Edictum
Concepts

How the Pipeline Works

Every tool call your agent makes passes through Edictum's pipeline before it executes.

AI Assistance

Right page if: you want to understand the full evaluation order of a tool call through Edictum's pipeline, or you need to debug why a call was denied or allowed. Wrong page if: you need the internal architecture details (YAML compilation, adapter pattern, storage model) -- see https://docs.edictum.ai/docs/architecture. Gotcha: the pipeline short-circuits on the first failure in steps 1-5 -- remaining checks are skipped. Postconditions only run if the tool actually executed.

Every tool call your agent makes passes through Edictum's pipeline before it executes. The pipeline evaluates YAML contracts against the call's arguments, principal, and session state. If any contract fails, the call is denied and never reaches the tool. This is a hard boundary -- the LLM cannot reason its way past it.

Agent Calls Tool
Adapter Builds ToolEnvelope
frozen snapshot of tool name, args, principal
pre_execute()
Check Attempt Limits
max_attempts (counts denials too)
Run Before-Hooks
first denial short-circuits
Evaluate Preconditions
YAML contracts · effect: deny | approve
Sandbox · Session · Limits
boundaries, cross-turn state, per-tool caps
DENY
Denial Message
returned to agent
CALL_DENIED
audit event emitted
PRE
DECISION
APPROVE
Wait for Human
approval_backend.wait_for_decision()
Approved → Execute
Denied / Timeout → EdictumDenied
ALLOW
Tool Executes
post_execute()
Postconditions
warn · redact · deny (READ/PURE only)
After-Hooks
fire-and-forget observation
CALL_EXECUTED
audit event emitted to all sinks

A Denied Call: Step by Step

An agent tries to read .env using the read_file tool. Here is what happens:

1. Agent decides to call read_file with {"path": ".env"}.

The framework adapter intercepts the call and builds a ToolEnvelope -- a frozen snapshot of the tool name, arguments, and principal.

2. Edictum evaluates preconditions.

Before preconditions run, the pipeline checks attempt limits and fires any registered before hooks. If the attempt limit is exceeded or a hook returns deny, the call is rejected before contracts are even evaluated.

The pipeline then checks the contract bundle. This contract matches:

- id: block-dotenv
  type: pre
  tool: read_file
  when:
    args.path: { contains: ".env" }
  then:
    effect: deny
    message: "Read of sensitive file denied: {args.path}"

The args.path value is ".env". The contains operator finds ".env" in the string. The contract fires. (If preconditions pass, the pipeline also evaluates any sandbox contracts -- allowlist boundaries for file paths, commands, and domains. If the call falls outside a sandbox boundary, it is denied before reaching session limits.)

3. The call is denied.

The pipeline returns a PreDecision with action: "deny". The tool function never executes. The agent receives the denial message: "Read of sensitive file denied: .env".

4. An audit event is emitted.

An AuditEvent with action: CALL_DENIED is written to all configured sinks (stdout, file, OpenTelemetry). The event records the tool name, arguments, principal, which contract fired, and the policy version hash.

The .env file was never read. The agent sees the denial message and can try a different approach. This is intentional -- a well-written denial message steers the agent toward safe alternatives instead of leaving it stuck. For example, "Read of sensitive file denied: .env — use environment variables instead" tells the agent exactly what to do next.

An Approval Gate: Step by Step

An agent calls delete_records with {"table": "users", "query": "WHERE inactive = true"}. A precondition with effect: approve is configured.

1. Agent decides to call delete_records.

The adapter intercepts the call and builds a ToolEnvelope.

2. Edictum evaluates preconditions.

The pipeline finds a matching contract with effect: approve. Instead of denying immediately, it returns PreDecision with action: "pending_approval".

3. The pipeline requests human approval.

The approval is routed through Edictum Console, which delivers it to a human reviewer via one of its notification channels (Slack, email, or the console dashboard). A CALL_APPROVAL_REQUESTED audit event is emitted. The pipeline blocks until a decision arrives or the timeout expires.

4a. If approved: The tool executes normally. A CALL_APPROVAL_GRANTED audit event is emitted and on_allow fires.

4b. If denied: EdictumDenied is raised. A CALL_APPROVAL_DENIED audit event is emitted and on_deny fires.

4c. If timeout: The timeout_effect determines the outcome. Default is deny (raises EdictumDenied). A CALL_APPROVAL_TIMEOUT audit event is emitted.

An Allowed Call: Step by Step

The same agent calls read_file with {"path": "config.txt"}.

1. Agent decides to call read_file with {"path": "config.txt"}.

The adapter intercepts and builds the envelope.

2. Edictum evaluates preconditions.

The block-dotenv contract checks args.path for ".env". The value is "config.txt" -- no match. All other preconditions pass.

3. Edictum evaluates sandbox contracts.

Any sandbox contracts are checked next. If a sandbox defines within: ["/workspace"] for read_file, the pipeline verifies that args.path falls within the allowed boundary. The path "config.txt" is within bounds, so the sandbox passes.

4. The call is allowed.

Session limits are within bounds. The pipeline returns PreDecision with action: "allow". The tool function executes and returns the file contents.

5. Edictum evaluates postconditions.

The pipeline checks the tool's output against postcondition contracts. For example, a PII detection contract scans the output for SSN patterns. If a pattern matches, the contract produces a finding. For READ/PURE tools, postconditions with effect: redact replace matched patterns in the output with [REDACTED], and effect: deny suppresses the output entirely. For WRITE/IRREVERSIBLE tools, effects fall back to warn because the action already happened. See postcondition effects.

6. An audit event is emitted.

An AuditEvent with action: CALL_EXECUTED is written. It includes the tool name, arguments, whether postconditions passed, any findings, and the policy version hash.

Why This Is Deterministic

Contracts are code evaluated against arguments. The expression grammar supports string matching, regex, numeric comparisons, and membership checks -- all evaluated by Python at runtime, outside the LLM.

A precondition like args.path: { contains: ".env" } will always deny when the path contains .env. It does not matter what the LLM was told in its system prompt, how long the conversation has been, or how creatively the agent argues. The check runs in Python, not in the model.

This is the difference between a prompt instruction ("do not read .env files") and a contract. The prompt is a suggestion. The contract is enforcement.

Dual-Mode Evaluation

When bundles are composed with observe_alongside: true, the pipeline evaluates observed contracts alongside enforced contracts. Observed contracts produce audit events but never affect allow/deny decisions.

After all enforced checks pass, the pipeline evaluates observed preconditions, sandbox contracts, and session contracts. Each observed result emits a separate audit event with mode: "observe" -- either CALL_WOULD_DENY or CALL_ALLOWED. This lets you compare the behavior of a candidate contract version against the currently enforced version. See observe mode for the full workflow.

What Happens at Each Stage

StageWhenCan Deny?Output
Attempt limitsFirst check in the pipelineYesCALL_DENIED if attempt cap exceeded
Before hooksBefore preconditionsYesCALL_DENIED if hook returns deny
PreconditionsBefore tool executesYesCALL_DENIED or pass
Approval gateWhen precondition or sandbox has effect: approveYes (on denial/timeout)CALL_APPROVAL_REQUESTED, then GRANTED/DENIED/TIMEOUT
Sandbox contractsBefore tool executesYesCALL_DENIED with decision_source: yaml_sandbox
Session contractsBefore tool executesYesCALL_DENIED if session limit exceeded
Execution limitsBefore tool executesYesCALL_DENIED if execution cap exceeded
Observed contractsAfter enforced checks passNeverAudit events with mode: "observe"
Tool executionOnly if all checks pass--Tool's return value
PostconditionsAfter tool executeswarn: findings only. redact/deny: enforced for READ/PURE toolsCALL_EXECUTED with warnings
After hooksAfter postconditionsNeverSide effects only (logging, metrics)
AuditAfter every evaluation--Structured event to all sinks

Next Steps

  • Contracts -- the four contract types and how to write them
  • Sandbox Contracts -- allowlist boundaries for file paths, commands, and domains
  • Principals -- attaching identity context to tool calls
  • Observe mode -- testing contracts in observe mode before enforcement
  • YAML reference -- full contract syntax and bundle composition

Last updated on

Contract Generator

Generate edictum contract bundles using AI. Copy the prompt, paste it into your AI assistant, describe your agent's tools and constraints, and get valid YAML.

Contract Types Overview

Four contract types cover every enforcement scenario -- preconditions deny before execution, postconditions scan output, session contracts cap usage, and sandbox contracts define allowlists.

On this page

A Denied Call: Step by StepAn Approval Gate: Step by StepAn Allowed Call: Step by StepWhy This Is DeterministicDual-Mode EvaluationWhat Happens at Each StageNext Steps