This repository ships the Sponsio OSS engine: the deterministic contract runtime, framework adapters, CLI, and the pattern library that powers it. Everything here is Apache 2.0 and deterministic. There is no LLM call on the enforcement path.
sponsio/formulas/: LTL AST, evaluator, DFA monitorsponsio/runtime/verifier.py,monitor.py,strategies.py,feedback.py,session_log.py,perf.py,evaluators.pysponsio/tracer/grounding.py,otel_writer.py,exporters.py,semconv.py
sponsio/patterns/library.py: every Tier 0 + Tier 1 deterministic pattern (must_precede,rate_limit,idempotent,arg_blacklist,arg_allowlist,no_data_leak,segregation_of_duty,cooldown,must_confirm,bounded_retry,loop_detection,scope_limit,arg_length_limit,data_intact,destructive_action_gate,tool_allowlist,redirect_to_safe, etc.)sponsio/runtime/strategies.py: every Tier 0 + Tier 1 deterministic enforcement strategy (DetBlock,EscalateToHumanwith notifier callbacks,WarnOnly,RedirectToSafe). The sto-pipelineRetryWithConstraintis an extension point not included here.sponsio/contracts/capability/*.yaml: shell, fs, http, db, credentials, self-modify, subagentsponsio/contracts/incident/*.yaml: public CVE / Reddit-incident replicas (Cursor Railway wipe, Claude Code secret bypass, OpenClaw, MCP composition, subagent escape)sponsio/contracts/core/*.yaml: universal core / runaway / llm safety
sponsio/integrations/{langgraph,openai,anthropic,crewai,claude_agent, vercel_ai,google_adk,mcp,cursor,openclaw,agents}.pyplus theBaseGuardcore- TypeScript SDK:
ts/packages/sdk/ - Static scanner:
ts/packages/sdk/ - IDE host plugin packaging:
plugins/sponsio-claude-code/,plugins/sponsio-openclaw/,sponsio/plugin/
sponsio init,onboard,scan,validate,check,reportsponsio eval: offline trace-replay, FPR/FNR scoringsponsio export: Sponsio dump → OTLP forevalsponsio export-sessions: session log → OTLP file or HTTP pushsponsio hostgroup. Install / status / list / trace / uninstall / guard for Cursor / Claude Code / OpenClawsponsio plugingroup. Init / install / scan / prompt / guardsponsio packs,patterns,prompt,mode,doctor,skill,demo
sponsio/discovery/extractors/code_analysis.py: single-project AST scan that backssponsio scansponsio/discovery/extractors/document.py: single-document NL parsing (policy.md → contracts)sponsio/discovery/extractors/tool_inventory.py: single-project tool detection that powersonboardsponsio/discovery/loaders.py: single-file / single-corpus loaderssponsio/discovery/starter_pack.py: static rule matching for starter-pack selectionsponsio/discovery/trace_replay.py:sponsio evalreplay engine
sponsio/generation/dsl_to_contract.py: text DSL → contract parser (deterministic patterns; free-form NL goes through the optional LLM extractor inparse_contract)sponsio/generation/structured_ir.py: IR for the deterministic pipeline
sponsio host trace --follow: live coloured streamsponsio report --since: session log summarysponsio replay <session>: re-render a recorded session viewsponsio explain <contract>: show source + compiled formula + last violation- Session log writer (
~/.sponsio/sessions/<agent>/*.jsonl) - Per-conversation trace state (
~/.sponsio/plugins/<bucket>/conv-*.shield-trace.jsonl)
The OSS engine evaluates deterministic LTL (linear temporal logic)
contracts. Coverage includes ordering, rate limits, retries/loops,
destructive-action gates, path/argument blacklists, exact PII regexes,
length, format, permissions, and allowlists. The deterministic patterns
no_pii / max_length / no_keywords run regex against llm_said and
remain available. There is no judge or LLM call on the enforcement
path.
sponsio export-sessions+sponsio.tracer.exporters: write your session log to your own collector.sponsio.tracer.exporters.OtlpHttpExporter: in-process OTel exporter that POSTs to your endpoint.
Apache 2.0 is our long-term commitment for the OSS scope. Anything in OSS stays in OSS; we do not plan to relicense or remove anything currently in the OSS tree. New work in OSS-scope directories ships under the same license.
The SCHEMA_VERSION in sponsio/tracer/semconv.py covers the
observability contract and follows semver: any rename of an existing
attribute key bumps MAJOR; new attributes bump MINOR; doc-only changes
bump PATCH.