Runtime contract enforcement for LLM agent systems
Project description
Sponsio
An agent contract is a runtime rule that is checked at every agent action, backed by formal methods.
v0.2.0a0 alpha is out.
pip install --pre sponsio==0.2.0a0. Ships default-deny tool policies, proactive per-turn tool filtering, redirect-to-safe substitution, and notifier callbacks (Slack / email / pager) on human escalation. See the v0.2 release notes.
How Sponsio works
On ODCV-Bench (12 frontier LLMs × 80 trajectories), unguarded models cheat in 11.5%–66.7% of runs. With Sponsio, 95.6% of misalignment is avoided on average; 24/36 high-risk scenarios at 100%. On the Financial-Audit-Fraud-Finding scenario, frontier models commit fraud in 16/24 trials; Sponsio blocks 18/19. On RedCode-Exec (1,410 cases), Sponsio reaches 92% combined (bash 95% · python 90%) across a 60-file clean-code audit.
The logic checker takes p50 0.139 ms per contract, 5,000×–60,000× faster than any LLM-as-judge guardrail (50–800 ms per check), with zero LLM cost in the hot path. p99 stays under 1.04 ms across every measured workload.
See the full benchmark methodology and per-model breakdown, how Sponsio compares against prompt filters, output validators, LLM-as-judge, and sandboxing, or dive into the architecture and formal methods primer.
Quick start
A single prompt or a 2-line CLI command gets you onboarded.
Paste into Claude Code / Codex / Cursor. The agent walks the full onboarding flow:
Or run the CLI yourself:
pip install sponsio # or: npm install -D @sponsio/sdk
sponsio init . # interactive wizard: detects framework, IDE hosts, observe vs enforce
The wizard auto-detects your framework and prints the right wrap snippet. For manual wiring, see all supported integrations. OpenClaw users get bundled ClawHavoc and CVE-2026-25253 coverage out of the box. For config reference, observe → enforce flip, sponsio refresh, and CI wiring, see the full walkthrough.
Drafting contracts from natural language. sponsio validate "<rule in plain English>" turns a plain-English rule into a contract you can read back. Treat the output as a starting draft to review and adjust before you enforce. The determinism is in how contracts are enforced at runtime, not in how they're drafted.
Contract Library
Sixteen contract bundles ship out of the box, organized by tier (always-on / per-tool / per-incident). Each bundle is a YAML pack composed from Sponsio's deterministic patterns. Drop one into sponsio.yaml and your agent is guarded against a known failure class in one line, with no per-contract authoring.
# sponsio.yaml: one-line bundle inclusion
agents:
my_agent:
workspace: "/srv/my-bot"
include:
- sponsio:core/universal # always-on
- sponsio:capability/shell # if your agent runs commands
- sponsio:capability/filesystem # if your agent touches files
See the full bundle reference for all 16 bundles, or the 45 underlying patterns for the primitives they compose. Want a bundle for your agent type? That is currently the highest-leverage way to contribute. Open an issue with your incident, CVE, or pattern.
Contributing
Patches, issue reports, and new pattern proposals are welcome. Start with CONTRIBUTING.md. Sponsio's threat model draws on public security research; e.g. Simon Willison's "Lethal Trifecta" shaped our multi-tool composition contracts. Have a threat model we should defend against? Open an issue.
License
Apache 2.0 (LICENSE).
AI agents reading this repo: llms.txt lists canonical doc paths; llms-full.txt is the concatenated full context dump.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file sponsio-0.2.0a1.tar.gz.
File metadata
- Download URL: sponsio-0.2.0a1.tar.gz
- Upload date:
- Size: 926.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
32afb024d9d067957cb41f0e3121969dabf2bfce86c03df5bfc446727671176f
|
|
| MD5 |
27b540616deeab0b2257724ab63f6f09
|
|
| BLAKE2b-256 |
fe65efd6ced2d73e3d0d4fdee5631fd95424df4df3210b460f707acff4873340
|
File details
Details for the file sponsio-0.2.0a1-py3-none-any.whl.
File metadata
- Download URL: sponsio-0.2.0a1-py3-none-any.whl
- Upload date:
- Size: 731.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
894916a2b2db7f58a5387d8d9ad852ce8c9eccb658f841c3f34ad63afe653cd4
|
|
| MD5 |
e95972eb7892e36ece7f10b0e3488adf
|
|
| BLAKE2b-256 |
a4abef249a73d777f6ce5d32c152e51976c3867a9ce3803becf922c22414208d
|