Back to Vault
MCP & Tooling
Tier 5

Rulebound

View on GitHub Fetched 2026-07-02 5 related flows

Summary

Deterministic guardrails for AI coding agents: policy-as-code that runs the deterministic part of code review (AST checks, regex, diff analysis) against agent plans, diffs, and evidence. Its .rulebound/rules/ and docs/threat-model/ are directly reusable for agent QA.

Key Takeaways

  • 'Do not trust the agent' - verify plan, diff, and evidence deterministically
  • Rule files as review gates make agent policy versionable
  • Ships an actual threat model for agentic coding

Reliability Note

Open-source project; threat-model docs are unusually rigorous for the space.

Flows informed by this source

5
Flows category icon
Harness Engineering

Rule-File Code Review Gates

Run deterministic policy checks on everything your agent produces: rule files reviewing plans, diffs, and evidence before anything merges.

01Write the initial rule set
02Build the evaluation engine
03Wire the gates into the loop

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate
Flows category icon
Agent QA & Security

Threat-Model Your MCP Server

Systematically threat-model an MCP server before it is exploited: assets, entry points, trust boundaries, and mitigations documented and tested.

01Inventory assets and entry points
02Map boundaries and enumerate threats
03Rank threats and assign mitigations

+1 more steps to Done

Best forproduction-grade builds with strict verification

4 steps90-120 minutesAdvanced
Flows category icon
Agent QA & Security

Release Gates for Agent-Generated Code

Put agent output through a real merge gate: automated review, tests, security scans, and human sign-off proportional to risk.

01Assemble the automated gate
02Classify change risk
03Label provenance and require sign-off

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate
Flows category icon
Agent QA & Security

Dependency and Supply-Chain Scanning for Agents

Guard against the dependencies your agent adds: vulnerability scanning, hallucinated-package detection, and gated installs.

01Intercept dependency additions
02Verify existence and reputation
03Scan for vulnerabilities

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate
Flows category icon
Agent QA & Security

Secrets Hygiene in Agent Logs

Keep credentials out of prompts, tool outputs, logs, and traces: detection, redaction, and safe handling across the whole agent pipeline.

01Build the secret detector
02Redact at every capture point
03Inject real secrets safely

+1 more steps to Done

Best forbuilders who have shipped a basic app before

4 steps60-90 minutesIntermediate

Made with Emergent