Cross-agent behavioral analysis and governance for multi-agent AI systems.
"Sverm" is Norwegian/Swedish for "swarm" — reflecting the product's focus on governing swarms of cooperating agents.
Faramesh Core provides L1 deterministic enforcement at the individual tool call level. This is correct and complete for single agents. It is insufficient for multi-agent systems.
Consider three agents: Agent A reads 50 customer records, Agent B sends those to an external API, Agent C deletes the originals. Each individual call passes policy. The sequence — data exfiltration and deletion — is invisible to any single agent's governance.
Sverm detects these cross-agent emergent patterns by consuming DPR streams from all Core-governed agents and correlating behavior across agent boundaries.
```bash
go get github.com/faramesh/sverm
```

```go
import (
	"time"

	"github.com/faramesh/sverm"
)

// 1. Create the analysis engine
engine := sverm.NewEngine(1000) // 1000-event sliding window

// 2. Define cross-agent sequence rules
engine.AddRule(sverm.SequenceRule{
	ID:          "detect-exfil",
	Description: "Detect read-then-exfil across agents",
	AgentChain:  []string{"data-reader", "api-caller"},
	ToolChain:   []string{"db/query", "api/post"},
	MaxDuration: 10 * time.Minute,
	Action:      "alert",
})

// 3. Process DPR events from your agents
engine.Process(sverm.DPREvent{
	AgentID:   "data-reader",
	SessionID: "sess-001",
	ToolID:    "db/query",
	Decision:  "permit",
	Timestamp: time.Now(),
})

// 4. Check for violations and anomalies
violations := engine.Violations()
anomalies := engine.Anomalies()
```

Define patterns that span multiple agents and detect them in real time:
```yaml
sequence_rules:
  - id: sverm-001
    description: "Detect read-then-exfil pattern across agents"
    pattern:
      - agent_pattern: "*"
        tool_pattern: "read_customer_*"
        count_min: 20
        window_minutes: 30
      - agent_pattern: "*"
        tool_pattern: "http/post"
        within_minutes: 10
    on_match:
      effect: alert
      severity: critical
```

Automatic detection of:
- Cost spikes — agent costs exceeding 3x baseline
- Deny bursts — sudden increase in denied operations
- New agents — first-time agent observation
- Unusual hours — activity outside normal operating windows
- Rapid cross-references — suspicious cross-agent data access patterns
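
The following Go program is an added example, not Sverm's own code: it shows one way to evaluate the `sverm-001` read-then-exfil rule above over a merged, time-ordered event stream from several agents. The `Event` type, the `Detect` and `Sample` functions, the agent names, and the reading of `count_min`, `window_minutes` and `within_minutes` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path"
	"time"
)

// Event is a constructed stand-in for a DPR record, not sverm.DPREvent.
type Event struct {
	AgentID, ToolID string
	At              time.Time
}

// Detect applies an assumed reading of rule sverm-001 to time-ordered events from all agents.
func Detect(ev []Event, readGlob, postGlob string, countMin int, window, within time.Duration) (hits []Event) {
	var reads []time.Time // step-1 matches still inside the window
	var armedAt time.Time // last moment countMin was reached
	for _, e := range ev {
		isRead, _ := path.Match(readGlob, e.ToolID)
		isPost, _ := path.Match(postGlob, e.ToolID)
		if isRead {
			reads = append(reads, e.At)
			for len(reads) > 0 && e.At.Sub(reads[0]) > window {
				reads = reads[1:] // slide the window forward
			}
			if len(reads) >= countMin {
				armedAt = e.At
			}
		} else if isPost && !armedAt.IsZero() && e.At.Sub(armedAt) <= within {
			hits = append(hits, e) // step 2 followed a bulk read closely enough
		}
	}
	return hits
}

// Sample builds constructed input: n reads by agent-a, then one post by agent-b.
func Sample(n int, gap time.Duration) []Event {
	at, ev := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC), []Event{}
	for i := 0; i < n; i++ {
		at = at.Add(time.Second)
		ev = append(ev, Event{"agent-a", "read_customer_record", at})
	}
	return append(ev, Event{"agent-b", "http/post", at.Add(gap)})
}

func main() {
	hits := Detect(Sample(50, 2*time.Minute), "read_customer_*", "http/post", 20, 30*time.Minute, 10*time.Minute)
	fmt.Println(len(hits), "alert(s)")
}
```

Neither agent's events match the rule alone: the reads come from `agent-a` and the post from `agent-b`, so the match only appears once both streams are correlated in one window.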
In-memory channel consumer for development, with interfaces for Kafka/NATS in production:
```go
consumer := sverm.NewChannelConsumer(1000)
go consumer.Consume(func(ev sverm.DPREvent) {
	engine.Process(ev)
})
consumer.Publish(event) // for testing
```

- Sequential pipeline governance
- Parallel fan-out budget attribution
- Orchestrator routing manifest enforcement
```
                 ┌─────────────────────────────────────────┐
                 │              Sverm Engine               │
                 │                                         │
Agent A DPR ─────► Event Consumer (Kafka/NATS/Channel)     │
Agent B DPR ─────► Cross-Agent Correlator                  │──► Alerts
Agent C DPR ─────► Sequence Pattern Evaluator              │──► DEFER Triggers
Agent N DPR ─────► Behavioral Anomaly Detector             │──► Dashboard
                 │                                         │
                 └─────────────────────────────────────────┘
```
| Product | Layer | Purpose |
|---|---|---|
| Core | L1 enforcement | Deterministic individual tool call governance |
| Tesseract | Pre-governance | Observe → generate policy |
| Sverm | L3 detection | Cross-agent behavioral analysis |
| Hub | Distribution | Policy pack registry |
| Horizon | Enterprise | Fleet management, compliance, SSO |
- Not a prevention system — it's detection + alerting (L3). Individual agent enforcement (L1) is Core's job.
- Not an agent runtime — it doesn't orchestrate agents or route messages. It observes and analyzes.
- Not a replacement for Core — every agent still needs its own Core enforcement.
Apache License 2.0 — see LICENSE.