agent-contracts.

Deterministic pre/post-condition guardrails for LLM agents. No model in the loop โ€” a contract either fires or it doesn't.

pip install "agent-contracts @ git+https://github.com/impartshadow/agent-contracts.git" ยท MIT ยท zero runtime deps

The problem

Every "guardrail" library asks another model to judge whether an action is safe. That's slow, non-deterministic, and unfalsifiable โ€” you can't unit-test a vibe. When an agent is about to write to /etc/passwd, leak an API key, or claim "done" with no work behind it, you don't want a second opinion. You want a hard stop.

The leaderboard

We ran the scanner against the 27 most-used agent frameworks โ€” LangGraph, AutoGen, CrewAI, DSPy, llama_index, AutoGPT, OpenHands, aider and more. The single most common weakest dimension is secret handling: 12 of 27 score it lowest. Tests and CI are nearly universal; disciplined secret hygiene is not. See the full reliability leaderboard โ†’

What it looks like

# Wrap any agent action in a pre/post gate. The contracts are plain Python โ€”
# no API call, no prompt, no latency tax.
from agent_contracts import Registry, ActionContext, default_contracts

reg = Registry(default_contracts())

ctx = ActionContext(
    action="tool_call", tool="write_file",
    params={"path": "/etc/passwd", "content": "x"},
)

result = reg.check_pre(ctx)
print(result.blocked)        # True
print(result.violations[0].contract)  # 'dangerous-path-guard'
# โ†’ the write never runs. Deterministic. Testable. Auditable.

What ships in the default pack

Dangerous path guard

Blocks writes to /etc, ~/, system paths.

Shell command guard

Catches rm -rf / and destructive shell before it executes.

Secret leak guard

Stops AWS keys, tokens, and credentials in agent output.

Unverified completion guard

Blocks "done โ€” shipped" with zero tool calls behind it.

Loop guard

Trips when an agent edits the same file 3+ times โ€” a flailing signal.

Action replay + SARIF

Replay a captured action log, emit SARIF for CI.

Dig deeper

Failure mode taxonomy โ†’

The real agent failures these contracts were built to catch.

First 10 minutes โ†’

Browser proof, local CLI block, and one CI-ready adoption test.

vs Guardrails AI / NeMo โ†’

Honest comparison โ€” including when to use something else.

60-second quickstart โ†’

From install to first blocked action.

Threat model โ†’

What this defends against, and what it explicitly doesn't.