Introduction
The runtime enforcement layer for agentic AI systems.
EnforceCore provides mandatory, policy-driven enforcement at every external call boundary for any Python-based agentic system. It ensures that AI agents operate within defined safety constraints — tool access, PII redaction, secret detection, cost budgets, rate limits, content rules, and network controls — with cryptographically verifiable audit trails.
Info: Unlike traditional guardrails that operate on inputs/outputs (LLM-as-a-judge), EnforceCore operates at the runtime level, intercepting function calls to enforce deterministic policies. It's a library, not a service — zero external dependencies at runtime, sub-millisecond overhead.
Why EnforceCore?
Agentic systems are non-deterministic by nature. They can hallucinate, call tools with incorrect parameters, or attempt to access restricted resources. EnforceCore mitigates these risks by providing a hard boundary that the agent cannot cross.
- Deterministic Security: Policies are defined in YAML with inheritance and composition. No "vibes-based" safety.
- Fail-Closed Design: Enforcement failures block the call by default. Agents cannot bypass the boundary.
- Runtime Protection: Blocks malicious actions before they execute, not after.
- Auditability: Every action is logged in a tamper-proof Merkle chain with optional external witnesses.
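To make the three mechanisms above concrete (interception at the call boundary, a fail-closed decision, and a SHA-256 hash-chained audit log whose integrity can be verified), here is an added illustration written for this page; it is not EnforceCore's own API or code. The policy dict, the `enforce` decorator, `AUDIT_LOG`, and the tool names are constructed for the example only.

```python
import functools
import hashlib
import json
# Constructed policy: a plain tool allow-list, illustrative only (not EnforceCore's YAML schema).
POLICY = {"allowed_tools": {"search_web", "read_file"}}
# Hash-chained audit log: each entry's hash covers the previous hash plus its own event.
AUDIT_LOG = []
GENESIS = "0" * 64

class EnforcementError(Exception): "Raised when a call is blocked; the wrapped tool never executes."

def _entry_hash(prev, event):
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

def _append_audit(event):
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else GENESIS
    AUDIT_LOG.append({"prev": prev, "event": event, "hash": _entry_hash(prev, event)})

def verify_audit_log(log):
    """Recompute the chain; an edited, dropped or reordered entry breaks a later hash."""
    prev = GENESIS
    for entry in log:
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["event"]):
            return False
        prev = entry["hash"]
    return True

def enforce(policy):
    """Wrap a tool so every call crosses the policy check first, failing closed."""
    def decorator(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            try:
                allowed = fn.__name__ in policy["allowed_tools"]
            except Exception:  # malformed or unreadable policy: block, never pass through
                allowed = False
            _append_audit({"tool": fn.__name__, "decision": "allow" if allowed else "deny"})
            if not allowed:
                raise EnforcementError(f"blocked tool call: {fn.__name__}")
            return fn(*args, **kwargs)
        return wrapper
    return decorator

@enforce(POLICY)
def search_web(query):
    return f"results for {query}"

@enforce(POLICY)
def delete_files(path):  # not on the allow-list: the call is denied and audited
    return f"deleted {path}"
```

Because the decision is recorded before the tool body runs, a denied call still leaves a chained audit entry, and `verify_audit_log` fails on any later edit or deletion of that entry.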
Key Features
| Feature | Description |
|---|---|
| 🔒 Policy Enforcement | YAML-defined policies with allow/deny lists, tool gating, content rules, and policy inheritance via extends. |
| 🕵️ PII Redaction | Regex-based detection and redaction of 7 PII categories and 11 secret types (API keys, tokens, credentials). 4 redaction strategies: placeholder, mask, hash, remove. |
| 📜 Merkle Audit Trail | SHA-256 chained logs with pluggable backends, external witness support, immutable files, and automatic rotation. |
| 💰 Cost & Resource Guard | Enforce budgets on execution time, memory, and API costs. Kill switch for runaway agents. |
| 🌐 Network Control | Restrict agent network access to specific domains (allow/deny lists) with wildcard support. |
| ⚡ Rate Limiting | Sliding-window rate limits per tool and globally. |
| 🔌 Framework Integrations | Native enforced_tool adapters for LangGraph, CrewAI, and AutoGen — no hard dependencies. |
| 📊 OpenTelemetry | Built-in instrumentation for traces, metrics, and spans. |
| 🧪 Evaluation Suite | 26+ adversarial scenarios across 11 threat categories. Generate HTML security reports. |
| 🪝 Lifecycle Hooks | Register on_pre_call, on_post_call, on_violation, and on_redaction hooks. Webhook support for external alerting. |
| 🖥️ CLI Tools | Validate policies, verify audit trails, test redaction, and run evaluations from the command line. |
By the Numbers
| Metric | Value |
|---|---|
| Tests | 1,525 |
| Code coverage | 95% |
| Adversarial scenarios | 26+ across 11 threat categories |
| P50 enforcement overhead | 0.056 ms |
| P50 with PII redaction | 0.093 ms |
| Runtime dependencies | 4 (pydantic, PyYAML, typing-extensions, pydantic-settings) |
| License | Apache 2.0 |
Next Steps
Ready to secure your agents?
- Quickstart Guide: Install EnforceCore and write your first policy.
- Core Concepts: Understand the architecture and security model.
- API Reference: Deep dive into the Python API.
- Policy Schema: Learn the full YAML policy specification.