Your AI agent has tool access. What enforces the boundaries?
Prompts are suggestions.
Rules are enforcement.
Runtime rule enforcement for AI agent tool calls.
Rules are evaluated in your runtime, not in the model's context window. No prompt injection or jailbreak can override them. Fail-closed by default.
pip install edictum[yaml]pnpm add @edictum/corego get github.com/edictum-ai/edictum-goGet started
See your first blocked call in 60 seconds.
The .env file was never read. The evaluation took 55us. The decision log recorded everything.
1. The block
result = guard.evaluate("read_file", {"path": ".env"})
print(result.decision) # → block
print(result.block_reasons[0]) # → "Sensitive file '.env' blocked."2. Three lines of code
from edictum import Edictum
guard = Edictum.from_template("file-agent")
# Done. Full enforcement.import { Edictum } from "@edictum/core"
const guard = Edictum.fromYaml("rules.yaml")
// Done. Full enforcement.import "github.com/edictum-ai/edictum-go/guard"
g, _ := guard.FromYAML("rules.yaml")
// Done. Full enforcement.3. Install
pip install edictum[yaml]pnpm add @edictum/corego get github.com/edictum-ai/edictum-gofile-agent
Block sensitive file reads and destructive bash commands
3 rulesresearch-agent
Session limits and PII detection for research workflows
3 rulesdevops-agent
Production deploy gates, ticket requirements, role checks
6 rulesnanobot-agent
HITL approvals for shell exec, sub-agent spawning, MCP tools
5 rulesFramework adapters
Same ruleset. Same effects. Zero lock-in.
Before
from langgraph.prebuilt import ToolNode, create_react_agent
tool_node = ToolNode(tools=tools)
agent = create_react_agent(model, tools=tool_node)
result = agent.invoke({"input": prompt})After — 3 lines added
from edictum import Edictum
from edictum.adapters.langchain import LangChainAdapter
from langgraph.prebuilt import ToolNode, create_react_agent
guard = Edictum.from_yaml("rules.yaml")
adapter = LangChainAdapter(guard)
tool_node = ToolNode(tools=tools, wrap_tool_call=adapter.as_tool_wrapper())
agent = create_react_agent(model, tools=tool_node)
result = agent.invoke({"input": prompt})as_tool_wrapper() — same ruleset, same effects
LangChain docsCanonical CLI
Validate rulesets in CI. Use the Go CLI for Gate and command-line workflows.
$ go install github.com/edictum-ai/edictum-go/cmd/edictum@latest
$ edictum validate rules/
$ edictum check rules.yaml --tool Read --args '{"path":"README.md"}'
$ edictum gate run --format raw -- ./tool-runnerEdictum Gate
Govern your coding assistant.
Pre-execution governance for AI coding assistants. Gate evaluates every tool call against local rules and optional workflow state before the runner executes it.
go install github.com/edictum-ai/edictum-go/cmd/edictum@latest
edictum gate init # configure rules, workflow, and assistant hooksSelf-protection
Rules prevent the assistant from editing Gate config, hook wiring, or protected policy files.
Scope enforcement
Write and edit operations outside the active project root are blocked or logged.
Secret redaction
API keys, SSH keys, and tokens are redacted from the local audit WAL before they hit disk.
Skill scanner
Scan SKILL.md content and helper code for dangerous patterns before you trust a plugin or registry entry.
Ed25519 signing
Verify signed rulesets before enforcement so pushed policy changes are tamper-evident.
Control Plane sync
Flush buffered audit events to the control plane when a server URL and API key are configured.
Governing OpenClaw
Edictum governs OpenClaw with a production ruleset covering exfiltration, tampering, destructive commands, and prompt injection across the real execution path.
Skill scanning flagged live C2 malware.
Deterministic scanning caught a backdoored MCP server before execution.
Multi-language
One ruleset. Every language.
Write YAML rules once. Enforce identically in Python, TypeScript, and Go. Full API parity across all three SDKs.
Python
v0.17.0pip install edictum[yaml]- 8 framework adapters
- Full ruleset parity
- MIT licensed
TypeScript
v0.4.2pnpm add @edictum/core- 5 framework adapters
- Full ruleset parity
- MIT licensed
Go
v0.4.0go get github.com/edictum-ai/edictum-go- 5 framework adapters
- Full ruleset parity
- MIT licensed
Adoption path
Deploy with zero risk. Enforce when ready.
System prompts
- Safety rules live in the prompt
- LLM self-policing
- No visibility
- No audit trail
Observe mode
- Full audit trail
- Zero enforcement risk
- CALL_WOULD_DENY logs
- See before you act
Enforce mode
- Deterministic decisions
- Fail-closed by default
- Full audit trail
- Full pipeline
Session limits
Cap total calls, per-tool calls, and attempts per session.
Sandbox enforcement
Restrict file access to allowed paths. Deny outside.
Principal identity
Role-based rules. Different principals, different permissions.
Pipeline architecture
Pre, post, session, sandbox — evaluated in order.
Hosted Control Plane
See everything. Control everything.
Hot-reload rulesets
Push new rulesets via SSE. No agent restarts.
Human-in-the-loop approvals
Approve or deny from Telegram or the hosted control plane.
Per-agent run detail
Inspect recent runs, health, workflow state, and pending approvals for one agent.
Ruleset replay
Compare saved ruleset versions against recent sessions before promoting a change.
Notification routing
Telegram, Slack, Discord, and generic webhook channels. Telegram is interactive today.
Audit and API keys
Review workspace audit history and issue or revoke workspace API keys from settings.
Mind the GAP: Text Safety Does Not Transfer to Tool-Call Safety
arXiv:2602.16943 — 6 frontier LLMs | 17,420 datapoints | 6 regulated domains
15 attack patterns. 1 real bypass.
Patched in 6 minutes.
We red-teamed Edictum with 15 adversarial
strategies. Only one got through — and we
fixed it with a 2-line YAML change.
OSS
MITFree
- Python, TypeScript, Go SDKs
- Framework adapters
- Go CLI + Gate runtime
- Ruleset templates
pip install edictum[yaml]pnpm add @edictum/corego get github.com/edictum-ai/edictum-goPython v0.17.0 · TypeScript v0.4.2 · Go v0.4.0 · MIT licensed · Zero runtime dependencies