Wardrail · The independent trust layer for AI-written code

Verify the code
your agents write.

Wardrail is the independent referee for AI-built code. It gives your coding agent the rules to follow, independently checks the code honoured them, and proves it: deterministic security checks plus an LLM verdict on whether the agent did what was asked and nothing it shouldn't, recorded as a trust score and a signed, verifiable proof.

Zero-knowledge, bring your own key Read-only repo access Signed, verifiable proofs

Rules. Check. Proof.

Your agents move fast. Wardrail keeps them on the rails without slowing them down: it sets the rules they code against, checks every change independently, and turns the result into something you can actually show a customer or an auditor.

01 · Rules

Give the agent a contract

Compile a versioned project contract into a committable CLAUDE.md: the off-limits paths, the must-follow rules, the skills your repo ships. Your agent reads it while it writes.

02 · Check

Independently verify the result

A deterministic AST security scan plus an LLM verdict on whether the change did what was asked and nothing it shouldn't. It runs against your committed contract, not the agent's own say-so.

03 · Proof

Record a verifiable result

Every verdict becomes a trust score and a signed attestation, independently verifiable and recorded in an append-only transparency log. Share a "Verified by Wardrail" badge and a public report.

Fewer tokens. Same rails.

Every turn, your agent re-reads its whole world — the conversation so far, and the files it needs to understand. That's where the token bill comes from. Wardrail attacks both: it lets the agent ask your codebase questions instead of reading it, and lets long sessions resume from a short, honest brief instead of replaying everything.

Spend fewer tokens. Stay on the rails.

Long sessions, short briefs

A long agent session gets expensive because the entire transcript is sent again on every single turn — by hour two you're paying to re-read the same 150k tokens over and over. Compaction helps, but it's a lossy summary that can quietly drop a decision or claim work that never happened.

Wardrail replaces that with a checkpoint → clear → resume workflow. /checkpoint writes a small, honest task file — the objective, the decisions, the exact next step — so a fresh session rehydrates from roughly 3k tokens instead of a ~150k-token transcript. And the checkpoint can't lie: it's machine-verified against your git history, a real test run, a typecheck, and a diff scan before it's trusted. A checkpoint marked "done" whose checks fail gets downgraded to FAIL. It even makes /compact safe — capturing verified ground truth the moment before compaction and re-injecting it after, so the shrunken session trusts reality, not the summary.

Resume from a verified 3k-token brief, not a bloated transcript — long sessions stay cheap and honest.

Delivered by the free, MIT-licensed @wardrail/plugin.

Pro · Code graph & blast radius

Query your code, don't read it.

To change code safely, an agent first has to understand it — and the naive way is to read file after file after file, burning tokens (and time) before it writes a line. Wardrail builds a code graph of your whole repo instead: every function, class, and type, and the calls and imports between them — across TypeScript/JavaScript, Python, PHP, and Go.

Now the agent asks instead of reads: "who calls this?", "what's the blast radius if I change it?", "what's the shape of this project?" — answered from the graph in a fraction of the tokens it would take to open all those files. And before any change lands, the blast radius shows exactly which files across the repo depend on what you touched, so risky edits can't hide.

// code knowledge graph
Wardrail interactive code graph: dependencies and blast radius across the repo
Why it's cheaper

Your agent queries your codebase's structure instead of reading it file by file — fewer tokens, and nothing breaks by surprise.

Blast radius of this change
8 files affected

One edit to pricing.ts ripples through checkout, invoicing, and reporting. Every review shows you the reach before you merge.

TS / JSPythonPHPGo
Changed
Affected
Unaffected

A verdict you can show, not just trust.

Anyone can claim their code is clean. Wardrail records a trust score and a cryptographically signed attestation that a third party can check for themselves, with an append-only, hash-chained transparency log behind it.

// trust score
0/ 100

Earned, not asserted

The score moves with the evidence: contract adherence, open findings, and drift over time. It climbs as the agent honours the rules and drops the moment it doesn't.

// trust score, last 12 verdicts
// signed attestation

Independently verifiable

Every verdict is signed with an Ed25519 key and published. Verify it yourself, or hand the link to an auditor.

verdict✓ honoured
signatureEd25519 · valid

Compile the rules. Scan the code.

The free tier is a complete safety cockpit for one developer or a small project: harden a contract, scan for the security mistakes agents make most, and run an independent verdict in your browser with your own key. Up to three connected repositories.

Linter

AST security scan

Catches hardcoded secrets, eval and dynamic code execution, unsafe outbound calls, and more, with file and line.

Guardrails

A versioned contract

The rules your code must follow, compiled into a committable CLAUDE.md your agent reads as it writes.

Skills

SKILL.md analysis

Reads the skill files in your repo and tells you what your agents are actually equipped to do.

Keys

Zero-knowledge vault

Bring your own Anthropic key. It's encrypted in your browser and never reaches Wardrail.

Verdict

Check code or a diff

An independent check of your code or a pasted diff against your contract, run in your browser with your key.

Free includes up to 3 connected repositories. No inference charges, ever, because the model runs on your key.

Meet your agents where they live.

Wardrail works wherever you build: in the browser, in CI, and inside the agent itself. Pick whichever fits your workflow, or use all four.

01

The hosted app

Connect a repo, scan it, harden and compile your contract, run verdicts, and get a trust score with a shareable badge.

02

GitHub Action / CLI

An independent verdict on every pull request, running in your CI with your key. Wardrail's servers are never involved.

03

MCP server npm · MIT

Gives coding agents (Claude Code, Cursor, Windsurf, Claude Desktop) your contract and code-graph tools while they write. Add it to your MCP config; it runs on demand via npx, with nothing to install.

claude mcp add wardrail -- npx -y @wardrail/mcp
04

Claude Code plugin npm · MIT

Bundles the MCP tools plus a checkpoint, clear, and resume workflow that makes /compact safe, with machine-verified checkpoints against git, tests, typecheck, and a diff scan.

claude plugin marketplace add https://wardrail.ghostables.io/marketplace.json
claude plugin install wardrail@wardrail

Works with your agent

Wardrail runs as an MCP server, so any MCP-capable agent can consult your contract, pull findings, get a verdict on a diff, and query the code graph — instead of reading files. Bring your own key; it never leaves your machine.

Add Wardrail as an MCP server in one command:

// terminal
claude mcp add wardrail \
  -e WARDRAIL_URL=https://wardrail.ghostables.io \
  -e WARDRAIL_INGEST_TOKEN=your-project-ingest-token \
  -- npx -y @wardrail/mcp
// or install the full plugin
// terminal
claude plugin marketplace add https://wardrail.ghostables.io/marketplace.json
claude plugin install wardrail@wardrail

Add Wardrail to your mcp.json:

// mcp.json
{
  "mcpServers": {
    "wardrail": {
      "command": "npx",
      "args": ["-y", "@wardrail/mcp"],
      "env": {
        "WARDRAIL_URL": "https://wardrail.ghostables.io",
        "WARDRAIL_INGEST_TOKEN": "your-project-ingest-token",
        "ANTHROPIC_API_KEY": "sk-ant-..."
      }
    }
  }
}

Hermes and Cursor and Claude Code write the code; Wardrail is the referee that verifies it — different layers, they compose.

Hermes (Nous Research) is an MCP host, so Wardrail plugs straight in — add a wardrail MCP server with command npx, args ["-y","@wardrail/mcp"], and the same env:

// hermes · wardrail mcp server
{
  "command": "npx",
  "args": ["-y", "@wardrail/mcp"],
  "env": {
    "WARDRAIL_URL": "https://wardrail.ghostables.io",
    "WARDRAIL_INGEST_TOKEN": "your-project-ingest-token",
    "ANTHROPIC_API_KEY": "sk-ant-..."
  }
}
WARDRAIL_INGEST_TOKEN comes from Wardrail → Trust → Attest from CI, and scopes to a single project.
ANTHROPIC_API_KEY is optional — only the diff-review tool uses it, and it goes straight to Anthropic. Wardrail never sees it.

Start free. Scale when it earns its keep.

2 months free
Free
£0/ forever

Everything to keep one project on the rails.

  • AST security linter
  • Guardrails: versioned contract → CLAUDE.md
  • Skills: SKILL.md analysis
  • Keys: zero-knowledge BYOK vault
  • Verdict: check code or a pasted diff
  • Up to 3 connected repositories
Start free →
Teams
£30/ month

One bill, every seat gets Pro. Annual = 2 months free.

3 seats£30/mo£10 / seat
5 seats£45/mo£9 / seat
10 seats£80/mo£8 / seat
50 seats£300/mo£6 / seat
Set up a team →

FAQ

Does Wardrail ever see my API key?

No. You bring your own Anthropic key; it's encrypted in your browser, or it lives only in your CI. It never reaches Wardrail. We never see your key, and we never charge you for model inference, because the model runs on your key.

Can Wardrail change my code?

No. Repository access is read-only, through a GitHub App. Wardrail never writes to your code and never runs it.

What does "independent verdict" actually mean?

Two checks, not one. A deterministic AST security scan finds concrete issues like hardcoded secrets and dynamic code execution. Then an LLM verdict judges the change against your committed contract: did it do what was asked, and nothing it shouldn't? The result is a trust score and a signed proof.

How can someone else trust the result?

Every verdict is signed with an Ed25519 key and independently verifiable at /a/<id>, backed by an append-only, hash-chained transparency log at /log. You can share a "Verified by Wardrail" badge and a public report.

What's the difference between Free and Pro?

Free is the full safety cockpit for up to three repositories: linter, guardrails, skills, the key vault, and on-demand verdicts. Pro adds the things that only earn their keep once a project has history: drift monitoring, the code graph and blast radius, alerts, signed verification records, and unlimited repositories.

Which languages does the code graph cover?

The native code knowledge graph spans TypeScript and JavaScript, Python, PHP, and Go. Every change review shows which files across the repo depend on what you touched.

Let your agents move fast.
Without shipping slop.

Connect a repo, compile your contract, and run your first verdict in minutes. Free to start, your key, your code, your proof.