JamJet

The action-control plane for AI agents. One policy file. One audit trail. Across hooks, guardrails, MCP gateways, SDKs, and custom runtimes.

jamjet.dev · Quickstart · Docs · Examples · Blog · Discord

Write the safety policy once. Run it everywhere your agents can act.

JamJet sits underneath your agent — Claude Code, OpenAI Agents SDK, MCP clients, LangChain, CrewAI, ADK, custom code — and enforces what prompts cannot:

• 🛡️ Block unsafe tool calls at runtime (database deletes, payments, file writes)

• ✋ Pause for human approval on risky actions, durably

• 💸 Cap cost per agent, per run, per project

• 📒 Record an audit trail that survives a regulator's review

• ⏪ Replay or resume crashed runs from the last checkpoint

Keep your agent framework. Add JamJet where tool calls need control.

See it in 60 seconds

pip install jamjet
jamjet demo unsafe-tool-call

No API key. No Docker. No cloud account. The model is mocked; the enforcement path is real. Three more demos run the same way:

jamjet demo approval        # pause-for-approval flow
jamjet demo budget-cap      # $0.05 cost cap
jamjet demo mcp-tool-policy # MCP-shaped policy (preview of JamJet Gateway)

Works alongside Claude Code · OpenAI Agents SDK · MCP clients · LangChain · CrewAI · ADK · Spring AI · LangChain4j.

The same policy, everywhere

Every agent toolchain is inventing its own safety layer. JamJet gives you one policy file and one audit trail across all of them.

All adapters load the same policy.yaml. All emit conformant audit JSONL to ~/.jamjet/audit/. Run jamjet audit show to tail every decision across every adapter in one chronological view.

Respect the platforms you plug into. Claude Code gave developers a hook point — JamJet gives that hook point a real policy engine, approval flow, and audit trail, and the same rules carry to OpenAI Agents SDK, MCP, and your own Python/TS code. OpenAI Agents SDK has guardrails — JamJet lets you express the policy once and reuse it elsewhere. If your MCP gateway supports plugins, JamJet can be the policy brain; if not, the @jamjet/mcp-shim proxy fills the gap.

One policy, every adapter

# ~/.jamjet/policy.yaml
version: 1
rules:
  - { match: "*delete*", action: block }
  - { match: "payments.*", action: require_approval }
  - { match: "shell.exec", action: block }

Drop this file in ~/.jamjet/. Every adapter listed above uses it automatically.

Prompts are not a security boundary. The runtime is.

→ Read When AI Deletes the Database for why this is a runtime architecture problem, not a model problem. → See the deeper durability demo at jamjet.dev/demo for what happens when an agent crashes mid-tool-call.

Policy in your own code

Drop a policy beside your agent code. The runtime intercepts any matching tool call before it leaves the agent's process — blocked_tools are refused outright, require_approval_for pauses execution durably and waits for an out-of-band decision (crashes don't lose the approval; execution resumes when it arrives).

# workflow.yaml
policy:
  blocked_tools:
    - "*delete*"
    - "payments.refund"
  require_approval_for:
    - "database.*"
    - "payment.transfer"
    - "user.suspend"

Python, with the hosted control plane:

import jamjet
jamjet.cloud.configure(api_key="jj_...", project="my-agent")
jamjet.cloud.policy("block", "*delete*")
jamjet.cloud.policy("require_approval", "database.*")
# Every OpenAI / Anthropic call in this process is now policy-gated.

→ Runnable approval workflow in examples/hitl-approval · Cloud Quickstart

Where JamJet sits

            Your Agent / Framework
   (LangChain · CrewAI · ADK · custom · MCP client)
                     │
                     ▼
  ┌───────────────────────────────────────────────┐
  │            JamJet Safety Layer                │
  │   policy · approval · budget · audit · replay  │
  └───────────────────────────────────────────────┘
                     │
                     ▼
        Tools · MCP servers · APIs · DBs · Agents

Use JamJet when your agent can…

• call MCP servers or arbitrary tools

• write to a database

• send emails or Slack messages

• trigger payments or external API calls

• access customer data or PII

• run for minutes/hours and needs to survive crashes

• spend real model budget at scale

• delegate to other agents

What JamJet adds

Works with your stack — not a replacement

JamJet does not replace LangChain, LangGraph, CrewAI, Google ADK, Spring AI, or your custom agent code. Use those to build agent behavior. Use JamJet to control what happens at runtime.

Community-built integrations for LangChain, LlamaIndex, CrewAI, AutoGen, Pydantic-AI, DSPy, Spring AI, and LangChain4j live in jamjet-labs/jamjet-examples/integrations. Want to build the official integration for your framework? Claim a slot — first 10 merged contributors get JamJet swag.

Examples

→ All 19 examples · Community integrations · Build your own

Sub-products

Engram — the JamJet ecosystem's memory layer for agents. Where JamJet provides durable execution (process can crash and resume), Engram provides durable memory (facts persist across runs and version cleanly via supersede()). Temporal knowledge graph, hybrid retrieval, conflict detection. Ships as a Rust crate (also bundled into the Rust runtime above), an MCP server (Docker · GHCR), a standalone Python library (github.com/jamjet-labs/engram, 71% on LongMemEval-S), a Python client for the MCP server, and a Spring AI ChatMemoryRepository. Comparison with Mem0/Zep → java-ai-memory.dev.

JamJet Java Runtime — embeds durable execution directly in your JVM, no Docker or sidecar, 8.9× faster than calling out to one. Works with Spring AI, LangChain4j, and Google ADK. → Launch post.

Architecture

┌──────────────────────────────────────────────────────────┐
│                     Authoring Layer                       │
│     Python SDK  |  Java SDK  |  Go SDK (planned)  |  YAML  │
├──────────────────────────────────────────────────────────┤
│                 Compilation / Validation                   │
│           Graph IR  |  Schema  |  Policy lint             │
├────────────────────────────┬─────────────────────────────┤
│      Rust Runtime Core     │      Protocol Layer          │
│  Scheduler  |  State SM    │  MCP Client  |  MCP Server   │
│  Event log  |  Snapshots   │  A2A Client  |  A2A Server   │
│  Workers    |  Timers      │                              │
├────────────────────────────┴─────────────────────────────┤
│                    Enterprise Services                     │
│  Policy  |  Audit  |  PII Redaction  |  OAuth  |  mTLS     │
├──────────────────────────────────────────────────────────┤
│                      Runtime Services                      │
│  Model Adapters  |  Tool Execution  |  Engram Memory      │
├──────────────────────────────────────────────────────────┤
│                         Storage                           │
│           Postgres (production)  |  SQLite (local)        │
└──────────────────────────────────────────────────────────┘

"Engram Memory" here is the in-process distribution bundled with the Rust runtime. Engram also ships standalone — see Sub-products.

Documentation

Full docs at jamjet.dev

Quickstart · Concepts · Python SDK · Java SDK · YAML Workflows · REST API · MCP · A2A · Eval · Enterprise · Observability · CLI · Deployment

Contributing

Contributions welcome — see CONTRIBUTING.md.

Looking for a starter task?

• Build a framework integration — 8 slots open, first 10 contributors get JamJet swag

• Browse good first issues

• Join the conversation in Discord

Community

GitHub Discussions · Issues · Discord

License

Apache 2.0 — see LICENSE.

Hosted control plane available at app.jamjet.dev — traces, approval queue, audit retention, team projects. Optional. The runtime, both SDKs, and Engram are Apache-2.0 with no usage limits.

⭐ Star JamJet if you believe agents need a runtime safety layer

Built by Sunil Prakash · © 2026 JamJet Labs · jamjet.dev · Apache 2.0