Prove every
agent action.

live intercept · click an action to watch JamJet decide

agent request

Merge PR #4218 github.merge · agent:claude-code

JAMJET policy + approval

REQUIRES APPROVAL

action_receipt.json · signed & verified

{
  "version": "agentboundary/v0.1",
  "receipt_id": "0192c8d0-1f2a-7c3e-bf2a-1a4d3f5e6c7b",
  "actor":  { "type": "agent", "id": "agent:claude-code:session/789abc" },
  "tool":   { "name": "github-mcp", "capability": "github.merge" },
  "target": { "system": "github.com/jamjet-labs/agentboundary", "environment": "prod" },
  "arguments_hash": "9698adaf2dca5f26a4f9644a8d0f4f34b5558bce09961f94e810fe3aaa9071aa",
  "policy": { "name": "agentboundary.repo.merges", "version": "2", "decision": "requires_approval" },
  "execution": { "status": "pending_approval", "result_ref": null },
  "receipt_hash": "4d905d5dbc9faa4dafcb2155da9c4d5e1052cb23c680f3754d4ebc5800a4bae7"
}

✓ verified · anyone can check

An AI agent is about to merge a pull request, refund a charge, or mutate production. JamJet checks your policy, asks for approval if needed, blocks the call when it can't, and writes the receipt above — verifiable by anyone, independent of your agent framework.

Not another agent framework. The action-control layer that sits underneath them. Keep LangGraph, CrewAI, Claude Code, MCP, OpenAI Agents SDK, or Spring AI — add JamJet where tool calls need policy, approval, and audit.

see the SDK · merge.py

from jamjet import gate

@gate("github.merge", require_approval=True)
def merge_pr(repo: str, pr: int) -> str:
    return github.merge(repo, pr)

pip install jamjet · same policy across Claude Code, MCP, OpenAI Agents SDK, Spring AI

From the lab behind the Engram memory benchmarks and the AIP agent-identity work — see research.

Engram · 88.8% on LongMemEval-S (proxy benchmark) · AIP · agent identity + delegation chains (arXiv draft) · AgentBoundary v0.1 · open spec for AI action proof · public

See every adapter ↓ Get started in 60s Run conformance →

Already shipping in production? Try JamJet Cloud free.

$ pip install jamjet

Why we built it

Most of what breaks an AI agent in the real world isn’t model quality. It’s the boring stuff: a worker dies, a tool gets called wrong, a budget runs out, an audit team asks what happened. We built JamJet to make those things controllable, recordable, and recoverable — without forcing you to abandon LangGraph or CrewAI or whatever’s already working.

The runtime sits between your agent and everything it touches. Models, tools, memory, other agents — every interaction passes through a layer that can block, wait, record, and resume. Open source. Apache 2.0. Cloud-neutral.

How it fits with what you use →

The same policy, everywhere

Every agent toolchain is inventing its own safety layer.
JamJet gives you one.

One policy.yaml in ~/.jamjet/. Every adapter below loads it. Every adapter emits conformant audit JSONL. Run jamjet audit show to tail every decision across every adapter in one chronological view.

We respect the platforms we plug into. Claude Code gave developers a hook point — JamJet gives that hook point a policy engine, approval flow, and audit trail, and carries the same rules to OpenAI Agents SDK, MCP, and your own code.

What goes wrong, and what stops it

Six failure modes.
Six gates.

Other tools observe what agents do. JamJet actively prevents unsafe behavior, recovers from failures, and creates audit evidence — at the runtime layer.

01
Lost progress
A worker dies mid-run. JamJet replays the event log and resumes at the failed node.
02
Unsafe tool
An agent reaches for a tool it shouldn’t. The 4-level policy hierarchy blocks the call before execution.
03
Skipped approval
A high-risk action waits for a human. The run survives restarts. The decision lands in audit.
04
Runaway cost
A reflection loop won’t stop spending. The runtime halts the loop before it crosses the cap.
05
Missing audit
Compliance asks what happened. Every decision is in a signed, exportable evidence package.
06
Forgotten context
The agent forgets across sessions. Engram surfaces durable facts — not raw chat history.

See each failure mode in action →

The difference

Why not just use logs?

Logs

what happened after the fact
unsigned
unstructured
agent-trusted

JamJet receipts

whether the action was allowed before it happened
signed, verifiable by anyone
conformant schema (AgentBoundary v0.1)
agent-independent

Tracing tools (LangSmith, Helicone, Langfuse) show you what your agent did. JamJet decides what it's allowed to do — and signs the receipt either way.

“

Production isn’t a milestone. It’s the moment your code has to defend itself.

— a thing every serious engineer has learned the hard way

Watch one survive

Your agents crash.
Ours recover.

Every step is checkpointed as it happens. When a worker dies mid-run, the scheduler reclaims the lease and resumes from exactly where it stopped. No reruns. No duplicate side effects. No lost events.

Worker crashes — the Analyze step fails unexpectedly.
Lease reclaimed — scheduler detects the failure.
Resume from checkpoint — completed steps stay completed.
Zero events lost — full execution integrity preserved.

Run this demo →

Same runtime guarantees, two languages

Write Python or Java.
JamJet handles replay, policy, and recovery.

pipeline.py Python

from jamjet import task, workflow, approval

@task(model="claude-sonnet-4-6", max_cost=0.50)
async def analyze(data: dict) -> Report:
    """checkpointed, cost-capped"""

@workflow
async def pipeline(raw):
    report = await analyze(raw)     # crash-safe
    await approval(report)          # durable pause
    return await publish(report)

Pipeline.java Java

Agent analyst = Agent.builder()
    .name("analyst")
    .model("claude-sonnet-4-6")
    .strategy(Strategy.REFLECTION)
    .maxCost(0.50)                   // budget enforced
    .build();

WorkflowGraph pipeline = WorkflowGraph.builder()
    .node(analyst)                    // crash-safe
    .node(ApprovalGate.create())     // durable pause
    .node(publisher)
    .build();

Both compile to the same IR and run on the same Rust runtime. Java has its own native runtime too — zero sidecar, virtual threads, 8.9× faster than the REST sidecar in our benchmark.

When the team needs the cockpit

JamJet Cloud

The hosted control plane for agent runs. Trace timeline, policy violations, approval queue, cost guardrails, audit export, hosted Engram — across your team.

View Cloud Sign up free

Need memory first?

Start with Engram.

Open-source memory for MCP-native AI agents. Fact extraction, conflict detection, hybrid retrieval, consolidation. Use it standalone with Claude, Cursor, or any MCP client.

Add memory Source

“

We don’t replace your framework. We sit underneath it, like a seatbelt.

— the design intent, in one sentence

Running log

What we shipped lately.

Full blog →

Compared with: Temporal · Microsoft AGT · all integrations

Make agent runs
replayable, auditable,
and controlled.

$ pip install jamjet

Run the quickstart View JamJet Cloud GitHub

Apache 2.0 · Cloud-neutral · Framework-neutral · Built in Rust, Python, and Java.

Prove every agent action.

Every agent toolchain is inventing its own safety layer. JamJet gives you one.

Six failure modes.Six gates.