an open framework for bounded AI agents

Hardrails

Guardrails ask. Hardrails enforce.

The open, vendor-neutral method for giving an AI agent real work on a production network without giving it the ability to take one down.

[01]

The idea in 60 seconds

An AI agent is a model plus a harness. The model half is genuinely useful now. It is also non-deterministic, and when it is wrong, it is wrong confidently, at machine speed.

A prompt is a request. The agent can misread it, forget it, or have it overridden by injected text in the data it reads. Every "you must never" in a system prompt is a behavior you are hoping for.

Hardrails puts the rules that matter in the tool layer instead, as running code that sits in the path of every action the agent takes:

  • Tools are read-only by default, enforced per command.
  • The one tool that can generate a change produces a dry-run diff and stops.
  • Nothing reaches a device without an explicit, recorded human yes.

The agent can propose any change and can push none. Not because the model promised to behave, but because the capability to misbehave was never granted.

[02]

The contract: 7 components, 2 tiers

# Component The question it answers Lives in
1 Role Who is the agent? Prompt
2 Context What does it know? Prompt
3 Constraint What are the rules of engagement? Prompt
4 Output Format What does done look like? Prompt
5 Tools What can it touch? Code
6 Boundary What can it never do, and what enforces that? Code
7 Evaluation How does its work get checked? Code + human

The full spec covers the 7 normative boundary principles, the conformance checklist, and the adoption path: hardrails-spec.md. The GitHub repo is the single source of truth. This page is the short version.

[03]

Where it stands

v1.0 stable

Specification. Versioned and stable. Read hardrails-spec.md in the repo.

shipped

Reference implementation. Shipped and public in the repo: the full bounded network agent, built as an MCP server. Read-only device access that refuses writes by construction, a server-side boundary with an append-only audit log, dry-run fixes behind a human approval gate, and a security posture sweep with a live Cisco PSIRT CVE lookup, an NTP hardening check, and NetBox intent drift. Unit-tested and validated against a live lab. Install with pip install hardrails[lab] or clone and run: see the run guide. The CML lab topology ships with the walkthrough.

coming

Full build walkthrough. Coming on the G Talks Tech channel. This page gets the video when it ships.