchema(name="search_db", description="Search CRM", is_data_read=True),
        ToolSchema(name="send_email", description="Send email", is_network_capable=True),
    ],
))
```

- TypeScript SDK in `src/`
- Python SDK in `sdk/python/`
- test suites in `tests/`
- minimal examples in `examples/`
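The guard() call shape above, traced through as an added example that is not code from @cerberus-ai/core: a stand-in guard() that scores the runtime chain one point per observed link (privileged read, untrusted ingestion, guarded outbound attempt) and interrupts the guarded tool once the score reaches threshold. The per-link scoring, the mapping of trustLevel 'trusted' and 'untrusted' to chain links, and the thrown Error are assumptions made for illustration.

```javascript
// Added illustration, not code from @cerberus-ai/core: a stand-in guard() with the README's
// call shape that scores the chain one point per observed link (privileged read, untrusted
// ingestion, guarded outbound attempt). Treating 'trusted' tools as privileged reads and
// 'untrusted' tools as ingestion, and the thrown Error, are assumptions of this demo.
function guard(executors, config, guardedTools) {
  const { threshold = 3, alertMode = 'interrupt', trustOverrides = [] } = config;
  const trust = new Map(trustOverrides.map((o) => [o.toolName, o.trustLevel]));
  const guarded = new Set(guardedTools);
  // Per-session runtime state: which links of the chain have been observed so far.
  const state = { privilegedRead: false, untrustedIngest: false, decisions: [] };
  const secured = {};
  for (const [name, run] of Object.entries(executors)) {
    secured[name] = async (args) => {
      if (guarded.has(name)) {
        const score = Number(state.privilegedRead) + Number(state.untrustedIngest) + 1;
        const action = score >= threshold ? alertMode : 'allow';
        state.decisions.push({ tool: name, score, action });
        // 'interrupt' stops the tool before it runs; any other mode only records it.
        if (action === 'interrupt') {
          throw new Error(`guard interrupted ${name}: chain score ${score} >= ${threshold}`);
        }
      }
      const result = await run(args);
      if (trust.get(name) === 'trusted') state.privilegedRead = true;
      if (trust.get(name) === 'untrusted') state.untrustedIngest = true;
      return result;
    };
  }
  return { executors: secured, state };
}
// Replays tool calls in order against the README's config with constructed stub executors.
async function runScenario(calls) {
  const { executors, state } = guard(
    {
      readDatabase: async () => ['customer PII row'], // constructed stub
      fetchUrl: async () => '<html>untrusted page</html>', // constructed stub
      sendEmail: async () => 'sent', // constructed stub
    },
    { alertMode: 'interrupt', threshold: 3, trustOverrides: [
      { toolName: 'readDatabase', trustLevel: 'trusted' },
      { toolName: 'fetchUrl', trustLevel: 'untrusted' } ] },
    ['sendEmail'],
  );
  let outcome = 'completed';
  for (const tool of calls) {
    try { await executors[tool]({}); } catch (e) { outcome = 'interrupted'; }
  }
  return { outcome, decisions: state.decisions };
}
```

runScenario(['readDatabase', 'fetchUrl', 'sendEmail']) is interrupted at a chain score of 3, while ['readDatabase', 'sendEmail'] completes at 2 because the untrusted-ingestion link never occurred.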
This repository is intentionally limited to the public Core SDK surface.
Enterprise gateway, monitoring, commercial deployment tooling, hosted product operations, deep validation trace corpora, and licensing infrastructure belong in separate private product infrastructure.
MIT. See LICENSE.