Open spec and conformance suite for proving AI-initiated production actions
Project description
AgentBoundary
An open spec and conformance suite for proving AI-initiated production actions.
npx agentboundary run scenarios/
# or
uvx agentboundary run scenarios/
40 scenarios, 60 seconds, no signup, no Docker.
v0.1 is the stable spec. v0.2-alpha (draft) adds three optional fields — provenance, completeness_score, prior_receipt — for self-honest emission reporting and singly-linked chain-of-custody. See docs/spec/v0.2-alpha.md.
The problem AgentBoundary solves
Every agent framework can tell you what an agent did. None of them lets a third party — auditor, regulator, insurer, the team in the next building — verify what the agent was allowed to do, by whom, against which policy, with which arguments, with what outcome, without trusting the framework or model provider.
AgentBoundary defines an Action Receipt: a portable, tamper-evident JSON document emitted at the production action boundary (the moment an agent calls a tool that touches reality — merging a PR, refunding a charge, mutating a service). Receipts are content-addressed (receipt_hash = sha256(canonical_json(receipt))), bound to the arguments the agent actually executed against (arguments_hash), and reference the policy decision (allow / require-approval / deny / escalate) that authorized the action.
The conformance suite in this repo runs 40 deterministic scenarios — every test is named for the failure it prevents — and grades the receipts they emit against the v0.1 spec at Levels 1 through 4.
What's in the receipt
{
"version": "agentboundary/v0.1",
"receipt_id": "0192c8d0-1f2a-7c3e-bf2a-1a4d3f5e6c7b",
"issued_at": "2026-06-15T14:23:08Z",
"actor": { "type": "agent", "id": "agent:claude-code:session/789abc", "display_name": "Claude Code" },
"agent": { "framework": "claude-code", "framework_version": "2.4.1", "model": "claude-opus-4-7", "model_version": "20260101" },
"tool": { "name": "github-mcp", "version": "0.7.0", "capability": "github.merge" },
"target": { "system": "github.com/jamjet-labs/agentboundary", "environment": "prod", "resource_id": "pull/14" },
"arguments_hash": "9698adaf2dca5f26a4f9644a8d0f4f34b5558bce09961f94e810fe3aaa9071aa",
"policy": { "name": "agentboundary.repo.merges", "version": "2", "decision": "allow" },
"execution": { "status": "success", "completed_at": "2026-06-15T14:23:09Z", "result_ref": "sha:b1c2d3e4f5a6" },
"receipt_hash": "4d905d5dbc9faa4dafcb2155da9c4d5e1052cb23c680f3754d4ebc5800a4bae7"
}
This is docs/receipts/github-merge.json verbatim. The receipt_hash is the canonical SHA-256 of the body with receipt_hash excluded — recompute it yourself and the value matches.
What's here today
docs/spec/v0.1.md— the v0.1 specification (definitions, lifecycle, receipt requirements, conformance levels, versioning)docs/spec/threat-model.md— adversaries, threats, mitigations, and conformance-level mappingdocs/spec/owasp-mapping.md— OWASP LLM Top 10 risks mapped to AgentBoundary conformance levelsdocs/schemas/action-receipt-v0.1.json— Action Receipt JSON Schema (normative source for receipt syntax)docs/schemas/action-receipt-v0.2-alpha.json— draft v0.2-alpha schema with optionalprovenance+completeness_score+prior_receiptfieldsdocs/receipts/— three worked example receipts (GitHub merge, Spring service mutation, Stripe refund); each one'sreceipt_hashverifies under the specscenarios/— 40 deterministic conformance scenarios driven byagentboundary run(v0.1 spec freeze: lifecycle + adversarial + positive boundaries + v0.2-alpha extensions + canonical-JSON + environment + honest-failure paths)docs/spec/v0.2-alpha.md— draft v0.2 delta: optionalprovenance+completeness_score+prior_receiptfields for self-honest emission reporting and singly-linked chain-of-custodyadapters/— translation layers from existing agent-governance products to AgentBoundary v0.2-alpha receipts (Microsoft AGT, Anthropic permission_policy, LangSmith Gateway, Cloudflare HITL); each adapter ships its ownmapping.md,results.md, and smoke testssrc/agentboundary/— Python reference implementation (validator, hashing, runtime, CLI)npm/— thin Node wrapper that dispatches touvx,pipx, orpython3 -m agentboundary
Comparison with other agent-governance products
Each vendor adapter in adapters/ translates that vendor's normative artifact (or, where there isn't one, the documented-recommended capture shape) into an AgentBoundary v0.2-alpha receipt, runs all 40 scenarios against the result, and records what survives. Per-vendor results.md files document every PASS / PARTIAL / DOCS-ONLY / NOT COVERED with structural reasoning. The data table that drives the matrix lives in scripts/generate-comparative-matrix.py; the SVG above is a deterministic function of that table.
The framing in the comparative report is that AGT and AgentBoundary are closest peers (both artifact formats); Cloudflare HITL is a workflow primitive (durable approval gates), not an emitted-artifact format; LangSmith is the richest observability platform but deliberately leaves the audit schema to team convention; Anthropic ships the most layered runtime permission primitive but does not publish a portable audit-log schema. Comparison reveals that none of the four exposes a single-artifact verification pattern a third party can run without trusting the vendor's runtime — which is the gap this spec fills.
Read the full report:
jamjet.dev/blog/agent-action-control-40-tests— long-form write-upagentboundary.jamjet.dev/reports/2026-05-comparative— canonical report archive
Run the tests
pip install hatch
hatch test
155 fast tests cover the schema loader, validator, hashing, conformance checks (Levels 1-4 including v0.2-alpha completeness + chain integrity), runtime, scenarios loader, and CLI. 8 additional slow tests verify the published wheel behaves correctly under a clean install.
License
Apache 2.0 — see LICENSE.
Contributing
See CONTRIBUTING.md. All commits require DCO sign-off (git commit -s).
The spec is open. Implementations welcome.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file agentboundary-0.2.0a1.tar.gz.
File metadata
- Download URL: agentboundary-0.2.0a1.tar.gz
- Upload date:
- Size: 205.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0b517e3cf255a040c09f5de9a085239318968d63fa3fdd026a3f872ee5c4b981
|
|
| MD5 |
4a6624d647e4fd9e127ed23695fb7525
|
|
| BLAKE2b-256 |
9edc5fff794b3bdac1a3b54f60f421d09ae2bcf82269224c140f1b02cbd51b53
|
Provenance
The following attestation bundles were made for agentboundary-0.2.0a1.tar.gz:
Publisher:
release.yml on jamjet-labs/agentboundary
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
agentboundary-0.2.0a1.tar.gz -
Subject digest:
0b517e3cf255a040c09f5de9a085239318968d63fa3fdd026a3f872ee5c4b981 - Sigstore transparency entry: 1674917597
- Sigstore integration time:
-
Permalink:
jamjet-labs/agentboundary@758e925998d9f91d52ed669dc4f996c9c9889ab8 -
Branch / Tag:
refs/tags/v0.2.0-alpha.1 - Owner: https://github.com/jamjet-labs
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@758e925998d9f91d52ed669dc4f996c9c9889ab8 -
Trigger Event:
push
-
Statement type:
File details
Details for the file agentboundary-0.2.0a1-py3-none-any.whl.
File metadata
- Download URL: agentboundary-0.2.0a1-py3-none-any.whl
- Upload date:
- Size: 72.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
25fb78fc6079cece125eb57809a82efe3a7a547b40636c36e18fd431e0d07d06
|
|
| MD5 |
fee097edb533c56629798df56fd01320
|
|
| BLAKE2b-256 |
9d33438d268f5ff97a6d12561846a1c3c2dac0a317e9c0e7e09af7995bbf4cc0
|
Provenance
The following attestation bundles were made for agentboundary-0.2.0a1-py3-none-any.whl:
Publisher:
release.yml on jamjet-labs/agentboundary
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
agentboundary-0.2.0a1-py3-none-any.whl -
Subject digest:
25fb78fc6079cece125eb57809a82efe3a7a547b40636c36e18fd431e0d07d06 - Sigstore transparency entry: 1674917611
- Sigstore integration time:
-
Permalink:
jamjet-labs/agentboundary@758e925998d9f91d52ed669dc4f996c9c9889ab8 -
Branch / Tag:
refs/tags/v0.2.0-alpha.1 - Owner: https://github.com/jamjet-labs
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@758e925998d9f91d52ed669dc4f996c9c9889ab8 -
Trigger Event:
push
-
Statement type: