The open-source safety layer for AI agents.
jamjet.dev · Quickstart · Docs · Examples · Blog · Discord
JamJet sits underneath your agent — LangChain, CrewAI, ADK, MCP servers, custom code — and enforces what prompts cannot:
- 🛡️ Block unsafe tool calls at runtime (database deletes, payments, file writes)
- ✋ Pause for human approval on risky actions, durably
- 💸 Cap cost per agent, per run, per project
- 📒 Record an audit trail that survives a regulator's review
- ⏪ Replay or resume crashed runs from the last checkpoint
Keep your agent framework. Add JamJet when tool calls need control.
pip install jamjet
jamjet demo unsafe-tool-callNo API key. No Docker. No cloud account. The model is mocked; the enforcement path is real. Three more demos run the same way:
jamjet demo approval # pause-for-approval flow
jamjet demo budget-cap # $0.05 cost cap
jamjet demo mcp-tool-policy # MCP-shaped policy (preview of JamJet Gateway)Works alongside LangChain · CrewAI · ADK · OpenAI Agents SDK · MCP tools.
Prompts are not a security boundary. The runtime is.
→ Read When AI Deletes the Database for why this is a runtime architecture problem, not a model problem. → See the deeper durability demo at jamjet.dev/demo for what happens when an agent crashes mid-tool-call.
Drop a policy beside your agent code. The runtime intercepts any matching tool call before it leaves the agent's process — blocked_tools are refused outright, require_approval_for pauses execution durably and waits for an out-of-band decision (crashes don't lose the approval; execution resumes when it arrives).
# workflow.yaml
policy:
blocked_tools:
- "*delete*"
- "payments.refund"
require_approval_for:
- "database.*"
- "payment.transfer"
- "user.suspend"Python, with the hosted control plane:
import jamjet
jamjet.cloud.configure(api_key="jj_...", project="my-agent")
jamjet.cloud.policy("block", "*delete*")
jamjet.cloud.policy("require_approval", "database.*")
# Every OpenAI / Anthropic call in this process is now policy-gated.→ Runnable approval workflow in examples/hitl-approval · Cloud Quickstart
Your Agent / Framework
(LangChain · CrewAI · ADK · custom · MCP client)
│
▼
┌───────────────────────────────────────────────┐
│ JamJet Safety Layer │
│ policy · approval · budget · audit · replay │
└───────────────────────────────────────────────┘
│
▼
Tools · MCP servers · APIs · DBs · Agents
- call MCP servers or arbitrary tools
- write to a database
- send emails or Slack messages
- trigger payments or external API calls
- access customer data or PII
- run for minutes/hours and needs to survive crashes
- spend real model budget at scale
- delegate to other agents
| Without JamJet | With JamJet |
|---|---|
| Agent crashes lose progress | Resume from the last checkpoint |
| Tool calls rely on scattered app logic | Runtime policy blocks unsafe actions |
| Human approval is custom glue | Approval is a durable workflow step |
| Costs are discovered after the bill | Budgets enforced per agent / per run |
| Audit evidence is stitched from logs | Append-only event log, signed export |
| Memory is framework-specific | Pair with Engram for portable memory (MCP · REST · Python · Java) |
| Frameworks stay siloed | MCP + A2A connect tools and agents |
JamJet does not replace LangChain, LangGraph, CrewAI, Google ADK, Spring AI, or your custom agent code. Use those to build agent behavior. Use JamJet to control what happens at runtime.
| You're using | Keep it for | JamJet adds |
|---|---|---|
| LangChain · LangGraph · CrewAI · Google ADK · AutoGen | Authoring agent behavior | Runtime safety: policy, audit, replay, approvals |
| LangSmith · Arize · Weights & Biases | Observability and evaluation | Active enforcement (block at runtime) + durable recovery |
| Temporal · Orkes · DBOS | General durable workflows | Agent-native primitives: policy on tool calls, MCP/A2A, memory |
| Google · AWS · Azure agent platforms | Cloud-native ecosystems | Open-source, cloud-neutral governance — works on-prem |
Community-built integrations for LangChain, LlamaIndex, CrewAI, AutoGen, Pydantic-AI, DSPy, Spring AI, and LangChain4j live in jamjet-labs/jamjet-examples/integrations. Want to build the official integration for your framework? Claim a slot — first 10 merged contributors get JamJet swag.
| Example | What it shows |
|---|---|
hitl-approval |
Human approval as a first-class workflow primitive |
coordinator-routing |
Dynamic agent routing with structured scoring |
claims-processing |
Insurance pipeline — 4 specialist agents + HITL + audit |
eval-harness |
Batch evaluation with LLM judge scoring |
mcp-tool-consumer |
Connect to external MCP tool servers |
→ All 19 examples · Community integrations · Build your own
Engram — the JamJet ecosystem's memory layer for agents. Where JamJet provides durable execution (process can crash and resume), Engram provides durable memory (facts persist across runs and version cleanly via supersede()). Temporal knowledge graph, hybrid retrieval, conflict detection. Ships as a Rust crate (also bundled into the Rust runtime above), an MCP server (Docker · GHCR), a standalone Python library (github.com/jamjet-labs/engram, 71% on LongMemEval-S), a Python client for the MCP server, and a Spring AI ChatMemoryRepository. Comparison with Mem0/Zep → java-ai-memory.dev.
JamJet Java Runtime — embeds durable execution directly in your JVM, no Docker or sidecar, 8.9× faster than calling out to one. Works with Spring AI, LangChain4j, and Google ADK. → Launch post.
Stack diagram
┌──────────────────────────────────────────────────────────┐
│ Authoring Layer │
│ Python SDK | Java SDK | Go SDK (planned) | YAML │
├──────────────────────────────────────────────────────────┤
│ Compilation / Validation │
│ Graph IR | Schema | Policy lint │
├────────────────────────────┬─────────────────────────────┤
│ Rust Runtime Core │ Protocol Layer │
│ Scheduler | State SM │ MCP Client | MCP Server │
│ Event log | Snapshots │ A2A Client | A2A Server │
│ Workers | Timers │ │
├────────────────────────────┴─────────────────────────────┤
│ Enterprise Services │
│ Policy | Audit | PII Redaction | OAuth | mTLS │
├──────────────────────────────────────────────────────────┤
│ Runtime Services │
│ Model Adapters | Tool Execution | Engram Memory │
├──────────────────────────────────────────────────────────┤
│ Storage │
│ Postgres (production) | SQLite (local) │
└──────────────────────────────────────────────────────────┘
"Engram Memory" here is the in-process distribution bundled with the Rust runtime. Engram also ships standalone — see Sub-products.
Full docs at jamjet.dev
Quickstart · Concepts · Python SDK · Java SDK · YAML Workflows · REST API · MCP · A2A · Eval · Enterprise · Observability · CLI · Deployment
Contributions welcome — see CONTRIBUTING.md.
Looking for a starter task?
- Build a framework integration — 8 slots open, first 10 contributors get JamJet swag
- Browse good first issues
- Join the conversation in Discord
GitHub Discussions · Issues · Discord
Apache 2.0 — see LICENSE.
Hosted control plane available at app.jamjet.dev — traces, approval queue, audit retention, team projects. Optional. The runtime, both SDKs, and Engram are Apache-2.0 with no usage limits.
Built by Sunil Prakash · © 2026 JamJet Labs · jamjet.dev · Apache 2.0