Every AI guardrail watches what already went wrong. DRAFT prevents it from going wrong in the first place.
DRAFT (Define, Rules, Artifacts, Flex, Test) is a structured intake governance protocol that forces AI agents to confirm they understand your intent before they act. Five dimensions. Three tiers. One rule: questions come before answers.
```bash
pip install draft-protocol
```

| | Output Guardrails | DRAFT Protocol |
|---|---|---|
| When it acts | After the LLM responds | Before the LLM acts |
| What it checks | Toxicity, format, policy | Intent, scope, assumptions |
| Failure mode | Catches bad output, wastes the call | Prevents bad calls entirely |
| Evidence basis | Synthetic benchmarks | 50+ real governed sessions |
| Complementary? | Yes | Yes — use both for defense-in-depth |
AI agents are getting powerful. They can write code, manage files, query databases, deploy infrastructure. But they all share the same failure mode: they act on what they think you meant, not what you actually meant.
The result? Scope creep, misunderstood requirements, wasted work, and sometimes real damage — all because no one verified intent before execution.
Current solutions focus on output safety (content filtering, guardrails). Almost nobody governs the intake — the moment where intent is captured and interpreted.
DRAFT maps every request across five dimensions:
| Dimension | Question | Why It Matters |
|---|---|---|
| Define | What exactly are we building? | Prevents vague starts |
| Rules | Who decides? What's forbidden? | Prevents authority drift |
| Artifacts | What goes in? What comes out? | Prevents garbage-in/garbage-out |
| Flex | What can change? What can't? | Prevents scope creep |
| Test | How do we know it worked? | Prevents "done" without evidence |
Each field is labeled SATISFIED, AMBIGUOUS, or MISSING. Ambiguous and missing fields generate targeted questions. The confirmation gate blocks execution until all applicable fields are confirmed by the human.
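The gate mechanic can be sketched in a few lines. This is an illustrative model only, not DRAFT's internals: the `FieldStatus` enum and `gate_check` function are hypothetical names, but the rule is the one described above — any AMBIGUOUS or MISSING field blocks the gate.

```python
from enum import Enum

class FieldStatus(Enum):
    SATISFIED = "SATISFIED"
    AMBIGUOUS = "AMBIGUOUS"
    MISSING = "MISSING"
    CONFIRMED = "CONFIRMED"  # human answered the targeted question

def gate_check(fields: dict) -> dict:
    """Block execution until every applicable field is SATISFIED or CONFIRMED."""
    blockers = [
        f"{key}: {status.value}"
        for key, status in fields.items()
        if status in (FieldStatus.AMBIGUOUS, FieldStatus.MISSING)
    ]
    return {"passed": not blockers, "blockers": blockers}

# Two fields resolved, one still missing: the gate stays closed.
session = {
    "D1": FieldStatus.SATISFIED,
    "R3": FieldStatus.CONFIRMED,
    "T1": FieldStatus.MISSING,
}
print(gate_check(session))  # → {'passed': False, 'blockers': ['T1: MISSING']}
```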
Not every message needs the same scrutiny:
- CASUAL — "What's the weather?" → Internal mapping only. No visible ceremony.
- STANDARD — "Build a REST API" → Full pipeline. Questions for gaps. Assumptions surfaced.
- CONSEQUENTIAL — "Restructure the auth system" → Maximum rigor. All dimensions mandatory. Devil's Advocate on assumptions. Quality review required.
Tier classification is automatic (keyword matching + optional LLM), with manual override.
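A minimal sketch of keyword-based tier classification, under the "escalate to the highest matching tier" approach described above. The keyword sets here are made up for illustration and are not DRAFT's actual lists:

```python
# Hypothetical keyword sets; DRAFT's real rules are more extensive.
CONSEQUENTIAL_KEYWORDS = {"restructure", "migrate", "delete", "deploy", "auth"}
STANDARD_KEYWORDS = {"build", "create", "implement", "refactor", "fix"}

def classify_tier(message: str) -> str:
    """Return the highest tier whose keywords appear in the message."""
    words = set(message.lower().split())
    if words & CONSEQUENTIAL_KEYWORDS:
        return "CONSEQUENTIAL"
    if words & STANDARD_KEYWORDS:
        return "STANDARD"
    return "CASUAL"

print(classify_tier("Build a REST API"))             # → STANDARD
print(classify_tier("Restructure the auth system"))  # → CONSEQUENTIAL
print(classify_tier("What's the weather?"))          # → CASUAL
```

An optional LLM pass would refine these matches semantically; the manual override tools (`draft_escalate`, `draft_deescalate`) cover the cases the heuristic misses.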
```bash
pip install draft-protocol
```

Works with any MCP-compatible AI client. Add to your config:
Claude Desktop — claude_desktop_config.json

```json
{
  "mcpServers": {
    "draft-protocol": {
      "command": "python",
      "args": ["-m", "draft_protocol"],
      "env": {}
    }
  }
}
```

Cursor — .cursor/mcp.json

```json
{
  "mcpServers": {
    "draft-protocol": {
      "command": "python",
      "args": ["-m", "draft_protocol"],
      "env": {}
    }
  }
}
```

Windsurf — ~/.codeium/windsurf/mcp_config.json

```json
{
  "mcpServers": {
    "draft-protocol": {
      "command": "python",
      "args": ["-m", "draft_protocol"],
      "env": {}
    }
  }
}
```

Continue — ~/.continue/config.json

```json
{
  "experimental": {
    "modelContextProtocolServers": [
      {
        "transport": { "type": "stdio", "command": "python", "args": ["-m", "draft_protocol"] }
      }
    ]
  }
}
```

VS Code Copilot — .vscode/settings.json

```json
{
  "github.copilot.chat.mcpServers": {
    "draft-protocol": {
      "command": "python",
      "args": ["-m", "draft_protocol"]
    }
  }
}
```

For web-based MCP clients, browser extensions, or remote access:
```bash
# SSE transport (Server-Sent Events)
python -m draft_protocol --transport sse --port 8420

# Streamable HTTP (new MCP standard)
python -m draft_protocol --transport streamable-http --port 8420
```

Connect any SSE-capable MCP client to http://127.0.0.1:8420/sse.

```bash
python -m draft_protocol --transport rest --port 8420
```

Endpoints: /classify, /session, /map, /confirm, /gate, /elicit, /assumptions, /status, /health. Full CORS support.
The included Chrome extension adds DRAFT governance to any AI chat interface:
1. Start the REST server: `python -m draft_protocol --transport rest`
2. Load the extension: Chrome → chrome://extensions → Developer mode → Load unpacked → select `extension/`
3. Visit any supported AI chat — a governance badge appears automatically
Supported platforms: ChatGPT, Claude, Gemini, Copilot, Mistral, Poe, Perplexity, HuggingFace Chat.
The badge shows real-time tier classification as you type. Click it for full session status. Open the side panel for the complete DRAFT workflow.
| Variable | Default | Description |
|---|---|---|
| `DRAFT_TRANSPORT` | `stdio` | Transport: `stdio`, `sse`, `streamable-http`, `rest` |
| `DRAFT_HOST` | `127.0.0.1` | Bind address for HTTP transports |
| `DRAFT_PORT` | `8420` | Port for HTTP transports |
| `DRAFT_DB_PATH` | `~/.draft_protocol/draft.db` | SQLite database location |
| `DRAFT_LLM_PROVIDER` | `none` | LLM provider: `none`, `ollama`, `openai`, `anthropic` |
| `DRAFT_LLM_MODEL` | (empty) | Model name (auto-detects provider if not set) |
| `DRAFT_EMBED_MODEL` | (empty) | Embedding model name |
| `DRAFT_API_KEY` | (empty) | API key for cloud providers |
| `DRAFT_API_BASE` | (empty) | Custom API endpoint URL |
DRAFT works out of the box with keyword matching and heuristics. For better accuracy, connect any LLM provider:
Ollama (local, free)

```json
{
  "env": {
    "DRAFT_LLM_PROVIDER": "ollama",
    "DRAFT_LLM_MODEL": "llama3.2:3b",
    "DRAFT_EMBED_MODEL": "nomic-embed-text"
  }
}
```

OpenAI

```json
{
  "env": {
    "DRAFT_LLM_PROVIDER": "openai",
    "DRAFT_LLM_MODEL": "gpt-4o-mini",
    "DRAFT_EMBED_MODEL": "text-embedding-3-small",
    "DRAFT_API_KEY": "sk-..."
  }
}
```

Anthropic

```json
{
  "env": {
    "DRAFT_LLM_PROVIDER": "anthropic",
    "DRAFT_LLM_MODEL": "claude-sonnet-4-20250514",
    "DRAFT_API_KEY": "sk-ant-..."
  }
}
```

Note: Anthropic does not provide an embeddings API. When using the Anthropic provider, DRAFT uses Claude for chat-based classification, but embedding-based features (semantic field matching) are unavailable. For full functionality, pair Anthropic chat with a separate embedding provider, or use Ollama/OpenAI, which support both chat and embeddings.

Any OpenAI-compatible API (Together, Groq, LM Studio, etc.)

```json
{
  "env": {
    "DRAFT_LLM_PROVIDER": "openai",
    "DRAFT_LLM_MODEL": "meta-llama/Llama-3-70b-chat-hf",
    "DRAFT_API_KEY": "...",
    "DRAFT_API_BASE": "https://api.together.xyz/v1"
  }
}
```

Add the env block to any MCP client config above. With an LLM, DRAFT gets semantic tier classification, embedding-based field assessment, and context-aware suggestions. Without one, you still get full governance via keyword heuristics. Auto-detection: set `DRAFT_LLM_MODEL` without a provider and DRAFT infers it (gpt-* → openai, claude-* → anthropic, anything else → ollama).
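The auto-detection rule reduces to a simple prefix check. A sketch of that logic (illustrative; `infer_provider` is a hypothetical name, not DRAFT's actual function):

```python
def infer_provider(model: str) -> str:
    """Infer the LLM provider from the model name prefix."""
    if model.startswith("gpt-"):
        return "openai"
    if model.startswith("claude-"):
        return "anthropic"
    # Anything else is assumed to be a local Ollama model.
    return "ollama"

print(infer_provider("gpt-4o-mini"))               # → openai
print(infer_provider("claude-sonnet-4-20250514"))  # → anthropic
print(infer_provider("llama3.2:3b"))               # → ollama
```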
| Tool | Purpose |
|---|---|
| `draft_intake` | Start a session. Classifies tier automatically. |
| `draft_map` | Map all 5 dimensions against your context. |
| `draft_elicit` | Generate questions for gaps. |
| `draft_confirm` | Record your answer for a field. |
| `draft_assumptions` | Surface key assumptions as falsifiable claims. |
| `draft_verify` | Confirm or reject an assumption. |
| `draft_gate` | Check if all fields are confirmed. Blocks execution if not. |
| `draft_review` | Quality self-assessment of the elicitation. |
| `draft_status` | View current session state. |
| `draft_escalate` | Manually increase tier. |
| `draft_deescalate` | Manually decrease tier (logged). |
| `draft_unscreen` | Reverse a dimension marked N/A. |
| `draft_add_assumption` | Add a manual or Devil's Advocate assumption. |
| `draft_override` | Override a blocked gate (logged, auditable). |
| `draft_close` | Close the current session. |
You: "Build a Python CLI that backs up my PostgreSQL database to S3"
DRAFT classifies: STANDARD (keyword: "build")
DRAFT maps dimensions and finds gaps:
- D1 ✅ SATISFIED — CLI tool for PostgreSQL backup to S3
- D3 ❓ MISSING — What fails without it? (manual backups? no backups at all?)
- R3 ❓ MISSING — What's forbidden? (drop tables? modify data?)
- T1 ❓ MISSING — How do we know it worked?
- A2 ❓ MISSING — What inputs should be rejected?
DRAFT asks targeted questions:
"What currently handles backups? If nothing, what's the risk of the current approach?" "Are there any operations this tool must never perform?" "What does a successful backup look like — file in S3, notification, verification?"
You answer. DRAFT confirms. Gate opens. AI executes with verified intent.
A complete session using curl — copy-paste to try it yourself:
```bash
# Start the server
python -m draft_protocol --transport rest --port 8420 &

# 1. Create a session
curl -s -X POST http://127.0.0.1:8420/session \
  -H "Content-Type: application/json" \
  -d '{"message": "Build a CLI that backs up PostgreSQL to S3"}'
# → {"session_id": "abc123", "tier": "STANDARD", "reasoning": "Keyword match: build", "confidence": 0.85}

# 2. Map dimensions (provide context about your project)
curl -s -X POST http://127.0.0.1:8420/map \
  -H "Content-Type: application/json" \
  -d '{"session_id": "abc123", "context": "Python CLI using boto3. Only read-only DB access. Success = verified S3 upload."}'
# → Returns dimension map with SATISFIED, AMBIGUOUS, and MISSING fields

# 3. Check what's blocking the gate
curl -s -X POST http://127.0.0.1:8420/gate \
  -H "Content-Type: application/json" \
  -d '{"session_id": "abc123"}'
# → {"passed": false, "confirmed": 2, "total": 5, "blockers": ["D3: MISSING", "A2: MISSING", "T2: MISSING"]}

# 4. Confirm a missing field
curl -s -X POST http://127.0.0.1:8420/confirm \
  -H "Content-Type: application/json" \
  -d '{"session_id": "abc123", "field_key": "D3", "value": "Without this, backups are manual and unreliable"}'
# → {"field": "D3", "status": "CONFIRMED", "value": "Without this, backups are manual and unreliable"}

# 5. Repeat for remaining blockers, then check the gate again
curl -s -X POST http://127.0.0.1:8420/gate \
  -H "Content-Type: application/json" \
  -d '{"session_id": "abc123"}'
# → {"passed": true, "confirmed": 5, "total": 5, "blockers": [], "summary": "[PASS]: 5/5"}

# Gate passed — safe to execute.
```

Tip: In MCP mode the AI client calls these tools automatically. The REST API is for non-MCP integrations and the Chrome extension.
DRAFT includes hardened input validation:
- Empty/whitespace message rejection at intake
- Minimum content threshold on field confirmations (prevents bypass)
- Empty dimension detection at gate check
- Prompt extraction pattern detection (OWASP LLM07) — automatically escalates suspicious messages
- Full audit trail in SQLite (every tool call logged with timestamp)
Sessions are stored in SQLite at ~/.draft_protocol/draft.db (configurable via DRAFT_DB_PATH). The database includes a full audit trail of every action.
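To illustrate what an append-only audit trail looks like at the SQLite level, here is a self-contained sketch. The `audit_log` table name and its columns are hypothetical, not DRAFT's actual schema; inspect the real tables with `sqlite3 ~/.draft_protocol/draft.db ".tables"`.

```python
import sqlite3

# In-memory database for the sketch; DRAFT uses ~/.draft_protocol/draft.db.
conn = sqlite3.connect(":memory:")
conn.execute(
    "CREATE TABLE IF NOT EXISTS audit_log ("
    "  id INTEGER PRIMARY KEY AUTOINCREMENT,"
    "  session_id TEXT NOT NULL,"
    "  tool TEXT NOT NULL,"
    "  ts TEXT NOT NULL DEFAULT (datetime('now'))"
    ")"
)

# Every tool call appends a row; nothing is ever updated or deleted.
conn.execute(
    "INSERT INTO audit_log (session_id, tool) VALUES (?, ?)",
    ("abc123", "draft_gate"),
)
conn.commit()

rows = conn.execute(
    "SELECT session_id, tool FROM audit_log ORDER BY id"
).fetchall()
print(rows)  # → [('abc123', 'draft_gate')]
```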
DRAFT Protocol is the intake governance layer of Vector Gate, a three-gate AI governance pipeline:
- Gate 1 — DRAFT (this project): Intake governance. Ensures AI understands intent.
- Gate 2 — Guardian: Output governance. Checks responses against constitutional rules.
- Gate 3 — GovMCP: Execution governance. Enforces authorized execution boundaries.
DRAFT works standalone. The full pipeline provides defense in depth.
Apache 2.0 — see LICENSE.
We welcome contributions! See CONTRIBUTING.md for development setup, code style, and PR guidelines.
- Bug reports: Open an issue
- Feature requests: Open an issue
- Security vulnerabilities: See SECURITY.md
- Changelog: See CHANGELOG.md
If you find a governance gap (gate bypassed when it shouldn't be), that's a critical bug — please report it immediately.
Built by Manifold Vector LLC. AI governance that works mechanically, not behaviorally.