Skip to content
/ EnforceCore Public

EnforceCore is a lightweight, policy-driven runtime enforcement framework for agentic AI systems.

License

Apache-2.0 license
3 stars 2 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

akios-ai/EnforceCore

BranchesTags

Repository files navigation

EnforceCore

EnforceCore

The runtime enforcement layer for agentic AI systems.
Policy-driven · Fail-closed · Tamper-proof audit trails

CI Python License Coverage Tests

Quick Start · Architecture · Roadmap · API Reference · Contributing

The Problem

Most agent safety solutions operate at the prompt level — they ask the LLM to be safe. This is fundamentally broken: prompts can be bypassed, jailbroken, or ignored.

EnforceCore operates at the runtime boundary — the moment before a tool or API is actually called. At this layer, enforcement is mandatory, not advisory. If a call violates policy, it never executes. Period.

from enforcecore import enforce

@enforce(policy="policies/strict.yaml")
async def search_web(query: str) -> str:
    """This call is policy-enforced before execution."""
    return await api.search(query)

Why EnforceCore?

Prompt Guardrails EnforceCore
Layer Inside the LLM Runtime call boundary
Bypassable? Yes (jailbreaks, prompt injection) No (code-level enforcement)
Auditable? No Yes (Merkle-chained trails)
Provable? No Yes (structurally impossible violations)
EU AI Act ready?

EnforceCore vs. OS-level security: EnforceCore operates at the application semantic layer — it understands tool calls, PII, and cost budgets. It does not replace SELinux, AppArmor, seccomp, or container sandboxing. These are complementary — use both for defense-in-depth.

Architecture

        Agent (LangGraph / CrewAI / AutoGen / Python)
                          │
                    tool_call(args)
                          │
              ┌───────────▼───────────┐
              │   @enforce(policy=…)   │
              └───────────┬───────────┘
                          │
              ┌───────────▼───────────┐
              │       Enforcer         │
              │                        │
              │  ┌─────┐ ┌─────────┐  │
              │  │Policy│ │Redactor │  │
              │  │Engine│ │ (PII)   │  │
              │  └──┬──┘ └────┬────┘  │
              │     │         │        │
              │  ┌──▼──┐ ┌───▼─────┐  │
              │  │Audit │ │ Guard   │  │
              │  │Trail │ │(Limits) │  │
              │  └──────┘ └─────────┘  │
              └───────────┬───────────┘
                          │
                   ✅ allowed → execute
                   ❌ blocked → raise
Policy EngineDeclarative YAML policies — allowed tools, denied tools, violation handling
EnforcerIntercepts every call, evaluates policy, blocks or allows
RedactorReal-time PII detection and redaction on inputs & outputs
AuditorTamper-proof Merkle-tree audit trail for every enforced call
GuardResource limits (time, memory, cost) with hard kill switch

Quick Start

Install

pip install enforcecore

1. Define a Policy

# policy.yaml
name: "my-agent-policy"
version: "1.0"

rules:
  allowed_tools:
    - "search_web"
    - "calculator"
    - "get_weather"
  denied_tools:
    - "execute_shell"
  max_output_size_bytes: 524288   # 512KB

on_violation: "block"

2. Protect Your Tools

from enforcecore import enforce

# Decorator — sync or async, just works
@enforce(policy="policy.yaml")
async def search_web(query: str) -> str:
    return await api.search(query)

@enforce(policy="policy.yaml")
def calculator(expr: str) -> float:
    return eval(expr)  # safe because policy-gated

3. See It Work

# ✅ Allowed — tool is in the allowed list
result = await search_web("latest AI papers")

# ❌ Blocked — tool not allowed, raises ToolDeniedError
@enforce(policy="policy.yaml")
async def execute_shell(cmd: str) -> str:
    return subprocess.run(cmd, capture_output=True).stdout

4. Programmatic Control

from enforcecore import Enforcer, Policy

policy = Policy.from_file("policy.yaml")
enforcer = Enforcer(policy)

# Direct invocation (sync)
result = enforcer.enforce_sync(my_tool, arg1, arg2, tool_name="my_tool")

# Direct invocation (async)
result = await enforcer.enforce_async(my_tool, arg1, tool_name="my_tool")

📖 See examples/quickstart.py for a complete runnable demo.

Framework Integrations

EnforceCore works with any Python-based agent system — no lock-in:

Framework Status Example
Plain Python ✅ Available @enforce() decorator
LangGraph ✅ Available @enforced_tool(policy="...")
CrewAI ✅ Available @enforced_tool(policy="...")
AutoGen ✅ Available @enforced_tool(policy="...") 
# LangGraph — one-line enforcement
from enforcecore.integrations.langgraph import enforced_tool

@enforced_tool(policy="policy.yaml")
def search(query: str) -> str:
    """Search the web."""
    return web_search(query)

# CrewAI
from enforcecore.integrations.crewai import enforced_tool

@enforced_tool(policy="policy.yaml")
def calculator(expr: str) -> str:
    """Calculate."""
    return str(eval(expr))

# AutoGen
from enforcecore.integrations.autogen import enforced_tool

@enforced_tool(policy="policy.yaml", description="Search the web")
async def search(query: str) -> str:
    return await web_search(query)

No hard dependencies on any framework — adapters use optional imports.

Key Design Principles

  • 🔒 Fail-closed — if enforcement fails, the call is blocked. Never fails open.
  • ⚡ Async-native — first-class support for both sync and async from day one.
  • 🌍 Cross-platform — core works on Linux, macOS, and Windows. Advanced Linux hardening optional.
  • 📦 Zero lock-in — no hard dependency on any agent framework.
  • 📊 Honest benchmarks — real overhead numbers, not marketing claims.

Performance

Measured with 1 000 iterations + 100 warmup on Apple Silicon (arm64), Python 3.13. Run python -m benchmarks.run for your hardware. See docs/benchmarks.md for methodology.

Component P50 (ms) P99 (ms)
Policy evaluation 0.012 0.228
PII redaction (short) 0.028 0.275
PII redaction (~2KB) 0.129 0.220
Audit entry (write) 0.068 0.232
Audit chain verify (100 entries) 1.114 1.457
Resource guard < 0.001 < 0.001
Rate limiter < 0.001 0.002
Secret detection 0.012 0.017
Full enforcement (E2E) 0.056 0.892
E2E + PII redaction 0.093 0.807

Negligible compared to tool call latency (100ms–10s for API calls).

Roadmap

Release Focus Status
v1.0.0a1 Core Enforcer + Policy Engine ✅ Shipped
v1.0.1a1 PII Redactor ✅ Shipped
v1.0.2a1 Merkle Audit Trail ✅ Shipped
v1.0.3a1 Resource Guard + KillSwitch ✅ Shipped
v1.0.4a1 Framework Integrations ✅ Shipped
v1.0.5a1 Evaluation Suite ✅ Shipped
v1.0.6a1 Hardening + Polish ✅ Shipped
v1.0.7a1 Plugin & Extensibility ✅ Shipped
v1.0.8a1 Deep Inspection & Network Control ✅ Shipped
v1.0.9a1 CLI & Policy Tooling ✅ Shipped
v1.0.10a1 Observability & Telemetry ✅ Shipped
v1.0.11a1 Documentation & Academic Foundation ✅ Shipped
v1.0.12a1 Threat Model & Compliance Mapping ✅ Shipped
v1.0.13a1 Formal Verification & Property Testing ✅ Shipped
v1.0.14a1 Reproducible Benchmarks & Evaluation ✅ Shipped
v1.0.15a1 End-to-End Examples & Integration ✅ Shipped
v1.0.16a1 API Freeze & Stability Audit ✅ Shipped
v1.0.17a1 Adversarial Scenario Expansion ✅ Shipped
v1.0.18a1 Security Landscape & Positioning ✅ Shipped
v1.0.19a1 Pre-Release Polish & Community ✅ Shipped
v1.0.20a1 Packaging & Publication 📋 Planned
v1.0.0 Stable Release 🎯 Target

See docs/roadmap.md for detailed scope of each release.

Documentation
📐 Architecture Technical design and component overview
🗺️ Roadmap v1.0.x incremental release plan
🔧 API Design Public API surface and patterns
API Reference Auto-generated docs (MkDocs)
🛠️ Developer Guide Setup, standards, and workflow
🧪 Tech Stack Technology choices and rationale
📊 Evaluation Adversarial scenarios, benchmarks, and reports
📄 Related Work Survey and academic positioning
🛡️ Defense-in-Depth Security layer architecture and deployment stacks
🧭 Tool Selection When to use EnforceCore vs. OS-level security
FAQ Frequently asked questions
🔍 Troubleshooting Common errors and debugging tips
🌍 Vision Why EnforceCore exists
🤝 Contributing How to contribute
Code of Conduct Community standards
�🔒 Security Vulnerability reporting policy

For Researchers

EnforceCore applies established computer science principles — runtime verification, reference monitors, information-flow control — to the novel problem of AI agent safety. We welcome academic collaboration.

  • 📄 Related Work — survey of runtime verification for AI agents, positioning vs. NeMo Guardrails, LlamaGuard, and others
  • 📑 CITATION.cff — machine-readable citation metadata (how to cite)
  • 🔬 Open Research Questions — policy composition, temporal properties, adversarial robustness
  • 🧪 Evaluation Suite — reproducible adversarial benchmarks with 20 scenarios across 10 threat categories
  • 📐 Architecture — formal design with Mermaid diagrams

Citation

@software{enforcecore2026,
  title  = {EnforceCore: Runtime Enforcement Layer for Agentic AI Systems},
  author = {{AKIOS AI}},
  year   = {2026},
  url    = {https://github.com/akios-ai/EnforceCore},
  license = {Apache-2.0}
}

For Enterprises

EnforceCore is designed for production deployment in regulated environments.

Concern EnforceCore Feature
Audit compliance Merkle-chained, tamper-evident audit trails
Data protection Real-time PII redaction (11 categories)
Cost control Per-call and cumulative cost budgets
Access governance Declarative tool allow/deny policies
Network control Domain allowlisting with wildcard support
Rate limiting Per-tool, per-window, global rate caps
Incident response Structured violation events + webhook alerts
EU AI Act Designed for Article 9, 13, 14, 15 alignment
  • 🔒 Fail-closed by default — if enforcement fails, the call is blocked
  • 📦 No vendor lock-in — Apache 2.0, works with any agent framework
  • 🌍 Cross-platform — Linux, macOS, Windows (advanced Linux hardening optional)
  • 📊 Observability — OpenTelemetry traces, Prometheus-compatible metrics

Development

# Clone
git clone https://github.com/akios-ai/EnforceCore.git
cd EnforceCore

# Setup
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"

# Test
pytest --cov=enforcecore

# Lint
ruff check . && ruff format --check .

Current stats: 1461 tests · 96% coverage · 0 lint errors

Acknowledgements

EnforceCore builds on a foundation of prior work in computer science and AI safety:

  • Runtime Verification — Leucker & Schallhart (2009), Havelund & Goldberg (2005)
  • Reference Monitors — Anderson (1972) for the tamperproof, always-invoked enforcement model
  • Information Flow Control — Sabelfeld & Myers (2003) for the PII boundary model
  • Audit Integrity — Merkle (1987), Crosby & Wallach (2009) for hash-chained tamper evidence
  • Agent Containment — Armstrong et al. (2012), Babcock et al. (2016) for the containment framing
  • Microsoft Presidio — for production-grade PII detection
  • EU AI Act (2024) — Articles 9, 13, 14, 15 directly shaped the design

See CONTRIBUTORS.md and docs/related-work.md for full citations.

Legal

EnforceCore is provided "as is", without warranty of any kind. See DISCLAIMER.md for full legal terms.

EnforceCore is a technical tool, not a compliance certification. Using EnforceCore does not guarantee regulatory compliance. Always consult qualified legal counsel for compliance requirements.

License

Apache 2.0 — free for open-source and commercial use.

Copyright 2025–2026 akios-ai. See LICENSE for details.

About

EnforceCore is a lightweight, policy-driven runtime enforcement framework for agentic AI systems.

Topics

sandboxing merkle-tree seccomp ai-safety policy-engine pii-redaction trustworthy-ai runtime-enforcement agentic-ai eu-ai-act

Resources

Readme

License

Apache-2.0 license

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity

Stars

3 stars

Watchers

0 watching

Forks

2 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages