Wrap your OpenAI, Anthropic, LangChain, CrewAI, or Google ADK client with one function call. Every tool invocation goes through the Clampd gateway: 287 detection rules, scope tokens, a behavioural baseline, the kill switch. One import, no agent-loop rewrite.
pip install clampd
npm install @clampd/sdk
The whole pitch in five lines of Python.
import clampd
from openai import OpenAI
clampd.init() # reads CLAMPD_DSN, enrolls on first run
client = clampd.openai(OpenAI())
# All tool calls now go through the Clampd gateway. No other code change needed.
response = client.chat.completions.create(model="gpt-4o", messages=[...], tools=[...])
The wrapper intercepts chat.completions.create, identifies tool-call blocks in the response, sends each call to the Clampd gateway, and either lets it through (with a scope-bound token) or raises ClampdBlockedError. No middleware to wire up, no proxy to configure beyond the gateway URL.
One line of code. We check the tool call before it runs and the response before it reaches your model.
Tool descriptor hashing uses byte-identical canonicalisation across all four languages. A tool registered from Python and invoked from TypeScript produces the same SHA-256 hash, so rug-pull detection works in mixed-language deployments.
# OpenAI
client = clampd.openai(OpenAI(), agent_id="my-agent")
# Anthropic / Claude
client = clampd.anthropic(Anthropic(), agent_id="my-agent")
# LangChain (callback handler, guards every tool)
agent.invoke(input, config={"callbacks": [clampd.langchain(agent_id="my-agent")]})
# Google ADK (before_tool_callback)
agent = Agent(tools=[search], before_tool_callback=clampd.adk(agent_id="my-agent"))
# CrewAI
guard = clampd.crewai(agent_id="my-agent")
agent = Agent(role="researcher", step_callback=guard.step_callback, tools=[search_tool])
# Generic decorator (any Python function)
@clampd.guard("database.query", agent_id="my-agent")
def run_query(sql): ...
Every tool call is evaluated against built-in rules: SQL injection, command injection, SSRF, prompt injection, PII leakage, path traversal, reverse shells, schema injection. Sub-50µs in-process eval.
Approved tool calls get a short-lived Ed25519-signed token bound to (tool, params). The agent never holds raw downstream credentials. Tools verify via JWKS.
SHA-256 over (name, description, parameters) sent with every call. If a tool's schema mutates between approval and call (MCP rug pull), the gateway returns a typed descriptor_hash_mismatch: denial.
Set check_response=True and the SDK scans tool responses for PII, secrets, and data anomalies before they enter the LLM context.
Use clampd.agent("orchestrator") as a decorator or context manager. All @clampd.guard calls inside automatically inherit the delegation chain. Cycle detection and a max depth are enforced.
Streaming responses (OpenAI, Anthropic) are wrapped so tool-call blocks are intercepted as they emerge from the stream. No need to disable streaming for security.
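The descriptor hashing and rug-pull check described above, as an added example that is not Clampd's own code. The canonical form (NFC-normalised strings, sorted keys, compact UTF-8 JSON), the DescriptorPins class and the descriptor_not_approved reason are assumptions for illustration; only the SHA-256 over (name, description, parameters) and the descriptor_hash_mismatch denial come from the page.

```python
import hashlib
import json
import unicodedata


def _nfc(value):
    """Recursively NFC-normalise strings so equivalent Unicode text hashes alike."""
    if isinstance(value, str):
        return unicodedata.normalize("NFC", value)
    if isinstance(value, list):
        return [_nfc(v) for v in value]
    if isinstance(value, dict):
        return {_nfc(k): _nfc(v) for k, v in value.items()}
    return value


def descriptor_hash(name, description, parameters):
    """SHA-256 over an assumed canonical form of (name, description, parameters)."""
    doc = _nfc({"name": name, "description": description, "parameters": parameters})
    # Assumed canonical form: sorted keys, no insignificant whitespace, raw UTF-8.
    canonical = json.dumps(doc, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class DescriptorPins:
    """Hypothetical stand-in for the gateway's record of approved descriptors."""

    def __init__(self):
        self._pins = {}

    def approve(self, name, description, parameters):
        """Pin the descriptor as it looked when the tool was approved."""
        self._pins[name] = descriptor_hash(name, description, parameters)
        return self._pins[name]

    def check(self, name, description, parameters):
        """Return None when the descriptor matches its pin, else a denial reason."""
        pinned = self._pins.get(name)
        if pinned is None:
            return "descriptor_not_approved"  # hypothetical reason string
        if pinned != descriptor_hash(name, description, parameters):
            return "descriptor_hash_mismatch"  # schema changed after approval
        return None


# Constructed sample descriptor parameters (JSON Schema style).
SEARCH_PARAMS = {"type": "object", "properties": {"q": {"type": "string"}}, "required": ["q"]}
```

Key order and Unicode composition do not change the hash under this canonical form, while any edit to the name, description or schema after approval does.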
# One connection string per agent process (all SDKs read it)
CLAMPD_DSN=clampd://ag_live_...@gateway.clampd.dev
CLAMPD_AGENT_NAME=orchestrator # optional label; defaults to the hostname
# In code: no agent IDs, no secrets. The SDK enrolls on first run.
clampd.init() # reads CLAMPD_DSN, generates an Ed25519 key, enrolls
# Multi-agent: each agent runs init() in its own process, then
# delegate by logical name. The SDK resolves the name to the
# enrolled identity and builds the delegation chain for you.
with clampd.agent("research-agent"):
    run_research()
Self-hosted gateway free for under 25 agents. Hosted gateway available. SDKs are Apache-2.0; the self-hosted gateway is source-available under BSL-1.1. No telemetry by default.