Architecture

A fail-closed control plane that proves intent, policy, and execution before anything runs.

Pre-execution control plane for agent actions (policy → approval → scoped session → audit).

Control loop
  1. Client / Agent
  2. Decision API (fail-closed)
  3. Approval (optional)
  4. Session issuance
  5. Tool preflight/commit (fail-closed)
  6. Audit log (append-only)

Fail-closed points
  • No policy match → deny
  • Missing evidence → deny
  • Approval denied/expired → deny

Where it sits

Agent framework path

Agent framework → Gateway → Tools

Apply one oversight model even when teams use different agent frameworks and toolchains.

MCP shim path

MCP shim → Gateway → MCP servers/tools

Enforce the same policy and approval behavior across MCP-based integrations.

Direct API gateway path

Direct API calls → Gateway → Any API/tool

Control high-risk API actions with deterministic checks before execution begins.

What gets proven

Deterministic decisions

Same inputs, same result - bound to a versioned policy.

Scoped sessions

Time-bound, revocable capability - limited to explicit intent.

Audit-ready evidence

Append-only receipt that ties intent → approval → execution.

Proof artifacts

Decision receipt example

decision=needs_review
traceId=trc_01hq8w77na
matchedPolicy=policy_transfer_guard_v5
action=tool: finance.transfer
reason=Transfer exceeds auto-allow threshold

This is what auditors and reviewers can verify.

Session scope example

session=sess_01hr2n9d3
duration=15m
constraints=amount<=500, destination_allowlist=true
revocable=true

This is what auditors and reviewers can verify.

Trust boundaries

  • Decision API verifies intent and policy before any execution path is allowed.
  • Approval (optional) gates elevated actions until explicit reviewer consent is present.
  • Scoped sessions remain short-lived, revocable, and bound to approved intent.
  • Tool preflight and commit checkpoints fail closed when policy evidence is incomplete.
  • Audit records stay append-only for replay, review, and incident response.

Common failure modes

  • Policy mismatch: the decision returns deny to stop execution when the requested action is outside policy.
  • Missing evidence: tool preflight returns deny until the required approval, session, or context is present.
  • Approval denied or expired: the decision remains needs_review or deny, so no privileged action runs without current authorization.
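
An added example (not the product's own code): a minimal fail-closed tool preflight that checks a call against a scoped session like the one in the session scope example. All names (Session, preflight, sess_example, acct_payroll) are hypothetical, and the sample session and allowlist are constructed.

```python
# Added illustration; every name here is hypothetical, not the product's API.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Session:
    session_id: str
    action: str                      # the single approved intent
    issued_at: datetime
    duration: timedelta
    max_amount: int
    allowed_destinations: frozenset
    revoked: bool = False

def preflight(session, action, args, now):
    """Return ("allow" | "deny", reason). Any gap or error ends in deny."""
    try:
        if session is None:
            return "deny", "missing evidence: no session"
        if session.revoked:
            return "deny", "session revoked"
        if now >= session.issued_at + session.duration:
            return "deny", "session expired"
        if action != session.action:
            return "deny", "action outside approved intent"
        amount = args["amount"]              # absent key is caught below
        destination = args["destination"]
        if isinstance(amount, bool) or not isinstance(amount, int) or amount <= 0:
            return "deny", "missing evidence: invalid amount"
        if amount > session.max_amount:
            return "deny", "amount exceeds session constraint"
        if destination not in session.allowed_destinations:
            return "deny", "destination not on allowlist"
        return "allow", "within session scope"
    except Exception as exc:                 # fail closed on anything unexpected
        return "deny", f"preflight error: {type(exc).__name__}"

# Constructed sample mirroring the session scope example (15m, amount<=500).
T0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SESSION = Session("sess_example", "finance.transfer", T0, timedelta(minutes=15),
                  500, frozenset({"acct_payroll"}))

if __name__ == "__main__":
    ok = {"amount": 250, "destination": "acct_payroll"}
    print(preflight(SESSION, "finance.transfer", ok, T0 + timedelta(minutes=5)))
    print(preflight(SESSION, "finance.transfer", ok, T0 + timedelta(minutes=15)))
    print(preflight(SESSION, "finance.transfer", {"amount": 250}, T0))
    print(preflight(None, "finance.transfer", ok, T0))
```

The only path to "allow" is the last return inside the try block; a missing argument, a wrong type, or an unexpected exception all fall through to deny.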

Latency + reliability expectations

  • Policy checks are deterministic and cacheable.
  • Fail-closed behavior is explicit at every checkpoint.
  • Decisions are replayable for audits and debugging.
