Visual Proof
Capability Check Risk Engine Policy Decision
The product’s logic is architectural, not cosmetic: capability validation, policy evaluation, approvals, sandboxing, and audit all sit in the actual execution path.
Constrails
Agent safety enforced outside the agent.
Constrails routes meaningful agent actions through a safety kernel that can identify the agent, validate capabilities, score risk, evaluate policy, require approvals, sandbox or quarantine execution, broker tools, and record auditable outcomes.
Request flow
Agent → Kernel → Capability → Risk → Policy → Decision → Broker → Audit
Every step is explicit. If something fails, Constrails fails closed.
Why this matters
Prompting alone isn’t a safety boundary. Constrails turns control into infrastructure with enforcement at execution time. Agents don’t call tools directly — the broker executes only after the kernel decides.
Technical Proof
What the system demonstrates
Constrails demonstrates a clear thesis: agent safety belongs in infrastructure, not just prompts, intentions, or surface-level guardrails.
Use Case Fit
Where it matters most
Environments that care about least privilege, approvals, auditability, containment, and controlled execution for autonomous or semi-autonomous systems.
Capability Manifests
Explicit definitions with path, domain, and command controls plus history.
Risk Engine
Heuristic scoring with exfiltration-chain detection and quota tracking.
Policy Evaluation
OPA integration with degraded/strict availability modes and fallbacks.
Tool Broker
Filesystem, HTTP, and exec adapters with sandbox-first execution.
Approvals
Lifecycle with webhooks, retries, quota enforcement, and replay flows.
Audit & Admin
Read-only inspection endpoints, scoped queries, and durable persistence.
Current status
Constrails ships with a working kernel (FastAPI), CLI lifecycle, sandbox executor, approval workers, and compose smoke coverage. Areas still maturing include broader sandbox validation, identity lifecycle depth, distribution polish, and Postgres-first migrations.
Design principles
- External enforcement over self-regulation
- Least privilege via explicit capabilities
- Fail-closed defaults wherever practical
- Auditable, replayable decisions
- No direct tool access outside the broker
Stay close
Track Constrails or talk about integrating it.
The public repo shows exactly how the kernel works today. For deeper collaboration, governance tailoring, or deployment support, reach out to TMFPRETTY directly.