The Agent Contract Layer

Policies. Contracts. Checkpoints.
One format, enforced at runtime.

Prompts are not permissions. Plans are not contracts.

Get StartedPolicy FilesView on GitHub

How It Works

aex draft

aex review

aex run

checkpoint

resume

The model drafts. The human reviews. AEX enforces. Sessions persist.

Without AEX

User: "Fix the failing test in src/foo.ts"

Agent: reads src/foo.ts                    ✓
Agent: reads .env (has DB credentials)     ✓
Agent: edits src/auth.ts (unrelated)       ✓
Agent: runs `curl` to post diagnostics     ✓

Without constraints, the agent can read secrets, modify unrelated files, and make network calls — all to "help" with a test fix.

With AEX

aex draft "fix the failing test in src/foo.ts"
aex review .aex/runs/fix-test.aex --run

{"event":"tool.allowed","tool":"tests.run"}
{"event":"tool.allowed","tool":"file.read"}
{"event":"check.passed","condition":"patch touches only target_files"}
{"event":"confirm.approved","tool":"file.write"}
{"event":"check.passed","condition":"final.passed"}
{"event":"run.finished","status":"success"}

Every tool call is gated. Every check is enforced. The contract defines the boundary.

Two Modes

AEX supports two modes of operation:

Prompt type	Mode	Enforcement
"Explain this code"	Exploratory	Policy via aex gate / aex proxy
"Help me debug"	Exploratory	Policy guards, no contract needed
"Fix the failing test"	Contract	aex draft → aex review → aex run
"Update dependency"	Contract	Full runtime enforcement
"Deploy to production"	Contract + approvals	Policy + task + confirmations + budget

Explore freely under policy. Execute changes through contracts.

Quick Start

npm install -g @aex-lang/cli

# Set up repo policy
aex init --policy

# Generate a contract from natural language
aex draft "fix the failing test in src/foo.ts" --model anthropic

# Review what it will do
aex review .aex/runs/20260502-fix-failing-test.aex

# Approve and execute
aex review .aex/runs/20260502-fix-failing-test.aex --run

Or write contracts by hand:

aex init --task fix-test                # scaffold a contract
aex check tasks/fix-test.aex           # validate it
aex effective --contract tasks/fix-test.aex  # preview permissions
aex run tasks/fix-test.aex --inputs inputs.json

Three Layers

repo/
  .aex/
    policy.aex          ← always-on repo guardrails
    runs/               ← generated one-off contracts
      fix-test.aex
      fix-test.audit.jsonl
  tasks/
    fix-test.aex        ← reusable checked-in workflows
    review-pr.aex

Policy (ambient boundary)

policy workspace v0

goal "Default security boundary."

allow file.read, file.write, tests.run, git.*
deny network.*, secrets.read

confirm before file.write

budget calls=100

Task Contract (specific job)

task fix_test v0

goal "Fix the failing test."

use file.read, file.write, tests.run
deny network.*, secrets.read

need test_cmd: str
need target_files: list[file]

do tests.run(cmd=test_cmd) -> failure
do file.read(paths=target_files) -> sources

make patch: diff from failure, sources with:
  - fix the failing test
  - preserve public behavior

check patch is valid diff
check patch touches only target_files
confirm before file.write

do file.write(diff=patch) -> result
do tests.run(cmd=test_cmd) -> final

check final.passed

return {
  status: "fixed",
  patch: patch
}

When both are active, effective permissions are the most restrictive combination:

Policy

allow file.*, tests.*, git.*deny network.*, secrets.*budget calls=100

+

Task

use file.read, file.write, tests.rundeny secrets.readbudget calls=20

=

Effective

allow file.read, file.write, tests.rundeny network.*, secrets.*budget calls=20

Allow is intersected. Deny is unioned. Budget takes the minimum.

Why AEX?

Draft → Review → Run

Generate contracts from natural language with aex draft. Review permissions before executing. The model proposes, AEX enforces.

Runtime Enforcement

Tool calls, file scopes, diff checks, confirmations, and budgets are enforced at runtime — not by asking the model nicely.

Readable & Diffable

Contracts are text files. Diff them, review them in PRs, reformat with aex fmt. Security policies that live with your code.

Works With Your Stack

Claude Code, Codex CLI, MCP servers, OpenAI Agents SDK, LangGraph, GitHub Actions. AEX wraps what you already use.

Audit Trail

Every tool call, check, confirmation, and budget decision is logged as structured JSON. Full observability for every execution.

Session Checkpoints

Save mid-session progress with aex.checkpoint. Resume in any MCP client with aex.resume. Cross-client, cross-session continuity.

Integrations

aex gate + aex proxy

Gate Claude Code built-in tools with hooks, MCP tools with the proxy — full coverage.

// .claude/settings.json
{
  "hooks": {
    "PreToolUse": [{ "matcher": ".*", "command": "aex gate" }]
  },
  "mcpServers": {
    "tools": {
      "command": "aex",
      "args": ["proxy", "--", "your-mcp-server"]
    }
  }
}

aex draft + aex review

Generate and review contracts from natural language. The model drafts, human reviews, AEX runs.

aex draft "fix the failing test" --model anthropic
aex review .aex/runs/fix-test.aex --run

@aex-lang/openai-agents

Wrap OpenAI Agents SDK workflows with an AEX guardrail.

import { AEXGuardedAgent } from "@aex-lang/openai-agents";

const agent = new AEXGuardedAgent({
  taskPath: "tasks/support-ticket.aex",
  tools: { "crm.lookup": crmLookup }
});

What's New

• Draft → Review → Run — aex draft generates contracts from prompts, aex review shows what a contract will do, aex review --run executes with approval.
• aex classify — classifies prompts as exploratory or contract-requiring.
• .aex/runs/ — generated contracts and audit logs stored alongside your policy.
• Claude Code hook — aex gate enforces policy on every built-in tool call.
• MCP Proxy — aex proxy sits between your client and upstream MCP servers.
• Session Checkpoints — aex.checkpoint and aex.resume meta-tools let agents save and reload sessions across conversations.
• Policy files — policy workspace v0 defines ambient security boundaries.
• Merge semantics — allow = intersection, deny = union, budget = min.

Track ongoing work in the Roadmap.

Learn More

• Quickstart for a five-minute walkthrough.
• Language Overview for every keyword.
• Examples for real-world task contracts.
• Claude Code Integration for hook and proxy setup.
• Policy Reference & Security Model for governance teams.
• CLI Reference for every command.