agent-contracts is a deterministic guardrail library for agent tool calls and
outgoing responses. It is not a sandbox. Security reports should focus on cases
where the package claims to block or warn but fails under a reasonable sanitized
input.
The project is pre-1.0. Security fixes target main first. Release tags will
define supported versions once the package is published.
Useful security reports include:
- Secret patterns that should be caught but are missed.
- Dangerous paths that the default path guard should block but allows.
- Inputs that cause a contract to crash instead of returning a violation/pass.
- Packaging issues that ship different code from the repository.
- Documentation that materially overstates the security boundary.
Not security issues for this package:
- A tool performs unsafe behavior after
Registry.enforce_pre()allowed it. - A host application ignores
BlockedAction. - An agent sees secrets before the contract receives an
ActionContext. - A custom contract written by an application author is incomplete.
Those belong in the host application's sandboxing, authorization, credential scoping, or custom policy layer.
Use a private channel if the issue includes a live credential, exploit path, or
non-public system detail. Otherwise, open a GitHub issue with a sanitized minimal
ActionContext, expected behavior, and actual behavior.
Never paste real secrets into an issue. Replace them with same-shape test values.
Security fixes should include:
- A regression test that fails before the fix.
- A narrow contract or pattern change.
- Documentation updates if the threat model or recovery guidance changed.