{"id":50543295,"url":"https://github.com/contextforge-org/cpex","last_synced_at":"2026-06-27T06:00:54.531Z","repository":{"id":334287660,"uuid":"1118936644","full_name":"contextforge-org/cpex","owner":"contextforge-org","description":"A composable enforcement framework for AI agents and toolchains","archived":false,"fork":false,"pushed_at":"2026-06-25T06:57:43.000Z","size":17871,"stargazers_count":9,"open_issues_count":26,"forks_count":8,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-06-25T07:12:30.927Z","etag":null,"topics":["a2a","agents","ai","extensibility","framework","hooks","library","llm","mcp","plugins","safety","security","tools"],"latest_commit_sha":null,"homepage":"https://contextforge-org.github.io/cpex","language":"Rust","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/contextforge-org.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-12-18T13:54:14.000Z","updated_at":"2026-06-25T06:57:47.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/contextforge-org/cpex","commit_stats":null,"previous_names":["contextforge-org/contextforge-plugins-framework","contextforge-org/cpex"],"tags_count":40,"template":false,"template_full_name":null,"purl":"pkg:github/contextforge-org/cpex","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/contextforge-org%2Fcpex","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/contextforge-org%2Fcpex/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/contextforge-org%2Fcpex/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/contextforge-org%2Fcpex/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/contextforge-org","download_url":"https://codeload.github.com/contextforge-org/cpex/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/contextforge-org%2Fcpex/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":34801164,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-26T02:00:06.560Z","response_time":106,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["a2a","agents","ai","extensibility","framework","hooks","library","llm","mcp","plugins","safety","security","tools"],"created_at":"2026-06-03T22:00:21.924Z","updated_at":"2026-06-27T06:00:54.519Z","avatar_url":"https://github.com/contextforge-org.png","language":"Rust","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv\u003e\n  \u003cimg alt=\"CPEX logo\" src=\"https://github.com/contextforge-org/cpex/blob/main/docs/images/cpex_v1.png?raw=true\" height=100\"\u003e\n\u003c/div\u003e\n\n# CPEX\n\n\u003ci\u003eA policy enforcement runtime for AI agents.\u003c/i\u003e\n\n[![CI](https://github.com/contextforge-org/cpex/actions/workflows/ci.yml/badge.svg)](https://github.com/contextforge-org/cpex/actions/workflows/ci.yml)\n[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](LICENSE)\n[![crates.io](https://img.shields.io/crates/v/cpex.svg)](https://crates.io/crates/cpex)\n[![docs.rs](https://img.shields.io/docsrs/cpex)](https://docs.rs/cpex)\n[![MSRV](https://img.shields.io/badge/MSRV-1.96-blue.svg)](rust-toolchain.toml)\n\n\u003e [!NOTE]\n\u003e **Looking for CPEX Python?** It now lives on the [`0.1.x` branch](https://github.com/contextforge-org/cpex/tree/0.1.x), maintained for backwards compatibility. `main` (`0.2`+) is the **Rust** framework, re-architected around policy and authorization. Python bindings (PyO3) over the Rust core are coming.\n\n## What's CPEX?\n\nCPEX is a policy enforcement runtime for AI agents.\n\nIt acts as a deterministic reference monitor between an agent and every capability it invokes: tools, prompts, resources, inference providers, and A2A methods. Every operation is evaluated against security state the model cannot observe or influence, including identity, delegation and escalation chains, information-flow labels, and audit log.\n\nCPEX composes authorization, delegation, redaction, information-flow tracking, and auditing into a single policy-defined pipeline. Every operation executes the same deterministic sequence, from identity resolution and policy evaluation through credential delegation, data transformation, session updates, out-of-band approvals, and auditing.\n\n\u003cdiv\u003e\n  \u003cimg alt=\"CPEX mediates every operation an untrusted LLM triggers, evaluating APL policy against identity, delegation, taint, and audit state the model cannot forge\" src=\"https://github.com/contextforge-org/cpex/blob/main/docs/static/images/cpex_overview.png?raw=true\" /\u003e\n\u003c/div\u003e\n\n## Enforcement pipelines\n\nEach capability exposed to an agent defines its own enforcement pipeline, whether it's a tool, resource, prompt, or A2A method.\n\nAPL is the configuration that defines that pipeline. A _route_ identifies an entity and sequences the controls that protect it: resolve identity, consult an external PDP, exchange credentials, invoke plugins, redact results, propagate taint, and audit the operation. Each step executes deterministically, in order, with only the context it explicitly declares.\n\nPolicies execute in two phases—before the operation and after its result—making the complete enforcement pipeline easy to inspect and reason about.\n\n## Context-aware enforcement\n\nThe example below places CPEX between a single agent and three backends: HR records, source repositories, and email. The agent remains unchanged. Policy adapts each operation to the caller's identity, permissions, and session state.\n\n\u003cdiv\u003e\n  \u003cimg alt=\"One agent serves three users across HR, repo, and email backends; CPEX policy produces a different outcome per identity\" src=\"https://github.com/contextforge-org/cpex/blob/main/docs/static/images/demo_scenario.png?raw=true\" /\u003e\n\u003c/div\u003e\n\nOne policy defines three distinct enforcement pipelines, one for each entity.\n\n```yaml\nroutes:\n  # HR lookup: gate on role, scope a downstream token, redact by permission, taint the session.\n  - tool: get_compensation\n    policy:\n      - \"require(role.hr)\"\n      - \"delegate(workday-oauth, target: workday-api, permissions: [read_compensation])\"\n      - \"taint(secret, session)\"\n      - \"run(audit-log)\"\n    result:\n      ssn: \"str | redact(!perm.view_ssn)\"\n\n  # Repo search: gate on team, decide with CEL (or Cedar), require the scoped grant.\n  - tool: search_repos\n    policy:\n      - \"require(team.engineering | team.security)\"\n      - cel:\n          expr: \"(role.engineer \u0026\u0026 args.visibility == 'internal') || role.security\"\n          on_deny: [\"deny('engineers read internal only; security reads any', 'cel.policy_denied')\"]\n      - \"delegate(github-oauth, target: github-api, permissions: [repo:read:internal])\"\n      - \"run(audit-log)\"\n\n  # Outbound email: refuse if the session already touched secret data.\n  - tool: send_email\n    policy:\n      - \"require(perm.email_send)\"\n      - \"run(pii-scan)\"\n      - \"security.labels contains \\\"secret\\\": deny('write-down blocked', 'session_tainted')\"\n      - \"run(audit-log)\"\n```\n\nTwo examples illustrate the behavior:\n\n- **Same request, different result.** An HR analyst with `view_ssn` receives the full record. Without that permission, the SSN is redacted before the response leaves CPEX. Engineers never reach the backend because the request is rejected by `require(role.hr)`.\n\n- **Information follows the session.** Reading compensation data taints the session. Later attempts to send external email are blocked—even if the email itself contains no sensitive content.\n\nThe application stays the same. Only the policy changes.\n\n## Beyond request-level authorization\n\nRBAC, ABAC, Cedar, OPA, AuthZEN, and similar systems answer an important question:\n\n\u003e Should this request be allowed?\n\nCPEX answers a broader one:\n\n\u003e What security pipeline should execute for this agent operation?\n\nThat pipeline can combine request authorization with credential delegation, response transformation, information-flow tracking, auditing, and session state into a single deterministic policy.\n\nThree capabilities distinguish this model:\n\n- **Information flow across operations.** Policy can carry security state across an entire agent session, preventing write-down and other cross-call attacks rather than evaluating each request in isolation.\n\n- **Delegation as policy.** OAuth token exchange (RFC 8693), capability reduction, and downstream credential verification become ordinary policy steps instead of bespoke integration code.\n\n- **Decision orchestration.** Existing authorization systems remain the source of truth. APL invokes Cedar, CEL, OPA, AuthZEN, or custom resolvers wherever a decision is needed, while CPEX enforces the resulting security pipeline.\n\n## Where it runs\n\nCPEX enforces policy wherever an agent crosses a trust boundary.\n\nIt can run in front of tool servers, beside an agent as an egress sidecar, inside an agent framework, or as middleware between components. The enforcement point can move without changing policy, allowing the same APL configuration to span gateways, agents, and services.\n\n## Install\n\n```bash\n# Engine only (bring your own plugins):\ncargo add cpex\n\n# With the bundled builtin plugins/PDPs:\ncargo add cpex --features builtins\n```\n\nThe default `cpex = \"0.2\"` is the **engine alone**. Opt into the bundled extension set with the `builtins` feature, everything (incl. the Valkey session store) with `full`, or a granular subset: `jwt`, `oauth`, `pii`, `audit`, `cedar`, `cel`, `valkey`.\n\n```rust\nuse std::sync::Arc;\nuse cpex::PluginManager;\n\nlet mgr = Arc::new(PluginManager::default());\n\n// With a builtins feature enabled, register every enabled builtin factory\n// and install the APL config visitor in one call:\ncpex::install_builtins(\u0026mgr);\n// ... then load an APL config that references the enabled plugin `kind`s.\n```\n\nAuthoring plugins or PDP resolvers? Depend on the lean [`cpex-sdk`](crates/cpex-sdk) crate instead of the full runtime. See [`crates/cpex-core/examples`](crates/cpex-core/examples) for runnable examples.\n\n## Documentation\n\n- [**Vision**](https://contextforge-org.github.io/cpex/docs/vision/): the reference-monitor model and where CPEX sits.\n- [**Overview**](https://contextforge-org.github.io/cpex/docs/overview/): the model in motion, with the scenario above end to end.\n- [**APL**](https://contextforge-org.github.io/cpex/docs/apl/): the policy language: predicates, effects, sequencing, field pipelines.\n- [**Quick Start**](https://contextforge-org.github.io/cpex/docs/quickstart/): stand up CPEX as an enforcement point.\n\n## Workspace layout\n\nCPEX is a Cargo workspace of focused crates:\n\n| Crate | Description |\n|-------|-------------|\n| [`cpex`](crates/cpex) | Host facade, re-exports the runtime and (optionally) the builtins |\n| [`cpex-core`](crates/cpex-core) | Plugin runtime: `PluginManager`, executor, hooks, config |\n| [`cpex-sdk`](crates/cpex-sdk) | Plugin author SDK: `Plugin`/`HookHandler` traits, payloads, results |\n| [`cpex-orchestration`](crates/cpex-orchestration) | Async concurrency primitives shared by the runtime |\n| [`cpex-builtins`](crates/cpex-builtins) | Feature-gated bundle of builtin plugins, PDPs, session stores |\n| [`cpex-ffi`](crates/cpex-ffi) | C FFI (`cdylib`/`staticlib`) for Go / Python / WASM host bindings |\n| [`apl-core`](crates/apl-core) · [`apl-cmf`](crates/apl-cmf) · [`apl-cpex`](crates/apl-cpex) | APL (Authorization Policy Language): compiler/evaluator, CMF bridge, CPEX integration |\n| `builtins/*` | Bundled plugins (PII scanner, audit logger, JWT identity, OAuth/Biscuit delegation), PDPs (Cedar, CEL), and the Valkey session store |\n\nThe C FFI is distributed as signed prebuilt artifacts. See [`crates/cpex-ffi/RELEASE.md`](crates/cpex-ffi/RELEASE.md). Go bindings live in [`go/cpex`](go/cpex).\n\n## Development\n\nCPEX targets Rust **1.96** (pinned in [`rust-toolchain.toml`](rust-toolchain.toml)). Common tasks:\n\n```bash\nmake lint        # rustfmt --check + clippy -D warnings\nmake test        # cargo test --workspace\nmake audit       # cargo deny check (advisories, licenses, bans, sources)\nmake examples-build   # build all Rust + Go examples\nmake ci          # the full local gate (lint + test + examples)\n```\n\nSee [CONTRIBUTING.md](CONTRIBUTING.md) for the full workflow and [SECURITY.md](SECURITY.md) to report vulnerabilities.\n\n## Project Status\n\nCPEX is under active development as part of the ContextForge ecosystem.\n\nThe project is designed as a reusable enforcement layer for agentic systems, integrating with AI gateways, agent frameworks, LLM proxies, MCP servers, and other capability providers through a common policy model.\n\n## License\n\n[Apache 2.0](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontextforge-org%2Fcpex","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcontextforge-org%2Fcpex","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcontextforge-org%2Fcpex/lists"}