Plumbline is an open-source analyzer for LLM and agentic code. It finds the defects that make agents fall over — unbounded loops, missing fallbacks, unsafe tool calls — before a single line ships. Trust starts before production.
Plumbline uses taint and dataflow analysis to reason about real properties of LLM and agentic code — not formatting, not naming. The defects that break agents in production are structural, and they're written long before deployment.
Same code, same findings, every run. No flakiness, no model calls, no surprises — safe to gate a build on.
No network calls. No telemetry. Nothing leaves your machine. Plumbline runs fully offline.
Emits SARIF for GitHub code scanning and your IDE, JSON for tooling, and ships a pre-commit hook.
The bugs that survive testing and surface only under real traffic — the ones a code review misses because they're about behaviour, not syntax.
An agent that can loop without an iteration cap — a runaway cost and latency risk.
No handling when the model provider rate-limits or fails — the agent stalls in production.
Untrusted input reaching a tool-enabled prompt — the setup behind prompt-injection incidents.
A model quietly changed with no guardrail — behaviour drifts and nobody notices.
Plumbline lives on the left of the lifecycle — design-time. AgentGuard picks it up on the right — runtime. Together they cover the whole path.
Run plumb scan locally before you commit.
The ships-with hook scans every change automatically.
A quality gate the build can fail on — deterministic, so it's fair.
SARIF findings surface right in GitHub, next to your other checks.
Plumbline guards the code before it gets there. AgentGuard guards it once it's live.
Plumbline is Apache-2.0 and public — because you shouldn't have to trust a black box to tell you your AI is sound. Install it in a minute; gate your next build on it.
pip install actaclad-plumbline · plumb scan