Siphrix — Documentation

Documentation

Siphrix in one paragraph

Siphrix is an AI Action Firewall & Policy Runtime. It sits between what an AI agent wants to do and what it is allowed to do: every action is evaluated against a policy before it executes, an auditable decision trail is emitted, and the system fails closed when in doubt.

Under the hood it is four coordinated layers — a policy decision layer, a runtime enforcement layer, a trust / audit / governance layer, and an operator readiness surface — but externally it is one product: the boundary between agent intent and real-world action.

◆

Local-first. Everything in the core runs offline on loopback — no API keys, no cloud, no Docker. Hosting and OS-level signing are explicit operator steps (see External handoffs).

Quickstart

The canonical first-run path is three commands — fully offline.

pip install siphrix
siphrix demo      # the block / allow / audit walkthrough
siphrix doctor    # human-readable launch-readiness report

siphrix demo is the golden path: it prints a blocked unsafe action, an allowed safe action under the shipped safe_defaults pack, and an auditable decision-trail recap.

▲

Fail-closed by default. The focused examples emit BLOCK (policy_empty_allowlist) when no policy is configured. That is Siphrix's expected posture, not a broken install. Set SIPHRIX_POLICY_FILE to bind a real policy.

Core concepts

Verdicts

Every evaluation returns exactly one outcome, a machine-readable reason code, and the material for an audit record.

✓ALLOW

The action conforms to policy and may execute. Recorded with its reason.

✕BLOCK

The action violates policy and is stopped before it runs. Nothing executes.

‖ABORT

Execution is halted pending a human decision — e.g. requires approval.

Fail-closed

When policy is missing, ambiguous, or evaluation cannot complete, Siphrix denies. An empty allowlist blocks everything (policy_empty_allowlist). Safety is the default state, not a configuration you must remember to switch on.

Policy packs

Policies ship as packs — versioned, optionally ED25519-signed bundles of rules. The shipped safe_defaults pack allows ordinary read/inert actions and blocks destructive, financial and exfiltration categories. You layer your own rules on top.

Reference

Policy schema

A policy is a declarative document of rules matched against an action and its context. Each rule yields an effect; the engine resolves them deterministically and fails closed.

Field	Type	Meaning
`version`	string	Schema version (policy schema v4).
`rules[]`	list	Ordered rules; each has a `match` and an `effect`.
`match.action`	glob/regex	Action name or family (e.g. `send_email`, `shell.*`).
`match.category`	enum	`read · write · network · destructive · exfiltration · financial`
`match.context`	object	Constraints on target, scope, sensitivity, recipient, etc.
`effect`	enum	`allow · block · abort · require_approval`
`reason_code`	string	Stable code attached to the verdict & audit record.

# _demo_policy.yaml — minimal example
version: "4"
rules:
  - match: { category: read }
    effect: allow
    reason_code: safe_defaults_allow
  - match: { category: destructive }
    effect: block
    reason_code: policy_block_destructive
  - match: { category: exfiltration }
    effect: block
    reason_code: policy_block_exfiltration

◆

Bind a policy at runtime with SIPHRIX_POLICY_FILE=./policy.yaml, or manage packs through the console / service tier.

CLI

The siphrix command is the front door to everything local.

Command	What it does
`siphrix demo`	Offline allow / block / audit walkthrough.
`siphrix evaluate`	Evaluate a single action against the active policy.
`siphrix simulate`	Dry-run a batch of actions, see the verdicts.
`siphrix replay`	Re-decide historic actions under a new policy.
`siphrix doctor`	Launch-readiness report (engine, packs, daemon).
`siphrix serve --foreground`	Run the local loopback daemon.
`siphrix console`	Launch the app (service + web UI) and open it in your browser.
`siphrix audit-*`	Inspect, export and bundle audit records.
`siphrix policy-builder`	Interactively author a policy pack.

Run siphrix --help to discover every subcommand and its flags.

Python SDK

Evaluate any action from your own code in two lines. The public surface is small and stable.

from siphrix import ActionEvaluator, PolicyManager

evaluator = ActionEvaluator()                  # loads active policy
verdict = evaluator.evaluate(action, context)  # → outcome, reason_code, …

if verdict.outcome != "ALLOW":
    raise Blocked(verdict.reason_code)        # do not run the action

For a full pipeline (normalize → evaluate → record), use run_pipeline(user_text). The repo walkthrough at examples/example_agent.py is a deeper integration tour.

Daemon API

The local loopback daemon (siphrix serve --foreground) exposes 20+ bearer-authed routes. The console, extensions and editors all talk to it. Highlights:

Route	Purpose
`POST /evaluate`	Decision-only simulation — never executes the action.
`GET /audit`	Audit records (filterable; JSON/CSV export).
`GET/PUT /rules`	Local block-rules overlay.
`GET/POST /approvals`	Approval requests & reconsideration.
`POST /replay`	Policy-impact replay.
`GET /analytics`	Time-series & top-rankings over the audit log.

▲

The token lives in page/process memory only. The console never writes it to localStorage or logs. Calls are loopback / same-origin.

Integrations

MCP server

A verdict-only Model Context Protocol server over stdio lets any MCP client ask Siphrix for a decision before acting.

python -m siphrix.mcp                         # start the stdio server
python -m siphrix.mcp.client_config --client codex   # wire into a client

Editors & agents

VS Code extension

Health, evaluate and audit with Allow / Block / Pause control over /rules, in the editor. Marketplace id siphrix.siphrix-vscode.

Claude Code plugin

A PreToolUse hook, block-only and fail-closed — every tool call is gated before it runs. Repo Ghengeaua/siphrix-claude-plugin.

Codex / generic agent bridge

Verdict tools via MCP plus a client-config generator: siphrix.console.ai_tool_bridge.

Browser extension

An MV3 extension and JS SDK gate uploads and secret-pastes into AI sites via the local daemon. It supports account login and a per-platform restriction choice (Off / Basic / Strict) from the popup. Dev-load today; store publishing is an operator step.

Service tier

A real, persistent local service: SQLite storage, hashed API keys (PBKDF2), RBAC, tenant isolation, a decision API, audit ingestion and approvals — loopback only.

python -m siphrix.service        # start the service tier

Endpoint	Auth
`POST /v1/login`	email + password → session token
`POST /v1/decisions/evaluate`	evaluate permission
`GET /v1/decisions` · `/v1/audit`	read permissions
`GET/PUT /v1/platforms` · `/v1/levels`	per-platform protection
`GET /v1/analytics`	per-org analytics
`… /v1/approvals`	create / read / decide

◆

Deploy it behind your own TLS/ingress, point --db at a managed volume, and front it with an IdP to add SSO. See External handoffs.

Operate

Console & dashboard

Siphrix ships three operator surfaces, all unified in the web console on this site:

Account console — pick a protection level (Off / Basic / Strict) per AI app in plain language; power users add scoped block-rules.
Operator dashboard — Overview, Readiness, Release state, Runtime, Policy Packs, Policy Check, Demo and Audit.
Web console — Simulator, Audit, Rules and Approvals against the local daemon.

The console talks only to the local daemon / service. The session token stays in page memory; nothing is persisted to browser storage.

Audit & replay

Every decision produces an audit record. Records are redactable and can be exported (JSON/CSV) or bundled into a portable evidence bundle. The trust layer adds ED25519 policy signing and an integrity-chained ledger.

Replay re-decides historic actions under a candidate policy, so you can measure the impact of a change before shipping it.

Posture

Capabilities — the honest table

Every surface is labelled by maturity, on purpose. See the interactive matrix on the home page. The three levels:

✓Shipping

Real, tested code that performs the behaviour for a user.

◐Contract

A deterministic, tested local model — but no real side effect yet.

⤓External

Needs credentials, hosting or OS signing that live with the operator.

Nothing is overclaimed. Where a surface is contract-only or external, the code and the table say so plainly.

Security posture

Fail-closed on missing/ambiguous policy and on evaluation failure.
No silent execution — /evaluate is decision-only; the broker is record-only by default and real backends are opt-in in code.
Token hygiene — bearer/session tokens stay in memory; never written to storage or logs.
Signed policy — ED25519 signing + verification and an integrity-chained ledger.
Tenant isolation in the service tier; hashed API keys (PBKDF2); RBAC.

External handoffs

Some capabilities cannot be made real inside the repository — they need credentials, hosting, store accounts or platform signing that live with the operator. Siphrix builds everything up to that boundary as real, tested code, then stops. It never simulates these as if done.

Boundary	Operator step
OS-level enforcement (kernel / seccomp / eBPF / WFP)	Build & sign a native component (WHQL / Apple entitlement / privileged install). Siphrix's decisions are its input.
Hosted cloud deployment	Deploy the service tier behind your TLS/ingress; point `--db` at a managed volume.
SSO / SAML / OIDC / SCIM	Put your IdP in front of the service and map groups to Siphrix roles.
Billing (Stripe / seats)	Requires live payment keys + a merchant account. Nothing pretends to bill.

Roadmap

Siphrix is at v1.0.2, a private-beta candidate. Direction of travel: hardening the enforcement bridges, expanding signed-policy distribution, deepening the governance models from contract toward shipping, and the operator-credentialed steps above. See ROADMAP.md in the repository for the ordered list.