POLICY ENGINE
</> GOVERNANCE IN ONE YAML FILE
Declare rules. The Warden enforces them.
No LLM guesswork on the boundary. First-match policy, fail-closed default.
FAIL-CLOSED DEFAULT
Unknown action types are blocked. Not guessed.
FIRST-MATCH WINS
Rules evaluated top-down, predictable.
HUMAN ESCALATION
Flag risky actions with a single rule line.
IMMUTABLE TRAIL
Every verdict logged to Band history.
version: "1.0" fail_closed: true rules: - name: block-exfiltration match: action: write_file path: /external/* verdict: DENY - name: human-gate-transfers match: action: transfer_funds amount: ">= 10000" verdict: ESCALATE notify: "@compliance-team" - name: allow-internal-reads match: action: read_file path: /internal/* verdict: ALLOW
Governance that writes its own audit trail.
Every request, verdict, and human decision logged to Band. No second database.
01
Agent sends an action request
No tools, no access. Intent only.
02
Warden evaluates policy
Real-time verdict. First-match wins. No LLM in the loop.
03
Human gates what policy can't
@mention in Band. Approve or deny in the UI. Decision logged immediately.
04
Band writes the ledger
Immutable trail. Every verdict, every human decision, one history.
The threat model made concrete.
COMPROMISED AGENT
Tries to write customer PII to an external path.
FORBIDDEN.
Not executed. Policy matched block-exfiltration before the tool was called.
ROGUE PAYOUT
Transfer instruction to an account not on the approved list.
BLOCKED.
Held at the airlock. Human notified. No funds moved.
LARGE TRANSFER
Agent requests a $50,000 wire. Policy threshold requires sign-off.
ESCALATED.
Paused at the gate. @compliance-team mentioned in Band. Waiting on human approval.
AIRLOCK IS LIVE
Your agents are already running.
The question is who's watching the door.