
Securing AI Coding Agents: A Cryptographic Guardrail with Kakunin

Learn how to implement cryptographic identity, X.509 certificates, and real-time behavioral guardrails for AI coding agents using Kakunin's SDKs and MCP.


The Rise of Autonomous AI Coding Agents and the Trust Gap

The landscape of software engineering is undergoing a tectonic shift. We have transitioned from autocomplete utilities like GitHub Copilot to autonomous AI coding agents capable of planning, executing, and validating complete feature implementations. Using frameworks like Mastra, CrewAI, and the Vercel AI SDK, developers are deploying agentic loops that read repositories, write file modifications, interact with external databases, and deploy code to production.

However, as agents transition from sandboxed advisory systems to active system administrators and traders, they introduce unprecedented security risks. According to the OWASP Top 10 for LLM Applications, threats such as LLM01: Prompt Injection and LLM02: Insecure Output Handling are no longer theoretical. A single malformed payload or a malicious prompt embedded in an untrusted dependency can compromise an agent, causing it to exfiltrate database keys, issue unauthorized API calls, or trigger catastrophic financial transactions.

Furthermore, the legislative landscape is rapidly catching up with autonomous systems. The European Union's EU AI Act enforces strict obligations on high-risk AI applications. Specifically, Article 12 mandates detailed logging capabilities ("traceability") to monitor the AI system's operation throughout its lifecycle. For automated systems in regulated financial domains, the Markets in Crypto-Assets (MiCA) regulation demands rigorous compliance and auditing framework controls.

To bridge this trust gap, the industry requires Know Your Agent (KYA) infrastructure. Kakunin solves this by serving as an API-first compliance platform that issues X.509 certificates to AI agents, binds their identity cryptographically to specific model weights, monitors behavioral baselines in real time, and enforces runtime scopes at the tool layer.

In this comprehensive guide, we explore how Kakunin integrates with the leading AI agent frameworks via custom SDKs, the Model Context Protocol (MCP), and backend middleware to build secure, audit-compliant agentic architectures.

The Cryptographic Foundation: HSM-Bound Keys and X.509 Identity

Traditional authentication uses static API keys or JWTs. In agentic systems, this pattern fails. An API key does not verify which model executed a command, whether the prompt was tampered with, or if the agent’s behavior has drifted from its baseline.

Kakunin establishes trust through cryptographic attestation using standard X.509 certificates, the same standard backing the web's Public Key Infrastructure (PKI).

1. Model Configuration and Weights Hashing

Before an agent is certified, its configuration is hashed using Kakunin.computeModelHash(). The input includes the LLM provider, the model name and version, and the exact system instructions or weights file (e.g., model.safetensors).

```typescript
// Import path assumed from the @kakunin/sdk package named later in this guide
import { Kakunin } from '@kakunin/sdk';

const modelHash = await Kakunin.computeModelHash(
  JSON.stringify({
    provider: 'openai',
    model: 'gpt-4o',
    version: '2024-08-06',
    system_prompt: 'You are a compliant system agent.',
  }),
);
```

This ensures that any change in the model’s instructions, provider, or weights invalidates its certificate, requiring a re-certification process.
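The following is an added example (not Kakunin's computeModelHash() implementation, whose internals this guide does not describe) showing the property the certificate relies on: a canonical, deterministic hash of the configuration plus the weights bytes, and the gate check that refuses a config whose hash no longer matches what was certified. The hashing construction, the sample configuration and the certificate_still_valid() helper are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from typing import Any, Mapping, Optional

# Added example: a local, deterministic model-configuration hash (assumed
# construction, not Kakunin.computeModelHash()). It demonstrates the property
# the guide relies on: any change to provider, model, version, instructions
# or weights produces a different hash, so the old certificate no longer matches.


def canonical_json(config: Mapping[str, Any]) -> bytes:
    # Sorted keys and fixed separators: configs that are equal as data
    # serialise to identical bytes regardless of key order or whitespace.
    return json.dumps(
        config, sort_keys=True, separators=(",", ":"), ensure_ascii=True
    ).encode("utf-8")


def compute_model_hash(config: Mapping[str, Any], weights: Optional[bytes] = None) -> str:
    """SHA-256 over the canonical config, then (optionally) the weights file bytes."""
    h = hashlib.sha256()
    h.update(canonical_json(config))
    if weights is not None:
        # Length prefix so config bytes and weights bytes cannot be confused
        h.update(len(weights).to_bytes(8, "big"))
        h.update(weights)
    return h.hexdigest()


def certificate_still_valid(certified_hash: str, config, weights=None) -> bool:
    """Deployment-gate check: the live config must hash to exactly the value
    that was certified; any mismatch means re-certification is required."""
    return hmac.compare_digest(certified_hash, compute_model_hash(config, weights))


# Constructed sample configuration, matching the fields shown in the guide.
BASE_CONFIG = {
    "provider": "openai",
    "model": "gpt-4o",
    "version": "2024-08-06",
    "system_prompt": "You are a compliant system agent.",
}

if __name__ == "__main__":
    certified = compute_model_hash(BASE_CONFIG)
    edited = dict(BASE_CONFIG, system_prompt="You are a helpful agent.")
    print("certified:", certified)
    print("still valid after prompt edit:", certificate_still_valid(certified, edited))
```

Key order and whitespace do not affect the hash, so a config re-serialised by a different tool still matches; a one-character change to the system prompt or a different weights file does not.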

2. Hardware Security Module (HSM) Isolation

When certify() is called, Kakunin provisions an asymmetric RSA_2048 key pair inside an AWS KMS Hardware Security Module (HSM) located in the eu-west-1 region. The private key material never leaves the HSM; all message signing and cryptographic handshakes are executed within the HSM boundary.

3. Non-Repudiable Event Logs

Every action logged to the Kakunin audit trail is cryptographically signed. If an agent performs an action, it cannot repudiate the activity, providing a legally binding, tamper-evident audit trail that complies with Article 12 of the EU AI Act.

Model Context Protocol (MCP) Server Integration

The Model Context Protocol (MCP) is an open standard designed by Anthropic to unify how LLMs connect to data sources and execution tools. Kakunin provides a native MCP server (@kakunin/mcp) that exposes compliance tools directly to the agent's reasoning loop.

By registering @kakunin/mcp as a server, agents can query their own authorization boundaries, check their risk band, and append events to their audit logs in real time.

Installing and Running the MCP Server

To boot the Kakunin MCP server via stdio, execute the following command:

```bash
KAKUNIN_API_KEY=kak_live_... KAKUNIN_AGENT_ID=agt_... npx -y @kakunin/mcp
```

Configuring Claude Desktop

For developers using Claude Desktop as their primary coding interface, adding Kakunin takes a few lines in the configuration file (~/Library/Application Support/Claude/claude_desktop_config.json):

```json
{
  "mcpServers": {
    "kakunin": {
      "command": "npx",
      "args": ["-y", "@kakunin/mcp"],
      "env": {
        "KAKUNIN_API_KEY": "kak_live_your_api_key",
        "KAKUNIN_AGENT_ID": "agt_your_agent_id"
      }
    }
  }
}
```

The Three Core MCP Tools

The @kakunin/mcp server exposes three primary tools:

  1. verify_agent_scope: Verifies whether an agent is authorized to perform a specific action based on its certified scope, financial boundaries, and current status.
  2. check_risk_score: Retrieves the agent's rolling 30-day risk profile, trend, and actionable recommendation (e.g., whether to throttle or notify a human operator).
  3. audit_log_append: Appends behavioral events directly to Kakunin's immutable ledger, returning the calculated risk score for the event.

Implement a Safe Agent Loop using MCP

A robust agent program enforces a check-execute-log sequence before executing privileged tools. Here is an implementation using the TypeScript MCP SDK:

```typescript
import { Client } from '@modelcontextprotocol/sdk/client/index.js';
import { StdioClientTransport } from '@modelcontextprotocol/sdk/client/stdio.js';

// executeTransaction() is the application's own privileged operation (not part
// of the Kakunin SDK); it must only run after the checks below have passed.
declare function executeTransaction(
  action: string,
  amountUsd: number,
  venue: string,
): Promise<{ id: string }>;

async function executeSecureAgentAction(actionName: string, amountUsd: number, venue: string) {
  const transport = new StdioClientTransport({
    command: 'npx',
    args: ['-y', '@kakunin/mcp'],
    env: {
      KAKUNIN_API_KEY: process.env.KAKUNIN_API_KEY!,
      KAKUNIN_AGENT_ID: process.env.KAKUNIN_AGENT_ID!,
    },
  });
  const client = new Client({ name: 'mcp-secure-runner', version: '1.0.0' });
  await client.connect(transport);

  try {
    // Step 1: Pre-flight scope check
    const scopeResponse = (await client.callTool({
      name: 'verify_agent_scope',
      arguments: { action: actionName, amount_usd: amountUsd, venue },
    })) as { allowed: boolean; reason: string };
    if (!scopeResponse.allowed) {
      throw new Error(`Execution Blocked by Kakunin: ${scopeResponse.reason}`);
    }

    // Step 2: Risk profile self-verification
    const riskResponse = (await client.callTool({
      name: 'check_risk_score',
      arguments: {},
    })) as { band: string; recommendation: string };
    if (riskResponse.band === 'high' || riskResponse.band === 'critical') {
      console.warn(`[Suspended] High risk detected: ${riskResponse.recommendation}`);
      return; // Refuse to proceed
    }

    // Step 3: Action execution
    const txResult = await executeTransaction(actionName, amountUsd, venue);

    // Step 4: Post-action immutable audit log append
    await client.callTool({
      name: 'audit_log_append',
      arguments: {
        event_type: 'transaction_initiated',
        metadata: { action: actionName, amountUsd, venue, transactionId: txResult.id },
      },
    });
  } finally {
    // Always release the stdio transport, whichever branch was taken
    await client.close();
  }
}
```
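The same check-execute-log sequence, as an added Python example that is not Kakunin SDK or MCP server code. LocalPolicy is an in-memory stand-in for the three MCP tools so the loop can run offline; its scope table, USD limits and result shapes are constructed for illustration. It also shows the fail-closed behaviour recommended in the best practices at the end of this guide: if a check cannot be completed, the privileged action does not run.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Added example, not Kakunin SDK code. LocalPolicy is an in-memory stand-in for
# the three MCP tools (verify_agent_scope, check_risk_score, audit_log_append);
# the real server answers from the agent's certificate and risk profile.
# The scope table, limits and result shapes are constructed for illustration.


class PolicyUnavailable(Exception):
    """The policy service could not be reached."""


@dataclass
class LocalPolicy:
    scopes: Dict[str, float]          # certified action -> max USD per call
    risk_band: str = "low"            # low | medium | high | critical
    reachable: bool = True            # flip to False to simulate an outage
    audit_log: List[dict] = field(default_factory=list)

    def verify_agent_scope(self, action: str, amount_usd: float, venue: str) -> dict:
        if not self.reachable:
            raise PolicyUnavailable("verify_agent_scope unreachable")
        limit = self.scopes.get(action)
        if limit is None:
            return {"allowed": False, "reason": f"scope for '{action}' not certified"}
        if amount_usd > limit:
            return {"allowed": False, "reason": f"{amount_usd} USD exceeds limit {limit} USD"}
        return {"allowed": True, "reason": "ok"}

    def check_risk_score(self) -> dict:
        if not self.reachable:
            raise PolicyUnavailable("check_risk_score unreachable")
        throttle = self.risk_band in ("high", "critical")
        return {"band": self.risk_band, "recommendation": "throttle" if throttle else "proceed"}

    def audit_log_append(self, event_type: str, metadata: dict) -> None:
        self.audit_log.append({"event_type": event_type, "metadata": metadata})


@dataclass
class Outcome:
    status: str                 # executed | blocked | suspended | failed_closed
    detail: str = ""
    result: Optional[dict] = None


def run_guarded(policy, action: str, amount_usd: float, venue: str,
                execute: Callable[[str, float, str], dict]) -> Outcome:
    """check -> execute -> log, failing closed if any check cannot complete."""
    try:
        scope = policy.verify_agent_scope(action, amount_usd, venue)
        if not scope["allowed"]:
            # Record the refused attempt so the drift engine sees it
            policy.audit_log_append("unauthorized_access_attempt",
                                    {"action": action, "amount_usd": amount_usd, "venue": venue})
            return Outcome("blocked", scope["reason"])
        risk = policy.check_risk_score()
        if risk["band"] in ("high", "critical"):
            return Outcome("suspended", risk["recommendation"])
    except PolicyUnavailable as exc:
        return Outcome("failed_closed", str(exc))   # never run unverified
    result = execute(action, amount_usd, venue)    # the privileged operation
    policy.audit_log_append("transaction_initiated",
                            {"action": action, "amount_usd": amount_usd,
                             "venue": venue, "transaction_id": result["id"]})
    return Outcome("executed", "ok", result)


if __name__ == "__main__":
    policy = LocalPolicy(scopes={"execute_trade": 1000.0})
    outcome = run_guarded(policy, "execute_trade", 250.0, "venue-a",
                          lambda a, amt, v: {"id": "tx-0001"})
    print(outcome.status, policy.audit_log[-1]["event_type"])
```

Note that the privileged callable is only reached on the one path where both checks returned a positive answer; a blocked call, a high risk band and an unreachable policy service all return without executing it, and the blocked case is itself logged as an unauthorized_access_attempt event.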

Python SDK and Framework Integrations

For Python-based AI agent frameworks, the official kakunin library offers first-class integrations with the primary orchestrators: Google Antigravity SDK, LangChain, LlamaIndex, CrewAI, AutoGen, LangGraph, and CAMEL-AI.

```bash
pip install kakunin
```

1. Google Antigravity SDK: Lifecycle Hooks

The Google Antigravity SDK features hook architectures that manage session-level variables and tool execution parameters. Kakunin integrates using get_kakunin_hooks, registering classes that intercept agent turns:

  • KakuninSessionStartHook / KakuninSessionEndHook: Registers session states and signs compliance handshakes.
  • KakuninPreTurnHook / KakuninPostTurnHook: Evaluates prompts and logs generated outputs to establish safety baselines.
  • KakuninPreToolCallDecideHook: Inspects tool names against tool_scopes_mapping. If the agent is missing the mapped scope, it raises ScopeViolationError and blocks tool call construction.

Here is an implementation example:

```python
import os

from google.antigravity import Agent, LocalAgentConfig
from kakunin import Kakunin
from kakunin.integrations.google_antigravity import get_kakunin_hooks

# execute_trade and read_database are the application's own tool functions,
# defined elsewhere; they are referenced here by name only.


async def run_antigravity_agent():
    async with Kakunin(api_key=os.getenv("KAK_API_KEY")) as client:
        # Generate Antigravity hooks mapped to custom scopes
        kakunin_hooks = get_kakunin_hooks(
            kakunin=client,
            agent_id="agt-123",
            tool_scopes_mapping={
                "execute_trade": ["trade.execute"],
                "read_database": ["data.read"],
            },
        )
        config = LocalAgentConfig(
            model="gemini-3.5-flash",
            tools=[execute_trade, read_database],
            hooks=kakunin_hooks,
        )
        async with Agent(config=config) as agent:
            # Under the hood, hooks verify scopes and log behaviors silently
            response = await agent.chat("Query database positions and execute trade.")
            print(response)
```

2. LangChain: KakuninToolGuard and Scope Callbacks

LangChain applications configure compliance policies either at the individual tool layer or at the chain callback layer.

  • Tool-Level Security: The KakuninToolGuard wraps any BaseTool subclass, intercepting _run() and _arun() execution paths to evaluate certificate validity.
  • Chain-Level Security: langchain_scope_callback acts as a global hook to block chain execution if the agent's certificate has been revoked.

```python
from langchain_core.tools import tool
from kakunin import Kakunin
from kakunin.integrations.langchain import KakuninToolGuard, langchain_scope_callback

client = Kakunin(api_key="kak_live_...")


@tool
def execute_order(order_details: str) -> str:
    """Execute order request."""
    return f"Order processed: {order_details}"


# Wrap LangChain tool: _run()/_arun() now pass through the certificate check
guarded_tool = KakuninToolGuard(
    kakunin=client,
    agent_id="agt-123",
    tool=execute_order,
    required_scopes=["trade.execute"],
)

# Apply global callback to chain (my_chain is the application's existing runnable)
guard_callback = langchain_scope_callback(client, agent_id="agt-123")
secure_chain = my_chain.with_config(callbacks=[guard_callback])
```

3. LlamaIndex: KakuninFunctionToolGuard

LlamaIndex orchestrates tools through FunctionTool. Kakunin wraps these callables to verify active permissions prior to ingestion:

```python
from kakunin import Kakunin
from kakunin.integrations.llamaindex import KakuninFunctionToolGuard
from llama_index.core.agent import ReActAgent

client = Kakunin(api_key="kak_live_...")


# get_db_portfolio is the application's own data-access function, defined elsewhere
def read_portfolio(user_id: str):
    """Retrieve portfolio details."""
    return get_db_portfolio(user_id)


guarded_tool = KakuninFunctionToolGuard(
    kakunin=client,
    agent_id="agt-123",
    fn=read_portfolio,
    name="read_portfolio",
    description="Fetch portfolio data.",
    required_scopes=["data.read"],
)

# llm is the LlamaIndex LLM instance configured elsewhere in the application
agent = ReActAgent.from_tools([guarded_tool], llm=llm)
```

4. CrewAI: KakuninCrewAgent

In CrewAI, multi-agent squads execute tasks sequentially. By subclassing crewai.Agent, KakuninCrewAgent automatically:

  1. Performs pre-task scope validation.
  2. Ingests an api_call event upon task initialization.
  3. Records data_access or data_mutation events upon completion.
  4. Elevates failures to a transaction_anomaly event, preserving full stack trace logs for audit compliance.

```python
from crewai import Task, Crew
from kakunin import Kakunin
from kakunin.integrations.crewai import KakuninCrewAgent

client = Kakunin(api_key="kak_live_...")

crew_agent = KakuninCrewAgent(
    kakunin=client,
    agent_id="agt-123",
    required_scopes=["compliance.verify"],
    role="Auditor",
    goal="Verify financial ledger integrity",
    backstory="Regulated system agent enforcing compliance rule mappings.",
)
```

5. AutoGen: Multi-Agent Dialog Isolation

AutoGen relies on conversations between ConversableAgent instances. The KakuninConversableAgent intercepts message receipts:

```python
from autogen import UserProxyAgent
from kakunin import Kakunin
from kakunin.integrations.autogen import KakuninConversableAgent, KakuninHttpxMixin

client = Kakunin(api_key="kak_live_...")


# The mixin attaches the X-Kakunin-Cert-Serial header to the agent's outbound HTTP requests
class SecureAgent(KakuninHttpxMixin, KakuninConversableAgent):
    pass


agent = SecureAgent(
    kakunin=client,
    agent_id="agt-456",
    required_scopes=["chat.reply"],
    name="RiskEngine",
    llm_config={"model": "gpt-4o"},
)
```

Using the KakuninHttpxMixin, outbound requests executed by the agent attach the X-Kakunin-Cert-Serial header, enabling downstream firewalls to perform zero-trust inspections.

TypeScript SDK, Vercel AI SDK, and Mastra Integrations

The Node.js and TypeScript ecosystems power the majority of web-facing AI agents. Kakunin provides native integration layers for modern client-side and server-side runtimes.

```bash
npm install @kakunin/sdk @kakunin/ai-sdk @kakunin/mastra
```

1. Vercel AI SDK: createKakuninTools

The Vercel AI SDK is the standard for React, Next.js, and serverless AI applications. createKakuninTools provides a drop-in tool record that links your LLM generation steps directly to Kakunin:

```typescript
import { createKakuninTools } from '@kakunin/ai-sdk';
import { generateText } from 'ai';
import { openai } from '@ai-sdk/openai';

const tools = createKakuninTools({
  apiKey: process.env.KAK_API_KEY!,
  agentId: 'agt-123',
});

const { text } = await generateText({
  model: openai('gpt-4o'),
  tools,
  maxSteps: 5,
  system: `You are a compliance supervisor. Before performing operations:
1. Verify the client agent's certificate via verifyAgentCertificate.
2. Verify the required scope using checkAgentScope.
3. Append a behavior event via emitBehaviorEvent.`,
  prompt: 'Verify agt-123 has scope "trade.execute" and register an event.',
});
```

2. Mastra Integration

Mastra is a lightweight, framework-agnostic agent runtime. @kakunin/mastra exposes the KakuninIntegration class to register tools inside agents or workflow nodes:

```typescript
import { KakuninIntegration } from '@kakunin/mastra';
import { Agent } from '@mastra/core/agent';
import { openai } from '@ai-sdk/openai';

const kakunin = new KakuninIntegration({ apiKey: process.env.KAK_API_KEY! });

const agent = new Agent({
  name: 'ComplianceAgent',
  instructions: 'Verify client certificates and scopes before execution.',
  model: openai('gpt-4o'),
  tools: kakunin.getTools(),
});
```

Gateway Enforcement and Database Isolation

Issuing certificates is only half the equation; target resources must enforce them. Kakunin provides middleware to protect API routes and database transactions.

1. HTTP Gateway Middlewares

Using @kakunin/middleware, you can protect Express, Fastify, and Next.js routes. The middleware reads the X-Kakunin-Cert-Serial header, verifies the certificate status, and caches the result locally (using a default 5-second cache) to reduce overhead:

```typescript
// middleware.ts (Next.js Edge Middleware)
import { NextRequest, NextResponse } from 'next/server';
import { withKakunin } from '@kakunin/middleware/next';

export function middleware(req: NextRequest) {
  return withKakunin(req, {
    NextResponse,
    requiredScope: 'transactions:write',
  });
}

// Only routes under /api/trade/ pass through the guard
export const config = { matcher: ['/api/trade/:path*'] };
```

2. Supabase RLS AI Agent Database Protection

The most robust security measure for data protection is binding the agent's certificate directly to the database session. Through @kakunin/verify/supabase, Kakunin provides a helper that pushes the certificate's serial number into PostgreSQL transaction variables (request.jwt.claims or session settings).

This enables Row-Level Security (RLS) policies to enforce data isolation, ensuring the agent can only access rows explicitly assigned to its cryptographic identity:

```typescript
import { createClient } from '@supabase/supabase-js';
import { bindAgentSession } from '@kakunin/verify/supabase';

// SUPABASE_URL, SUPABASE_ANON_KEY and the Express `app` instance are configured
// elsewhere. The serial header is trusted here only because the gateway
// middleware from the previous section has already verified it.

// Express controller handler:
app.post('/api/data', async (req, res) => {
  const agentSerial = req.headers['x-kakunin-cert-serial'] as string;
  const supabase = createClient(SUPABASE_URL, SUPABASE_ANON_KEY);

  // Bind the connection session context to the current agent cert serial
  const secureSupabase = bindAgentSession(supabase, agentSerial);

  // Queries will now auto-filter rows based on the database RLS policies
  const { data, error } = await secureSupabase.from('agent_vault').select('*');
  if (error) {
    return res.status(500).json({ error: error.message });
  }
  res.json({ data });
});
```

The database table has a corresponding policy:

```sql
CREATE POLICY agent_vault_isolation ON agent_vault
  FOR ALL
  TO authenticated, anon
  USING (
    permitted_agent_serial
      = current_setting('request.jwt.claims', true)::json->>'kakunin_cert_serial'
  );
```

Even if a prompt injection drives the agent to construct a broad select * query, the database filters the result to only the rows whose permitted_agent_serial matches that agent's certificate serial.

Real-Time Risk Profiling and Revocation Loops

Kakunin does not just monitor status; it acts as a dynamic firebreak. When agents stream events, Kakunin evaluates behavioral drift over a rolling 30-day window.

| Event Type | Typical Default Risk Band | Impact Description |
|---|---|---|
| api_call | Low | Standard system interaction. |
| data_access | Low | Querying authenticated data layers. |
| data_mutation | Medium | Modifying configuration or record structures. |
| transaction_initiated | Medium | Initiating external transactions or trades. |
| unauthorized_access_attempt | High | Execution attempt outside scope limits. |
| transaction_anomaly | High | Transaction patterns deviating from the agent's baseline. |

The Drift Engine and Risk Bands

  • Low (< 0.3): Normal operational state.
  • Medium (≥ 0.3): Behavior starts to drift (e.g., elevated request frequency). Kakunin recommends reducing transaction limits.
  • High (≥ 0.75): High-risk behavior detected. A revocation check is queued, and the system issues alert webhooks.
  • Critical (≥ 0.85): Immediate threat. Kakunin automatically revokes the agent's certificate within 60 seconds.
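To make the bands concrete, here is an added example (not Kakunin's drift engine, whose scoring rule this guide does not describe) that applies the default bands from the table above and the thresholds from this section to a constructed 30-day event stream. The per-band weights, the averaging rule and the make_events() helper are assumptions for illustration; only the event types, bands, thresholds and recommendations come from the guide.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Sequence, Tuple

# Added example: a local scorer that applies the default bands from the table
# above and the thresholds of this section. The per-band weights and the
# averaging rule are assumptions; Kakunin's own drift engine is not described
# in that detail here.

DEFAULT_BAND = {
    "api_call": "low",
    "data_access": "low",
    "data_mutation": "medium",
    "transaction_initiated": "medium",
    "unauthorized_access_attempt": "high",
    "transaction_anomaly": "high",
}
BAND_WEIGHT = {"low": 0.1, "medium": 0.5, "high": 1.0}   # assumed weights
WINDOW = timedelta(days=30)                               # rolling window from the text

RECOMMENDATION = {
    "low": "proceed",
    "medium": "reduce transaction limits",
    "high": "queue revocation check and alert operators",
    "critical": "revoke certificate",
}

# Constructed reference time for the samples below
NOW = datetime(2026, 6, 14, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Event:
    event_type: str
    at: datetime


def make_events(now: datetime, specs: Sequence[Tuple[str, int]]) -> List[Event]:
    """Build constructed events from (event_type, days_ago) pairs."""
    return [Event(t, now - timedelta(days=d)) for t, d in specs]


def rolling_score(events: Iterable[Event], now: datetime) -> float:
    """Mean weight of events inside the 30-day window; 0.0 if there are none."""
    recent = [e for e in events if now - WINDOW <= e.at <= now]
    if not recent:
        return 0.0
    # Unknown event types are treated as medium rather than ignored
    return sum(BAND_WEIGHT[DEFAULT_BAND.get(e.event_type, "medium")] for e in recent) / len(recent)


def band_for(score: float) -> str:
    # Thresholds exactly as listed in this section
    if score >= 0.85:
        return "critical"
    if score >= 0.75:
        return "high"
    if score >= 0.3:
        return "medium"
    return "low"


def assess(events: Iterable[Event], now: datetime) -> Tuple[float, str, str]:
    score = rolling_score(events, now)
    band = band_for(score)
    return score, band, RECOMMENDATION[band]


if __name__ == "__main__":
    stream = make_events(NOW, [("api_call", 3), ("data_access", 2),
                               ("unauthorized_access_attempt", 1),
                               ("transaction_anomaly", 0)])
    print(assess(stream, NOW))
```

Two things the example makes visible: a single unauthorized_access_attempt among routine calls already lifts a quiet agent out of the low band, and events older than 30 days drop out of the score entirely, so a historical incident does not keep an agent permanently throttled.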

Autonomous Revocation Loop

When Kakunin triggers an auto-revocation, it updates the global Certificate Revocation List (CRL) and fires certificate.revoked webhooks. Edge gateways and middleware instances evict the agent's serial from their cache, immediately blocking the agent from accessing downstream APIs and databases:

```python
# Manually halting an agent on the client side
import os

from kakunin import Kakunin


async def emergency_halt(agent_id: str):
    async with Kakunin(api_key=os.getenv("KAK_API_KEY")) as client:
        # Halt returns a cryptographically signed receipt from the Kakunin CA
        receipt = await client.agents.halt(
            agent_id=agent_id,
            reason="Unusual transactional volatility detected by local guardrail.",
        )
        print(f"Agent halted. Signature receipt: {receipt.signature}")
```
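On the gateway side, the two mechanisms described in this section and in the HTTP middleware section above (a short-lived local verification cache and immediate eviction on a certificate.revoked webhook) combine as follows. This is an added example, not @kakunin/middleware code: the verify callable, its result shape, the injectable clock and the 5-second TTL default are assumptions matching the behaviour the guide describes, and the sample serials are constructed.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set

# Added example of the gateway side: a 5-second verification cache like the one
# @kakunin/middleware is described as keeping, a CRL-driven eviction hook for
# certificate.revoked webhooks, and fail-closed behaviour when the verify API is
# unreachable. The verify callable and its result shape are assumptions.


class VerifyUnavailable(Exception):
    """The certificate verification API could not be reached."""


@dataclass
class CachedVerdict:
    allowed: bool
    scopes: frozenset
    expires_at: float


@dataclass
class GatewayVerifier:
    # serial -> {"status": "active" | "revoked", "scopes": [...]}  (assumed shape)
    verify: Callable[[str], dict]
    ttl_seconds: float = 5.0
    clock: Callable[[], float] = time.monotonic
    cache: Dict[str, CachedVerdict] = field(default_factory=dict, init=False)
    crl: Set[str] = field(default_factory=set, init=False)

    def on_certificate_revoked(self, serial: str) -> None:
        """Webhook handler: evict immediately instead of waiting for the TTL."""
        self.crl.add(serial)
        self.cache.pop(serial, None)

    def authorize(self, serial: Optional[str], required_scope: str) -> bool:
        """Decide one request from its X-Kakunin-Cert-Serial header value."""
        if not serial or serial in self.crl:
            return False
        now = self.clock()
        verdict = self.cache.get(serial)
        if verdict is None or verdict.expires_at <= now:
            try:
                info = self.verify(serial)
            except VerifyUnavailable:
                return False                      # fail closed: no verdict, no access
            verdict = CachedVerdict(
                allowed=info.get("status") == "active",
                scopes=frozenset(info.get("scopes", [])),
                expires_at=now + self.ttl_seconds,
            )
            self.cache[serial] = verdict
        return verdict.allowed and required_scope in verdict.scopes


if __name__ == "__main__":
    # Constructed directory standing in for the verify API
    directory = {"SER-1": {"status": "active", "scopes": ["transactions:write"]}}
    gw = GatewayVerifier(verify=lambda s: directory[s])
    print(gw.authorize("SER-1", "transactions:write"))   # allowed
    gw.on_certificate_revoked("SER-1")
    print(gw.authorize("SER-1", "transactions:write"))   # blocked without a new lookup
```

Within the TTL a repeat request for the same serial costs no round trip, so a revoked agent could keep working for up to 5 seconds on the cache alone; the webhook eviction closes that gap, and an outage of the verify API denies rather than admits an unknown serial.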

Conclusion and Implementation Best Practices

Integrating Kakunin into your AI agent infrastructure establishes a cryptographic audit trail and runtime guardrail, preparing your application for strict regulatory environments like the EU AI Act.

To achieve maximum security, design your agent loops around these core best practices:

  1. Always Fail-Closed: Configure your middlewares and SDK integrations to fail closed if Kakunin's verify API becomes unreachable.
  2. Deterministic Hashing: Compute the model_hash of your agent configuration programmatically. If you deploy a new prompt or modify model weights, revoke the old certificate and issue a new one.
  3. Double-Fence Audits: Combine tool-level scope guards with database-level RLS policies. Even if an agent escapes its execution sandbox, the database will block unauthorized queries.
  4. Log Contextually: When invoking audit_log_append or events.ingest(), include rich, non-PII metadata (e.g., transaction volumes, file changes, decision tokens) to allow the drift engine to detect anomalies accurately.

By binding cryptographic identity to autonomous systems, Kakunin turns unpredictable AI agents into secure, compliance-ready enterprise actors.


Palash Bagchi
Published June 14, 2026