Skip to content

jamjet-labs/jamjet

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

548 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

⚡ JamJet

The action-control plane for AI agents. One policy file. One audit trail. Across hooks, guardrails, MCP gateways, SDKs, and custom runtimes.

jamjet MCP server CI PyPI Maven Central crates.io License Discord

jamjet.dev · Quickstart · Docs · Examples · Blog · Discord

Open in GitHub Codespaces Open in Gitpod


Write the safety policy once. Run it everywhere your agents can act.

JamJet sits underneath your agent (Claude Code, OpenAI Agents SDK, MCP clients, LangChain, CrewAI, ADK, Spring AI, custom code) and enforces what prompts cannot:

  • 🛡️ Block unsafe tool calls at runtime: database deletes, payments, file writes
  • Pause for human approval on risky actions, durably
  • 💸 Cap cost per agent, per run, per project
  • 📒 Record an audit trail that survives a regulator's review
  • Replay or resume crashed runs from the last checkpoint

Keep your agent framework. Add JamJet where tool calls need control.

JamJet safety demo

See it in 60 seconds

pip install jamjet
jamjet demo unsafe-tool-call

No API key. No Docker. No cloud account. The model is mocked; the enforcement path is real. Three more demos run the same way:

jamjet demo approval        # pause-for-approval flow
jamjet demo budget-cap      # $0.05 cost cap
jamjet demo mcp-tool-policy # MCP-shaped policy (preview of JamJet Gateway)

Works alongside Claude Code · OpenAI Agents SDK · MCP clients · LangChain · CrewAI · ADK · Spring AI · LangChain4j.

On the JVM: one dependency

Spring AI and LangChain4j teams get the same layer without writing glue code. The Spring Boot starter auto-injects JamJet advisors into your ChatClient: every call becomes durable and audited, with no changes to your application code.

<dependency>
    <groupId>dev.jamjet</groupId>
    <artifactId>jamjet-spring-boot-starter</artifactId>
    <version>0.1.0</version>
</dependency>
spring.jamjet.runtime-url=http://localhost:7700
spring.jamjet.approval.enabled=true   # opt-in human-in-the-loop approval

Crash recovery, event sourcing, and a REST endpoint to approve or reject held actions. Falls back gracefully if the runtime is unreachable.

Prefer no sidecar at all? JamJet Java Runtime embeds durable execution directly in your JVM process: Java 21, no Docker, 8.9× faster than calling out to a REST sidecar (benchmark and launch post). Works with Spring AI, LangChain4j, and Google ADK.

→ See a Spring Boot agent survive kill -9 mid-run in examples/loan-underwriter-agent: resumes from disk checkpoints, gates disbursement on human approval, emits a signed receipt bundle.

The same policy, everywhere

Every agent toolchain is inventing its own safety layer. JamJet gives you one policy file and one audit trail across all of them.

Adapter Install Host
@jamjet/claude-code-hook npm i -g @jamjet/claude-code-hook Claude Code PreToolUse hook
@jamjet/mcp-shim npx -y @jamjet/mcp-shim ... Any MCP client (Claude Desktop, Cursor, …)
@jamjet/openai-guardrail npm i @jamjet/openai-guardrail OpenAI Agents SDK tool guardrail (TS)
jamjet.integrations.openai_guardrail pip install jamjet OpenAI Agents SDK tool guardrail (Python)
jamjet pip install jamjet Python SDK + runtime
dev.jamjet:jamjet-spring-boot-starter Maven / Gradle Spring AI ChatClient advisors
@jamjet/cloud npm i @jamjet/cloud TypeScript SDK + shared engine
@jamjet/cli npm i -g @jamjet/cli Unified jamjet audit show / jamjet approve

All adapters load the same policy.yaml. All emit conformant audit JSONL to ~/.jamjet/audit/. Run jamjet audit show to tail every decision across every adapter in one chronological view.

JamJet does not replace the hook points these platforms give you. It makes them do more: Claude Code's PreToolUse hook gets a real policy engine, approval flow, and audit trail, and the same rules carry unchanged to OpenAI Agents SDK, MCP clients, Spring AI, and your own Python or TypeScript code.

One policy, every adapter

# ~/.jamjet/policy.yaml
version: 1
rules:
  - { match: "*delete*", action: block }
  - { match: "payments.*", action: require_approval }
  - { match: "shell.exec", action: block }

Drop this file in ~/.jamjet/. Every adapter listed above uses it automatically.

Prompts are not a security boundary. The runtime is.

→ Read When AI Deletes the Database for why this is a runtime architecture problem, not a model problem. → See the deeper durability demo at jamjet.dev/demo for what happens when an agent crashes mid-tool-call.

Policy in your own code

Drop a policy beside your agent code. The runtime intercepts any matching tool call before it leaves the agent's process: blocked_tools are refused outright, require_approval_for pauses execution durably and waits for an out-of-band decision. Crashes don't lose the approval; execution resumes when it arrives.

# workflow.yaml
policy:
  blocked_tools:
    - "*delete*"
    - "payments.refund"
  require_approval_for:
    - "database.*"
    - "payment.transfer"
    - "user.suspend"

Python, with the hosted control plane:

import jamjet
jamjet.cloud.configure(api_key="jj_...", project="my-agent")
jamjet.cloud.policy("block", "*delete*")
jamjet.cloud.policy("require_approval", "database.*")
# Every OpenAI / Anthropic call in this process is now policy-gated.

→ Runnable approval workflow in examples/hitl-approval · Cloud Quickstart

Where JamJet sits

            Your Agent / Framework
   (LangChain · CrewAI · ADK · custom · MCP client)
                     │
                     ▼
  ┌───────────────────────────────────────────────┐
  │            JamJet Safety Layer                │
  │   policy · approval · budget · audit · replay  │
  └───────────────────────────────────────────────┘
                     │
                     ▼
        Tools · MCP servers · APIs · DBs · Agents

Use JamJet when your agent can…

  • call MCP servers or arbitrary tools
  • write to a database
  • send emails or Slack messages
  • trigger payments or external API calls
  • access customer data or PII
  • run for minutes/hours and needs to survive crashes
  • spend real model budget at scale
  • delegate to other agents

What JamJet adds

Without JamJet With JamJet
Agent crashes lose progress Resume from the last checkpoint
Tool calls rely on scattered app logic Runtime policy blocks unsafe actions
Human approval is custom glue Approval is a durable workflow step
Costs are discovered after the bill Budgets enforced per agent / per run
Audit evidence is stitched from logs Append-only event log, signed export
Memory is framework-specific Pair with Engram for portable memory (MCP · REST · Python · Java)
Frameworks stay siloed MCP + A2A connect tools and agents

A full runtime underneath

The safety layer runs on a durable, event-sourced execution engine. When you want more than enforcement, it's already there:

  • Durable execution. Event log, snapshots, crash recovery, deterministic replay. agent.run_durable(...) in examples/react-agent-durable.
  • Sessions and memory. Persistent Session threads across runs and restarts, with a governed Engram retrieve/record loop. examples/session-memory.
  • Multi-agent. Sequential, Parallel, coordinator Team, and Loop; each sub-agent runs as its own governed durable execution. examples/team-multi-agent. Declare whole fleets in YAML with cron schedules: examples/fleet.
  • Evaluation. Batch eval with LLM-judge scoring (examples/eval-harness) and trajectory regression diffs (examples/trajectory-eval).
  • Deploy. agent.deploy(runtime="local" | "self-host" | "cloud") ships the same compiled IR to any runtime. examples/deploy-an-agent.
  • Dev loop. jamjet create scaffolds a project; jamjet dev runs the whole local stack with one command.
  • Web Companion. A UI embedded in the runtime binary: graph view, timeline, state inspector, replay and fork controls.

Works with your stack, not a replacement

JamJet does not replace LangChain, LangGraph, CrewAI, Google ADK, Spring AI, or your custom agent code. Use those to build agent behavior. Use JamJet to control what happens at runtime.

You're using Keep it for JamJet adds
LangChain · LangGraph · CrewAI · Google ADK · AutoGen Authoring agent behavior Runtime safety: policy, audit, replay, approvals
LangSmith · Arize · Weights & Biases Observability and evaluation Active enforcement (block at runtime) + durable recovery
Temporal · Orkes · DBOS General durable workflows Agent-native primitives: policy on tool calls, MCP/A2A, memory
Google · AWS · Azure agent platforms Cloud-native ecosystems Open-source, cloud-neutral governance that works on-prem

Want to build the official integration for your framework? Claim a slot: 8 slots open, the first 10 merged contributors get JamJet swag.

Examples

Example What it shows
01-block-unsafe-tool A destructive tool call blocked before execution
hitl-approval Human approval as a first-class workflow primitive
react-agent-durable A ReAct agent on the durable engine: event log, replay, park-on-429
team-multi-agent Multi-agent Teams, each sub-agent its own governed run
loan-underwriter-agent Spring Boot agent that survives kill -9 and gates on human approval
claims-processing Insurance pipeline: 4 specialist agents + HITL + audit
eval-harness Batch evaluation with LLM judge scoring

All 33 examples

Engram

Engram is the JamJet ecosystem's memory layer for agents. Where JamJet provides durable execution (process can crash and resume), Engram provides durable memory (facts persist across runs and version cleanly via supersede()). Temporal knowledge graph, hybrid retrieval, conflict detection. Ships as a Rust crate (also bundled into the Rust runtime above), an MCP server (Docker · GHCR), a standalone Python library (github.com/jamjet-labs/engram, 71% on LongMemEval-S), a Python client for the MCP server, and a Spring AI ChatMemoryRepository. Comparison with Mem0/Zep → java-ai-memory.dev.

Architecture

Stack diagram
┌──────────────────────────────────────────────────────────┐
│                     Authoring Layer                       │
│    Python SDK  |  Java SDK  |  TypeScript SDK  |  YAML     │
├──────────────────────────────────────────────────────────┤
│                 Compilation / Validation                   │
│           Graph IR  |  Schema  |  Policy lint             │
├────────────────────────────┬─────────────────────────────┤
│      Rust Runtime Core     │      Protocol Layer          │
│  Scheduler  |  State SM    │  MCP Client  |  MCP Server   │
│  Event log  |  Snapshots   │  A2A Client  |  A2A Server   │
│  Workers    |  Timers      │                              │
├────────────────────────────┴─────────────────────────────┤
│                    Enterprise Services                     │
│  Policy  |  Audit  |  PII Redaction  |  OAuth  |  mTLS     │
├──────────────────────────────────────────────────────────┤
│                      Runtime Services                      │
│  Model Adapters  |  Tool Execution  |  Engram Memory      │
├──────────────────────────────────────────────────────────┤
│                         Storage                           │
│           Postgres (production)  |  SQLite (local)        │
└──────────────────────────────────────────────────────────┘

"Engram Memory" here is the in-process distribution bundled with the Rust runtime. Engram also ships standalone; see Engram.

Documentation

Full docs at jamjet.dev

Quickstart · Concepts · Python SDK · Java SDK · YAML Workflows · REST API · MCP · A2A · Eval · Enterprise · Observability · CLI · Deployment

Contributing

Contributions welcome. See CONTRIBUTING.md.

Looking for a starter task?

Community

GitHub Discussions · Issues · Discord

License

Apache 2.0. See LICENSE.


Hosted control plane available at app.jamjet.dev: traces, approval queue, audit retention, team projects. Optional. The runtime, all SDKs, and Engram are Apache-2.0 with no usage limits.

⭐ Star JamJet if you believe agents need a runtime safety layer

Built by Sunil Prakash · © 2026 JamJet Labs · jamjet.dev · Apache 2.0