Skip to main content

Open spec and conformance suite for proving AI-initiated production actions

Project description

AgentBoundary

An open spec and conformance suite for proving AI-initiated production actions.

AgentBoundary v0.1 conformance suite — 40 scenarios frozen (W10)

npx agentboundary run scenarios/
# or
uvx agentboundary run scenarios/

40 scenarios, 60 seconds, no signup, no Docker.

v0.1 is the stable spec. v0.2-alpha (draft) adds three optional fields — provenance, completeness_score, prior_receipt — for self-honest emission reporting and singly-linked chain-of-custody. See docs/spec/v0.2-alpha.md.

The problem AgentBoundary solves

Every agent framework can tell you what an agent did. None of them lets a third party — auditor, regulator, insurer, the team in the next building — verify what the agent was allowed to do, by whom, against which policy, with which arguments, with what outcome, without trusting the framework or model provider.

AgentBoundary defines an Action Receipt: a portable, tamper-evident JSON document emitted at the production action boundary (the moment an agent calls a tool that touches reality — merging a PR, refunding a charge, mutating a service). Receipts are content-addressed (receipt_hash = sha256(canonical_json(receipt))), bound to the arguments the agent actually executed against (arguments_hash), and reference the policy decision (allow / require-approval / deny / escalate) that authorized the action.

The conformance suite in this repo runs 40 deterministic scenarios — every test is named for the failure it prevents — and grades the receipts they emit against the v0.1 spec at Levels 1 through 4.

What's in the receipt

{
  "version": "agentboundary/v0.1",
  "receipt_id": "0192c8d0-1f2a-7c3e-bf2a-1a4d3f5e6c7b",
  "issued_at": "2026-06-15T14:23:08Z",
  "actor":  { "type": "agent", "id": "agent:claude-code:session/789abc", "display_name": "Claude Code" },
  "agent":  { "framework": "claude-code", "framework_version": "2.4.1", "model": "claude-opus-4-7", "model_version": "20260101" },
  "tool":   { "name": "github-mcp", "version": "0.7.0", "capability": "github.merge" },
  "target": { "system": "github.com/jamjet-labs/agentboundary", "environment": "prod", "resource_id": "pull/14" },
  "arguments_hash": "9698adaf2dca5f26a4f9644a8d0f4f34b5558bce09961f94e810fe3aaa9071aa",
  "policy": { "name": "agentboundary.repo.merges", "version": "2", "decision": "allow" },
  "execution": { "status": "success", "completed_at": "2026-06-15T14:23:09Z", "result_ref": "sha:b1c2d3e4f5a6" },
  "receipt_hash": "4d905d5dbc9faa4dafcb2155da9c4d5e1052cb23c680f3754d4ebc5800a4bae7"
}

This is docs/receipts/github-merge.json verbatim. The receipt_hash is the canonical SHA-256 of the body with receipt_hash excluded — recompute it yourself and the value matches.

What's here today

  • docs/spec/v0.1.md — the v0.1 specification (definitions, lifecycle, receipt requirements, conformance levels, versioning)
  • docs/spec/threat-model.md — adversaries, threats, mitigations, and conformance-level mapping
  • docs/spec/owasp-mapping.md — OWASP LLM Top 10 risks mapped to AgentBoundary conformance levels
  • docs/schemas/action-receipt-v0.1.json — Action Receipt JSON Schema (normative source for receipt syntax)
  • docs/schemas/action-receipt-v0.2-alpha.json — draft v0.2-alpha schema with optional provenance + completeness_score + prior_receipt fields
  • docs/receipts/ — three worked example receipts (GitHub merge, Spring service mutation, Stripe refund); each one's receipt_hash verifies under the spec
  • scenarios/ — 40 deterministic conformance scenarios driven by agentboundary run (v0.1 spec freeze: lifecycle + adversarial + positive boundaries + v0.2-alpha extensions + canonical-JSON + environment + honest-failure paths)
  • docs/spec/v0.2-alpha.md — draft v0.2 delta: optional provenance + completeness_score + prior_receipt fields for self-honest emission reporting and singly-linked chain-of-custody
  • adapters/ — translation layers from existing agent-governance products to AgentBoundary v0.2-alpha receipts (Microsoft AGT, Anthropic permission_policy, LangSmith Gateway, Cloudflare HITL); each adapter ships its own mapping.md, results.md, and smoke tests
  • src/agentboundary/ — Python reference implementation (validator, hashing, runtime, CLI)
  • npm/ — thin Node wrapper that dispatches to uvx, pipx, or python3 -m agentboundary

Comparison with other agent-governance products

Cross-vendor conformance matrix — 40 scenarios × JamJet reference + Microsoft AGT, Anthropic permission_policy, LangSmith Gateway, Cloudflare HITL

Each vendor adapter in adapters/ translates that vendor's normative artifact (or, where there isn't one, the documented-recommended capture shape) into an AgentBoundary v0.2-alpha receipt, runs all 40 scenarios against the result, and records what survives. Per-vendor results.md files document every PASS / PARTIAL / DOCS-ONLY / NOT COVERED with structural reasoning. The data table that drives the matrix lives in scripts/generate-comparative-matrix.py; the SVG above is a deterministic function of that table.

The framing in the comparative report is that AGT and AgentBoundary are closest peers (both artifact formats); Cloudflare HITL is a workflow primitive (durable approval gates), not an emitted-artifact format; LangSmith is the richest observability platform but deliberately leaves the audit schema to team convention; Anthropic ships the most layered runtime permission primitive but does not publish a portable audit-log schema. Comparison reveals that none of the four exposes a single-artifact verification pattern a third party can run without trusting the vendor's runtime — which is the gap this spec fills.

Read the full report:

Run the tests

pip install hatch
hatch test

155 fast tests cover the schema loader, validator, hashing, conformance checks (Levels 1-4 including v0.2-alpha completeness + chain integrity), runtime, scenarios loader, and CLI. 8 additional slow tests verify the published wheel behaves correctly under a clean install.

License

Apache 2.0 — see LICENSE.

Contributing

See CONTRIBUTING.md. All commits require DCO sign-off (git commit -s).

The spec is open. Implementations welcome.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

agentboundary-0.2.0a0.tar.gz (191.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

agentboundary-0.2.0a0-py3-none-any.whl (72.4 kB view details)

Uploaded Python 3

File details

Details for the file agentboundary-0.2.0a0.tar.gz.

File metadata

  • Download URL: agentboundary-0.2.0a0.tar.gz
  • Upload date:
  • Size: 191.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for agentboundary-0.2.0a0.tar.gz
Algorithm Hash digest
SHA256 ba45f1503c6dab4c26d5ebba4de9e4037bd1fce78e2f597a9eb1958d38260af8
MD5 d190a324e8d6be85f96018be3f45088a
BLAKE2b-256 32155eb352e67aa7af98228e2ceca399d4aa47d26d5dc96ce75bcadb849c8095

See more details on using hashes here.

Provenance

The following attestation bundles were made for agentboundary-0.2.0a0.tar.gz:

Publisher: release.yml on jamjet-labs/agentboundary

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file agentboundary-0.2.0a0-py3-none-any.whl.

File metadata

  • Download URL: agentboundary-0.2.0a0-py3-none-any.whl
  • Upload date:
  • Size: 72.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for agentboundary-0.2.0a0-py3-none-any.whl
Algorithm Hash digest
SHA256 c9e241b39ad5991253cc1376e4ed7661301bb6b029520fd3503bef72ac8a4e7e
MD5 b760a73fae7a15039375fe3e71fa01eb
BLAKE2b-256 54e00a3c5a9ae88bf8258b6c2d1d1d73f074f6dbd64108e711fcc096072c02bb

See more details on using hashes here.

Provenance

The following attestation bundles were made for agentboundary-0.2.0a0-py3-none-any.whl:

Publisher: release.yml on jamjet-labs/agentboundary

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page