Contract templates
One line to load.
Full enforcement in seconds.
Pre-built contract bundles for common agent patterns. Load a template, customize later.
Built-in templates
Ready to use. Zero config.
file-agent
3 contracts
Block sensitive file reads and destructive bash commands
guard = Edictum.from_template("file-agent")
- Block reads to /etc/passwd, /etc/shadow, .env
- Block destructive bash: rm -rf, sudo, curl|sh
- Sandbox file access to workspace directory
research-agent
3 contracts
Session limits and PII detection for research workflows
guard = Edictum.from_template("research-agent")
- Session limit: 100 tool calls, 200 attempts
- PII detection in tool output (SSN, email, phone)
- Rate limit web_search to 20 calls per session
devops-agent
6 contracts
Production deploy gates, ticket requirements, role checks
guard = Edictum.from_template("devops-agent")
- Require ticket reference for production deploys
- Block kubectl delete in production namespace
- Role check: only SRE can run destructive ops
- Credential protection: redact AWS keys, tokens
nanobot-agent
5 contracts
HITL approvals for shell exec, sub-agent spawning, MCP tools
guard = Edictum.from_template("nanobot-agent")
- Human-in-the-loop approval for shell_exec with dangerous patterns
- Block sub-agent spawning without contracts
- Human-in-the-loop approval for unknown MCP tool servers
- Secret redaction from all tool output
- Session limits: 10 shell, 5 spawn, 100 total
Industry scenarios
Real-world contract patterns.
Pharma
LangGraph + FastAPI
Clinical trial data management with AI agents
- Role-based access: researcher vs monitor vs admin
- PII redaction: patient IDs, names, DOBs
- Unblinding prevention: treatment arm access blocked
Fintech
CrewAI + FastAPI
Automated trading and portfolio management
- Trade amount limits ($50K threshold)
- Account access by role: trader vs analyst
- Mandatory compliance report generation
- 4 roles: trader, analyst, compliance, admin
DevOps
OpenAI Agents + MCP
Infrastructure automation with AI agents
- Block destructive: rm -rf, DROP TABLE
- Credential protection: redact AWS/GCP keys
- Production deploy gates with ticket refs
- Environment-aware: staging vs production rules
Customer Support
LangChain + Nanobot
AI-powered customer service agents
- PII redaction in all responses
- Refund limit: $100 auto, above needs approval
- Billing system access restricted by role
- Escalation rules for sensitive topics
apiVersion: edictum/v1
kind: ContractBundle
metadata:
  name: my-agent
defaults:
  mode: enforce
contracts:
  - id: block-sensitive-files
    type: pre
    tool: read_file
    when:
      args.path:
        matches_any:
          - '\.env$'
          - '/etc/passwd'
    then:
      effect: deny
      message: "Access to sensitive file blocked."
      tags: [security, files]
Custom contracts
Custom contracts in minutes.
apiVersion
Always edictum/v1. Versioned schema for forward compatibility.
kind
ContractBundle — one or more contracts in a single file.
defaults
Set enforce or audit mode for all contracts in the bundle.
contracts
Array of rules: type, tool, when conditions, then effects.
15 operators
equals, matches, contains, gt/lt, exists, regex, and more. Plus custom operators.
Boolean logic
Combine conditions with all, any, not. Nest them for complex rules.
Side-effect classification
Tools marked as PURE, READ, WRITE, or IRREVERSIBLE. Postconditions adapt accordingly.
Skills file
Coming soon — AI agents will generate contracts for your specific setup.
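To make the contract fields and the all / any / not logic described above concrete, the following Python is an added example, not Edictum's own code. The names resolve, holds, decide and read are hypothetical, and two behaviours are assumptions: matches_any is modelled as a regex search, and a condition on a missing argument is treated as not matching.

```python
import re

# Illustrative model of the bundle format on this page; not Edictum's own code.
# Assumption: matches_any applies each pattern with regex search semantics.
OPERATORS = {
    "contains": lambda value, want: want in str(value),
    "matches_any": lambda value, pats: any(re.search(p, str(value)) for p in pats),
}
_MISSING = object()

def resolve(call, selector):
    """Walk a dotted selector such as 'args.path' through the tool call."""
    node = call
    for key in selector.split("."):
        node = node.get(key, _MISSING) if isinstance(node, dict) else _MISSING
    return node

def holds(cond, call):
    """Evaluate a `when` tree: all / any / not over leaves (absent args never match)."""
    if "all" in cond:
        return all(holds(c, call) for c in cond["all"])
    if "any" in cond:
        return any(holds(c, call) for c in cond["any"])
    if "not" in cond:
        return not holds(cond["not"], call)
    for selector, tests in cond.items():
        value = resolve(call, selector)
        if value is _MISSING or not all(
                OPERATORS[op](value, want) for op, want in tests.items()):
            return False
    return True

def decide(contract, call):
    """Return the contract's effect if it applies to this call, else 'allow'."""
    if call["tool"] == contract["tool"] and holds(contract["when"], call):
        return contract["then"]["effect"]
    return "allow"

# The page's contract, transcribed as a dict.
BLOCK_SENSITIVE = {
    "id": "block-sensitive-files", "type": "pre", "tool": "read_file",
    "when": {"args.path": {"matches_any": [r"\.env$", "/etc/passwd"]}},
    "then": {"effect": "deny", "message": "Access to sensitive file blocked."},
}

def read(path):  # constructed sample tool call
    return {"tool": "read_file", "args": {"path": path}}

for p in ("/app/.env", "/etc/passwd", "/app/.env.local", "/app/README.md"):
    print(p, "->", decide(BLOCK_SENSITIVE, read(p)))
```

Under these assumptions `\.env$` denies `/app/.env` but not `/app/.env.local`, so run a new bundle against the paths you expect it to deny before relying on it.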