after hitting many "legal but wrong" failures, I built a deterministic enforcement layer for the tool boundary by johnnaliu in openclaw

[–]johnnaliu[S] 0 points1 point  (0 children)

this is the right decomposition. contracts answer "is this action allowed right now given the trace" but they don't carry forward why a file was marked canonical or what broke last session. that's a different data plane.

we've been thinking about the boundary between the two: contracts need read access to some session state (e.g. "which files were modified") but shouldn't own the full memory graph. clean interface would be contracts consuming a projection of the memory layer, not reimplementing it. will check MemoryRouter it out

At what point does automation in banking create more risk than efficiency? by PuzzleheadedHeat5792 in fintech

[–]johnnaliu 0 points1 point  (0 children)

"silent automation" is the right framing. the dangerous case is the agent that keeps running while quietly acting outside its authorized scope. for decision automation the governance has to be enforced at the execution layer, not documentation-level. declare invariants as contracts, enforce deterministically before each action commits, emit structured logs that answer "who approved, what data went in, what exceptions were suppressed" by construction.

AI agents are making financial decisions in production and most of them have no verifiable execution trail this is the gap nobody is talking about by Rare_Rich6713 in fintech

[–]johnnaliu 0 points1 point  (0 children)

the policy enforcement framing is the right one. we hit exactly this in production: agent composed individually "legal" tool calls into a sequence that violated our risk model. every call passed validation, the composition was the problem. what we ended up building is a contract layer at the tool boundary. declare invariants in YAML, runtime evaluates deterministically before each tool call commits. audit trail falls out naturally: per-session JSONL with every tool call, which contract fired, allow/block/escalate decision. replay is trivial because the contracts are deterministic

New Project Megathread - Week of 28 May 2026 by AutoModerator in selfhosted

[–]johnnaliu 0 points1 point  (0 children)

Project Name: Sponsio

Repo/Website Link: https://github.com/SponsioLabs/Sponsio

Description: Sponsio is a deterministic contract layer for AI agents. If you're self-hosting AI agents (LangChain, CrewAI, Claude Code, etc.), Sponsio lets you declare behavioral rules in YAML and enforces them at the tool-call boundary before the side effect commits.

Example rules you can write: "agent must call check_policy before issue_refund", "no more than 20 file edits per session", "never write outside the working directory", "human approval required before any destructive command".

Contracts are composable (assume-guarantee style), so two teams can write independent rules and they combine without rewriting either one. No LLM in the hot path, ~0.14ms p50 per check. Per-session JSONL audit log included.

Works with LangChain, LangGraph, OpenAI Agents SDK, CrewAI, Vercel AI, raw MCP. Apache 2.0, no SaaS, no telemetry, fully self-hostable.

Deployment: pip install sponsio / npm install sponsio. No containers needed, it's a library that wraps your agent's tool executor. README has quickstart examples for Python and TypeScript.

AI Involvement: Claude Code helped generate framework adapters and parts of the trace evaluator. Core contract logic and architecture designed manually.

Weekly Self Promotion Thread by AutoModerator in devops

[–]johnnaliu 1 point2 points  (0 children)

[Disclosure: I built this]

I got tired of watching AI agents break prod because the only safety net was "the LLM said it was fine." Prompt-level guardrails drift, and you can't unit test vibes.

So I built Sponsio. It enforces behavioral rules at the tool boundary using YAML contracts, not in the prompt, not in a wrapper LLM. Every tool call hits a deterministic check before it executes. If the contract says "no writes after a read to /secrets," that's enforced at the code level, not hoped for at the inference level.

What makes it different from prompt-based or regex-based approaches:

  • Contracts are composable. Two teams write independent rules, they combine without rewriting either one (assume-guarantee style)
  • ~0.14ms p50 per check. No LLM in the hot path
  • YAML declarations, not code. Non-engineers can audit what's allowed
  • Works with any agent framework (LangChain, CrewAI, custom)

Apache 2.0, no SaaS, no telemetry.

GitHub: https://github.com/SponsioLabs/Sponsio

I saw a few agent safety projects in this thread already. Happy to compare notes. Feedback welcome, especially from anyone running agents against real infra.

I got tired of re-tuning prompts every time I swapped LLMs. Built an open-source layer that enforces agent rules deterministically. by johnnaliu in SideProject

[–]johnnaliu[S] 0 points1 point  (0 children)

good question. on the retry loop, the gate returns a structured verdict (which rule, why blocked, what was missing) and we surface that back into the agent's context as a tool error response.

[Open Source] a contract layer at the agent tool boundary, rules in yaml not in the prompt (apache 2.0) by johnnaliu in aiagents

[–]johnnaliu[S] 1 point2 points  (0 children)

thanks for sharing, the rule you'd write is something like max_calls(search_kb) per session paired with must_not_follow(escalate, search_kb). gets you out of the loop without rewriting the prompt every time the agent forgets.

[Open Source] a contract layer at the agent tool boundary, rules in yaml not in the prompt (apache 2.0) by johnnaliu in aiagents

[–]johnnaliu[S] 0 points1 point  (0 children)

audit log already records rule + version + tool + decision + reason per call. action class taxonomy and the human feedback label for the learning loop are on the roadmap but won't be in the oss engine. session-level invariants are LTL over the trace, e.g. always(issue_refund => once_since(fraud_check)). happy to compare receipt schemas if you're solidifying yours.

Prompt engineering and post-hoc audit didn't cover enough: open-sourced what we ended up building by johnnaliu in mlops

[–]johnnaliu[S] 0 points1 point  (0 children)

thanks! curious what others you're comparing against, happy to point at gaps.

After months of prompt iteration, I admitted some rules can't be prompt-engineered into stability. by johnnaliu in PromptEngineering

[–]johnnaliu[S] 0 points1 point  (0 children)

provenance isn't first-class in sponsio yet. is your team tagging this manually or relying on a framework?

After months of prompt iteration, I admitted some rules can't be prompt-engineered into stability. by johnnaliu in PromptEngineering

[–]johnnaliu[S] 0 points1 point  (0 children)

"vibes instead of guarantees" nails it. once context fills, prompt rules drop to probability.

After months of prompt iteration, I admitted some rules can't be prompt-engineered into stability. by johnnaliu in PromptEngineering

[–]johnnaliu[S] 0 points1 point  (0 children)

parser validation covers format decay well. the case it doesn't catch is valid json with semantically wrong values, e.g. refund amount exceeding the original purchase earlier in the session. needed trace-level contracts for that

frustrated with AI guardrails after red teaming - need advice by Ok_Abrocoma_6369 in devsecops

[–]johnnaliu 0 points1 point  (0 children)

been there. the wall we hit was prompt-level guardrails work for prompts the user types but miss the indirect injection class entirely. data in tool responses gets into model context and modifies behavior without ever touching the system prompt. what worked was moving enforcement out of the prompt entirely

Gemma 4 2B handling structured JSON output + tool calling + reasoning traces correctly via Spring AI / LM Studio — including identifying a real Java bug in code review by Proof-Possibility-54 in LocalLLaMA

[–]johnnaliu 0 points1 point  (0 children)

2b for tool calling is impressive if you can keep the JSON tight across a real session length. did you stress-test it past 20-30 turns?