Hardrails
Guardrails ask. Hardrails enforce.
The open, vendor-neutral method for giving an AI agent real work on a production network without giving it the ability to take one down.
The idea in 60 seconds
An AI agent is a model plus a harness. The model half is genuinely useful now. It is also non-deterministic, and when it is wrong, it is wrong confidently, at machine speed.
A prompt is a request. The agent can misread it, forget it, or have it overridden by injected text in the data it reads. Every "you must never" in a system prompt is a behavior you are hoping for.
Hardrails puts the rules that matter in the tool layer instead, as running code that sits in the path of every action the agent takes:
- Tools are read-only by default, enforced per command.
- The one tool that can generate a change produces a dry-run diff and stops.
- Nothing reaches a device without an explicit, recorded human yes.
The agent can propose any change and can push none. Not because the model promised to behave, but because the capability to misbehave was never granted.
The contract: 7 components, 2 tiers
| # | Component | The question it answers | Lives in |
|---|---|---|---|
| 1 | Role | Who is the agent? | Prompt |
| 2 | Context | What does it know? | Prompt |
| 3 | Constraint | What are the rules of engagement? | Prompt |
| 4 | Output Format | What does done look like? | Prompt |
| 5 | Tools | What can it touch? | Code |
| 6 | Boundary | What can it never do, and what enforces that? | Code |
| 7 | Evaluation | How does its work get checked? | Code + human |
The full spec covers the 7 normative boundary principles, the conformance checklist, and the adoption path: hardrails-spec.md. The GitHub repo is the single source of truth. This page is the short version.
Where it stands
Specification. Versioned and stable. Read hardrails-spec.md in the repo.
Reference implementation. Shipped and public in the repo: the full bounded network agent, built as an MCP server. Read-only device access that refuses writes by construction, a server-side boundary with an append-only audit log, dry-run fixes behind a human approval gate, and a security posture sweep with a live Cisco PSIRT CVE lookup, an NTP hardening check, and NetBox intent drift. Unit-tested and validated against a live lab. Install with pip install hardrails[lab] or clone and run: see the run guide. The CML lab topology ships with the walkthrough.
Full build walkthrough. Coming on the G Talks Tech channel. This page gets the video when it ships.
Get the full walkthrough and the starter kit when they drop.
The build walkthrough and the Hardrails starter kit are in progress. Join the list and you'll get both when they land. You'll also get the Network Engineer's AI Prompt Pack right away.