The action-control plane for AI agents. One policy file. One audit trail. Across hooks, guardrails, MCP gateways, SDKs, and custom runtimes.
jamjet.dev · Quickstart · Docs · Examples · Blog · Discord
Write the safety policy once. Run it everywhere your agents can act.
JamJet sits underneath your agent (Claude Code, OpenAI Agents SDK, MCP clients, LangChain, CrewAI, ADK, Spring AI, custom code) and enforces what prompts cannot:
- 🛡️ Block unsafe tool calls at runtime: database deletes, payments, file writes
- ✋ Pause for human approval on risky actions, durably
- 💸 Cap cost per agent, per run, per project
- 📒 Record an audit trail that survives a regulator's review
- ⏪ Replay or resume crashed runs from the last checkpoint
Keep your agent framework. Add JamJet where tool calls need control.
pip install jamjet
jamjet demo unsafe-tool-callNo API key. No Docker. No cloud account. The model is mocked; the enforcement path is real. Three more demos run the same way:
jamjet demo approval # pause-for-approval flow
jamjet demo budget-cap # $0.05 cost cap
jamjet demo mcp-tool-policy # MCP-shaped policy (preview of JamJet Gateway)Works alongside Claude Code · OpenAI Agents SDK · MCP clients · LangChain · CrewAI · ADK · Spring AI · LangChain4j.
Spring AI and LangChain4j teams get the same layer without writing glue code. The Spring Boot starter auto-injects JamJet advisors into your ChatClient: every call becomes durable and audited, with no changes to your application code.
<dependency>
<groupId>dev.jamjet</groupId>
<artifactId>jamjet-spring-boot-starter</artifactId>
<version>0.1.0</version>
</dependency>spring.jamjet.runtime-url=http://localhost:7700
spring.jamjet.approval.enabled=true # opt-in human-in-the-loop approvalCrash recovery, event sourcing, and a REST endpoint to approve or reject held actions. Falls back gracefully if the runtime is unreachable.
Prefer no sidecar at all? JamJet Java Runtime embeds durable execution directly in your JVM process: Java 21, no Docker, 8.9× faster than calling out to a REST sidecar (benchmark and launch post). Works with Spring AI, LangChain4j, and Google ADK.
→ See a Spring Boot agent survive kill -9 mid-run in examples/loan-underwriter-agent: resumes from disk checkpoints, gates disbursement on human approval, emits a signed receipt bundle.
Every agent toolchain is inventing its own safety layer. JamJet gives you one policy file and one audit trail across all of them.
| Adapter | Install | Host |
|---|---|---|
@jamjet/claude-code-hook |
npm i -g @jamjet/claude-code-hook |
Claude Code PreToolUse hook |
@jamjet/mcp-shim |
npx -y @jamjet/mcp-shim ... |
Any MCP client (Claude Desktop, Cursor, …) |
@jamjet/openai-guardrail |
npm i @jamjet/openai-guardrail |
OpenAI Agents SDK tool guardrail (TS) |
jamjet.integrations.openai_guardrail |
pip install jamjet |
OpenAI Agents SDK tool guardrail (Python) |
jamjet |
pip install jamjet |
Python SDK + runtime |
dev.jamjet:jamjet-spring-boot-starter |
Maven / Gradle | Spring AI ChatClient advisors |
@jamjet/cloud |
npm i @jamjet/cloud |
TypeScript SDK + shared engine |
@jamjet/cli |
npm i -g @jamjet/cli |
Unified jamjet audit show / jamjet approve |
All adapters load the same policy.yaml. All emit conformant audit JSONL to ~/.jamjet/audit/. Run jamjet audit show to tail every decision across every adapter in one chronological view.
JamJet does not replace the hook points these platforms give you. It makes them do more: Claude Code's PreToolUse hook gets a real policy engine, approval flow, and audit trail, and the same rules carry unchanged to OpenAI Agents SDK, MCP clients, Spring AI, and your own Python or TypeScript code.
# ~/.jamjet/policy.yaml
version: 1
rules:
- { match: "*delete*", action: block }
- { match: "payments.*", action: require_approval }
- { match: "shell.exec", action: block }Drop this file in ~/.jamjet/. Every adapter listed above uses it automatically.
Prompts are not a security boundary. The runtime is.
→ Read When AI Deletes the Database for why this is a runtime architecture problem, not a model problem. → See the deeper durability demo at jamjet.dev/demo for what happens when an agent crashes mid-tool-call.
Drop a policy beside your agent code. The runtime intercepts any matching tool call before it leaves the agent's process: blocked_tools are refused outright, require_approval_for pauses execution durably and waits for an out-of-band decision. Crashes don't lose the approval; execution resumes when it arrives.
# workflow.yaml
policy:
blocked_tools:
- "*delete*"
- "payments.refund"
require_approval_for:
- "database.*"
- "payment.transfer"
- "user.suspend"Python, with the hosted control plane:
import jamjet
jamjet.cloud.configure(api_key="jj_...", project="my-agent")
jamjet.cloud.policy("block", "*delete*")
jamjet.cloud.policy("require_approval", "database.*")
# Every OpenAI / Anthropic call in this process is now policy-gated.→ Runnable approval workflow in examples/hitl-approval · Cloud Quickstart
Your Agent / Framework
(LangChain · CrewAI · ADK · custom · MCP client)
│
▼
┌───────────────────────────────────────────────┐
│ JamJet Safety Layer │
│ policy · approval · budget · audit · replay │
└───────────────────────────────────────────────┘
│
▼
Tools · MCP servers · APIs · DBs · Agents
- call MCP servers or arbitrary tools
- write to a database
- send emails or Slack messages
- trigger payments or external API calls
- access customer data or PII
- run for minutes/hours and needs to survive crashes
- spend real model budget at scale
- delegate to other agents
| Without JamJet | With JamJet |
|---|---|
| Agent crashes lose progress | Resume from the last checkpoint |
| Tool calls rely on scattered app logic | Runtime policy blocks unsafe actions |
| Human approval is custom glue | Approval is a durable workflow step |
| Costs are discovered after the bill | Budgets enforced per agent / per run |
| Audit evidence is stitched from logs | Append-only event log, signed export |
| Memory is framework-specific | Pair with Engram for portable memory (MCP · REST · Python · Java) |
| Frameworks stay siloed | MCP + A2A connect tools and agents |
The safety layer runs on a durable, event-sourced execution engine. When you want more than enforcement, it's already there:
- Durable execution. Event log, snapshots, crash recovery, deterministic replay.
agent.run_durable(...)inexamples/react-agent-durable. - Sessions and memory. Persistent
Sessionthreads across runs and restarts, with a governed Engram retrieve/record loop.examples/session-memory. - Multi-agent.
Sequential,Parallel, coordinatorTeam, andLoop; each sub-agent runs as its own governed durable execution.examples/team-multi-agent. Declare whole fleets in YAML with cron schedules:examples/fleet. - Evaluation. Batch eval with LLM-judge scoring (
examples/eval-harness) and trajectory regression diffs (examples/trajectory-eval). - Deploy.
agent.deploy(runtime="local" | "self-host" | "cloud")ships the same compiled IR to any runtime.examples/deploy-an-agent. - Dev loop.
jamjet createscaffolds a project;jamjet devruns the whole local stack with one command. - Web Companion. A UI embedded in the runtime binary: graph view, timeline, state inspector, replay and fork controls.
JamJet does not replace LangChain, LangGraph, CrewAI, Google ADK, Spring AI, or your custom agent code. Use those to build agent behavior. Use JamJet to control what happens at runtime.
| You're using | Keep it for | JamJet adds |
|---|---|---|
| LangChain · LangGraph · CrewAI · Google ADK · AutoGen | Authoring agent behavior | Runtime safety: policy, audit, replay, approvals |
| LangSmith · Arize · Weights & Biases | Observability and evaluation | Active enforcement (block at runtime) + durable recovery |
| Temporal · Orkes · DBOS | General durable workflows | Agent-native primitives: policy on tool calls, MCP/A2A, memory |
| Google · AWS · Azure agent platforms | Cloud-native ecosystems | Open-source, cloud-neutral governance that works on-prem |
Want to build the official integration for your framework? Claim a slot: 8 slots open, the first 10 merged contributors get JamJet swag.
| Example | What it shows |
|---|---|
01-block-unsafe-tool |
A destructive tool call blocked before execution |
hitl-approval |
Human approval as a first-class workflow primitive |
react-agent-durable |
A ReAct agent on the durable engine: event log, replay, park-on-429 |
team-multi-agent |
Multi-agent Teams, each sub-agent its own governed run |
loan-underwriter-agent |
Spring Boot agent that survives kill -9 and gates on human approval |
claims-processing |
Insurance pipeline: 4 specialist agents + HITL + audit |
eval-harness |
Batch evaluation with LLM judge scoring |
Engram is the JamJet ecosystem's memory layer for agents. Where JamJet provides durable execution (process can crash and resume), Engram provides durable memory (facts persist across runs and version cleanly via supersede()). Temporal knowledge graph, hybrid retrieval, conflict detection. Ships as a Rust crate (also bundled into the Rust runtime above), an MCP server (Docker · GHCR), a standalone Python library (github.com/jamjet-labs/engram, 71% on LongMemEval-S), a Python client for the MCP server, and a Spring AI ChatMemoryRepository. Comparison with Mem0/Zep → java-ai-memory.dev.
Stack diagram
┌──────────────────────────────────────────────────────────┐
│ Authoring Layer │
│ Python SDK | Java SDK | TypeScript SDK | YAML │
├──────────────────────────────────────────────────────────┤
│ Compilation / Validation │
│ Graph IR | Schema | Policy lint │
├────────────────────────────┬─────────────────────────────┤
│ Rust Runtime Core │ Protocol Layer │
│ Scheduler | State SM │ MCP Client | MCP Server │
│ Event log | Snapshots │ A2A Client | A2A Server │
│ Workers | Timers │ │
├────────────────────────────┴─────────────────────────────┤
│ Enterprise Services │
│ Policy | Audit | PII Redaction | OAuth | mTLS │
├──────────────────────────────────────────────────────────┤
│ Runtime Services │
│ Model Adapters | Tool Execution | Engram Memory │
├──────────────────────────────────────────────────────────┤
│ Storage │
│ Postgres (production) | SQLite (local) │
└──────────────────────────────────────────────────────────┘
"Engram Memory" here is the in-process distribution bundled with the Rust runtime. Engram also ships standalone; see Engram.
Full docs at jamjet.dev
Quickstart · Concepts · Python SDK · Java SDK · YAML Workflows · REST API · MCP · A2A · Eval · Enterprise · Observability · CLI · Deployment
Contributions welcome. See CONTRIBUTING.md.
Looking for a starter task?
- Build a framework integration: 8 slots open, first 10 contributors get JamJet swag
- Browse good first issues
- Join the conversation in Discord
GitHub Discussions · Issues · Discord
Apache 2.0. See LICENSE.
Hosted control plane available at app.jamjet.dev: traces, approval queue, audit retention, team projects. Optional. The runtime, all SDKs, and Engram are Apache-2.0 with no usage limits.
Built by Sunil Prakash · © 2026 JamJet Labs · jamjet.dev · Apache 2.0
