
agentvault

Project-Agent / sdks/agentvault-py/README.md


> The ARX SDK. Routes every governed agent action through the ARX runtime
> for credential issuance, manager approval, drift evaluation, and
> hash-chained personnel-record append.

```bash
pip install agentvault
```

Quick start

```python
from agentvault import governed, Client

# Configure once, typically at process start. Reads ARX_TOKEN from env if
# arg is omitted.
arx = Client.from_env()

# Decorate any function that talks to a system of record. The decorator
# replaces the function's body at runtime with: credential issuance via
# ARX → connector call → personnel-record append. If the decorated call
# is declared high-risk, the runtime pauses until the named manager
# approves it in the workforce console.
@governed(connector="salesforce", action="account.read", risk="low")
async def fetch_account(account_id: str) -> dict:
    # The body executes only after the credential has been issued and
    # the policy gate has cleared. The credential is bound to *this*
    # call's scope — never accessible to the broader process.
    import httpx
    async with httpx.AsyncClient() as h:
        r = await h.get(
            f"https://api.salesforce.com/v1/accounts/{account_id}",
            headers={"Authorization": f"Bearer {arx.credential}"},
        )
        return r.json()
```

What ARX gives you

  • Per-call credentials. No long-lived tokens in agent code. The credential exists only for this call's scope and is discarded after.

  • Approval gating in the connector layer. High-risk calls pause for a named human approver. The agent code can't route around it because the enforcement isn't in agent code.

  • Hash-chained personnel record. Every call streams to the customer's S3 bucket, witness-signed every five minutes. An auditor can verify the record without trusting ARX.

  • Drift detection. Calls outside the agent's declared role manifest surface as performance events, not security alerts.

  • Defined termination. One-button revoke from the workforce console fires across every connector atomically.
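
The hash-chained personnel record above is what lets an auditor check the log independently. The sketch below shows how such a check works; it is an added example, not code from the agentvault SDK. The record layout (`prev_hash`, `body`, `hash`), the all-zero genesis value, and SHA-256 over canonical JSON are assumptions, since this page does not specify the ARX record format.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor value for the first record


def entry_hash(prev_hash: str, body: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON encoding of the body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


def append(chain: list, body: dict) -> None:
    """Append a record linked to the current chain head."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev_hash": prev, "body": body, "hash": entry_hash(prev, body)})


def verify(lines, trusted_head=None):
    """Return (ok, index_of_first_bad_record_or_None) for JSONL lines.

    trusted_head is a head hash obtained out of band (for example from a
    witness signature); without it, truncating the tail goes unnoticed.
    """
    prev = GENESIS
    for i, line in enumerate(lines):
        rec = json.loads(line)
        if rec["prev_hash"] != prev or rec["hash"] != entry_hash(prev, rec["body"]):
            return False, i
        prev = rec["hash"]
    if trusted_head is not None and prev != trusted_head:
        return False, len(lines)
    return True, None


def sample_log():
    """Constructed sample: three governed calls serialized as JSONL lines."""
    chain = []
    for account_id in ("001A", "001B", "001C"):
        append(chain, {"connector": "salesforce", "action": "account.read",
                       "account_id": account_id})
    return [json.dumps(r) for r in chain]


if __name__ == "__main__":
    log = sample_log()
    head = json.loads(log[-1])["hash"]
    print(verify(log, head))      # intact log
    print(verify(log[:2], head))  # tail removed, caught only via trusted_head
```

The chain alone detects edits, deletions and reordering inside the file; only a head hash held outside the log, such as a periodically signed one, detects a truncated or fully rewritten log.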

Governance posture (declared by the agent)

Every agent that uses this SDK MUST ship with a manifests/job_description.yaml declaring scope, approval policy, runtime budget, and termination procedure. See reference-agents/sales-research/manifests/job_description.yaml in the ARX repo for the canonical example.

The SDK refuses to issue a credential if the declared connector is not on the agent's manifest. That refusal is itself logged.

Configuration

| Env var | Purpose |
| ---------------------- | ---------------------------------------- |
| ARX_TOKEN | Bearer token issued at agent registration |
| ARX_BASE_URL | Override default https://api.arxsec.io/v1 |
| ARX_AGENT_ID | The hired agent's UUID (set by the runtime) |
| ARX_LOCAL_RECORD_DIR | Local fallback dir for personnel records when offline |

Local-only mode

For development before an agent is hired through ARX, the decorator runs in local-stub mode — calls are recorded to a local JSONL file under arx-records/ instead of the real personnel-record bucket. Useful for testing manifest declarations against the agent's actual behavior before going live.

```bash
export ARX_LOCAL_MODE=1
uvicorn app.main:app --reload
```

License

Apache 2.0. See LICENSE.