Introducing EnforceCore: Runtime Enforcement for AI Agents

Today we're open-sourcing EnforceCore, a runtime enforcement layer for agentic AI systems. It's a Python library — not a service — that wraps your agent's tool calls with deterministic policy enforcement, PII redaction, cost controls, and tamper-proof audit trails.

One decorator. Zero external dependencies at runtime. Sub-millisecond overhead.

from enforcecore import enforce

@enforce(policy="policy.yaml")
async def search_web(query: str) -> str:
    return await api.search(query)

The Problem

AI agents are non-deterministic. They can:

Call tools they shouldn't — executing shell commands, deleting files, sending emails
Leak sensitive data — PII in prompts, API keys in outputs, credentials in logs
Run away with costs — infinite loops, unbounded token usage, cascading API calls
Leave no audit trail — no way to prove what happened after the fact

Traditional "guardrails" try to solve this at the prompt level — asking another LLM to judge whether the output is safe. This is probabilistic, slow, and bypassable.

The Solution: Runtime Enforcement

EnforceCore operates at the function call boundary, not the prompt level. When your agent calls a tool, EnforceCore intercepts the call and runs it through a deterministic enforcement pipeline:

graph LR
    A[Agent Tool Call] --> B[Input Validation]
    B --> C[Policy Check]
    C --> D{Allowed?}
    D -->|Yes| E[PII Redaction]
    D -->|No| F[Block + Audit]
    E --> G[Execute Function]
    G --> H[Output Redaction]
    H --> I[Audit Trail]

Every step is deterministic (YAML policies, not vibes), fail-closed (enforcement failures block the call), and auditable (SHA-256 Merkle-chained logs).

What's in the Box

Policy Engine

Define what your agent can and can't do in YAML. Supports allow/deny tool lists, policy inheritance via extends, content rules for injection detection, network domain controls, and sliding-window rate limiting.

name: "production"
on_violation: "block"

rules:
  denied_tools: [execute_shell, delete_file, send_email]
  allowed_tools: [search_web, calculator, read_file]

  pii_redaction:
    enabled: true
    categories: [email, phone, ssn, credit_card]
    strategy: "placeholder"

  resource_limits:
    max_call_duration_seconds: 30
    max_cost_usd: 5.00

  network:
    enabled: true
    allowed_domains: ["api.openai.com", "*.wikipedia.org"]
    deny_all_other: true

PII Redaction + Secret Detection

Regex-based detection with validation (Luhn checks for credit cards, entropy filters for API keys). Catches 7 PII categories and 11 secret types including AWS keys, GitHub tokens, database connection strings, and private keys.

4 redaction strategies: placeholder ([EMAIL]), mask (****@***.com), hash ([sha256:...]), and remove.

Tamper-Proof Audit Trail

Every enforcement decision is recorded in a SHA-256 Merkle chain. Each entry's hash includes the previous entry's hash — any modification breaks the chain and is detectable via verify_trail().

Supports pluggable backends, external witnesses for independent tamper detection, and automatic file rotation.

Resource Guard

Hard limits on execution time, memory, API costs, and call depth. Sliding-window rate limits per tool and globally. Kill switch for runaway agents.

Framework Integrations

Native enforced_tool adapters for LangGraph, CrewAI, and AutoGen — no hard dependencies:

from enforcecore.integrations.langgraph import enforced_tool

@enforced_tool(policy="policy.yaml")
def search_web(query: str) -> str:
    """Search the web."""
    return api.search(query)

Evaluation Suite

26+ adversarial scenarios across 11 threat categories. Run them against your policy to verify enforcement before deployment:

enforcecore eval run policy.yaml

By the Numbers

Metric	Value
Tests	1,525 (+ 22 property-based)
Coverage	95%
P50 enforcement overhead	0.056 ms
P50 with PII redaction	0.093 ms
Runtime dependencies	4
License	Apache 2.0
Python	3.11, 3.12, 3.13

Get Started

pip install enforcecore

Quickstart Guide — Your first enforced agent in 5 minutes.
Documentation — Full reference.
GitHub — Star, fork, contribute.
Discord — Join the community.

What's Next

We're working on more framework adapters (LlamaIndex, Semantic Kernel), external audit anchoring for transparency logs, community policy templates, and a visual audit trail dashboard.

EnforceCore is Apache 2.0. No vendor lock-in, no external calls, no usage tracking. Your policies and logs stay on your infrastructure.

If you're building agentic systems, we'd love your feedback.