{"id":48220183,"url":"https://github.com/stateloom/stateloom","last_synced_at":"2026-04-12T07:01:32.165Z","repository":{"id":349158756,"uuid":"1195230855","full_name":"stateloom/stateloom","owner":"stateloom","description":"The control plane for AI agents. Track, secure, and optimize every agent run.","archived":false,"fork":false,"pushed_at":"2026-04-04T19:47:20.000Z","size":4456,"stargazers_count":11,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-04T20:10:09.013Z","etag":null,"topics":["ai-agents","anthropic","cost-tracking","developer-tools","gateway","gemini","guardrails","llm","middleware","observability","openai","pii-detection","python","security"],"latest_commit_sha":null,"homepage":"https://stateloom.dev","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stateloom.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-03-29T12:08:21.000Z","updated_at":"2026-04-04T20:01:38.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/stateloom/stateloom","commit_stats":null,"previous_names":["stateloom/stateloom"],"tags_count":6,"template":false,"template_full_name":null,"purl":"pkg:github/stateloom/stateloom","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stateloom%2Fstateloom","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stateloom%2Fstateloom/tags","releases_u
rl":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stateloom%2Fstateloom/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stateloom%2Fstateloom/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stateloom","download_url":"https://codeload.github.com/stateloom/stateloom/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stateloom%2Fstateloom/sbom","scorecard":{"id":1245614,"data":{"date":"2026-04-04T19:47:19Z","repo":{"name":"github.com/stateloom/stateloom","commit":"b3dc737ee0cb38fcebbacb6fed5a7eacec9e0bb1"},"scorecard":{"version":"v5.0.0","commit":"ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4"},"score":4.6,"checks":[{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#binary-artifacts"}},{"name":"Branch-Protection","score":3,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: branch 'main' does not require approvers","Warn: codeowners review is not required on branch 'main'","Warn: no status checks found to merge onto branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#branch-protection"}},{"name":"CI-Tests","score":10,"reason":"5 out of 5 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are 
merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#ci-tests"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#cii-best-practices"}},{"name":"Code-Review","score":0,"reason":"Found 0/22 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#code-review"}},{"name":"Contributors","score":3,"reason":"project has 1 contributing companies or organizations -- score normalized to 3","details":["Info: stateloom contributor org/company found, "],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#contributors"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dangerous-workflow"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update 
tool.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#dependency-update-tool"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#fuzzing"}},{"name":"License","score":9,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Warn: project license file does not contain an FSF or OSI license."],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#license"}},{"name":"Maintained","score":0,"reason":"project was created in last 90 days. please review its contents carefully","details":["Warn: Repository was created in last 90 days."],"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#maintained"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/release.yml:35"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#packaging"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/ci.yml:24: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:48: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:70: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:74: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:76: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:107: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:111: update your 
workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:113: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:160: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:164: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:166: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/ci.yml:186: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:190: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:192: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/ci.yml:208: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/ci.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/dependabot-auto-merge.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/dependabot-auto-merge.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: 
.github/workflows/dependency-review.yml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/dependency-review.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/dependency-review.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/dependency-review.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:17: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:30: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:44: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:50: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:59: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/release.yml:62: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/release.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/release.yml:68: update your workflow using 
https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/release.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:21: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/scorecard.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/scorecard.yml:26: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/scorecard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/scorecard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/scorecard.yml:40: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/scorecard.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:20: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:31: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:41: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:43: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/security.yml/main?enable=pin","Warn: GitHub-owned 
GitHubAction not pinned by hash: .github/workflows/security.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:65: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:68: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:73: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/security.yml:80: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/security.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/security.yml:85: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/security.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/version-bump.yml:23: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/version-bump.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/version-bump.yml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/stateloom/stateloom/version-bump.yml/main?enable=pin","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:32","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:56","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:82","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:119","Warn: pipCommand not pinned by hash: 
.github/workflows/ci.yml:172","Warn: pipCommand not pinned by hash: .github/workflows/ci.yml:198","Warn: pipCommand not pinned by hash: .github/workflows/release.yml:25","Warn: pipCommand not pinned by hash: .github/workflows/security.yml:49","Warn: pipCommand not pinned by hash: .github/workflows/security.yml:26","Info:   0 out of  37 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  11 third-party GitHubAction dependencies pinned","Info:   1 out of  10 pipCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#pinned-dependencies"}},{"name":"SAST","score":7,"reason":"SAST tool detected but not run on all commits","details":["Info: SAST configuration detected: CodeQL","Warn: 0 commits out of 8 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#sast"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#security-policy"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.2.1 not signed: https://api.github.com/repos/stateloom/stateloom/releases/305308174","Warn: release artifact v0.2.0 not signed: https://api.github.com/repos/stateloom/stateloom/releases/305256469","Warn: release artifact v0.2.1 does not have provenance: 
https://api.github.com/repos/stateloom/stateloom/releases/305308174","Warn: release artifact v0.2.0 does not have provenance: https://api.github.com/repos/stateloom/stateloom/releases/305256469"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#signed-releases"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release.yml:57","Warn: no topLevel permission defined: .github/workflows/ci.yml:1","Warn: topLevel 'contents' permission set to 'write': .github/workflows/dependabot-auto-merge.yml:7","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:5","Warn: topLevel 'contents' permission set to 'write': .github/workflows/release.yml:9","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yml:9","Warn: no topLevel permission defined: .github/workflows/security.yml:1","Warn: topLevel 'contents' permission set to 'write': .github/workflows/version-bump.yml:16"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#token-permissions"}},{"name":"Vulnerabilities","score":10,"reason":"0 existing vulnerabilities detected","details":null,"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ea7e27ed41b76ab879c862fa0ca4cc9c61764ee4/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2026-04-04T20:33:09.112Z","repository_id":349158756,"created_at":"2026-04-04T20:33:09.112Z","updated_at":"2026-04-04T20:33:09.112Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31706765,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-12T06:22:27.080Z","status":"ssl_error","status_checked_at":"2026-04-12T06:21:52.710Z","response_time":58,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ai-agents","anthropic","cost-tracking","developer-tools","gateway","gemini","guardrails","llm","middleware","observability","openai","pii-detection","python","security"],"created_at":"2026-04-04T19:08:53.228Z","updated_at":"2026-04-12T07:01:32.153Z","avatar_url":"https://github.com/stateloom.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://stateloom.dev\"\u003e\u003cimg src=\"assets/logo.svg\" alt=\"StateLoom\" height=\"48\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n\u003cp align=\"center\"\u003e\n  \u003ca href=\"https://pypi.org/project/stateloom/\"\u003e\u003cimg src=\"https://img.shields.io/pypi/v/stateloom.svg\" alt=\"PyPI\"\u003e\u003c/a\u003e\n  \u003ca 
href=\"LICENSE\"\u003e\u003cimg src=\"https://img.shields.io/badge/license-BSL%201.1-orange.svg\" alt=\"License\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://python.org\"\u003e\u003cimg src=\"https://img.shields.io/badge/python-3.10%2B-blue.svg\" alt=\"Python\"\u003e\u003c/a\u003e\n  \u003ca href=\"https://stateloom.dev\"\u003e\u003cimg src=\"https://img.shields.io/badge/website-stateloom.dev-6366f1\" alt=\"Website\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\n**The stateful control plane for AI agents.** Crash on step 47, resume from step 46. Budget the whole run at $2. Kill rogue agents instantly. All local, no SaaS, no framework lock-in.\n\nWorks with multiple LLM SDKs (Anthropic, Gemini, OpenAI, Cohere, Mistral, LiteLLM, etc.) and agent CLIs like Claude Code, Gemini CLI, and [OpenClaw](OPENCLAW.md).\n\n---\n\n## Why StateLoom?\n\nStateLoom is **session-aware**. Instead of seeing each API request in isolation, it sits in the request path and groups fragmented multi-step workflows into meaningful, stateful sessions. This lets you resume crashed scripts without re-paying for completed steps, enforce budgets across an entire agent run (not just a single call), contain blast radius when things go wrong, and get full visibility into what your models are actually doing.\n\nIt runs locally on your laptop or inside your VPC. 
Prompts never leave your network.\n\n---\n\n## Table of Contents\n\n- [Why StateLoom?](#why-stateloom)\n- [Quick Start](#quick-start)\n- [Providers](#providers)\n- [Core Features](#core-features)\n- [Advanced Features](#advanced-features)\n- [More Features](#more-features)\n- [Key Examples](#key-examples)\n- [Dashboard](#dashboard)\n- [For Teams \u0026 Enterprise](#for-teams--enterprise)\n- [Extras](#extras)\n- [Configuration](#configuration)\n- [Error Handling](#error-handling)\n- [Documentation](#documentation)\n- [Contributing](#contributing)\n- [License](#license)\n\n---\n\n## Quick Start\n\n### For CLI users (zero code changes)\n\n```bash\npip install stateloom\nstateloom start\n# Dashboard is live at http://localhost:4782\n```\n\n```bash\nexport ANTHROPIC_BASE_URL=http://localhost:4782\nclaude \"explain this codebase\"\n# → Dashboard at localhost:4782 shows cost, tokens, PII, session timeline\n```\n\nAlso works with Gemini CLI and Codex:\n\n```bash\nexport CODE_ASSIST_ENDPOINT=http://localhost:4782/code-assist\ngemini \"refactor the auth module\"\n```\n\n```bash\nexport OPENAI_BASE_URL=http://localhost:4782/v1\ncodex \"add unit tests for the auth module\"\n```\n\nYou already pay for Claude Pro or Gemini Ultra. Use your existing subscription through StateLoom — get cost tracking, PII scanning, budget enforcement, guardrails, and a session timeline for every agent run. No API key needed, no code changes. All CLIs connect to the same StateLoom instance.\n\n### For SDK users\n\n```bash\npip install stateloom\n```\n\n```python\nimport stateloom\nimport anthropic\n\nstateloom.init()\nclaude = anthropic.Anthropic()\n\nwith stateloom.session(\"customer-report\", budget=2.0, durable=True) as s:\n    # Crashes on Step 3? 
Restart skips Steps 1 \u0026 2 from cache.\n    research = claude.messages.create(\n        model=\"claude-sonnet-4-20250514\",\n        max_tokens=1024,\n        messages=[{\"role\": \"user\", \"content\": \"Key trends in AI governance 2025\"}],\n    )\n```\n\n**Requirements:** Python 3.10+ (tested on 3.10, 3.11, 3.12, 3.13). See [extras](#extras) for optional dependencies.\n\n## Providers\n\nAuto-detects and patches installed LLM clients:\n\n| Provider | Package | Auto-patched | Streaming |\n|----------|---------|:------------:|:---------:|\n| OpenAI | `openai` | Yes | `stream=True` |\n| Anthropic | `anthropic` | Yes | `stream=True` |\n| Google Gemini | `google-generativeai` or `google-genai` | Yes | `generate_content_stream()` |\n| Cohere | `cohere` | Yes | `chat_stream()` |\n| Mistral | `mistralai` | Yes | `chat.stream()` |\n| LiteLLM | `litellm` | Yes | `stream=True` |\n| Ollama (local) | — | Via `local_model=` | — |\n\n## Core Features\n\n### Durable Resumption\n\nTemporal-like checkpointing for LLM workflows. When an agent crashes mid-run, restart the same session and it resumes from cache — completed steps replay instantly, only new steps execute live. Works across providers, supports streaming, and handles tool calls. 
No framework lock-in required.\n\n```python\nimport stateloom\nimport anthropic\nimport google.genai as genai\n\nstateloom.init()\nclaude = anthropic.Anthropic()\ngemini = genai.Client()\n\nwith stateloom.session(\"customer-report\", budget=2.0, durable=True) as s:\n    # Step 1: Research (Claude)\n    research = claude.messages.create(\n        model=\"claude-sonnet-4-20250514\",\n        max_tokens=1024,\n        messages=[{\"role\": \"user\", \"content\": \"Key trends in AI governance 2025\"}],\n    )\n\n    # Step 2: Analyze (Gemini)\n    analysis = gemini.models.generate_content(\n        model=\"gemini-2.5-flash\",\n        contents=f\"Analyze: {research.content[0].text}\",\n    )\n\n    # Step 3: Synthesize (Claude)\n    report = claude.messages.create(\n        model=\"claude-sonnet-4-20250514\",\n        max_tokens=2048,\n        messages=[{\"role\": \"user\", \"content\": f\"Write report: {analysis.text}\"}],\n    )\n\n    print(f\"Total: ${s.total_cost:.2f} | {s.total_tokens} tokens | {s.call_count} calls\")\n\n# Mix providers freely — StateLoom tracks cost across all of them in one session.\n# If this script crashes on Step 3, restarting it skips Steps 1 \u0026 2 for free.\n# Budget enforcement stops the whole run if it exceeds $2.\n```\n\n### Session-Scoped Budgets\n\nHard stop or warn when an agent run exceeds its spend limit — not per-call rate limiting, but per-session enforcement across an entire multi-provider workflow. Budget tracking works with both API keys and subscriptions.\n\n```python\nwith stateloom.session(\"analysis\", budget=2.0) as s:\n    # StateLoom hard-stops this session if cumulative cost exceeds $2\n    ...\n```\n\n![Budget exceeded — session hard-stopped after $0.001 limit crossed](assets/session_budget.png)\n\n### Agent CLI Integration\n\nClaude Code, Gemini CLI, and Codex through StateLoom. Zero code changes — just set an environment variable and every CLI call flows through StateLoom's middleware pipeline. 
Works with subscriptions (Claude Max, Gemini Ultra, ChatGPT Pro) — OAuth tokens pass through to the upstream provider.\n\n### Cross-Provider Cost Tracking\n\nOne session spanning Claude + Gemini + GPT, with per-model cost breakdown. Every call within a session is tracked regardless of provider, giving you total cost, token counts, and per-model attribution in one place.\n\n### Local-First, Zero-Trust\n\nRuns on localhost or in your VPC. Prompts never leave your network. CPython audit hooks (PEP 578) intercept dangerous operations at the interpreter level. An in-memory secret vault scrubs API keys from `os.environ` so agent code can't exfiltrate credentials.\n\n## Advanced Features\n\nEach feature below is fully shipped. See the [full feature reference](docs/reference.md) for configuration details and examples.\n\n- **PII Detection** — detect emails, credit cards, SSNs, API keys in audit, redact, or block modes. Optional NER via GLiNER for zero-shot entity recognition.\n- **Guardrails** — prompt injection detection (32 heuristic patterns + NLI classifier + Llama-Guard), jailbreak prevention, system prompt leak protection. Audit or enforce modes.\n- **Secret Vault** — in-memory secret storage with `os.environ` scrubbing. CPython audit hooks block `subprocess.Popen`, `os.system`, and other exfiltration vectors.\n- **Exact-Match \u0026 Semantic Caching** — deduplication plus embedding-based similarity matching (sentence-transformers + FAISS). Error responses are excluded from cache.\n- **Kill Switch \u0026 Blast Radius** — global or granular emergency stop (by model, provider, environment, agent). Auto-pause on repeated failures per session or per agent identity.\n- **Auto-Routing** — route simple requests to local Ollama models based on semantic complexity scoring. 
Realtime data guard, inadequate response reroute, historical learning across restarts.\n- **Model Testing** — shadow traffic comparison with automated quality scoring, migration readiness reports, and similarity analysis. Fire-and-forget candidate calls.\n- **Semantic Retries** — automatic retries for bad JSON, hallucinated tool calls, and other LLM output failures. Combine with durable sessions for retry loops that don't re-pay for completed steps.\n- **Circuit Breaker** — per-provider failover with tier-based model alternatives and health probes for recovery detection.\n- **Time-Travel Debugging** — replay a failed agent run from any step with network safety (outbound HTTP blocked during replay).\n- **VCR-Cassette Mock** — record LLM calls once, replay forever for zero-cost testing. Network blocking prevents accidental live calls.\n- **Loop Detection** — catch agents spinning on the same query.\n- **Session Timeouts \u0026 Cancellation** — max duration, idle timeout, programmatic cancellation, and suspension with signal/wait for human-in-the-loop.\n- **Named Checkpoints** — mark milestones within a session for the dashboard waterfall timeline.\n\n## More Features\n\n- **Multi-agent consensus** — vote, debate, and self-consistency strategies with persona-driven debaters. Budget-constrained multi-round debate with model downgrade.\n- **A/B experiments** — test model variants with built-in assignment, metrics, and backtesting.\n- **File-based prompt versioning** — drop `.md`/`.yaml`/`.txt` files in a folder; auto-detect changes as new versions with content hash deduplication.\n- **Managed agents** — create versioned agents with system prompts, call via REST API. Slug-based routing, immutable versions, rollback support.\n- **Unified chat API** — provider-agnostic `stateloom.chat()` without importing any SDK. 
Routes by model name prefix.\n- **LangChain / LangGraph integration** — callback handlers for popular agent frameworks.\n- **Session export/import** — portable JSON bundles for sharing, archiving, and migration with optional PII scrubbing.\n- **Compliance profiles** — declarative GDPR/HIPAA/CCPA enforcement with tamper-proof SHA-256 audit trails and Right to Be Forgotten purge engine.\n\n## Key Examples\n\n![StateLoom Dashboard](assets/homescreen.png)\n\n[![Claude CLI through StateLoom](https://img.youtube.com/vi/ZGct2D3Bwb4/maxresdefault.jpg)](https://www.youtube.com/watch?v=ZGct2D3Bwb4)\n\n![Gemini CLI session in StateLoom dashboard](assets/gemini_cli.png)\n\n![PII blocked — SSN detected in Claude CLI tool-use flow](assets/ssn_block.png)\n\n![Guardrail detecting prompt injection — 3 heuristic matches logged](assets/guardrail.png)\n\n## Dashboard\n\nStarts automatically at `localhost:4782`. Live session viewer, REST API, and WebSocket event streaming.\n\n![Session detail with waterfall trace, child sessions, and org/team budgets](assets/session-example.png)\n\n![Full event detail — model, tokens, cost, latency, request messages](assets/full_prompt_preview.png)\n\n![Exact-match caching — duplicate calls served from cache with saved cost](assets/caching.png)\n\n![Session timeout — auto-terminated after 8s limit](assets/timeout.png)\n\nThe dashboard includes session waterfalls, cost breakdowns, experiment management, consensus runs, model testing, safety controls, security logs, compliance audit trails, and observability charts. 
See the [full dashboard guide](docs/reference.md#dashboard) for details.\n\n## For Teams \u0026 Enterprise\n\n**StateLoom Enterprise Edition (EE)** provides a centralized control plane to govern, secure, and optimize your entire AI workforce:\n\n- **Hierarchical billing** — org and team-level token billing with cost attribution and automated chargebacks\n- **Virtual Key management** — scoped permissions per model, per agent, with rate limiting per key\n- **SSO/OIDC with RBAC** — five roles (org admin, auditor, team admin, editor, viewer) with PKCE and JIT provisioning\n- **Centralized kill switch \u0026 blast radius** — global or granular emergency controls across all teams\n- **Advanced consensus** — \u003e3 models, judge synthesis, greedy model downgrade, durable replay\n- **A/B experiments with backtesting** — replay historical sessions with new model variants\n- **Compliance profiles** — GDPR/HIPAA/CCPA with tamper-proof audit trails and Right to Be Forgotten\n\n👉 **[Book an Enterprise Demo Today](mailto:aishvarya@stateloom.dev)**\n\n## Extras\n\n```bash\npip install stateloom[langchain]    # LangChain callback handler\npip install stateloom[ner]          # GLiNER NER-based PII detection\npip install stateloom[semantic]     # Semantic caching (FAISS + sentence-transformers)\npip install stateloom[prompts]      # File-based prompt versioning (watchdog)\npip install stateloom[auth]         # OAuth2/OIDC authentication (pyjwt + argon2-cffi)\npip install stateloom[redis]        # Redis cache/queue backend\npip install stateloom[metrics]      # Prometheus metrics\npip install stateloom[tracing]      # OpenTelemetry distributed tracing\npip install stateloom[all]          # Everything\n```\n\n## Configuration\n\n```python\nstateloom.init(\n    budget=10.0,              # Per-session budget (USD)\n    pii=True,                 # Enable PII scanning\n    guardrails_enabled=True,  # Prompt injection protection\n    local_model=\"llama3.2\",   # Enable local models + 
auto-routing\n    shadow=True,              # Model testing\n    circuit_breaker=True,     # Provider failover\n    compliance=\"gdpr\",        # GDPR/HIPAA/CCPA profiles\n)\n```\n\nYAML config is also supported:\n\n```python\nfrom stateloom.core.config import StateLoomConfig\nconfig = StateLoomConfig.from_yaml(\"stateloom.yaml\")\n```\n\nSee [full configuration reference](docs/reference.md#configuration) for all options.\n\n## Error Handling\n\nStateLoom is **fail-open by default** — observability middleware errors (cost tracking, latency, console output) never break your LLM calls. Security-critical middleware (PII blocking, budget hard-stop, guardrails in enforce mode) always fails closed.\n\nFor production security environments, set security middleware to enforce mode so violations block requests rather than just logging them:\n\n```python\nstateloom.init(\n    pii=True,\n    pii_rules=[PIIRule(pattern=\"credit_card\", mode=\"block\")],  # Fail closed: block on match\n    guardrails_enabled=True,\n    guardrails_mode=\"enforce\",          # Fail closed: block prompt injection\n    security_audit_hooks_enabled=True,\n    security_audit_hooks_mode=\"enforce\", # Fail closed: block dangerous operations\n)\n```\n\n```python\nfrom stateloom import (\n    StateLoomBudgetError,        # Budget exceeded\n    StateLoomPIIBlockedError,    # PII block rule triggered\n    StateLoomGuardrailError,     # Prompt injection / jailbreak\n    StateLoomKillSwitchError,    # Kill switch active\n    StateLoomRateLimitError,     # Rate limit exceeded\n    StateLoomRetryError,         # All retry attempts exhausted\n    StateLoomTimeoutError,       # Session timed out\n    StateLoomSecurityError,      # Security policy blocked operation\n)\n```\n\nSee [full error reference](docs/reference.md#error-handling) for all error types.\n\n## Documentation\n\n- **[Full Feature Reference](docs/reference.md)** — detailed docs for every feature with examples, config tables, and YAML snippets\n- 
**[API Reference](docs/api-reference.md)** — complete index of public functions, classes, and enums\n\n## Contributing\n\nWe welcome contributions! Here's how to get started:\n\n```bash\n# Clone the repo\ngit clone https://github.com/stateloom/stateloom.git\ncd stateloom\n\n# Install in development mode\npip install -e \".[all]\"\n\n# Run tests\npytest tests/ -v\n\n# Lint and format\nruff check src/\nruff format src/\n```\n\n**Guidelines:**\n- All changes need tests. Run `pytest tests/ -v` before submitting.\n- Follow existing code patterns — use `ruff` for formatting and linting.\n- Security-critical middleware must fail closed. Observability middleware must fail open.\n- Events must be typed dataclasses inheriting from `Event`.\n- Use `contextvars.ContextVar` for async/thread-safe state, not globals.\n\n**Reporting issues:** [GitHub Issues](https://github.com/stateloom/stateloom/issues)\n\n## License\n\n[BSL 1.1](LICENSE)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstateloom%2Fstateloom","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstateloom%2Fstateloom","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstateloom%2Fstateloom/lists"}