AKIOS
EnforceCore
Lightweight, open-source runtime enforcement for any Python-based AI agent.
Current release: v1.0.1 (stable) — Production-ready, first stable API, 1,510 tests, 22 formal invariants. Available on PyPI.
EnforceCore is a modular enforcement framework that intercepts every external call your agent makes — tool calls, API requests, file access — and applies mandatory policy checks, PII redaction, secret scanning, content rule enforcement, rate limiting, resource limits, and tamper-proof audit logging.
It operates at the runtime call boundary — the only layer that cannot be jailbroken, bypassed, or prompt-injected away. The @enforce() decorator acts as a runtime monitor in the tradition of runtime verification: an observer that intercepts system events, evaluates them against a specification, and emits a verdict before the action is allowed to proceed.
Why EnforceCore
The AI agent ecosystem is racing to build more capable autonomous systems. But almost nobody is building the control layer.
Most "safety" solutions are prompt-level guardrails — suggestions to the LLM that can be bypassed, ignored, or jailbroken. They operate at the wrong layer.
EnforceCore enforces at the code boundary. Policies are mandatory, not advisory. If a call violates policy, it is blocked — before it ever executes.
| Prompt Guardrails | EnforceCore | |
|---|---|---|
| Layer | Inside the LLM | Runtime call boundary |
| Bypassable? | Yes (jailbreaks, prompt injection) | No (code-level enforcement) |
| Auditable? | No | Yes (Merkle-chained trails) |
| Property-tested? | No | Yes (22 Hypothesis properties) |
| EU AI Act aligned? | No | Yes (see disclaimer) |
Enforce, don't suggest
Policies are mandatory. A denied tool call never executes. There is no "override" prompt.
Framework-agnostic
Works with LangGraph, CrewAI, AutoGen, or plain Python. No lock-in.
Verifiable
Every enforced call produces a SHA-256 Merkle-chained audit entry. The full trail is tamper-proof and cryptographically verifiable. 22 formal properties are verified via Hypothesis property-based testing on every CI run.
Lightweight
~0.056 ms E2E overhead (P50). Negligible compared to tool call latency (100 ms–10 s).
EnforceCore vs. OS-level security: EnforceCore operates at the application semantic layer — it understands tool calls, PII, and cost budgets. It does not replace SELinux, AppArmor, seccomp, or container sandboxing. These are complementary — use both for defense-in-depth.
Core Components
| Component | What it does |
|---|---|
| Policy Engine | Declarative YAML + Pydantic v2 policies. Allowed/denied tools, conditions, violation handling. Policy composition with extends: and Policy.merge(). |
| PII Redactor | Regex-based detection of 6 PII categories. Auto-redacts inputs and outputs. Unicode hardening (NFC, homoglyphs, URL/HTML decoding). ~0.1–0.5 ms per call. |
| Secret Scanner | 11 built-in secret categories (AWS keys, GitHub tokens, GCP service accounts, Azure connection strings, database URIs, SSH keys, and more). Custom patterns via PatternRegistry. Shannon entropy filtering for false-positive reduction. |
| Content Rules Engine | 4 built-in rule categories: shell injection, path traversal, SQL injection, code execution. Extensible via RuleEngine. |
| Rate Limiter | Per-tool and global sliding-window rate limiting. Prevents runaway agents from exceeding call budgets. |
| Network Enforcement | DomainChecker with wildcard allow/deny lists. Block unauthorized outbound connections at the policy level. |
| Merkle Auditor | SHA-256 chained audit trail. Every call logged. Tamper detection built in. 4 pluggable backends (JSONL, Null, Callback, Multi). OS-enforced append-only files (chattr +a / chflags uappend). 3 witness backends (Callback, File, Log) for hash-only remote tamper detection. Audit rotation with gzip compression. JSON-safety validation on every entry. |
| Resource Guard | Time limits, memory limits, cost tracking. Cross-platform (Linux, macOS, Windows). Shared thread pool, leak detection. |
| Hook System | 4 lifecycle hooks (pre-call, post-call, violation, redaction) with decorators and HookRegistry. Build custom observability pipelines. |
| CLI | 6 commands: info, validate, verify, eval, dry-run, inspect. Validate policies and audit trails from the terminal. |
| Observability | OpenTelemetry integration (EnforceCoreMetrics + EnforceCoreInstrumentor). Event webhooks for violation/cost/audit events. |
| Integration Adapters | Drop-in adapters for LangGraph, CrewAI, AutoGen. ~20–50 lines each. |
| Evaluation Suite | 20 adversarial scenarios across 10 threat categories. 15-benchmark suite with P50/P95/P99/P99.9 stats. |
Install
pip install enforcecore
Python 3.11+ required. No heavy dependencies — Pydantic v2, PyYAML, structlog, cryptography.
Note: EnforceCore is currently in beta (v1.0.0b5). The 30-symbol public API is frozen — no additions or removals until v2.0.0. All 110 original symbols remain importable for backwards compatibility, but the stable contract covers the 30 Tier 1 symbols.
Get Started
from enforcecore import enforce
@enforce(policy="policy.yaml")
async def search_web(query: str) -> str:
return await api.search(query)
# If "search_web" is not in allowed_tools -> blocked. Period.
# PII in query -> auto-redacted before the call.
# Every call -> cryptographic audit entry.
See the Quick Start guide for a full walkthrough — policy setup, lifecycle hooks, audit verification, and tamper-evidence hardening in under 5 minutes.
Who is this for?
- Agent developers who need production-grade safety without rewriting their stack
- Enterprises deploying AI agents in regulated environments (finance, healthcare, legal)
- Researchers studying runtime verification, sandboxing, and formal guarantees for agents
- Teams preparing for EU AI Act compliance requirements
Verified by Design
EnforceCore backs its guarantees with measurable evidence:
- 1,510 tests, 95% coverage, 22 formal invariants (Hypothesis property-based testing)
- Formal threat model — 4 adversary types, 4 security properties, tamper-proof audit trails with OS-enforced append-only + witness backends
- 20 adversarial scenarios across 10 threat categories, 15 performance benchmarks
- 0.056 ms full E2E overhead (P50) — negligible compared to tool call latency
See the Architecture page for formal invariants, threat model, and defense-in-depth. See the Evaluation Suite for reproducible adversarial benchmarks.
For Researchers
EnforceCore applies established computer science principles — runtime verification, reference monitors, information-flow control — to the novel problem of AI agent safety. We welcome academic collaboration and feedback.
The Architecture page documents the formal invariants (22 Hypothesis properties with $\forall$ notation), threat model (4 adversary types, 4 security properties), and defense-in-depth architecture. The Evaluation Suite provides reproducible adversarial benchmarks.
Prior work that informed the design:
- Runtime Verification — Leucker & Schallhart (2009), Havelund & Goldberg (2005)
- Reference Monitors — Anderson (1972)
- Information Flow Control — Sabelfeld & Myers (2003)
- Audit Integrity — Merkle (1987), Crosby & Wallach (2009)
- Tamper-Evidence — Wallach (2026, design feedback on append-only + witness mitigations)
- Agent Containment — Armstrong et al. (2012), Babcock et al. (2016)
Citation
@software{enforcecore2026,
title = {EnforceCore: Runtime Enforcement Layer for Agentic AI Systems},
author = {{AKIOUD AI}},
year = {2026},
url = {https://github.com/akios-ai/EnforceCore},
license = {Apache-2.0}
}
Open Source
EnforceCore is Apache 2.0 licensed. No hidden commercial agenda in the core.
Legal
EnforceCore is provided "as is", without warranty of any kind, express or implied. It is a technical enforcement tool — not a compliance certification. Using EnforceCore does not guarantee regulatory compliance with any standard or law. See DISCLAIMER and LICENSE for full legal terms.