Roadmap

EnforceCore ships incrementally. Each release adds one well-tested, well-documented component. No release ships without full test coverage, updated documentation, and passing CI.

Released Versions

v1.0.0 — Core Enforcer + Policy Engine

The foundation. Minimal viable enforcement framework.

@enforce(policy=...) decorator (sync + async)
enforce() context manager
Policy Engine with Pydantic v2 models + YAML loading
Pre-call rule evaluation (allowed/denied tools)
EnforcementViolation exception hierarchy
Configuration via pydantic-settings
Structured logging via structlog
94 tests, 97% coverage

v1.0.1 — PII Redactor

Real-time PII detection and redaction.

Regex-based detection — no heavy deps (no spaCy, no Presidio)
5 PII categories: email, phone, SSN, credit card, IP address
4 strategies: placeholder, mask, hash, remove
Auto-wired into enforce pipeline (input + output)
~0.1–0.5ms per call
161 tests, 97% coverage

v1.0.2 — Merkle Auditor

Tamper-proof, cryptographically verifiable audit trails.

SHA-256 Merkle chain linking entries
14-field AuditEntry with timing and redaction stats
Cross-session chain continuity
verify_trail() with tamper detection
JSONL format with thread-safe append
213 tests, 96% coverage

v1.0.3 — Resource Guard

Cross-platform resource limits and hard termination.

Time limits (all platforms)
Memory limits (Linux strict, macOS advisory)
Cumulative cost tracking with configurable budget
KillSwitch for hard termination
Platform detection abstraction
284 tests, 96% coverage

v1.0.4 — Framework Integrations

Drop-in adapters for popular agent frameworks.

LangGraph / LangChain adapter
CrewAI adapter
AutoGen adapter
No hard dependencies on any framework
wrap_with_policy() for custom adapters
334 tests, 96% coverage

v1.0.5 — Evaluation Suite

Adversarial testing framework for agent containment.

13 adversarial scenarios across 7 threat categories
ScenarioRunner with category/severity/tag filtering
BenchmarkRunner with 7 per-component benchmarks
Markdown report generation
CLI: enforcecore eval

v1.0.6 — Hardening + Polish

Production readiness and security hardening.

Tool name validation (charset, length)
Input size validation (10 MB default)
Enforcement scope tracking (contextvars, max depth 10)
Deep recursive PII redaction (nested data structures)
Unicode hardening (NFC, homoglyphs, URL/HTML decoding)
Dev-mode gating for fail_open
Thread-safe policy cache
Auditor: max_entries parameter, optimized resume
544 tests, 96% coverage
Stable public API (68 exports)

Alpha Releases (v1.0.7a1 – v1.0.22a1)

Starting with v1.0.7a1, EnforceCore moved to an alpha release cadence — shipping features faster with the a1 suffix. All alpha releases are available on PyPI:

pip install enforcecore==1.0.22a1

v1.0.7a1 — Secret Scanner

Credential and secret detection as a first-class feature.

11 built-in secret categories: AWS access keys, AWS secret keys, GitHub tokens, Google Cloud API keys, Azure connection strings, database URIs, SSH private keys, generic API keys, JWT tokens, Slack tokens, Stripe keys
SecretScanner class with batch and single-call APIs
Wired into the PII redaction pipeline automatically
DetectedSecret results with category, position, and confidence
623 tests

v1.0.8a1 — Content Rules Engine

Pattern-based detection for dangerous content in tool arguments and outputs.

4 built-in rule categories: shell injection, path traversal, SQL injection, code execution
RuleEngine with pattern matching and composable rules
ContentRule dataclass for custom domain-specific rules
get_builtin_rules() for easy loading
ContentViolationError exception
688 tests

v1.0.9a1 — Rate Limiter

Per-tool and global rate limiting with sliding window counters.

RateLimiter with global RPM and per-tool limits
RateLimit configuration dataclass
Thread-safe sliding window implementation
RateLimitError exception
Wired into the enforcement pipeline
742 tests

v1.0.10a1 — Network Enforcement

Domain-level allow/deny controls for outbound network calls.

DomainChecker with allow list and deny list
Wildcard support (*.malicious.io)
DomainDeniedError exception
Configurable via policy YAML network: section
803 tests

v1.0.11a1 — Pluggable Audit Backends

Swap audit storage backends without changing enforcement logic.

AuditBackend abstract base class
4 built-in backends: JsonlBackend, NullBackend, CallbackBackend, MultiBackend
MultiBackend for writing to multiple destinations simultaneously
Backwards-compatible — JSONL remains the default
867 tests

v1.0.12a1 — Audit Log Rotation

Size-based audit log rotation with compression.

AuditRotator with configurable max_bytes and max_files
Automatic gzip compression of rotated files
Background rotation (non-blocking)
921 tests

v1.0.13a1 — Hook System

Lifecycle hooks for extending the enforcement pipeline.

4 hook points: @on_pre_call, @on_post_call, @on_violation, @on_redaction
HookRegistry for managing registered callbacks
Async-compatible hooks (sync and async functions)
Priority ordering for hook execution
985 tests

v1.0.14a1 — Observability (OpenTelemetry)

First-class OpenTelemetry integration for production monitoring.

EnforceCoreMetrics — counters and histograms for enforcement events
EnforceCoreInstrumentor — span creation for tracing
Works with any OpenTelemetry-compatible backend (Jaeger, Prometheus, Datadog)
Optional dependency — no import overhead if not used
1,041 tests

v1.0.15a1 — Webhooks

HTTP webhook event dispatch for alerting and integrations.

WebhookDispatcher with configurable endpoints
WebhookEvent dataclass with event type, payload, and metadata
Retry logic with exponential backoff
Async dispatch (non-blocking)
1,098 tests

v1.0.16a1 — API Freeze + Breaking Changes

⚠️ Breaking: guard_sync() and guard_async() context managers removed. Use Enforcer.from_file() factory or @enforce() decorator instead.

Public API frozen at 110 exports — stability guarantee going forward
Enforcer.from_file() factory method for ergonomic initialization
PolicyEvaluationError added to exception hierarchy
Migration guide in changelog
1,152 tests

v1.0.17a1 — Guard Leak Detection

Thread safety improvements and resource leak tracking.

guard.leaked_thread_count property for orphaned thread detection
Shared thread pool in Resource Guard (eliminates per-call thread creation)
Thread-safe policy cache with mtime-based invalidation (security fix H-3)
1,198 tests

v1.0.18a1 — CLI Expansion

New CLI commands for policy inspection and dry-run evaluation.

enforcecore dry-run — simulate enforcement without executing tools
enforcecore inspect — display policy rules and effective configuration
CLI now has 6 commands: info, validate, verify, eval, dry-run, inspect
1,251 tests

v1.0.19a1 — Expanded Evaluation Suite

New adversarial scenarios and threat categories.

20 adversarial scenarios (up from 13)
10 threat categories (up from 7): added RANSOMWARE, SUPPLY_CHAIN, COLLUSION
Multi-stage scenario support with StageResult
New scenarios: ransomware campaign, supply-chain credential harvest, multi-agent collusion relay, privilege escalation chain, slow-burn exfiltration
1,312 tests

v1.0.20a1 — Expanded Benchmarks

Comprehensive performance benchmarking.

15 benchmarks (up from 7)
P50/P99/P99.9 percentile stats
New benchmarks: secret detection, content rules, rate limiter, domain checker, audit rotation, hook dispatch, audit verify (100 entries)
1,378 tests

v1.0.21a1 — Security Hardening

Critical security fixes and hardening.

H-1: PII leak in fail-open path — redaction now runs BEFORE fail-open decision
H-2: Thread leak in long-running enforcers — shared thread pool fix
H-3: Policy cache mtime race — thread-safe mtime checking
Improved error messages for all exception types
1,441 tests

v1.0.22a1 — Test & Documentation Blitz

Final alpha polish — documentation, tests, and stability.

1,503 tests, 96% coverage
110 public exports (API frozen since v1.0.16a1)
Documentation refresh across all modules
Cross-reference validation between docs and code
Ready for beta promotion

v1.0.23a1 — Release Infrastructure

Build and CI pipeline hardening for the beta transition.

Release automation fixes
CI pipeline reliability improvements
Pre-beta infrastructure readiness

v1.0.24a1 — Security Audit

Targeted security audit addressing five findings from formal review.

A-4: AuditEntry JSON-safety — all entries validated for JSON serialization before writing
M-4: Shannon entropy filter for secret detection — reduces false positives on high-entropy strings
A-5: Minimum input size floor — prevents degenerate zero-length input edge cases
M-5: Unicode normalization rewrite with offset mapping — correct redaction positions after NFC/homoglyph transforms
M-2: Enforcer internal refactoring — cleaner separation of pipeline stages

Beta Releases (v1.0.25a1 → v1.0.0b3)

v1.0.25a1 — API Surface Pruning

Major change: Public API surface pruned from 110 symbols to 30 Tier 1 symbols.

Tier 1 (30 symbols): The stable, frozen public contract — enforce, Enforcer, Policy, load_policy, Redactor, RedactionResult, RedactionStrategy, SecretScanner, Auditor, AuditEntry, VerificationResult, verify_trail, load_trail, ResourceGuard, CostTracker, KillSwitch, RateLimiter, Decision, EnforcementResult, EnforceCoreError, EnforcementViolation, ToolDeniedError, ContentViolationError, PolicyError, PolicyLoadError, CostLimitError, ResourceLimitError, Settings, settings, __version__
Tier 2 (80 symbols): Advanced/internal — still importable, but not part of the stability guarantee
All 110 original symbols remain importable for backwards compatibility

v1.0.0b1 — Beta Status

EnforceCore officially enters beta. Production-ready, actively hardened.

Beta status declaration
Deprecation warnings emitted for Tier 2 imports
Migration guide for Tier 1 adoption
30-symbol API frozen — no additions or removals until v2.0.0

v1.0.0b2 — Security Fix: Policy.from_dict()

Critical fix for silent rule drop in Policy.from_dict().

Bug: Flat dictionary keys passed to Policy.from_dict() were silently dropped instead of being auto-hoisted into the rules namespace
Fix: Flat dict keys are now auto-hoisted into rules: when the top-level key matches a known rule field
Prevents silent policy misconfiguration

v1.0.0b3 — Documentation Accuracy

Documentation audit — correcting inaccurate claims and outdated references.

Corrected false claim about Presidio dependency (EnforceCore has never used Presidio)
Removed deprecated context manager references (guard_sync(), guard_async())
Updated performance benchmarks from estimated ranges to measured values (~0.056 ms E2E P50)
Cross-referenced all documentation against actual code behavior

v1.0.0b4 — Tamper-Evidence: Append-Only + Witness

Two new hardening layers that close the last practical gap in audit trail integrity.

OS-enforced append-only audit files — Auditor(immutable=True) sets the OS-level append-only attribute (chattr +a on Linux, chflags uappend on macOS), preventing truncation or chain rebuild even by the file owner. Includes container detection and capability checking for Docker (CAP_LINUX_IMMUTABLE). Fails safely on unsupported platforms.
Hash-only remote witness — Auditor(witness=...) publishes entry hashes (~200 bytes each) to a witness backend, enabling tamper detection even if an attacker rebuilds the Merkle chain. Built-in witnesses: CallbackWitness (queues, HTTP, databases), FileWitness (separate JSONL file), LogWitness (syslog/journald via Python logging).
Witness verification — verify_with_witness() cross-checks audit trail hashes against witness records, detecting chain-rebuild attacks that verify_trail() alone cannot.
Platform introspection — platform_support_info() returns append-only support, container detection, and capability status for the current platform.
Threat model §5.3 updated — Audit trail storage section now documents both mitigations with platform requirements and container guidance.
CONTRIBUTORS.md — Added Prof. Dan S. Wallach (Rice University) under Design Feedback for direct guidance on tamper-evidence mitigations.
48 new tests — Full coverage for witness backends, append-only protection, platform detection, and cross-platform mocking.

v1.0.0b5 — Settings Integration + Edge-Case Tests

Settings-driven tamper-evidence — zero-code hardening via environment variables.

Settings-driven witness and immutable — ENFORCECORE_AUDIT_IMMUTABLE=true and ENFORCECORE_AUDIT_WITNESS_FILE=/path/to/witness.jsonl enable tamper-evidence hardening for @enforce() users without writing code.
Witness publish outside audit lock — _publish_to_witness() now runs after releasing self._lock, preventing slow witness backends (e.g. HTTP callbacks) from blocking subsequent audit writes.
Threat model expanded — §6 Assumption 6 references immutable=True mitigation; §7 Known Limitations cross-references witness + immutable; §8 Revision History updated for b4 and b5.
Release checklist expanded — Witness/immutable checks added to Audit Trail (4→10 checks), Config (→5 checks), Submodule Imports (→22 checks).
chflags sappend docstring fix — Corrected to chflags uappend (user-level) in all 3 occurrences.
CallbackWitness blocking-I/O warning — Prominent warning added to docstring explaining that slow callbacks block audit writes, with a queue-based workaround.
18 new edge-case tests — _has_linux_immutable_cap() multi-branch logic, is_append_only() mocked, verify_with_witness() empty trails, concurrent stress tests, settings env-var overrides.
1,510 tests, 95% coverage

v1.0.0b6 — Passport PII Fix + Framework Comparison

passport PII category added — ICAO Doc 9303 regex ([A-Z]{1,2}\d{6,9}), <PASSPORT> placeholder, **-******* mask. Fixes RedactionError: Unknown PII category: 'passport' that caused 19 eval errors.
Framework comparison module — enforcecore.eval.framework_comparison for side-by-side policy comparisons
3 new quickstart examples — quickstart_langgraph.py, quickstart_autogen.py, quickstart_crewai.py
Eval results refreshed — 20/20 adversarial scenarios contained, 0 errors (was 19 errors before passport fix)
1,510 tests

v1.0.0 — First Stable Release

First stable release. Promoted from v1.0.0b6 after CI green on Python 3.11, 3.12, and 3.13.

No new code — API surface frozen at 30 Tier 1 symbols
100% adversarial containment — 20/20 scenarios, 0 errors
Sub-millisecond overhead — policy_pre_call p99 = 0.021 ms, pii_redaction p99 = 0.035 ms

v1.0.1 — Patch

Fixed verify_with_witness crash on WitnessRecord objects — normalizes to .entry_hash before comparison
Fixed PolicyRules silently ignoring unknown YAML keys — added alias remapping (pii → pii_redaction, resources → resource_limits, network_policy → network) with deprecation warnings; truly unknown keys now raise a warning
14 documentation files updated — beta tags removed, corrected for stable status

Current Status

EnforceCore is stable at v1.0.1. The 30-symbol Tier 1 API is frozen. All 110 original symbols remain importable for backwards compatibility.

pip install enforcecore

Key numbers: 1,510 tests · 95% coverage · 22 formal invariants · 30 frozen Tier 1 symbols · 20 adversarial scenarios (20/20 contained, 0 errors) · 15 benchmarks · 6 PII categories · 4 dependencies.

See Architecture for technical details, Evaluation for benchmarks, or API Reference for the full symbol list.

Future Directions

These are potential future work — not committed:

v1.1 — Policy Hub

Community repository of reusable, audited policies with versioning and peer review.

v1.2 — Formal Verification

Integration with model checkers for mathematical policy guarantees.

v1.3 — Multi-Language Support

TypeScript and Go bindings for non-Python ecosystems.

v2.0 — Distributed Enforcement

Enforcement for multi-agent systems across processes and machines, with shared state and coordinated rate limiting. Tier 2 symbols may be removed in this version.

Contributions are welcome under Apache 2.0 — see the GitHub repository.