Runtime enforcement for AI agents. Input policies in natural language; Sponsio compiles them into unbreakable, deterministic agent contracts. Enforced under 0.01ms, zero LLM runtime cost, covers all 10 OWASP Agentic risks. Works with LangChain, Claude Agent, OpenAI Agents, Google ADK, CrewAI, Vercel AI, MCP, or any custom tool-calling loop, in Python or TypeScript.
An agent contract is a runtime check at every agent action, backed by formal methods. It is NOT a system prompt your agent can ignore or jailbreak.
On ODCV-Bench (a third-party benchmark from McGill DMaS covering 12 frontier LLMs × 80 trajectories, Claude-Opus-4.6 included), unguarded models cheat in 11.5%–66.7% of runs. With Sponsio, 84.5% of misalignment is blocked on average, while the next-best publicly announced runtime guardrail (Salus, YC W26) reaches 52% on the same benchmark. On the Financial-Audit-Fraud-Finding scenario, frontier models commit fraud in 16/24 trials; Sponsio blocks 100%. On RedCode-Exec (1,410 cases), Sponsio reaches 92% combined (bash 95% · python 90%) with 0% utility FP across a 60-file clean-code audit.
Hot path p50 0.139 ms on the ODCV mandated workload, 5,000×–60,000× faster than any LLM-as-judge guardrail (gpt-4o-mini, Lakera Guard, OpenAI Moderation all run at 50–800 ms per check), with zero LLM cost in the hot path. p99 stays under 1.04 ms across every measured workload.
See the full benchmark methodology and per-model breakdown, how Sponsio compares against prompt filters, output validators, LLM-as-judge, and sandboxing, or dive into the architecture and formal methods primer.
A single prompt or a 2-line CLI command gets you onboarded.
Paste into Claude Code / Codex / Cursor. The agent walks the full onboarding flow:
Or run the CLI yourself:
pip install sponsio # or: npm install -D @sponsio/sdk
sponsio init . # interactive wizard: detects framework, IDE hosts, observe vs enforceThe wizard writes sponsio.yaml and prints a 2-line patch. For example, LangGraph:
from sponsio.langgraph import Sponsio
from langgraph.prebuilt import create_react_agent
guard = Sponsio(config="sponsio.yaml", agent_id="coding_agent")
agent = create_react_agent(model, guard.wrap(tools))sponsio init auto-detects your framework and prints the right wrap snippet. For manual wiring, see all supported integrations. OpenClaw users get bundled ClawHavoc and CVE-2026-25253 coverage out of the box. For config reference, observe → enforce flip, sponsio refresh, and CI wiring, see the full walkthrough.
Sixteen contract bundles ship out of the box, organized by tier (always-on / per-tool / per-incident). Each bundle is a YAML pack composed from Sponsio's 44 deterministic patterns (stochastic atoms ship in Sponsio Cloud). Drop one into sponsio.yaml and your agent is guarded against a known failure class in one line, with no per-contract authoring.
# sponsio.yaml: one-line bundle inclusion
agents:
my_agent:
workspace: "/srv/my-bot"
include:
- sponsio:core/runaway # always-on
- sponsio:core/universal # always-on
- sponsio:capability/shell # if your agent runs commands
- sponsio:capability/filesystem # if your agent touches filessponsio init auto-selects tier-0 bundles based on your detected tool inventory. You can disable or retune individual rules via customized: (targeting by desc, pack_source, or pattern) without forking the pack.
See the full bundle reference for all 16 bundles, or the 44 underlying patterns for the primitives they compose. Want a bundle for your agent type? That's currently the highest-leverage way to contribute. Open an issue with your incident, CVE, or pattern.
Patches, issue reports, and new pattern proposals are welcome. Start with CONTRIBUTING.md. Sponsio's threat model draws on public security research; e.g. Simon Willison's "Lethal Trifecta" shaped our multi-tool composition contracts. Have a threat model we should defend against? Open an issue.
Apache 2.0 (LICENSE). Sponsio Cloud (pip install sponsio[cloud]) opens mid-May 2026 with the managed LLM-judge pipeline, cross-customer pattern intelligence, and hosted multi-tenant dashboard; the OSS / Cloud boundary is documented.
AI agents reading this repo: llms.txt lists canonical doc paths; llms-full.txt is the concatenated full context dump.