Install: claude install-skill SarthiAI/kavach-skill
# Kavach: default-deny execution gates for AI agents
> **Next step, pick your language and load that doc immediately:**
> - **Python**: read [python/README.md](python/README.md), then [python/sdk.md](python/sdk.md).
> - **Node / TypeScript**: read [node/README.md](node/README.md), then [node/sdk.md](node/sdk.md).
>
> The rest of this file is the conceptual overview. Code, install commands, and full API surface live in the language folder you just picked.
Kavach is a Rust-core library, bound to both Python and Node / TypeScript, that puts a deny-by-default gate in front of every action an agent or service tries to execute. Both bindings ship the same surface: a policy gate, four built-in drift detectors, post-quantum signed permit tokens, a tamper-evident audit chain, and a secure channel primitive. The behaviour is identical across languages because every cryptographic primitive and every evaluator runs in the same compiled Rust core.
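A minimal Python model of the deny-by-default evaluation order this overview describes (policy, then drift, then invariants). It is an added illustration, not Kavach's API or code: every class, function, threshold and sample value is hypothetical, and the mapping of a drift signal to Refuse versus Invalidate is an assumption.

```python
# Illustrative model only, NOT Kavach's API. All names here are hypothetical.
from dataclasses import dataclass
from enum import Enum

class Verdict(Enum):
    PERMIT = "permit"
    REFUSE = "refuse"
    INVALIDATE = "invalidate"

@dataclass(frozen=True)
class Call:
    action: str
    identity_kind: str
    identity_role: str
    device: str           # device fingerprint observed on this call
    session_age_s: int
    amount: float = 0.0   # value checked against the numeric cap

@dataclass(frozen=True)
class Permit:
    action: str
    identity_kind: str
    identity_role: str

def policy(call, permits):
    # Default deny: the call passes only if some permit rule matches it.
    return any(p.action == call.action
               and p.identity_kind == call.identity_kind
               and p.identity_role == call.identity_role for p in permits)

def drift(call, enrolled_device, max_session_s):
    # Two of the four drift signals, with constructed thresholds.
    if call.device != enrolled_device:
        return Verdict.INVALIDATE   # assumption: device change invalidates
    if call.session_age_s > max_session_s:
        return Verdict.REFUSE       # assumption: stale session is refused
    return Verdict.PERMIT

def gate(call, permits, enrolled_device, max_session_s=3600, cap=None):
    # Evaluators run in order; the first non-permit result ends evaluation.
    if not policy(call, permits):
        return Verdict.REFUSE, "policy: no matching permit"
    verdict = drift(call, enrolled_device, max_session_s)
    if verdict is not Verdict.PERMIT:
        return verdict, "drift"
    if cap is not None and call.amount > cap:
        return Verdict.REFUSE, "invariant: cap exceeded"
    return Verdict.PERMIT, "all evaluators passed"
```

An empty permit list refuses every call, which is the property to check first when reviewing any gate of this shape.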
## What it does
Every call passes through three evaluators in order:
1. **Policy** decides whether the action matches a permit rule. Identity checks (`identity_kind`, `identity_role`, `identity_id`) run inside this phase. No matching permit means Refuse.
2. **Drift** (optional, on by default) checks four signals about the principal's runtime context: device fingerprint, geo / IP, session age, and action rate. Any violation can Refuse or Invalidate.
3. **Invariants** (optional, present when configured) enforce hard numeric caps that beat any