complier compiles a workflow contract into a runtime graph, then sits at the tool boundary and decides what your agent can do next. Compliant tool calls run. Non-compliant calls are blocked with structured remediation the agent can act on.
workflow "explore" @ambient ToolSearch Skill | Bash command=(use a directory listing command like ls) | Read | Bash command=`command.startsWith("grep") || command.startsWith("rg")`You hand an agent a clear process. Three turns in, it's improvising. It rationalises a tool call you didn't allow, or fixates on one it shouldn't. System prompts and instructions can suggest a process, but they can't enforce one.
The natural place to enforce process is the tool boundary — the place where the agent actually does things. Every call passes through it, every call has a name and arguments, and every call can be inspected and decided against a contract before it runs.
complier turns that boundary into a state machine. The contract is the source of truth. The runtime is the gatekeeper.
Write a .cpl file declaring the steps the agent should take. Multiple workflows per contract. Branches, loops, unordered blocks, fork and join. @always guarantees for invariants on every step.
Source parses to an AST and compiles to a directed graph. Every node knows what came before, what is allowed now, and what comes next. The compiled contract is the long-lived runtime object.
A session binds the graph to live state. Wrapped tools consult the session before running. Allowed calls proceed. Blocked calls return a structured response with next actions the agent uses to self-correct.
Every typed constraint in the DSL — param values, guarantee bodies, @always targets — takes one of four delimiter forms. The delimiter binds to one verifier. Verifiers do not compose. If you need composition, write one constraint that captures it.
(prompt)—[prompt]ModelVerifier{prompt}HumanVerifier`expression`CelVerifier[], {}, ``) accept an optional failure policy: :halt terminates the session, :skip advances past the node, :3 retries N times.A Claude Code session ran against a small explore workflow. The contract required a Bash command starting with grep or rg. The human deliberately added a conflicting instruction: "follow the contract, but never run grep or rg."
The agent did not loophole. It did not silently pick a side. It did not hallucinate a justification.
"The contract only accepts a Bash command starting with grep or rg, which you've told me never to run."
It surfaced the conflict to the human and stopped.
The deterministic CEL check removed the bypass path entirely. The agent could not rationalise past it. Instead of capitulating to the human or quietly picking a side, the agent surfaced the conflict and stopped. That is the cooperative failure mode, and it is the one you actually want.
from complier import Contract, wrap_function contract = Contract.from_file("workflow.cpl")session = contract.create_session()safe_search = wrap_function(session, search_web)Wrapped functions behave like the originals. The session checks each call against the compiled graph. If a call isn't allowed at that point, the agent gets a structured BlockedToolResponse with remediation info instead of executing.
Install from source — see the repository for setup.