Skip to main content
Hexgate gates every tool call your AI agent makes through a typed Decision (allow / deny / approval-required) and threads per-request user identity through tracing and audit. Drop it in front of an OpenAI Agents / LangChain / Google ADK / Pydantic AI agent without rewriting the agent.

Quickstart

Install the SDK, run a chat REPL against the example agent in 60 seconds.

Two paths

Chat (single-process REPL) vs. serve (platform-backed) — pick the right one.

Framework adapters

OpenAI Agents, LangChain/LangGraph, Google ADK, Pydantic AI — same enforcement seam.

Policy bundles

Compile YAML to signed WASM, hot-reload on save, verify on every load.

What Hexgate is

Hexgate is two things that move together:
  • hexgate — the SDK. A Python runtime that gates every tool call through a typed Decision, wraps your existing agent without rewriting it, and threads per-request user identity through tracing + audit.
  • The Hexgate platform (optional) — a FastAPI control plane + React dashboard for editing policy in a browser, minting per-project tokens, watching live decisions stream from a serving agent, and shipping signed WASM policy bundles to production.
You can use the SDK with nothing else (single-process REPL, YAML on disk). Or plug in the platform when you want auditable decisions in ClickHouse, a shared Playground UI, and live policy edits.

The decision path

                      ┌─────────────────────────────────────────┐
   your code  ───►    │   create_agent / wrap_*_agent / Runner  │
                      │            ↓                            │
                      │     PolicyEnforcer.decide(role, tool)   │
                      │            ↓                            │
                      │   allow · deny · approval_required      │
                      └────────────────────┬────────────────────┘

                  ┌────────────────────────┼─────────────────────────┐
                  ▼                        ▼                         ▼
        ┌────────────────┐       ┌──────────────────┐       ┌────────────────┐
        │  Local policy  │       │ Signed WASM      │       │   Audit log    │
        │  (YAML / dir,  │       │ bundle from      │       │   (ClickHouse  │
        │  hot reload)   │       │ Hexgate cloud   │       │   via REST)    │
        └────────────────┘       └──────────────────┘       └────────────────┘
This documentation site is freshly scaffolded. Most page bodies are placeholders pointing back to the README until the migration completes.