Deterministic pre/post-condition guardrails for LLM agents. No model in the loop โ a contract either fires or it doesn't.
pip install "agent-contracts @ git+https://github.com/impartshadow/agent-contracts.git" ยท MIT ยท zero runtime deps
Every "guardrail" library asks another model to judge whether an action is safe. That's slow, non-deterministic, and unfalsifiable โ you can't unit-test a vibe. When an agent is about to write to /etc/passwd, leak an API key, or claim "done" with no work behind it, you don't want a second opinion. You want a hard stop.
We ran the scanner against the 27 most-used agent frameworks โ LangGraph, AutoGen, CrewAI, DSPy, llama_index, AutoGPT, OpenHands, aider and more. The single most common weakest dimension is secret handling: 12 of 27 score it lowest. Tests and CI are nearly universal; disciplined secret hygiene is not. See the full reliability leaderboard โ
# Wrap any agent action in a pre/post gate. The contracts are plain Python โ # no API call, no prompt, no latency tax. from agent_contracts import Registry, ActionContext, default_contracts reg = Registry(default_contracts()) ctx = ActionContext( action="tool_call", tool="write_file", params={"path": "/etc/passwd", "content": "x"}, ) result = reg.check_pre(ctx) print(result.blocked) # True print(result.violations[0].contract) # 'dangerous-path-guard' # โ the write never runs. Deterministic. Testable. Auditable.
Blocks writes to /etc, ~/, system paths.
Catches rm -rf / and destructive shell before it executes.
Stops AWS keys, tokens, and credentials in agent output.
Blocks "done โ shipped" with zero tool calls behind it.
Trips when an agent edits the same file 3+ times โ a flailing signal.
Replay a captured action log, emit SARIF for CI.
The real agent failures these contracts were built to catch.
Browser proof, local CLI block, and one CI-ready adoption test.
Honest comparison โ including when to use something else.
From install to first blocked action.
What this defends against, and what it explicitly doesn't.