Demo • Agent Tools
Execution-time governance for agent tool actions
Proof shape: VETO ⇒ irreversible sink unchanged • ALLOW ⇒ sink changed • Both outcomes are backed by evidence logs + before/after hashes.
Irreversible sink simulated
- Sink: governed file write under agent_out/
- Threat: path traversal / escape outside workspace
VETO / INVALID
Attempted write escapes allowed scope (path traversal). Sink unchanged.
ALLOW / VALID
Allowed write stays under agent_out/. Sink hash changes.
Evidence reports
VETO report
Observed decision + evidence excerpt + sink hashes.
ALLOW report
Evidence excerpt + before/after hashes proving execution.
Invariants enforced at the boundary
- writes must stay under agent_out
- no absolute paths outside workspace
- extension allowlist: .txt, .json
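A sketch of the boundary check and evidence record described above, added here as an example and not the demo's own implementation. The function names, the record fields and the choice of SHA-256 over the contents of agent_out/ are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

ALLOWED_EXT = {".txt", ".json"}  # extension allowlist from the invariants above

def sink_hash(root: Path) -> str:
    """SHA-256 over every file (relative path + bytes) under the sink root."""
    h = hashlib.sha256()
    for p in sorted(root.rglob("*")):
        if p.is_file():
            h.update(p.relative_to(root).as_posix().encode() + b"\0")
            h.update(p.read_bytes())
    return h.hexdigest()

def governed_write(workspace: Path, requested: str, data: bytes) -> dict:
    """Enforce the invariants, write only on ALLOW, return an evidence record."""
    root = (workspace / "agent_out").resolve()
    root.mkdir(parents=True, exist_ok=True)
    before = sink_hash(root)
    # resolve() collapses ".." and follows symlinks, so the check sees the real
    # target; joining with an absolute path yields that absolute path unchanged.
    target = (root / requested).resolve()
    reason = None
    if not target.is_relative_to(root):
        reason = "path escapes agent_out"
    elif target.suffix.lower() not in ALLOWED_EXT:
        reason = "extension not in allowlist"
    if reason is None:
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return {"decision": "VETO" if reason else "ALLOW", "reason": reason,
            "requested": requested, "before": before, "after": sink_hash(root)}

def demo() -> tuple:
    """Run one escaping and one in-scope request in a constructed workspace."""
    with tempfile.TemporaryDirectory() as ws:
        ws = Path(ws)
        veto = governed_write(ws, "../escape.txt", b"x")
        allow = governed_write(ws, "notes/result.json", b"{}")
        return veto, allow, (ws / "escape.txt").exists()

if __name__ == "__main__":
    for record in demo()[:2]:
        print(record)
```

The check and the write are separate steps, so this sketch assumes nothing else can modify agent_out/ (for example by swapping in a symlink) between them.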
Want this on your system?
Share your irreversible sinks. We deliver a scoped governance layer + evidence pack.
Contact