How do I install Csl Core?

Install Csl Core with a single command: npx mdskills install Chimera-Protocol/csl-core. This downloads the skill files into your project and your AI agent picks them up automatically.

What platforms support Csl Core?

Csl Core works with Claude Code, Claude Desktop, Cursor, Vscode Copilot, Windsurf, Continue Dev, Codex, Gemini Cli, Amp, Roo Code, Goose, Opencode, Trae, Qodo, Command Code. Skills use the open SKILL.md format which is compatible with any AI coding agent that reads markdown instructions.

← Back to skills

Csl Core

Name: Csl Core: AI Agent Skill
Rating: 8 (1 reviews)
Author: Chimera-Protocol

Verified

Database DesignIntermediate

CSL-Core (Chimera Specification Language) is a deterministic safety layer for AI agents. Write rules in .csl files, verify them mathematically with Z3, enforce them at runtime — outside the model. The LLM never sees the rules. It simply cannot violate them. Originally built for Project Chimera, now open-source for any AI system. This doesn't work. LLMs can be prompt-injected, rules are probabilist

by @Chimera-Protocol0Updated 1 weeks ago

Add this skill

npx mdskills install Chimera-Protocol/csl-core

Fork & Edit

Skill Advisor8.0

Deterministic AI safety layer with Z3 formal verification, CLI tools, and framework integrations for policy enforcement

+Provides formal verification using Z3 theorem prover for mathematical guarantees
+Includes comprehensive CLI tooling (verify, simulate, repl) for policy development
+Demonstrates real production use with concrete benchmarks showing 100% attack blocking
-Declares full filesystem, shell, and network permissions without clear justification for all
-Complex architecture may have steep learning curve for policy language syntax

SKILL.md

Edit in Browser

1# CSL-Core
2 
3[![PyPI version](https://img.shields.io/pypi/v/csl-core?color=blue)](https://pypi.org/project/csl-core/)
4[![PyPI Downloads](https://static.pepy.tech/personalized-badge/csl-core?period=total&units=INTERNATIONAL_SYSTEM&left_color=BLACK&right_color=GREEN&left_text=downloads)](https://pepy.tech/projects/csl-core)
5[![Python](https://img.shields.io/pypi/pyversions/csl-core.svg)](https://pypi.org/project/csl-core/)
6[![License](https://img.shields.io/pypi/l/csl-core.svg)](LICENSE)
7[![Z3 Verified](https://img.shields.io/badge/Z3-Formally%20Verified-purple.svg)](https://github.com/Z3Prover/z3)
8 
9**CSL-Core** (Chimera Specification Language) is a deterministic safety layer for AI agents. Write rules in `.csl` files, verify them mathematically with Z3, enforce them at runtime — outside the model. The LLM never sees the rules. It simply cannot violate them.
10 
11```bash
12pip install csl-core
13```
14 
15Originally built for [**Project Chimera**](https://github.com/Chimera-Protocol/Project-Chimera), now open-source for any AI system.
16 
17---
18 
19## Why?
20 
21```python
22prompt = """You are a helpful assistant. IMPORTANT RULES:
23- Never transfer more than $1000 for junior users
24- Never send PII to external emails
25- Never query the secrets table"""
26```
27 
28This doesn't work. LLMs can be prompt-injected, rules are probabilistic (99% ≠ 100%), and there's no audit trail when something goes wrong.
29 
30**CSL-Core flips this**: rules live outside the model in compiled, Z3-verified policy files. Enforcement is deterministic — not a suggestion.
31 
32---
33 
34## Quick Start (60 Seconds)
35 
36### 1. Write a Policy
37 
38Create `my_policy.csl`:
39 
40```js
41CONFIG {
42  ENFORCEMENT_MODE: BLOCK
43  CHECK_LOGICAL_CONSISTENCY: TRUE
44}
45 
46DOMAIN MyGuard {
47  VARIABLES {
48    action: {"READ", "WRITE", "DELETE"}
49    user_level: 0..5
50  }
51 
52  STATE_CONSTRAINT strict_delete {
53    WHEN action == "DELETE"
54    THEN user_level >= 4
55  }
56}
57```
58 
59### 2. Verify & Test (CLI)
60 
61```bash
62# Compile + Z3 formal verification
63cslcore verify my_policy.csl
64 
65# Test a scenario
66cslcore simulate my_policy.csl --input '{"action": "DELETE", "user_level": 2}'
67# → BLOCKED: Constraint 'strict_delete' violated.
68 
69# Interactive REPL
70cslcore repl my_policy.csl
71```
72 
73### 3. Use in Python
74 
75```python
76from chimera_core import load_guard
77 
78guard = load_guard("my_policy.csl")
79 
80result = guard.verify({"action": "READ", "user_level": 1})
81print(result.allowed)  # True
82 
83result = guard.verify({"action": "DELETE", "user_level": 2})
84print(result.allowed)  # False
85```
86 
87---
88 
89## Benchmark: Adversarial Attack Resistance
90 
91We tested prompt-based safety rules vs CSL-Core enforcement across 4 frontier LLMs with 22 adversarial attacks and 15 legitimate operations:
92 
93| Approach | Attacks Blocked | Bypass Rate | Legit Ops Passed | Latency |
94|----------|----------------|-------------|------------------|---------|
95| GPT-4.1 (prompt rules) | 10/22 (45%) | 55% | 15/15 (100%) | ~850ms |
96| GPT-4o (prompt rules) | 15/22 (68%) | 32% | 15/15 (100%) | ~620ms |
97| Claude Sonnet 4 (prompt rules) | 19/22 (86%) | 14% | 15/15 (100%) | ~480ms |
98| Gemini 2.0 Flash (prompt rules) | 11/22 (50%) | 50% | 15/15 (100%) | ~410ms |
99| **CSL-Core (deterministic)** | **22/22 (100%)** | **0%** | **15/15 (100%)** | **~0.84ms** |
100 
101 
102**Why 100%?** Enforcement happens outside the model. Prompt injection is irrelevant because there's nothing to inject against. Attack categories: direct instruction override, role-play jailbreaks, encoding tricks, multi-turn escalation, tool-name spoofing, and more.
103 
104> Full methodology: [`benchmarks/`](benchmarks/)
105 
106---
107 
108## LangChain Integration
109 
110Protect any LangChain agent with 3 lines — no prompt changes, no fine-tuning:
111 
112```python
113from chimera_core import load_guard
114from chimera_core.plugins.langchain import guard_tools
115from langchain_classic.agents import AgentExecutor, create_tool_calling_agent
116 
117guard = load_guard("agent_policy.csl")
118 
119# Wrap tools — enforcement is automatic
120safe_tools = guard_tools(
121    tools=[search_tool, transfer_tool, delete_tool],
122    guard=guard,
123    inject={"user_role": "JUNIOR", "environment": "prod"},  # LLM can't override these
124    tool_field="tool"  # Auto-inject tool name
125)
126 
127agent = create_tool_calling_agent(llm, safe_tools, prompt)
128executor = AgentExecutor(agent=agent, tools=safe_tools)
129```
130 
131Every tool call is intercepted before execution. If the policy says no, the tool doesn't run. Period.
132 
133### Context Injection
134 
135Pass runtime context that the LLM **cannot override** — user roles, environment, rate limits:
136 
137```python
138safe_tools = guard_tools(
139    tools=tools,
140    guard=guard,
141    inject={
142        "user_role": current_user.role,         # From your auth system
143        "environment": os.getenv("ENV"),        # prod/dev/staging
144        "rate_limit_remaining": quota.remaining # Dynamic limits
145    }
146)
147```
148 
149### LCEL Chain Protection
150 
151```python
152from chimera_core.plugins.langchain import gate
153 
154chain = (
155    {"query": RunnablePassthrough()}
156    | gate(guard, inject={"user_role": "USER"})  # Policy checkpoint
157    | prompt | llm | StrOutputParser()
158)
159```
160 
161---
162 
163## CLI Tools
164 
165The CLI is a complete development environment for policies — test, debug, and deploy without writing Python.
166 
167### `verify` — Compile + Z3 Proof
168 
169```bash
170cslcore verify my_policy.csl
171 
172# ⚙️  Compiling Domain: MyGuard
173#    • Validating Syntax... ✅ OK
174#    ├── Verifying Logic Model (Z3 Engine)... ✅ Mathematically Consistent
175#    • Generating IR... ✅ OK
176```
177 
178### `simulate` — Test Scenarios
179 
180```bash
181# Single input
182cslcore simulate policy.csl --input '{"action": "DELETE", "user_level": 2}'
183 
184# Batch testing from file
185cslcore simulate policy.csl --input-file test_cases.json --dashboard
186 
187# CI/CD: JSON output
188cslcore simulate policy.csl --input-file tests.json --json --quiet
189```
190 
191### `repl` — Interactive Development
192 
193```bash
194cslcore repl my_policy.csl --dashboard
195 
196cslcore> {"action": "DELETE", "user_level": 2}
197🛡️ BLOCKED: Constraint 'strict_delete' violated.
198 
199cslcore> {"action": "DELETE", "user_level": 5}
200✅ ALLOWED
201```
202 
203### CI/CD Pipeline
204 
205```yaml
206# GitHub Actions
207- name: Verify policies
208  run: |
209    for policy in policies/*.csl; do
210      cslcore verify "$policy" || exit 1
211    done
212```
213 
214---
215 
216## MCP Server (Claude Desktop / Cursor / VS Code)
217 
218Write, verify, and enforce safety policies directly from your AI assistant — no code required.
219 
220```bash
221pip install "csl-core[mcp]"
222```
223 
224Add to Claude Desktop config (`~/Library/Application Support/Claude/claude_desktop_config.json`):
225```json
226{
227  "mcpServers": {
228    "csl-core": {
229      "command": "uv",
230      "args": ["run", "--with", "csl-core[mcp]", "csl-core-mcp"]
231    }
232  }
233}
234```
235 
236| Tool | What It Does |
237|---|---|
238| `verify_policy` | Z3 formal verification — catches contradictions at compile time |
239| `simulate_policy` | Test policies against JSON inputs — ALLOWED/BLOCKED |
240| `explain_policy` | Human-readable summary of any CSL policy |
241| `scaffold_policy` | Generate a CSL template from plain-English description |
242 
243> **You:** "Write me a safety policy that prevents transfers over $5000 without admin approval"
244>
245> **Claude:** *scaffold_policy → you edit → verify_policy catches a contradiction → you fix → simulate_policy confirms it works*
246 
247---
248 
249## Architecture
250 
251```
252┌──────────────────────────────────────────────────────────┐
253│  1. COMPILER    .csl → AST → IR → Compiled Artifact      │
254│     Syntax validation, semantic checks, functor gen       │
255├──────────────────────────────────────────────────────────┤
256│  2. VERIFIER    Z3 Theorem Prover — Static Analysis       │
257│     Contradiction detection, reachability, rule shadowing │
258│     ⚠️ If verification fails → policy will NOT compile    │
259├──────────────────────────────────────────────────────────┤
260│  3. RUNTIME     Deterministic Policy Enforcement          │
261│     Fail-closed, zero dependencies, <1ms latency          │
262└──────────────────────────────────────────────────────────┘
263```
264 
265Heavy computation happens once at compile-time. Runtime is pure evaluation.
266 
267---
268 
269## Used in Production
270 
271<table>
272  <tr>
273    <td width="80" align="center">
274      <a href="https://github.com/Chimera-Protocol/Project-Chimera">🏛️</a>
275    </td>
276    <td>
277      <a href="https://github.com/Chimera-Protocol/Project-Chimera"><b>Project Chimera</b></a> — Neuro-Symbolic AI Agent<br/>
278      CSL-Core powers all safety policies across e-commerce and quantitative trading domains. Both are Z3-verified at startup.
279    </td>
280  </tr>
281</table>
282 
283*Using CSL-Core? [Let us know](https://github.com/Chimera-Protocol/csl-core/discussions) and we'll add you here.*
284 
285---
286 
287## Example Policies
288 
289| Example | Domain | Key Features |
290|---------|--------|--------------|
291| [`agent_tool_guard.csl`](examples/agent_tool_guard.csl) | AI Safety | RBAC, PII protection, tool permissions |
292| [`chimera_banking_case_study.csl`](examples/chimera_banking_case_study.csl) | Finance | Risk scoring, VIP tiers, sanctions |
293| [`dao_treasury_guard.csl`](examples/dao_treasury_guard.csl) | Web3 | Multi-sig, timelocks, emergency bypass |
294 
295```bash
296python examples/run_examples.py          # Run all with test suites
297python examples/run_examples.py banking  # Run specific example
298```
299 
300---
301 
302## API Reference
303 
304```python
305from chimera_core import load_guard, RuntimeConfig
306 
307# Load + compile + verify
308guard = load_guard("policy.csl")
309 
310# With custom config
311guard = load_guard("policy.csl", config=RuntimeConfig(
312    raise_on_block=False,          # Return result instead of raising
313    collect_all_violations=True,   # Report all violations, not just first
314    missing_key_behavior="block"   # "block", "warn", or "ignore"
315))
316 
317# Verify
318result = guard.verify({"action": "DELETE", "user_level": 2})
319print(result.allowed)     # False
320print(result.violations)  # ['strict_delete']
321```
322 
323Full docs: [**Getting Started**](docs/getting-started.md) · [**Syntax Spec**](docs/syntax-spec.md) · [**CLI Reference**](docs/cli-reference.md) · [**Philosophy**](docs/philosophy.md)
324 
325---
326 
327## Roadmap
328 
329**✅ Done:** Core language & parser · Z3 verification · Fail-closed runtime · LangChain integration · CLI (verify, simulate, repl) · MCP Server · Production deployment in Chimera v1.7.0
330 
331**🚧 In Progress:** Policy versioning · LangGraph integration
332 
333**🔮 Planned:** LlamaIndex & AutoGen · Multi-policy composition · Hot-reload · Policy marketplace · Cloud templates
334 
335**🔒 Enterprise (Research):** TLA+ temporal logic · Causal inference · Multi-tenancy
336 
337---
338 
339## Contributing
340 
341We welcome contributions! Start with [`good first issue`](https://github.com/Chimera-Protocol/csl-core/issues?q=is%3Aissue+is%3Aopen+label%3A%22good+first+issue%22) or check [`CONTRIBUTING.md`](CONTRIBUTING.md).
342 
343**High-impact areas:** Real-world example policies · Framework integrations · Web-based policy editor · Test coverage
344 
345---
346 
347## License
348 
349**Apache 2.0** (open-core model). The complete language, compiler, Z3 verifier, runtime, CLI, MCP server, and all examples are open-source. See [LICENSE](LICENSE).
350 
351---
352 
353**Built with ❤️ by [Chimera Protocol](https://github.com/Chimera-Protocol)** · [Issues](https://github.com/Chimera-Protocol/csl-core/issues) · [Discussions](https://github.com/Chimera-Protocol/csl-core/discussions) · [Email](mailto:akarlaraytu@gmail.com)

Full transparency — inspect the skill content before installing.