⚠ Production Warning

YOUR AGENT
IS BLEEDING
MONEY.
RIGHT NOW.

$106,000 Reported Loss — AutoGen #7770 AutoGen #7770 — Agent destroyed AWS management account

SHACKLE is the runtime governance layer that catches autonomous agents in silent infinite loops and halts the run before the next call — capping the bleed instead of letting it run unbounded. It is also SP/1.0: the authored, verifiable conformance standard for agent mediation — live today, and its reference implementation provably passes its own conformance suite. Works with CrewAI, LangGraph, AutoGen (sync & async) — zero refactoring.

See How It Works ↓ View Source (AGPLv3) Pricing & Implementation ↓
$ python agent_kickoff.py
[Agent] Running research task...
[Tool] web_search("latest AI news") → 200 OK
[Tool] web_search("latest AI news") → 401 Unauthorized
[Tool] web_search("latest AI news") → 401 Unauthorized ⚠

⛓️ SHACKLE CIRCUIT BREAKER: REPETITIVE_TOOL_CALL

Agent: ResearchAgent
Tool: web_search
Input: {"query": "latest AI news", "error": "401 Unauthorized"}
Call Count: 3x → CIRCUIT OPEN

━━━ Session Stats ━━━
Tokens: In: 8,400 | Out: 1,200
Session Cost: $0.02850 (saved: ~$400.00)
Time Running: 47.2s

[R] Resume/Reset  [S] Skip  [A] Abort
▌
// The Crisis

Your Agent Is Bleeding Money. Right Now.

🔄 The Loop of Death

Agent hits an error. Retries same tool with same input. Burns tokens quadratically. You wake up to a $400 bill — or worse, a $106,000 AWS disaster — with no idea what happened.

💰 No Native Budget Enforcement

CrewAI, AutoGen, and LangGraph have zero built-in cost guardrails. Your agent runs until it runs out of your money. Framework developers admit this is unsolved.

⏱️ Hung Tools, Silent Failures

API hangs. Agent waits forever. No timeout. No alert. Just a frozen process burning compute budget. Across 20+ agents in production, this compounds exponentially.

📊 Cross-Framework Invisible

Production stacks run CrewAI + AutoGen + LangGraph simultaneously. Each framework has different failure modes. None has a unified circuit breaker. Until now.

// Case Study

This Actually Happened.

$106,000

An AutoGen agent managing 10,000+ AWS accounts destroyed the management account in a recursive cleanup loop. No circuit breaker. No budget guard. No kill switch.

Source: microsoft/autogen#7770 — @tzb1-ai, enterprise infrastructure operator

SHACKLE's repeat-call + error-cascade breaker is built to trip on exactly this recursive-loop pattern—before it compounds.

// Solution

One Decorator. Zero Refactoring.

$ cat agent.py

from shackle import Guard

@Guard(budget=0.25, max_repeat_calls=3, timeout_seconds=180)
def safe_kickoff():
    return crew.kickoff()

safe_kickoff()

$ pip install shackle && python agent.py
✅ SHACKLE active. Guards: budget=$0.25, repeat=3x, timeout=180s

SHACKLE hooks litellm.completion and BaseTool.run at the interpreter level. No framework source changes. No refactoring. Works across CrewAI, LangGraph, and AutoGen simultaneously.

🛑

Loop of Death Prevention

Detects identical sequential tool calls and error cascades. Trips circuit breaker before quadratic token burn.

💰

Budget Enforcement

Real-time token tracking against client-side pricing table. Hard freeze when budget is exhausted.

⏱️

Execution Timeouts

Kills hung threads on dead APIs. No more frozen processes burning compute.

🖥️

HITL Console

Interactive terminal with Resume / Skip / Abort. Human stays in the loop when it matters.

🔒

100% Client-Side

No telemetry. No phone-home. No hidden SaaS. Your agent data stays on your machine.

🔀

Cross-Framework

CrewAI ✅ LangGraph ✅ AutoGen ✅ Smolagents 🧪 — one decorator, all frameworks.

// Why SHACKLE Exists

Nothing Else Does This.

Every AI agent framework offers some safety mechanism — but none provide a dedicated pre-execution circuit breaker with mathematically verified decision logic. Here's the landscape:

Capability Prompt Guards Framework Limits LangSmith / Monitoring SHACKLE
Pre-execution interception ✗ In-band ✗ Post-hoc ✗ Observability only ✓ Process-level
Budget enforcement ✗ △ Token count only ✗ ✓ Per-session USD tracking
Loop-of-death detection ✗ △ Recursion limit △ After-the-fact ✓ 3-call repeat + error amplification
HITL (human-in-the-loop) ✗ △ Manual only ✗ ✓ CLI + WebSocket remote
Error signal detection ✗ ✗ ✗ ✓ 401/403/500/timeout cascade
Mathematical verification ✗ ✗ ✗ ✓ 9 invariants (Hypothesis-tested)
Cryptographic audit trail ✗ ✗ ✗ ✓ Ed25519-signed, immutable
Framework-agnostic ✗ ✗ Framework-locked △ LangChain only ✓ Works with ANY agent
Zero-refactor integration △ System prompt ✗ Requires config ✗ Requires SDK ✓ One decorator: @Guard
Open source △ Varies ✓ ✗ Proprietary SaaS ✓ AGPLv3 + commercial

The gap: Every framework has prompt guards, rate limits, and monitoring. Nobody has a pre-execution circuit breaker with mathematically verified decision logic. That's what SHACKLE is. One import. Zero refactoring. Works today.

// Architecture

Interpreter-Level Interception.

SHACKLE sits between your agent and the runtime — not as middleware, but as a runtime shim.

┌─────────────────────────────────────────────────────────┐ │ SHACKLE RUNTIME ENVELOPE │ │ │ │ ┌──────────┐ ┌──────────┐ ┌──────────┐ │ │ │ CrewAI │ │ AutoGen │ │LangGraph │ │ │ └────┬─────┘ └────┬─────┘ └────┬─────┘ │ │ │ │ │ │ │ └───────────────┬───────────────┘ │ │ │ │ │ ┌────────▼────────┐ │ │ │ SHACKLE │ ← litellm hook │ │ │ decide(state, │ ← BaseTool.run hook │ │ │ call) → Verdict│ ← Agent.execute_task │ │ └────────┬────────┘ │ │ │ │ │ ┌────────────┼────────────┐ │ │ │ │ │ │ │ ┌────▼───┐ ┌─────▼────┐ ┌────▼─────┐ │ │ │ ALLOW │ │ DENY │ │ HITL │ │ │ │ execute│ │ block + │ │ pause + │ │ │ │ tool │ │ log │ │ console │ │ │ └────────┘ └──────────┘ └──────────┘ │ │ │ │ V1 (Local): In-process, memory state, CLI HITL │ │ V2 (Sovereign): Sidecar daemon, Redis, Postgres, WSS │ └─────────────────────────────────────────────────────────┘
// Deployment

Two Paradigms. One Protocol.

🖥️ LOCAL HITL (V1)

  • In-process decorator — zero infrastructure
  • Terminal-based HITL console
  • Memory-only state (lost on crash)
  • Perfect for development & debugging
  • pip install shackle
  • Free — AGPLv3
View on GitHub →

🏰 ENTERPRISE SOVEREIGN (V2)

  • Sidecar daemon — persistent state
  • Web/mobile remote HITL console
  • Redis + Postgres — state survives crashes
  • Distributed budget across serverless/K8s
  • SOC2 audit logs (cryptographically signed)
  • Commercial license available
Contact for Pricing →

From Circuit Breaker to Standard.

SHACKLE started as a runtime circuit breaker. It is now the SP/1.0 conformance standard for runtime mediation of agent tool calls — an authored, verifiable contract that any runtime can be tested against.

Typed Decision Surface

ALLOW / DENY / HITL — a small, closed verdict set with typed reasons, not free-text guesses.

Conformance Model

Valid(τ) ⇔ Required(τ) ⊆ Supported(τ). A transition is valid iff every required capability is supported.

14 Verifiable Fixtures

9 decision-core + 5 HITL transition cases (approve / reject / modify / defer-escalate / duplicate-resume), each a hash-verifiable vector.

Reference Implementation

A stdlib-only decide() produces every verdict. Run pytest tests/test_conformance.py to prove conformance.

The core invariant: history-visible ≠ runtime-executable. A record that an action happened is not proof the transition was supported. A runtime is SHACKLE-conformant iff it passes the published fixtures — provable by reproduction, not assertion.

Honest scope: the conformance layer (spec + 14 fixtures + reference decide()) is the verified standard. The @Guard runtime is the reference integration — it uses the same canonical-hashing discipline and is tested on Python 3.10–3.12, with a literal runtime→decide() wiring on the roadmap.

Read the SP/1.0 Spec → View the Fixtures →

Get SHACKLE Certified.

A certification is only worth what it can withstand. SHACKLE Certification proves — not promises — that a runtime correctly enforces the SP/1.0 mediation contract, measured against 14 public, hash-verifiable conformance fixtures. The same vectors that certify you are the ones anyone can re-run to check the claim. No trust required.

What SP/1.0 actually governs: every moment an autonomous agent is about to act — call a tool, spend budget, invoke another agent, execute a transaction. SP/1.0 defines, verifiably, whether that action is ALLOW, DENY, or HITL (halt for a human), on a simple contract: a transition is valid only if everything it requires is within what the system provably supports. Its core invariant — history-visible ≠ runtime-executable — means a rejected or deferred action can never "resume" its way past the guardrail. For a buyer, that answers the one question every acquirer and regulator asks about autonomy: can you prove it does only what it's allowed to do? A SHACKLE-certified runtime can — in minutes, from a clean clone.

SP/1.0-Core

Core Conformance. All mediation fixtures pass — ALLOW / DENY / HITL verdicts and deny reasons match the spec.

SP/1.0-HITL

Transition-Complete. Core, plus every human-in-the-loop transition: approve, reject, modify, defer-escalate, duplicate-resume.

SP/1.0-Sovereign

Enterprise Runtime. HITL, plus daemon atomic-state, ledger tamper-evidence, and audit export (V2 runtime).

  1. Run the suite. Execute the conformance fixtures against your runtime: pytest v2/tests/test_conformance.py.
  2. Capture the evidence. SHACKLE emits a per-fixture pass/fail report with the fixture hashes verified. That report is your reproducible conformance artifact.
  3. Submit for listing. Open a certification request with your report to be added to the public SHACKLE Conformance Registry.
  4. Get listed. Verified runtimes are published with the level achieved, SP/1.0 version, and date.

An open standard. An open door.

SP/1.0 is neutral and public. Any agent runtime — including competing frameworks and competing safety products — is invited to test against it and be listed. The fixtures are public, the verdicts are deterministic, the registry is open. We hold our own reference implementation to exactly the bar we ask of everyone else. A standard is only worth what it can withstand: if a runtime conforms, the registry proves it; if it doesn't, the fixtures show exactly where. The measure is public, and the same for everyone.

// Testimonials

What Developers Say.

"SHACKLE's litellm hook is brilliant for teams running polyglot stacks (CrewAI + AutoGen + LangGraph). You get one unified guardrail across your whole topology."

— Creator of TokenCircuit, competing LangGraph solution

"The error-amplification logic (catching 401/500s on the 2nd attempt) is incredibly sharp."

— Developer on LangGraph issue tracker

🔗 Seeking Integration Partners

Running multi-agent production systems? SHACKLE fills the circuit breaker gap in your delegation protocol. We're looking for integration partners with live production deployments. Cross-framework, sandbox-compatible, runtime-level.

Propose Integration →
// Integrations

Drop Into Your Stack.

SHACKLE now ships first-class governance for the two biggest chokepoints in the agent ecosystem — LiteLLM (the universal adapter under CrewAI, AutoGen, LangGraph and thousands of custom agents) and Microsoft AutoGen. One integration governs the whole supply chain, and every decision traces to the hash-pinned SP/1.0 conformance fixtures.

LiteLLM guardrail

ShackleGuardrail enforces the pure SP/1.0 reference decide(); ShackleEngineGuardrail drives the full stateful circuit breaker (budget / repeat / timeout). Sync check()/record() for the SDK, plus async pre/post hooks for the LiteLLM proxy. litellm is optional.

AutoGen wrapper

@wrap_tool governs any AutoGen tool through the same engine, with canonical input dedup so dict key ordering can’t evade loop detection. create_shackle_agent() spins up a governed AssistantAgent.

Same contract everywhere

Every path enforces Valid(τ) ⇔ Required(τ) ⊆ Supported(τ) and the ALLOW / DENY / HITL decision surface. See INTEGRATIONS.md for proxy config and usage.

// Pricing

Stop the Bleeding. Today.

Open Source

$0
  • Full V1 decorator source
  • Terminal HITL console
  • Budget + repeat + timeout guards
  • AGPLv3 license
  • Community support
  • Distributed state
  • SOC2 audit logs
  • Commercial license
GitHub →

Enterprise Sovereign

Custom
  • V2 sidecar daemon + distributed state
  • Postgres audit logs (SOC2-ready)
  • Remote HITL console (web/mobile)
  • Multi-tenant isolation
  • Commercial license (no copyleft)
  • SLA-backed priority support
  • On-premise deployment
Contact →
// Provenance

Built by Someone Who Ships.

Dante Bullock — 52-year-old self-taught systems architect, Oakland, California. Founder of Sovereign Logic. No venture capital. No corporate incubator. Just code that works.

"I don't wait for VC validation. I scrape issue trackers, find the bleeding, and build the tourniquet."

GitHub: @Fame510  |  docspoc101@gmail.com