after hitting many "legal but wrong" failures, I built a deterministic enforcement layer for the tool boundary

been using openclaw for a few months and the failure mode that kept biting wasn't bad code generation, it was the agent doing things that were "technically legal but operationally wrong": editing files outside the working directory, force-pushing because the prompt said "make sure the branch is clean", running migrations against the wrong db. prompt engineering caught most. the 5% that slipped were exactly the postmortem cases. the thesis: llm agents are probabilistic by construction. prompts give statistical behavior, not guarantees. once context fills, even "obvious" rules drift. hard guarantees have to live outside the probabilistic part of the system. so i built sponsio. open-source, apache 2.0. you write contracts in yaml. the runtime evaluates each tool call deterministically before it commits. guarantee clauses are temporal logic over the action trace, so you can express "tests must pass before commit" or "no two writes to the same file in a session", not just deny-lists. plug-in. sponsio sits at the tool boundary. you keep using openclaw (also works with claude agent sdk and common frameworks). no llm in the hot path, \~0.14ms p50. repo: [github.com/SponsioLabs/Sponsio](http://github.com/SponsioLabs/Sponsio) curious what "legal but wrong" failures other openclaw users have hit, especially the ones that don't show up in any obvious log.