harinee/agent-oss-guardrails

🛡️ Agent OSS Guardrails

Safe, composable instructions for AI agents managing open source dependencies

License: MIT | PRs Welcome


🎯 What is this?

Agent OSS Guardrails provides reusable, modular instruction files that guide AI coding agents toward safer dependency selection practices for supply chain risk reduction.

Why: AI agents can introduce dependencies faster than humans can review them. These guardrails provide agent-readable constraints that encourage safer practices.

Use cases: AI coding agents (Cursor, Cline, GitHub Copilot, Aider, Windsurf), organizational policies, training guidelines

Key characteristics: Modular, ecosystem-specific, risk-adaptive, standards-aligned

Reality check: These are guidelines for AI agents, not security controls. They complement (not replace) SCA tools, SBOM, and code review. Effectiveness depends on agent capabilities.

📖 Read why this exists


🚀 Quick Start

1. Choose Your Baseline

# Most projects - balanced safety and flexibility
skills/foundational/oss-selection-baseline.skills.md

# Production/sensitive - strict controls
skills/foundational/oss-selection-strict.skills.md

2. Combine What You Need

# Node.js with autonomous agent
cat skills/foundational/oss-selection-baseline.skills.md \
    skills/overlays/capabilities/agent-can-install-packages.skills.md \
    skills/overlays/ecosystems/npm-node.skills.md \
    > .clinerules/oss-guardrails.md

# Or use pre-packaged combinations
cp packaged/baseline-general.skills.md .clinerules/oss-guardrails.md
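
As an added example (not part of the repository), a small POSIX shell helper that does what the cat pipeline above does, but refuses to write the rules file if the baseline or any overlay is missing and records which skill files were combined. The fixture files it creates are constructed stand-ins for a real checkout of skills/.

```shell
#!/usr/bin/env sh
# compose_guardrails: build one agent rules file from exactly one foundational
# baseline plus any number of overlays (paths relative to skills/overlays/).
# Fails closed: nothing is written if any requested skill file is absent, so a
# typo cannot silently produce a rules file with a missing ecosystem overlay.
# usage: compose_guardrails <skills_root> <output_file> <baseline> <overlay>...
compose_guardrails() {
  root="$1"; out="$2"; baseline="$3"; shift 3
  base_path="$root/foundational/$baseline.skills.md"
  [ -f "$base_path" ] || { echo "missing baseline: $base_path" >&2; return 1; }
  for ov in "$@"; do
    [ -f "$root/overlays/$ov.skills.md" ] || { echo "missing overlay: $ov" >&2; return 1; }
  done
  mkdir -p "$(dirname "$out")"
  {
    # Header lets a reviewer see which skills were composed into this file.
    echo "<!-- composed from: $baseline $* -->"
    cat "$base_path"
    for ov in "$@"; do
      printf '\n'
      cat "$root/overlays/$ov.skills.md"
    done
  } > "$out"
}

# Constructed fixture standing in for a checkout of the repo's skills/ tree.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/skills/foundational" \
         "$demo_root/skills/overlays/ecosystems" \
         "$demo_root/skills/overlays/capabilities"
echo "# baseline rules (constructed)" \
  > "$demo_root/skills/foundational/oss-selection-baseline.skills.md"
echo "# npm overlay (constructed)" \
  > "$demo_root/skills/overlays/ecosystems/npm-node.skills.md"
echo "# install capability (constructed)" \
  > "$demo_root/skills/overlays/capabilities/agent-can-install-packages.skills.md"

# Same combination as the Quick Start: baseline + autonomous install + npm.
compose_guardrails "$demo_root/skills" "$demo_root/.clinerules/oss-guardrails.md" \
  oss-selection-baseline capabilities/agent-can-install-packages ecosystems/npm-node
```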

📖 Detailed selection guide


📁 Repository Structure

skills/
├── foundational/          # baseline or strict
└── overlays/
    ├── capabilities/      # what agent can do
    ├── ecosystems/        # language-specific
    ├── artifact-types/    # CI/CD, scanners, MCP
    └── contexts/          # prototype, production, regulated

packaged/                  # ready-made combinations
examples/                  # usage examples
docs/                      # detailed guides

📖 Documentation

Document              Purpose
Why This Exists       Supply chain risks & problem context
How to Choose         Decision guide with examples
Design Principles     15 core principles
Mapping to Standards  SLSA, OWASP, NIST alignment
Contribution Guide    How to contribute

🔧 Implementation

For AI Agents:

.clinerules/oss-guardrails.md           # Cline/Roo (project-level)
~/Documents/Cline/Rules/                # Cline (global)
.cursorrules                            # Cursor
.aider.conf.yml                         # Aider
.github/copilot-instructions.md         # GitHub Copilot

For Organizations:

  • Artifact registry policies (Artifactory, Nexus)
  • Policy-as-code (OPA, Kyverno)
  • PR templates and pre-commit hooks

🤝 Contributing

Contributions welcome! See Contribution Guide

📄 License

MIT License - see LICENSE


Practical supply chain guidance for AI agents

Built with lessons from SLSA, OWASP, NIST SSDF

About

A public catalog of reusable skills.md instructions for safer OSS selection and dependency handling in AI-assisted development.