Rulebound
Deterministic guardrails for AI coding agents: policy-as-code that runs the deterministic part of code review (AST checks, regex, diff analysis) against agent plans, diffs, and evidence. Its .rulebound/rules/ and docs/threat-model/ are directly reusable for agent QA.
View source on GitHubKey takeaways
- 01
'Do not trust the agent' - verify plan, diff, and evidence deterministically
- 02
Rule files as review gates make agent policy versionable
- 03
Ships an actual threat model for agentic coding
Flows built on this research
Harness Engineering
Rule-File Code Review Gates
Run deterministic policy checks on everything your agent produces: rule files reviewing plans, diffs, and evidence before anything merges.
4 steps · 60-90 minutes
Agent QA & Security
Threat-Model Your MCP Server
Systematically threat-model an MCP server before it is exploited: assets, entry points, trust boundaries, and mitigations documented and tested.
4 steps · 90-120 minutes
Agent QA & Security
Release Gates for Agent-Generated Code
Put agent output through a real merge gate: automated review, tests, security scans, and human sign-off proportional to risk.
4 steps · 60-90 minutes
Agent QA & Security
Dependency and Supply-Chain Scanning for Agents
Guard against the dependencies your agent adds: vulnerability scanning, hallucinated-package detection, and gated installs.
4 steps · 60-90 minutes
Agent QA & Security
Secrets Hygiene in Agent Logs
Keep credentials out of prompts, tool outputs, logs, and traces: detection, redaction, and safe handling across the whole agent pipeline.
4 steps · 60-90 minutes
From the archive
Verbatim excerpts mined from our local archive of this repository — the prompts, schemas, and patterns worth stealing.
NOT_APPLICABLE instead of silent pass in agent gates
Rulebound does NOT run analyzers by default unless --allow-commands is passed; otherwise it reads report files. When run: is set on an analyzer check and the flag is omitted, Rulebound returns NOT_APPLICABLE for that check - it does not silently pass and it does not invoke arbitrary commands behind your back. The default mode is "CI (or you) runs the analyzer, Rulebound reads its report".
Two safety principles in one paragraph: never let a skipped check read as a passed check, and never let a rules engine execute subprocesses without explicit opt-in.
docs/analyzer-orchestration.md
Deterministic MCP tools as the authoritative pass/fail surface
run_deterministic_checks: Run authoritative deterministic checks (file-exists, regex, diff-evidence, forbidden-import, ast, command, analyzer, agent-process) defined in rules' checks: blocks against the working tree. This is the source of truth for rule compliance - unlike validate_plan which is advisory. Returns rule statuses, blocking count, and the first 5 violations with file/line evidence. Use this after writing code, before committing, and inside a repair loop.
The verify-gate idea as an MCP tool: agents get a deterministic source of truth for 'did my code actually comply', separate from advisory LLM judgment.
apps/web/content/docs/mcp/deterministic-tools.ts