Enforra Core dropped on Hacker News this week as an open-source local action governance SDK specifically built for AI agent tool calls. The project targets developers building production agents that touch sensitive operations—refunds, command execution, data exports—and it puts a typed enforcement point immediately before those side effects happen. It's not an agent runtime, MCP proxy, or model firewall. It wraps your existing application callbacks and returns one of four decisions: allow, block, require_approval, or log_only.

The Core Problem Enforra Addresses

System prompts can guide behavior, but they are not a security boundary. When an AI agent has access to issue refunds, run terminal commands, send emails, or export customer data, that control point needs to sit before the tool action executes—not somewhere in the instruction layer where it can be overridden by manipulated context or unexpected agent reasoning. Enforra evaluates policy immediately before the tool callback runs, so even manipulated or unexpected agent behavior gets blocked, flagged for approval, or logged before side effects occur.

How Policy Enforcement Works

Developers define policies in YAML files that match on agent name, tool identifier, and condition expressions. The SDK supports operators like eq, neq, gt, gte, lt, lte, contains, and not_contains against dot-pathed fields rooted at args or context—think args.amount for a refund call or args.path for filesystem access. Conditions can be written as flat arrays where every condition must pass, or grouped with all and any logical operators. Policies optionally set priority; lower numbers evaluate first. The runtime loads policies from local YAML files so teams can inspect and version control enforcement logic without a hosted service dependency.
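The matching rules described above, as an added JavaScript sketch that is not Enforra's own code or API; it shows dot-path resolution, the eight operators, all/any grouping, priority ordering, and the decision being taken before the callback runs. Assumptions: the policy object shape (agent, tool, when, decision, priority), every function name, the constructed sample policies, number-only ordered comparisons, and the fail-closed default when no policy matches.

```javascript
// Added illustration, not Enforra's source. Policy field names (agent, tool, when,
// decision, priority) and all function names are assumptions made for this sketch.
const num = (f) => (a, b) => typeof a === "number" && typeof b === "number" && f(a, b);
const has = (a, b) => (typeof a === "string" || Array.isArray(a)) && a.includes(b);
const OPS = new Map(Object.entries({
  eq: (a, b) => a === b, neq: (a, b) => a !== b,
  gt: num((a, b) => a > b), gte: num((a, b) => a >= b),
  lt: num((a, b) => a < b), lte: num((a, b) => a <= b),
  contains: has, not_contains: (a, b) => !has(a, b),
}));

// Resolve a dot path such as "args.amount"; only args and context are valid roots.
function resolve(path, call) {
  const [root, ...keys] = path.split(".");
  if (root !== "args" && root !== "context") throw new Error(`invalid root: ${root}`);
  return keys.reduce((v, k) => (v != null && Object.hasOwn(v, k) ? v[k] : undefined), call[root]);
}

function matches(cond, call) {
  const all = Array.isArray(cond) ? cond : cond.all; // flat array: every condition must pass
  if (all) return all.every((c) => matches(c, call));
  if (cond.any) return cond.any.some((c) => matches(c, call));
  const op = OPS.get(cond.op);
  if (!op) throw new Error(`unknown operator: ${cond.op}`);
  return op(resolve(cond.field, call), cond.value);
}

// Lower priority numbers are evaluated first; the first matching policy decides.
function decide(policies, call) {
  const hit = [...policies]
    .sort((a, b) => (a.priority ?? 1e9) - (b.priority ?? 1e9))
    .find((p) => p.agent === call.agent && p.tool === call.tool && matches(p.when ?? [], call));
  return hit ? hit.decision : "block"; // assumption: fail closed when nothing matches
}

// Enforcement point: decide first, run the side-effecting callback only if permitted.
function enforce(policies, call, execute) {
  const decision = decide(policies, call);
  if (decision !== "allow" && decision !== "log_only") return { decision };
  return { decision, result: execute(call.args) };
}
// Constructed sample policies (the parsed form of a YAML file) for a refund tool.
const POLICIES = [
  { agent: "support", tool: "issue_refund", priority: 20, decision: "allow",
    when: { any: [{ field: "context.tier", op: "eq", value: "vip" },
                  { field: "args.amount", op: "lte", value: 500 }] } },
  { agent: "support", tool: "issue_refund", priority: 10, decision: "require_approval",
    when: [{ field: "args.amount", op: "gt", value: 500 }] },
];
```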

Audit Logging and Redaction

Every decision writes to .enforra/audit.jsonl in JSONL format. Arguments and context are recursively redacted for common secret fields before being written, which is critical when you're handling payment tool calls or database operations with credentials baked into the payload. For allow and log_only decisions, the runtime writes a pre-execution audit event before calling execute—if that write fails, the callback never runs. An optional hash-chain mode adds tamper-evident integrity metadata to detect modified, deleted, or reordered events during later verification.

What Enforra Does Not Include

The project makes deliberate scope choices here. This OSS core does not include a hosted API, cloud dashboard, team approval workflows, auth/RBAC/SSO, Slack or email approvals, compliance reports, remote tool execution, or MCP gateway behavior. Policy management, team workflows, and hosted audit retention are explicitly out of scope for the local runtime. The team is upfront that they view these as potential commercial layers on top, but keeping the core lightweight and auditable seems like the right call for security-sensitive use cases.

Technical Foundation

The SDK targets Node.js 20 or newer, uses pnpm via Corepack, and ships as a monorepo with packages for policy-core (loading, validation, evaluation), sdk-node (enforcement wrapper), cli (init, tests, audit verification), and local-audit (JSONL logging with redaction). Starter policies live in policies/starter as examples. The project includes runnable demos covering support refund flows, OpenAI-style wrappers, MCP-style tool patterns, approval evidence, audit integrity, database guard scenarios, and benchmarks.

Key Takeaways

  • Enforra evaluates policy immediately before tool callbacks execute, creating a real security boundary that system prompts cannot provide
  • Four possible decisions (allow, block, require_approval, log_only) give fine-grained control over agent actions without blocking useful work
  • Local-only execution with no network calls makes this suitable for air-gapped environments or compliance-sensitive deployments
  • YAML-based policy files can be version-controlled and tested in CI before deployment

The Bottom Line

This is exactly the kind of infrastructure that needs to exist as AI agents move from demos into production systems handling real money and customer data. The deliberate scope—local runtime only, no hosted dependencies—means security-conscious teams can actually audit what they're deploying. System prompts are not a security boundary, and Enforra finally gives developers an open-source way to enforce that distinction at the point where it matters.