Wardrail is the independent referee for AI-built code. It gives your coding agent the rules to follow, independently checks the code honoured them, and proves it: deterministic security checks plus an LLM verdict on whether the agent did what was asked and nothing it shouldn't, recorded as a trust score and a signed, verifiable proof.
Your agents move fast. Wardrail keeps them on the rails without slowing them down: it sets the rules they code against, checks every change independently, and turns the result into something you can actually show a customer or an auditor.
Compile a versioned project contract into a committable CLAUDE.md: the off-limits paths, the must-follow rules, the skills your repo ships. Your agent reads it while it writes.
A deterministic AST security scan plus an LLM verdict on whether the change did what was asked and nothing it shouldn't. It runs against your committed contract, not the agent's own say-so.
→Every verdict becomes a trust score and a signed attestation, independently verifiable and recorded in an append-only transparency log. Share a "Verified by Wardrail" badge and a public report.
Every turn, your agent re-reads its whole world — the conversation so far, and the files it needs to understand. That's where the token bill comes from. Wardrail attacks both: it lets the agent ask your codebase questions instead of reading it, and lets long sessions resume from a short, honest brief instead of replaying everything.
Spend fewer tokens. Stay on the rails.
A long agent session gets expensive because the entire transcript is sent again on every single turn — by hour two you're paying to re-read the same 150k tokens over and over. Compaction helps, but it's a lossy summary that can quietly drop a decision or claim work that never happened.
Wardrail replaces that with a checkpoint → clear → resume workflow. /checkpoint writes a small, honest task file — the objective, the decisions, the exact next step — so a fresh session rehydrates from roughly 3k tokens instead of a ~150k-token transcript. And the checkpoint can't lie: it's machine-verified against your git history, a real test run, a typecheck, and a diff scan before it's trusted. A checkpoint marked "done" whose checks fail gets downgraded to FAIL. It even makes /compact safe — capturing verified ground truth the moment before compaction and re-injecting it after, so the shrunken session trusts reality, not the summary.
Delivered by the free, MIT-licensed @wardrail/plugin.
To change code safely, an agent first has to understand it — and the naive way is to read file after file after file, burning tokens (and time) before it writes a line. Wardrail builds a code graph of your whole repo instead: every function, class, and type, and the calls and imports between them — across TypeScript/JavaScript, Python, PHP, and Go.
Now the agent asks instead of reads: "who calls this?", "what's the blast radius if I change it?", "what's the shape of this project?" — answered from the graph in a fraction of the tokens it would take to open all those files. And before any change lands, the blast radius shows exactly which files across the repo depend on what you touched, so risky edits can't hide.
Your agent queries your codebase's structure instead of reading it file by file — fewer tokens, and nothing breaks by surprise.
One edit to pricing.ts ripples through checkout, invoicing, and reporting. Every review shows you the reach before you merge.
Anyone can claim their code is clean. Wardrail records a trust score and a cryptographically signed attestation that a third party can check for themselves, with an append-only, hash-chained transparency log behind it.
The score moves with the evidence: contract adherence, open findings, and drift over time. It climbs as the agent honours the rules and drops the moment it doesn't.
Every verdict is signed with an Ed25519 key and published. Verify it yourself, or hand the link to an auditor.
The free tier is a complete safety cockpit for one developer or a small project: harden a contract, scan for the security mistakes agents make most, and run an independent verdict in your browser with your own key. Up to three connected repositories.
Catches hardcoded secrets, eval and dynamic code execution, unsafe outbound calls, and more, with file and line.
The rules your code must follow, compiled into a committable CLAUDE.md your agent reads as it writes.
Reads the skill files in your repo and tells you what your agents are actually equipped to do.
Bring your own Anthropic key. It's encrypted in your browser and never reaches Wardrail.
An independent check of your code or a pasted diff against your contract, run in your browser with your key.
Free includes up to 3 connected repositories. No inference charges, ever, because the model runs on your key.
Wardrail works wherever you build: in the browser, in CI, and inside the agent itself. Pick whichever fits your workflow, or use all four.
Connect a repo, scan it, harden and compile your contract, run verdicts, and get a trust score with a shareable badge.
An independent verdict on every pull request, running in your CI with your key. Wardrail's servers are never involved.
Gives coding agents (Claude Code, Cursor, Windsurf, Claude Desktop) your contract and code-graph tools while they write. Add it to your MCP config; it runs on demand via npx, with nothing to install.
claude mcp add wardrail -- npx -y @wardrail/mcpBundles the MCP tools plus a checkpoint, clear, and resume workflow that makes /compact safe, with machine-verified checkpoints against git, tests, typecheck, and a diff scan.
claude plugin marketplace add https://wardrail.ghostables.io/marketplace.jsonclaude plugin install wardrail@wardrailWardrail runs as an MCP server, so any MCP-capable agent can consult your contract, pull findings, get a verdict on a diff, and query the code graph — instead of reading files. Bring your own key; it never leaves your machine.
Add Wardrail as an MCP server in one command:
claude mcp add wardrail \
-e WARDRAIL_URL=https://wardrail.ghostables.io \
-e WARDRAIL_INGEST_TOKEN=your-project-ingest-token \
-- npx -y @wardrail/mcp
claude plugin marketplace add https://wardrail.ghostables.io/marketplace.json
claude plugin install wardrail@wardrail
Add Wardrail to your mcp.json:
{
"mcpServers": {
"wardrail": {
"command": "npx",
"args": ["-y", "@wardrail/mcp"],
"env": {
"WARDRAIL_URL": "https://wardrail.ghostables.io",
"WARDRAIL_INGEST_TOKEN": "your-project-ingest-token",
"ANTHROPIC_API_KEY": "sk-ant-..."
}
}
}
}
Hermes and Cursor and Claude Code write the code; Wardrail is the referee that verifies it — different layers, they compose.
Hermes (Nous Research) is an MCP host, so Wardrail plugs straight in — add a wardrail MCP server with command npx, args ["-y","@wardrail/mcp"], and the same env:
{
"command": "npx",
"args": ["-y", "@wardrail/mcp"],
"env": {
"WARDRAIL_URL": "https://wardrail.ghostables.io",
"WARDRAIL_INGEST_TOKEN": "your-project-ingest-token",
"ANTHROPIC_API_KEY": "sk-ant-..."
}
}
WARDRAIL_INGEST_TOKEN comes from Wardrail → Trust → Attest from CI, and scopes to a single project.ANTHROPIC_API_KEY is optional — only the diff-review tool uses it, and it goes straight to Anthropic. Wardrail never sees it.Everything to keep one project on the rails.
Billed monthly. Switch to annual for 2 months free.
One bill, every seat gets Pro. Annual = 2 months free.
No. You bring your own Anthropic key; it's encrypted in your browser, or it lives only in your CI. It never reaches Wardrail. We never see your key, and we never charge you for model inference, because the model runs on your key.
No. Repository access is read-only, through a GitHub App. Wardrail never writes to your code and never runs it.
Two checks, not one. A deterministic AST security scan finds concrete issues like hardcoded secrets and dynamic code execution. Then an LLM verdict judges the change against your committed contract: did it do what was asked, and nothing it shouldn't? The result is a trust score and a signed proof.
Every verdict is signed with an Ed25519 key and independently verifiable at /a/<id>, backed by an append-only, hash-chained transparency log at /log. You can share a "Verified by Wardrail" badge and a public report.
Free is the full safety cockpit for up to three repositories: linter, guardrails, skills, the key vault, and on-demand verdicts. Pro adds the things that only earn their keep once a project has history: drift monitoring, the code graph and blast radius, alerts, signed verification records, and unlimited repositories.
The native code knowledge graph spans TypeScript and JavaScript, Python, PHP, and Go. Every change review shows which files across the repo depend on what you touched.
Connect a repo, compile your contract, and run your first verdict in minutes. Free to start, your key, your code, your proof.