Haldir
Identity, secrets, and audit for AI agents. Proxy mode intercepts every MCP tool call.
Haldir — The Guardian Layer for AI Agents
The open-source governance layer for AI agents. Identity, secrets, audit, and policy enforcement — MIT licensed, self-host or use our cloud.
Haldir enforces governance on every AI agent tool call: scoped sessions with spend caps, encrypted secrets the model never sees, hash-chained tamper-evident audit trail, human-in-the-loop approvals, and a proxy that intercepts every MCP call before it reaches your tools. Native SDKs for LangChain, CrewAI, AutoGen, and Vercel AI SDK.
CLI
$ haldir overview
Haldir tenant overview
acct_xyz123 · tier pro · 2026-04-19T18:42:11+00:00
Status ● ok
Actions 4,217 / 50,000 ████░░░░░░░░░░░░░░░░ 8.4%
Spend $ 47.30 this month
Sessions 12 active · 3/10 agents
Vault 8 secrets · 62 accesses this month
Audit 1,847 entries · 0 flagged (7d) · chain ✓
Webhooks 2 registered · 541 deliveries (24h) · 99.82% success
Approvals 1 pending
Install once, drive the whole platform from the terminal:
pip install haldir
haldir login # one-time; stashes API key
haldir overview --watch # top-style live dashboard
haldir status # green/yellow/red component pills
haldir ready # exits 0/1, perfect for CI
haldir audit tail --agent my-bot # the last N entries
haldir audit export --format=jsonl --out audit-2026-04.jsonl
haldir audit verify # hash chain integrity check
haldir webhooks deliveries # last 20 retry attempts
haldir migrate up # apply pending schema migrations
Every command takes --json for scripts. haldir --help for the full surface.
Two ways to run Haldir
| Self-host | Cloud (haldir.xyz) | |
|---|---|---|
| Price | Free forever | Free tier + paid plans |
| Features | Everything | Everything — same API, same SDKs |
| You run | API + Postgres | Nothing |
| Best for | Regulated industries, air-gapped, "must own data" | "Just make it work" |
Self-host in 5 minutes
git clone https://github.com/ExposureGuard/haldir.git
cd haldir
cp .env.example .env
python3 -c 'import base64, os; print(base64.urlsafe_b64encode(os.urandom(32)).decode())'
# paste the output into .env as HALDIR_ENCRYPTION_KEY, then:
docker compose up -d
curl http://localhost:8000/health
Full self-hosting guide: SELF_HOSTING.md
Or use our cloud
pip install haldir
That's it — point at https://haldir.xyz, no signup, live API.
Live now: haldir.xyz · API Docs · OpenAPI Spec · Smithery
🧪 Now accepting 5 design partners. 30 days free, full access, direct line to the founder. If you're shipping AI agents to production, email [email protected].
Performance
Haldir is fast enough to sit in the hot path of every agent tool call without becoming the bottleneck.
Single-box HTTP throughput (gunicorn 4 workers, 32 concurrent clients, tuned SQLite backend, every request goes through the full middleware stack — auth, validation, idempotency, metrics, structured logging):
| Endpoint | RPS | p50 | p95 | p99 |
|---|---|---|---|---|
GET /healthz | 1,638 | 19.1 ms | 32.5 ms | 41.6 ms |
GET /v1/status | 1,382 | 22.2 ms | 30.8 ms | 45.4 ms |
GET /v1/sessions/:id | 903 | 29.2 ms | 95.5 ms | 172.1 ms |
POST /v1/sessions (create) | 1,142 | 27.7 ms | 35.2 ms | 39.9 ms |
POST /v1/audit (hash-chain write) | 1,092 | 28.7 ms | 37.6 ms | 52.6 ms |
Hardware: 12th-gen Intel Core i3-1215U (8 cores, 8 GB RAM). SQLite is configured with WAL + synchronous=NORMAL + 256 MiB mmap + in-memory temp store — the session-lookup p99 dropped by 52 % versus the untuned path. Postgres deployments (configurable pool via HALDIR_PG_POOL_MIN/MAX) flatten the p99 further still; enable via DATABASE_URL=postgresql://....
Primitive cost (pure-Python, no I/O):
| Primitive | p50 | Notes |
|---|---|---|
Vault.store_secret (AES-256-GCM encrypt + AAD binding) | < 10 µs | in-memory, no DB write |
Vault.get_secret (AES-256-GCM decrypt + AAD verify) | < 10 µs | in-memory |
AuditEntry.compute_hash (SHA-256 over canonical payload) | < 10 µs | |
Gate.check_permission over REST | ~50-120 ms | network + DB round-trip, Cloudflare-fronted |
Watch.log_action over REST | ~50-150 ms | includes chain lookup + DB write |
| Full governed-tool envelope (check + log) | ~100-250 ms |
Agents typically wait 500-3000 ms for an LLM completion and 100-1000 ms for an upstream API call, so Haldir's overhead sits inside the noise. Reproduce locally:
# Concurrent HTTP throughput (launches a local gunicorn, ~60s total)
python bench/bench_http.py --duration 10 --concurrency 32 --workers 4
# Primitive cost only (no API key needed)
python bench/bench_primitives.py --local
# End-to-end against the hosted service
export HALDIR_API_KEY=hld_...
python bench/bench_primitives.py
Compliance
One endpoint produces an auditor-ready proof-of-control pack covering eight sections, each anchored to a SOC2 trust services criterion:
haldir compliance evidence --since 2026-01-01 --out evidence-q1-2026.md
| # | Section | SOC2 |
|---|---|---|
| 1 | Identity (tenant, subscription, period) | — |
| 2 | Access control (API keys + per-key scopes) | CC6.1 |
| 3 | Encryption (AES-256-GCM, AAD binding) | CC6.7 |
| 4 | Audit trail (entry count, hash chain integrity) | CC7.2 |
| 5 | Spend governance (per-session caps, payment records) | CC5.2 |
| 6 | Human approvals (request/decision lifecycle) | CC8.1 |
| 7 | Outbound alerting (webhook delivery success rate) | CC7.3 |
| 8 | Document signature (SHA-256 self-hash) | — |
The pack signs itself: a SHA-256 over the canonical JSON of sections 1-7. An auditor receiving an archived pack can re-call /v1/compliance/evidence/manifest and confirm the digest matches — proof the document was not modified after issuance.
JSON for evidence-locker upload, Markdown for the "show this to the auditor" moment, both from the same /v1/compliance/evidence endpoint.
Why Haldir
AI agents are calling APIs, spending money, and accessing credentials with zero oversight. Haldir is the missing layer:
| Without Haldir | With Haldir |
|---|---|
| Agent has unlimited access | Scoped sessions with permissions |
| Secrets in plaintext env vars | AES-encrypted vault with access control |
| No spend limits | Per-session budget enforcement |
| No record of what happened | Immutable audit trail |
| No human oversight | Approval workflows with webhooks |
| Agent talks to tools directly | Proxy intercepts and enforces policies |
Quick Start
pip install haldir
from sdk.client import HaldirClient
h = HaldirClient(api_key="hld_xxx", base_url="https://haldir.xyz")
# Create a governed agent session
session = h.create_session("my-agent", scopes=["read", "spend:50"])
# Store secrets agents never see directly
h.store_secret("stripe_key", "sk_live_xxx")
# Retrieve with scope enforcement
key = h.get_secret("stripe_key", session_id=session["session_id"])
# Authorize payments against budget
h.authorize_payment(session["session_id"], 29.99)
# Every action is logged
h.log_action(session["session_id"], tool="stripe", action="charge", cost_usd=29.99)
# Revoke when done
h.revoke_session(session["session_id"])
Products
Gate — Agent Identity & Auth
Scoped sessions with permissions, spend limits, and TTL. No session = no access.
curl -X POST https://haldir.xyz/v1/sessions \
-H "Authorization: Bearer hld_xxx" \
-H "Content-Type: application/json" \
-d '{"agent_id": "my-bot", "scopes": ["read", "browse", "spend:50"], "ttl": 3600}'
Vault — Encrypted Secrets & Payments
AES-encrypted storage. Agents request access; Vault checks session scope. Payment authorization with per-session budgets.
curl -X POST https://haldir.xyz/v1/secrets \
-H "Authorization: Bearer hld_xxx" \
-H "Content-Type: application/json" \
-d '{"name": "api_key", "value": "sk_live_xxx", "scope_required": "read"}'
Watch — Audit Trail & Compliance
Immutable log for every action. Anomaly detection. Cost tracking. Compliance exports.
curl https://haldir.xyz/v1/audit?agent_id=my-bot \
-H "Authorization: Bearer hld_xxx"
Proxy — Enforcement Layer
Sits between agents and MCP servers. Every tool call is intercepted, authorized, and logged. Supports policy enforcement: allow lists, deny lists, spend limits, rate limits, time windows.
# Register an upstream MCP server
curl -X POST https://haldir.xyz/v1/proxy/upstreams \
-H "Authorization: Bearer hld_xxx" \
-H "Content-Type: application/json" \
-d '{"name": "myserver", "url": "https://my-mcp-server.com/mcp"}'
# Call through the proxy — governance enforced
curl -X POST https://haldir.xyz/v1/proxy/call \
-H "Authorization: Bearer hld_xxx" \
-H "Content-Type: application/json" \
-d '{"tool": "scan_domain", "arguments": {"domain": "example.com"}, "session_id": "ses_xxx"}'
Approvals — Human-in-the-Loop
Pause agent execution for human review. Webhook notifications. Approve or deny from dashboard or API.
# Require approval for spend over $100
curl -X POST https://haldir.xyz/v1/approvals/rules \
-H "Authorization: Bearer hld_xxx" \
-H "Content-Type: application/json" \
-d '{"type": "spend_over", "threshold": 100}'
MCP Server
Haldir is available as an MCP server with 10 tools for Claude, Cursor, Windsurf, and any MCP-compatible AI:
{
"mcpServers": {
"haldir": {
"command": "haldir-mcp",
"env": {
"HALDIR_API_KEY": "hld_xxx"
}
}
}
}
MCP Tools: createSession, getSession, revokeSession, checkPermission, storeSecret, getSecret, authorizePayment, logAction, getAuditTrail, getSpend
MCP HTTP Endpoint: POST https://haldir.xyz/mcp
Architecture
Agent (Claude, GPT, Cursor, etc.)
│
▼
┌─────────────────────────────┐
│ Haldir Proxy │ ← Intercepts every tool call
│ Policy enforcement layer │
└──────┬──────────┬───────────┘
│ │
┌────▼────┐ ┌───▼────┐
│ Gate │ │ Watch │
│identity │ │ audit │
│sessions │ │ costs │
└────┬────┘ └────────┘
│
┌────▼────┐
│ Vault │
│secrets │
│payments │
└────┬────┘
│
▼
Upstream MCP Servers
(your actual tools)
API Reference
Full docs at haldir.xyz/docs
| Endpoint | Method | Description |
|---|---|---|
/v1/keys | POST | Create API key |
/v1/sessions | POST | Create agent session |
/v1/sessions/:id | GET | Get session info |
/v1/sessions/:id | DELETE | Revoke session |
/v1/sessions/:id/check | POST | Check permission |
/v1/secrets | POST | Store secret |
/v1/secrets/:name | GET | Retrieve secret |
/v1/secrets | GET | List secrets |
/v1/secrets/:name | DELETE | Delete secret |
/v1/payments/authorize | POST | Authorize payment |
/v1/audit | POST | Log action |
/v1/audit | GET | Query audit trail |
/v1/audit/spend | GET | Spend summary |
/v1/approvals/rules | POST | Add approval rule |
/v1/approvals/request | POST | Request approval |
/v1/approvals/:id | GET | Check approval status |
/v1/approvals/:id/approve | POST | Approve |
/v1/approvals/:id/deny | POST | Deny |
/v1/approvals/pending | GET | List pending |
/v1/webhooks | POST | Register webhook |
/v1/webhooks | GET | List webhooks |
/v1/proxy/upstreams | POST | Register upstream |
/v1/proxy/tools | GET | List proxy tools |
/v1/proxy/call | POST | Call through proxy |
/v1/proxy/policies | POST | Add policy |
/v1/usage | GET | Usage stats |
/v1/metrics | GET | Platform metrics |
Agent Discovery
Haldir is discoverable through every major protocol:
| URL | Protocol |
|---|---|
haldir.xyz/openapi.json | OpenAPI 3.1 |
haldir.xyz/llms.txt | LLM-readable docs |
haldir.xyz/.well-known/ai-plugin.json | ChatGPT plugins |
haldir.xyz/.well-known/mcp/server-card.json | MCP discovery |
haldir.xyz/mcp | MCP JSON-RPC |
smithery.ai/server/haldir/haldir | Smithery registry |
pypi.org/project/haldir | PyPI |
License
MIT
Links
- Website: haldir.xyz
- API Docs: haldir.xyz/docs
- Smithery: View on Smithery
- PyPI: haldir
- OpenAPI: haldir.xyz/openapi.json
相关服务器
Alpha Vantage MCP Server
赞助Access financial market data: realtime & historical stock, ETF, options, forex, crypto, commodities, fundamentals, technical indicators, & more
WireMCP
Empowers LLMs with real-time network traffic analysis using tshark. Requires Wireshark's tshark to be installed.
Ralph Wiggum MCP
An enhanced Model Context Protocol (MCP) server implementing the Ralph Wiggum technique.
Python Weather Server
A FastAPI-based server that provides weather information from the National Weather Service API, secured with OAuth 2.1.
DreamFactory MCP
An MCP server for integrating with the DreamFactory API to manage and access data sources.
Authless Remote MCP Server
A remote MCP server deployable on Cloudflare Workers that does not require authentication.
MCP Expert Server
An MCP server for query generation and documentation assistance using Claude AI.
CCXT MCP Server
Integrate with cryptocurrency exchanges using the CCXT library.
PowerShell MCP Server
Automate Windows PowerShell tasks using Python. Execute scripts, manage the clipboard, and capture terminal output programmatically.
SheetsData
Instant access to electronic component datasheets for AI agents — specs, pinouts, package info, and absolute max ratings extracted from manufacturer PDFs on demand.
Cursor Chat History MCP
Provides local access to Cursor chat history for AI analysis and insights, with no external services or API keys required.