README.md

May 11, 2026 · View on GitHub

⚡ JamJet

The action-control plane for AI agents. One policy file. One audit trail. Across hooks, guardrails, MCP gateways, SDKs, and custom runtimes.

jamjet.dev · Quickstart · Docs · Examples · Blog · Discord

Write the safety policy once. Run it everywhere your agents can act.

JamJet sits underneath your agent — Claude Code, OpenAI Agents SDK, MCP clients, LangChain, CrewAI, ADK, custom code — and enforces what prompts cannot:

🛡️ Block unsafe tool calls at runtime (database deletes, payments, file writes)
✋ Pause for human approval on risky actions, durably
💸 Cap cost per agent, per run, per project
📒 Record an audit trail that survives a regulator's review
⏪ Replay or resume crashed runs from the last checkpoint

Keep your agent framework. Add JamJet where tool calls need control.

JamJet safety demo

See it in 60 seconds

pip install jamjet
jamjet demo unsafe-tool-call

No API key. No Docker. No cloud account. The model is mocked; the enforcement path is real. Three more demos run the same way:

jamjet demo approval        # pause-for-approval flow
jamjet demo budget-cap      # \$0.05 cost cap
jamjet demo mcp-tool-policy # MCP-shaped policy (preview of JamJet Gateway)

Works alongside Claude Code · OpenAI Agents SDK · MCP clients · LangChain · CrewAI · ADK · Spring AI · LangChain4j.

The same policy, everywhere

Every agent toolchain is inventing its own safety layer. JamJet gives you one policy file and one audit trail across all of them.

Adapter	Install	Host
`@jamjet/claude-code-hook`	`npm i -g @jamjet/claude-code-hook`	Claude Code PreToolUse hook
`@jamjet/mcp-shim`	`npx -y @jamjet/mcp-shim ...`	Any MCP client (Claude Desktop, Cursor, …)
`@jamjet/openai-guardrail`	`npm i @jamjet/openai-guardrail`	OpenAI Agents SDK tool guardrail (TS)
`jamjet.integrations.openai_guardrail`	`pip install jamjet`	OpenAI Agents SDK tool guardrail (Python)
`jamjet`	`pip install jamjet`	Python SDK + runtime
`@jamjet/cloud`	`npm i @jamjet/cloud`	TypeScript SDK + shared engine
`@jamjet/cli`	`npm i -g @jamjet/cli`	Unified `jamjet audit show` / `jamjet approve`

All adapters load the same policy.yaml. All emit conformant audit JSONL to ~/.jamjet/audit/. Run jamjet audit show to tail every decision across every adapter in one chronological view.

Respect the platforms you plug into. Claude Code gave developers a hook point — JamJet gives that hook point a real policy engine, approval flow, and audit trail, and the same rules carry to OpenAI Agents SDK, MCP, and your own Python/TS code. OpenAI Agents SDK has guardrails — JamJet lets you express the policy once and reuse it elsewhere. If your MCP gateway supports plugins, JamJet can be the policy brain; if not, the @jamjet/mcp-shim proxy fills the gap.

One policy, every adapter

# ~/.jamjet/policy.yaml
version: 1
rules:
  - { match: "*delete*", action: block }
  - { match: "payments.*", action: require_approval }
  - { match: "shell.exec", action: block }

Drop this file in ~/.jamjet/. Every adapter listed above uses it automatically.

Prompts are not a security boundary. The runtime is.

→ Read When AI Deletes the Database for why this is a runtime architecture problem, not a model problem. → See the deeper durability demo at jamjet.dev/demo for what happens when an agent crashes mid-tool-call.

Policy in your own code

Drop a policy beside your agent code. The runtime intercepts any matching tool call before it leaves the agent's process — blocked_tools are refused outright, require_approval_for pauses execution durably and waits for an out-of-band decision (crashes don't lose the approval; execution resumes when it arrives).

# workflow.yaml
policy:
  blocked_tools:
    - "*delete*"
    - "payments.refund"
  require_approval_for:
    - "database.*"
    - "payment.transfer"
    - "user.suspend"

Python, with the hosted control plane:

import jamjet
jamjet.cloud.configure(api_key="jj_...", project="my-agent")
jamjet.cloud.policy("block", "*delete*")
jamjet.cloud.policy("require_approval", "database.*")
# Every OpenAI / Anthropic call in this process is now policy-gated.

→ Runnable approval workflow in examples/hitl-approval · Cloud Quickstart

Where JamJet sits

            Your Agent / Framework
   (LangChain · CrewAI · ADK · custom · MCP client)
                     │
                     ▼
  ┌───────────────────────────────────────────────┐
  │            JamJet Safety Layer                │
  │   policy · approval · budget · audit · replay  │
  └───────────────────────────────────────────────┘
                     │
                     ▼
        Tools · MCP servers · APIs · DBs · Agents

Use JamJet when your agent can…

call MCP servers or arbitrary tools
write to a database
send emails or Slack messages
trigger payments or external API calls
access customer data or PII
run for minutes/hours and needs to survive crashes
spend real model budget at scale
delegate to other agents

What JamJet adds

Without JamJet	With JamJet
Agent crashes lose progress	Resume from the last checkpoint
Tool calls rely on scattered app logic	Runtime policy blocks unsafe actions
Human approval is custom glue	Approval is a durable workflow step
Costs are discovered after the bill	Budgets enforced per agent / per run
Audit evidence is stitched from logs	Append-only event log, signed export
Memory is framework-specific	Pair with Engram for portable memory (MCP · REST · Python · Java)
Frameworks stay siloed	MCP + A2A connect tools and agents

Works with your stack — not a replacement

JamJet does not replace LangChain, LangGraph, CrewAI, Google ADK, Spring AI, or your custom agent code. Use those to build agent behavior. Use JamJet to control what happens at runtime.

You're using	Keep it for	JamJet adds
LangChain · LangGraph · CrewAI · Google ADK · AutoGen	Authoring agent behavior	Runtime safety: policy, audit, replay, approvals
LangSmith · Arize · Weights & Biases	Observability and evaluation	Active enforcement (block at runtime) + durable recovery
Temporal · Orkes · DBOS	General durable workflows	Agent-native primitives: policy on tool calls, MCP/A2A, memory
Google · AWS · Azure agent platforms	Cloud-native ecosystems	Open-source, cloud-neutral governance — works on-prem

Community-built integrations for LangChain, LlamaIndex, CrewAI, AutoGen, Pydantic-AI, DSPy, Spring AI, and LangChain4j live in jamjet-labs/jamjet-examples/integrations. Want to build the official integration for your framework? Claim a slot — first 10 merged contributors get JamJet swag.

Examples

Example	What it shows
`hitl-approval`	Human approval as a first-class workflow primitive
`coordinator-routing`	Dynamic agent routing with structured scoring
`claims-processing`	Insurance pipeline — 4 specialist agents + HITL + audit
`eval-harness`	Batch evaluation with LLM judge scoring
`mcp-tool-consumer`	Connect to external MCP tool servers

→ All 19 examples · Community integrations · Build your own

Sub-products

Engram — the JamJet ecosystem's memory layer for agents. Where JamJet provides durable execution (process can crash and resume), Engram provides durable memory (facts persist across runs and version cleanly via supersede()). Temporal knowledge graph, hybrid retrieval, conflict detection. Ships as a Rust crate (also bundled into the Rust runtime above), an MCP server (Docker · GHCR), a standalone Python library (github.com/jamjet-labs/engram, 71% on LongMemEval-S), a Python client for the MCP server, and a Spring AI ChatMemoryRepository. Comparison with Mem0/Zep → java-ai-memory.dev.

JamJet Java Runtime — embeds durable execution directly in your JVM, no Docker or sidecar, 8.9× faster than calling out to one. Works with Spring AI, LangChain4j, and Google ADK. → Launch post.

Architecture

Stack diagram

┌──────────────────────────────────────────────────────────┐
│                     Authoring Layer                       │
│     Python SDK  |  Java SDK  |  Go SDK (planned)  |  YAML  │
├──────────────────────────────────────────────────────────┤
│                 Compilation / Validation                   │
│           Graph IR  |  Schema  |  Policy lint             │
├────────────────────────────┬─────────────────────────────┤
│      Rust Runtime Core     │      Protocol Layer          │
│  Scheduler  |  State SM    │  MCP Client  |  MCP Server   │
│  Event log  |  Snapshots   │  A2A Client  |  A2A Server   │
│  Workers    |  Timers      │                              │
├────────────────────────────┴─────────────────────────────┤
│                    Enterprise Services                     │
│  Policy  |  Audit  |  PII Redaction  |  OAuth  |  mTLS     │
├──────────────────────────────────────────────────────────┤
│                      Runtime Services                      │
│  Model Adapters  |  Tool Execution  |  Engram Memory      │
├──────────────────────────────────────────────────────────┤
│                         Storage                           │
│           Postgres (production)  |  SQLite (local)        │
└──────────────────────────────────────────────────────────┘

"Engram Memory" here is the in-process distribution bundled with the Rust runtime. Engram also ships standalone — see Sub-products.

Documentation

Full docs at jamjet.dev

Quickstart · Concepts · Python SDK · Java SDK · YAML Workflows · REST API · MCP · A2A · Eval · Enterprise · Observability · CLI · Deployment

Contributing

Contributions welcome — see CONTRIBUTING.md.

Looking for a starter task?

Build a framework integration — 8 slots open, first 10 contributors get JamJet swag
Browse good first issues
Join the conversation in Discord