Skip to content
Flows
Tier 5 · MCP & tool frameworks MCP & tooling · fetched 2026-07-02

Rulebound

Deterministic guardrails for AI coding agents: policy-as-code that runs the deterministic part of code review (AST checks, regex, diff analysis) against agent plans, diffs, and evidence. Its .rulebound/rules/ and docs/threat-model/ are directly reusable for agent QA.

View source on GitHub

Key takeaways

  • 01

    'Do not trust the agent' - verify plan, diff, and evidence deterministically

  • 02

    Rule files as review gates make agent policy versionable

  • 03

    Ships an actual threat model for agentic coding

Flows built on this research

From the archive

Verbatim excerpts mined from our local archive of this repository — the prompts, schemas, and patterns worth stealing.

Agent pattern

NOT_APPLICABLE instead of silent pass in agent gates

Rulebound does NOT run analyzers by default unless --allow-commands is passed; otherwise it reads report files. When run: is set on an analyzer check and the flag is omitted, Rulebound returns NOT_APPLICABLE for that check - it does not silently pass and it does not invoke arbitrary commands behind your back. The default mode is "CI (or you) runs the analyzer, Rulebound reads its report".

Two safety principles in one paragraph: never let a skipped check read as a passed check, and never let a rules engine execute subprocesses without explicit opt-in.

docs/analyzer-orchestration.md

MCP & tools

Deterministic MCP tools as the authoritative pass/fail surface

run_deterministic_checks: Run authoritative deterministic checks (file-exists, regex, diff-evidence, forbidden-import, ast, command, analyzer, agent-process) defined in rules' checks: blocks against the working tree. This is the source of truth for rule compliance - unlike validate_plan which is advisory. Returns rule statuses, blocking count, and the first 5 violations with file/line evidence. Use this after writing code, before committing, and inside a repair loop.

The verify-gate idea as an MCP tool: agents get a deterministic source of truth for 'did my code actually comply', separate from advisory LLM judgment.

apps/web/content/docs/mcp/deterministic-tools.ts