JamJet · Agent Action Control Prove what every agent was allowed to do

Prove every
agent action.

jamjet.recorder · research-pipeline 00:00 / 00:09
scheduler Plan Research Analyze Review Synthesize

ready

the tape · tool calls
  1. 14:22:01 fs.read_corpus ALLOW
  2. 14:22:02 web.fetch ALLOW
  3. 14:22:03 db.drop_user BLOCKED
  4. 14:22:06 github.merge REQUIRES APPROVAL

That's one agent run, played back. It read files. It tried to drop a users table — blocked. It crashed mid-analysis — recovered. It asked to merge to production — held for a human, then signed. Drag the scrubber: every call is policy-checked, recoverable, and written to a receipt anyone can verify, independent of your agent framework.

Not another agent framework. The action-control layer that sits underneath them. Keep LangGraph, CrewAI, Claude Code, MCP, OpenAI Agents SDK, or Spring AI — add JamJet where tool calls need policy, approval, and audit.

From the lab behind the Engram memory benchmarks and the AIP agent-identity work — see research.

Engram · 88.8% on LongMemEval-S (proxy benchmark) · AIP · agent identity + delegation chains (arXiv draft) · AgentBoundary v0.1 · open spec for AI action proof · public

See every adapter ↓ Get started in 60s Run conformance →

Already shipping in production? Try JamJet Cloud free.

$ pip install jamjet
What just happened

Three moments on that tape.
Three things JamJet did.

  1. blocked It tried to drop a users table.

    db.drop_user hit a destructive-data policy and never executed. The attempt is recorded, not lost.

  2. recovered The Analyze worker crashed.

    The scheduler reclaimed the lease and resumed from the last checkpoint. Completed steps stayed completed. Zero events lost.

  3. signed A merge to production waited for a human.

    github.merge required approval. Once a person said yes, the action ran and was sealed into a receipt anyone can verify.

How a call gets on the tape
merge.py 
from jamjet import gate

@gate("github.merge", require_approval=True)
def merge_pr(repo: str, pr: int) -> str:
    return github.merge(repo, pr)
pip install jamjet · one decorator puts the call on the tape, with the same policy across Claude Code, MCP, OpenAI Agents SDK, Spring AI
Why we built it

Most of what breaks an AI agent in the real world isn’t model quality. It’s the boring stuff: a worker dies, a tool gets called wrong, a budget runs out, an audit team asks what happened. We built JamJet to make those things controllable, recordable, and recoverable — without forcing you to abandon LangGraph or CrewAI or whatever’s already working.

The runtime sits between your agent and everything it touches. Models, tools, memory, other agents — every interaction passes through a layer that can block, wait, record, and resume. Open source. Apache 2.0. Cloud-neutral.

How it fits with what you use →

Every source the recorder captures

Every agent toolchain is inventing its own safety layer.
JamJet gives you one.

One policy.yaml in ~/.jamjet/. Every adapter below loads it and emits conformant audit JSONL. Run jamjet audit show to tail every decision, from every source, on one tape.

We respect the platforms we plug into. Claude Code gave developers a hook point — JamJet gives that hook point a policy engine, approval flow, and audit trail, and carries the same rules to OpenAI Agents SDK, MCP, and your own code.

What the recorder catches

Six failure modes.
Six gates.

Other tools observe what agents do. JamJet actively prevents unsafe behavior, recovers from failures, and creates audit evidence — at the runtime layer.

  1. 01
    Lost progress

    A worker dies mid-run. JamJet replays the event log and resumes at the failed node.

  2. 02
    Unsafe tool

    An agent reaches for a tool it shouldn’t. The 4-level policy hierarchy blocks the call before execution.

  3. 03
    Skipped approval

    A high-risk action waits for a human. The run survives restarts. The decision lands in audit.

  4. 04
    Runaway cost

    A reflection loop won’t stop spending. The runtime halts the loop before it crosses the cap.

  5. 05
    Missing audit

    Compliance asks what happened. Every decision is in a signed, exportable evidence package.

  6. 06
    Forgotten context

    The agent forgets across sessions. Engram surfaces durable facts — not raw chat history.

See each failure mode in action →
The difference

Why not just use logs?

Logs

  • what happened after the fact
  • unsigned
  • unstructured
  • agent-trusted

JamJet receipts

  • whether the action was allowed before it happened
  • signed, verifiable by anyone
  • conformant schema (AgentBoundary v0.1)
  • agent-independent

Tracing tools (LangSmith, Helicone, Langfuse) show you what your agent did. JamJet decides what it's allowed to do — and signs the receipt either way.

Production isn’t a milestone. It’s the moment your code has to defend itself.

— a thing every serious engineer has learned the hard way
Same runtime guarantees, two languages

Write Python or Java.
JamJet handles replay, policy, and recovery.

pipeline.py Python 
from jamjet import task, workflow, approval

@task(model="claude-sonnet-4-6", max_cost=0.50)
async def analyze(data: dict) -> Report:
    """checkpointed, cost-capped"""

@workflow
async def pipeline(raw):
    report = await analyze(raw)     # crash-safe
    await approval(report)          # durable pause
    return await publish(report)
Pipeline.java Java 
Agent analyst = Agent.builder()
    .name("analyst")
    .model("claude-sonnet-4-6")
    .strategy(Strategy.REFLECTION)
    .maxCost(0.50)                   // budget enforced
    .build();

WorkflowGraph pipeline = WorkflowGraph.builder()
    .node(analyst)                    // crash-safe
    .node(ApprovalGate.create())     // durable pause
    .node(publisher)
    .build();

Both compile to the same IR and run on the same Rust runtime. Java has its own native runtime too — zero sidecar, virtual threads, 8.9× faster than the REST sidecar in our benchmark.

When the team needs the cockpit

JamJet Cloud

The hosted control plane for agent runs. Trace timeline, policy violations, approval queue, cost guardrails, audit export, hosted Engram — across your team.

View Cloud Sign up free
Need memory first?

Start with Engram.

Open-source memory for MCP-native AI agents. Fact extraction, conflict detection, hybrid retrieval, consolidation. Use it standalone with Claude, Cursor, or any MCP client.

Add memory Source

We don’t replace your framework. We sit underneath it, like a seatbelt.

— the design intent, in one sentence
Running log

What we shipped lately.

  1. Models keep getting better and agents keep breaking in production. The bottleneck was never intelligence. It is execution reliability, and that is a runtime problem.

    read →

  2. AgentBoundary v0.1 conformance suite, 40 deterministic tests, four vendors. Per-vendor mapping and per-scenario verdicts in the public adapters/ tree. Run it yourself in 60 seconds.

    read →

  3. Curate a handful of traces, draft a policy, replay it against the curated set, and read a per-event verdict diff before any agent runs the rule in production.

    read →

  4. JamJet 0.8.1 (Python) and @jamjet/cloud 0.2.2 (TypeScript) ship a runtime safety layer that intercepts an agent's tool calls before the tool function is invoked — and the four zero-setup demos prove the path.

    read →

  5. JamJet shipped a portable policy layer that runs the same safety rules across Claude Code hooks, OpenAI Agents SDK guardrails, MCP stdio traffic, and the JamJet Python/TS SDKs. One policy file. One audit trail.

    read →

  6. From PocketOS to Replit, AI agents are wiping production databases. Why this is a runtime problem -- not a model problem -- and the architecture pattern that prevents it.

    read →

Full blog →

Compared with: Temporal · Microsoft AGT · all integrations

Make agent runs
replayable, auditable,
and controlled.

$ pip install jamjet
Run the quickstart View JamJet Cloud GitHub

Apache 2.0 · Cloud-neutral · Framework-neutral · Built in Rust, Python, and Java.