Changelog

All notable changes to Xybern are listed here. Xybern follows Semantic Versioning.

2026-07

Added

  • Runtime Containment (Agent EDR), continuous control over an agent that is already running, not just a verdict on each action. Open a session for a run and set live budgets (maximum actions, time-to-live) that are enforced at the choke-point; kill a running agent from the new Live Sessions dashboard tab or the API, and its next action returns a terminate verdict; the Python SDK runs a background heartbeat that raises SessionTerminated, so an integrated agent aborts within seconds rather than only on its next action; and revoking a credential now cascade-kills every active session using it, so a compromised key halts in-flight runs immediately. Containment events (budget breaches, revocations) are opened automatically as incidents with the remediation taken, surfaced in a new Incidents dashboard tab and notified by webhook, and you can request compensating actions (rollback) that your own handler executes. Every session and incident event is sealed to the signed Provenance Vault. See the Runtime Containment documentation.
  • Efficacy Benchmark (XAAB), an open, reproducible benchmark that measures how well an AI-agent authorisation layer stops unsafe actions while allowing legitimate ones, across 137 scenarios drawn from OWASP LLM Top 10, MITRE ATLAS and CWE. The Xybern Authorisation Layer caught 100% of unsafe actions with 0% false positives, held at 100% under paraphrase where a strong keyword guardrail collapsed from 84% to 44%, and stayed stable across repeated runs. Every benchmark decision is sealed to the signed Provenance Vault, and the whole suite (dataset, harness, reference policy pack, and an open-source offline verifier) is public under Apache-2.0. See the Efficacy Benchmark documentation.
  • Self-Hosted Relay, run the enforcement plane inside your own network. The relay evaluates deterministic and stateful policies locally, so action content never leaves your infrastructure, forwards only intent-based (semantic) checks to the cloud, caches your policies for low latency and availability, and forwards a metadata-only audit record of every decision to the tamper-evident Provenance Vault. Point the SDK at it and everything else is transparently proxied. Ships as a Docker image. See the Self-Hosted Relay documentation.

2026-06

Added

  • Stateful / sequence policies, a new policy type that judges a pattern across an agent's recent actions rather than a single action, catching what one-shot rules can't: velocity ("more than N wire transfers in 5 minutes") and ordered sequences ("read many records → then send externally", a classic exfiltration pattern). Evaluated over the agent's recent decision history within a configurable time window. Create them from the policy form, via Ask Xybern, or the API. See the Policies documentation.
  • pip install xybern, auto-discovery SDK, a one-line way to bring an existing agent stack under governance. Running from xybern import auto; auto.connect() discovers the AI agents, tools, and MCP servers running in your process (LangChain, CrewAI, OpenAI Agents SDK, MCP, LangGraph, AutoGen, Semantic Kernel, LlamaIndex), registers each to your workspace with a cryptographic identity, and instruments them in observe mode by default, so nothing is ever blocked until you turn enforcement on. Sign in with a browser device-code flow (xybern login) or an API key; content is sent as a hash by default and the SDK fails open if Xybern is unreachable. See the Python SDK documentation.
  • External anchoring & per-decision certificates, the Provenance Vault now periodically emits a checkpoint: a single Merkle root ("tree head") committing every entry, signed with the KMS key and timestamped by an independent RFC-3161 Time-Stamp Authority, proving the log's contents and order existed before a point in time, which not even Xybern can backdate. Any single record can prove membership in that signed, timestamped root via a Merkle inclusion proof, and you can export a per-decision certificate, a self-contained, shareable proof for one action that a third party can verify offline (inclusion proof + checkpoint signature checked automatically by the open-source verifier; the RFC-3161 token verifiable with openssl ts). See Verifiable Provenance.
  • Policy-version binding, every enforcement decision is now bound to the exact ruleset that produced it. The signed Vault entry records a policy_set_hash (identifying the precise set of active policies in force at decision time) plus a self-contained snapshot of the rules that actually fired, and the full ruleset is snapshotted the first time each hash is seen, so a decision's proof reads as "at time T, policy-set H (these exact rules) produced this verdict", and resolves to the precise rules even after they're later edited or deleted. Surfaced in the Vault entry view and resolvable via API. Builds on Verifiable Provenance.
  • Verifiable Provenance, every decision and audit event in the Provenance Vault is now hash-chained and asymmetrically signed (ECDSA P-256), with the signing private key held only in AWS KMS. Anyone (an auditor, regulator, insurer, or your own customer) can independently verify that a record is authentic, untampered, and correctly ordered using only Xybern's published public key, while nobody (not even Xybern) can forge or backdate one. Public keys are published at a no-auth endpoint, a self-contained proof bundle can be exported per workspace, and an open-source verifier checks everything offline with zero dependency on Xybern. Foundation for EU AI Act Article 12, ISO 42001, and SOC 2 record-keeping. See the Verifiable Provenance documentation.
  • Authorisation Layer Semantic Policies, a new policy type that judges an AI action's intent against a rule written in plain English, catching paraphrase, euphemism, and obfuscation that regex-based rules can't (e.g. a "never promise a refund" rule that also stops "expect the funds back in your account"). The judge runs on the enforcement path with a fast model, caching, and a short timeout, and is fail-open by default so an LLM outage never wrongly blocks legitimate traffic (set on_unavailable: "escalate" to fail closed instead); a per-policy confidence floor controls how certain a match must be, and semantic conditions compose inside AND/OR policies and run in shadow mode like any other type. See the Semantic Policies documentation.
  • Ask Xybern now creates semantic policies, the in-dashboard assistant that already turns a plain-English description into a one-click policy now understands the semantic type, so describing a rule whose wording could vary (e.g. "never promise a refund") produces a ready-to-create semantic policy automatically. A live test box on the policy form lets you check a single action against the rule and see the verdict and confidence while you tune it.
  • Policy Backtesting, replay any draft policy against your workspace's real decision history before you deploy it, and see exactly what it would have done: the trigger rate, how many previously-allowed actions would now be blocked or escalated, the new-decision breakdown, and sample hits with the judge's reasoning. Deterministic policies sweep a wide window instantly; semantic policies sample recent actions and judge them in parallel.
  • Model resilience for the Authorisation Layer, wherever the layer uses an LLM (the semantic policy judge and the Ask Xybern assistant), it now falls back automatically to a secondary provider if the primary is unreachable or out of credits, so intent enforcement and the assistant keep working through an upstream billing or rate-limit event.
  • Scroll AML, Sanctions & PEP Screening, screen every client and their named owners against global sanctions and PEP lists (via OpenSanctions), with scored matches showing the list and reason, a clear / needs-review / flagged status and a low / medium / high risk rating. Review matches and record a determination (cleared, true match, false positive); every screening is kept as a dated, hashed audit record. New clients are screened automatically, a daily job re-screens stale records, and a jurisdiction-scoped Compliance inbox lists clients by status with flagged and overdue first. Data residency is supported by self-hosting the matching engine. See the AML Screening documentation.
  • Scroll Document Intelligence, upload a client document (or have the client send it through the portal or a message) and Scroll reads it, classifies the type (passport, trade licence, Ejari, CR, GOSI, visa, and more), extracts the holder, number, issue and expiry dates, and authority, matches it to a client, and offers to create the deadline and the renewal in one click. Text documents are read directly; photos and scans are read with AI vision. Client-submitted documents are ingested and analyzed automatically into a jurisdiction-scoped Documents inbox; extracted detail is stored encrypted and nothing is created without your confirmation. See the Document Intelligence documentation.
  • Scroll Public Verification & QR, every sealed matter now gets a permanent, scannable verification link and QR code. Anyone (a client, an auditor, or a government officer) can scan it or open the link to confirm the document is held in your Provenance Vault, with its hash and (if signed) its signature, on a firm-branded page that shows no document content or PII. The QR is embedded on the signed PDF certificate page and available from each matter via a Verification QR action. Pure hash and signature verification, so it works independently of any AI service. See the Public Verification documentation.
  • Ask Scroll, the ask bar on the Workflows screen now answers questions about your own firm, not just regulations. Alongside its regulatory expertise (with live web search), it is given a jurisdiction-scoped snapshot of your clients, renewals, deadlines, matters, signatures, and open requests, so you can ask "which clients have renewals due next month?", "what's the status of this client?", or "who still has a signature pending?". It uses non-sensitive fields only (names, references, dates, statuses), never the encrypted PII profile fields, and answers stream back formatted. See the Ask Scroll documentation.
  • Scroll Client E-Signature, clients can electronically sign completed, sealed matters from the portal by typing or drawing their signature and confirming consent. Each signature is stamped with the time and IP, bound to the matter's Provenance Vault hash (so any later change breaks verification), and a signature certificate page is appended to the PDF. The firm requests a signature with one click, both sides are notified, and signed matters carry a Signed badge in the Vault.
  • Scroll Client Portal Messaging, a two-way conversation per client. The firm posts notes asking for documents or details, with a per-message Request a document toggle, and the client replies in plain text or attaches multiple documents (which land in Client documents, ready to download or run a workflow on). Both sides are notified by email and Telegram. A Client activity feed shows signatures, uploads, requests, and sign-ins at a glance.
  • Scroll Client Portal, a white-label, passwordless portal where your clients track their matters, see upcoming renewals and deadlines, message you, upload documents, download completed packages, and request new services. Each client signs in with a one-time code or magic link (no passwords); every session is scoped to one client, and documents are only downloadable once a matter is completed and approved. Firms control it end to end: enable or revoke access per client, brand the portal (firm name, colour, logo), and work from a Client documents inbox where every client upload can be downloaded, fed straight into a workflow with one click (the run is created for that client with the document attached, then flows through the normal approval gate), or deleted. Service requests land in a Client requests inbox where you can mark them done or dismiss them, with an unseen-count badge. Fully Arabic and right-to-left, with a per-client language switch. See the Client Portal documentation.
  • Scroll Regulatory Change Radar, a daily monitor that checks official UAE and Saudi sources for changes to the fees, rates, thresholds, and rules behind your workflows. It keeps a Current Rates & Rules reference of the latest figure on record for every topic (with official sources and a last-verified date, available from day one), and a Recent changes feed showing what moved, with summaries, effective dates, and source links. Changes relevant to the workflows your firm uses are highlighted and surfaced first. When something changes, Scroll feeds the new figure into future workflow runs automatically, flags any already-prepared renewal in Renewal Autopilot with a one-click Re-prepare action (still gated for approval), and alerts you by email and Telegram. Monitoring runs globally on behalf of all firms, and the first check of each topic records a silent baseline so there are no false alerts. Source-cited and alert-and-surface only; nothing is auto-submitted. See the Regulatory Change Radar documentation.
  • Scroll Insights & ROI dashboard, a single screen showing the value Scroll delivers: renewals prepared automatically, documents read, documents anonymised before any AI saw them, and audit-ready records, plus staff time and money saved based on the firm's own per-workflow time/cost figures (entered once, never a hardcoded guess). Adds forward-looking upcoming renewal workload (30/60/90 days), deadlines at risk, period-over-period change on every metric, and a turnaround trend. Fully measured from real activity, jurisdiction-filterable, and Arabic-localised. See the Insights & ROI documentation.
  • Authorised Agents, domain-specialised AI agents that plan, get your approval, then execute, with every action governed by the Authorisation Layer. Four presets: Banking, Legal, Project Management, and Fraud, each with tuned skills and example prompts. See the Authorised Agents documentation.
  • Agent Skills, toggleable domain skill packs per agent, auto-suggested per request, plus custom skills you define in plain language.
  • Agent Automations, schedule an agent to run a recurring task (e.g. a weekly status report or daily fraud monitoring); each run is logged.
  • Agent Connectors & Documents, a shared document library plus Gmail, Google Drive, Dropbox, OneDrive, Slack, Notion, Trello, and HTTP/webhook connectors, with Telegram access to talk to your agent on the go.
  • Xybern Scroll, an Arabic-native regulatory workflow platform for UAE and Saudi firms. Reads Arabic government documents, prepares submissions, gates them for human approval, and seals them in a tamper-proof Provenance Vault. See the Scroll documentation.
  • Scroll Workflow Library, 31 built-in workflows across real estate, banking, legal, government, energy, and tourism - DLD, DED, MOHRE, GDRFA, DIFC/ADGM, SAMA, CMA, ZATCA, GOSI, MOJ, DEWA, ADNOC, Aramco, DTCM, STA, and more.
  • Scroll Renewal Autopilot, watches every client's deadlines and auto-prepares renewals before they're due, requests missing details from the client via a targeted link, holds for human approval, and rolls the deadline forward perpetually.
  • Scroll AI Workflow Builder, describe a regulatory process in plain language and Scroll generates a custom, editable workflow.
  • Scroll Clients & CSV Import, encrypted client profiles that pre-fill workflows, with bulk import from any CRM/Salesforce CSV export via automatic header mapping.
  • Scroll CRM Connections, live contact search from Zoho CRM (multi-data-centre aware) and CSV import for Salesforce.
  • Scroll Client Intake Links, shareable links that collect client details - including targeted links that ask only for the fields you're missing.
  • Scroll Webhooks, let external systems trigger workflow runs by POSTing to a unique URL.
  • Scroll PII Redaction, client PII is tokenised before any LLM sees it and restored afterward, built on Xybern Redact.
  • Scroll Live Web Search, analysis steps check official UAE/Saudi sources for current fees, rates, and rule changes.
  • Scroll Approvals & Provenance Vault, every submission pauses for human approval at an Authorisation Layer gate; every completed workflow is sealed as a tamper-proof record.
  • Scroll Arabic & RTL, full Arabic (MSA) interface, workflow content, and AI output with a right-to-left layout, chosen per workspace.

Improved

  • Scroll jurisdiction scoping, each client now has a jurisdiction (UAE, Saudi, or Both), and the topbar UAE / KSA / Both selector now scopes the entire workspace consistently: the workflow library, Clients, Runs, the Vault, the Compliance Tracker, Renewal Autopilot, Insights, the Regulatory Radar, the Documents inbox, and the Client Portal documents, requests, and activity, plus the workflows a client can request in the portal. Every view follows the same rule: a specific jurisdiction shows its own plus cross-market items.
  • Ask Scroll answers stream in formatted, the Workflows ask bar now renders answers as Markdown with a live typing effect, matching the workflow step outputs.
  • Docs restructured under Products, the Authorisation Layer (now including MCP Server, LLM Gateway, and Framework Integrations), Redact, and Scroll are grouped under a single Products section.

2026-05

Added

  • Python SDK, pip install xybern-redact gives you a zero-configuration HTTP client for the Redact API. anonymize() strips PII and returns an entity map, deanonymize() restores real values client-side from that map, chat() handles the full proxy flow automatically, and anonymize_file() uploads documents for anonymization. Supports multi-turn conversations via thread_id, context manager usage, and typed exceptions for authentication and server errors.
  • Co-reference Resolution, Name variants within a document now resolve to the same pseudonym automatically. After detecting a full name, Xybern searches the remaining text for title and last name variants (Mr. Chen, Dr. Chen), initial and last name variants (M. Chen), and bare last name references (Chen, when unambiguous). Pseudonyms placed during the primary pass are protected before the variant pass runs to prevent accidental overwriting.
  • Data Erasure, Permanently delete an individual's real values from the entity map to fulfil GDPR Article 17 right-to-erasure requests (and equivalent rights under CCPA and other privacy regulations). Submit up to 500 values per request via the Erasure tab in the Redact dashboard or POST /api/redact/{workspace_id}/erasure. Every erasure operation creates an immutable audit record in the Provenance Vault showing how many entries were deleted and the breakdown by entity type. Future requests containing the erased values receive fresh pseudonyms.
  • Structured Data API Access, The structured data detect and anonymize endpoints now accept API key authentication in addition to session auth. ETL pipelines and data engineering workflows can call POST /api/redact/{workspace_id}/structured/detect and POST /api/redact/{workspace_id}/structured/anonymize directly using a Bearer API key without a browser session. IBAN added as a supported column entity type with automatic suggestion for columns named iban or bank_account.
  • Format-Preserving Anonymization, SSNs, credit card numbers, IBANs, and phone numbers are now replaced with structurally valid fakes instead of redaction tokens. Fake SSNs pass SSA format rules, fake card numbers pass Luhn checksum validation, fake IBANs pass ISO 13616 mod-97 check digit validation with the country code preserved, and fake phone numbers preserve the original separator style and digit count. No configuration required. Applies to all policies automatically.
  • Structured Data Anonymization, Upload a CSV or JSON file to the Structured Data tab, configure each column individually (Person, Email, Phone, Organisation, SSN, Credit Card, or skip), and download the anonymized file in the same format. Column names are used to auto-suggest entity types. Pseudonym assignment is consistent with your workspace entity map. Available in the dashboard and via POST /api/redact/{workspace_id}/structured/anonymize.
  • Multi-Turn Conversation Support, Pass a thread_id on each proxy request to maintain consistent pseudonym mappings across a full conversation thread. The same real value always resolves to the same pseudonym within the thread. Clear a thread via DELETE /api/redact/{workspace_id}/threads/{thread_id} when the conversation ends.
  • Selective Disclosure, Generate a signed, time-limited proof link for any vault record. External auditors open the link to verify document hashes, HMAC signature, and Merkle inclusion proof without accessing your workspace. Links expire after 30 days. Available via the Disclose button in the Vault tab or the API.
  • Vault Search by Entity Type, Filter the Provenance Vault by detected entity type - Person, Email, Phone, Organisation, SSN, Credit Card, or Signature. Returns only records where that entity type was stripped. Available in the dashboard filter bar and via the entity_type query parameter on the vault API.
  • Anonymization Preview, Paste any sample text into the Preview tab, select a policy, and see exactly what gets redacted before sending a real request. Detected PII is highlighted in the original, pseudonyms are highlighted in the anonymized output, and a full entity map is shown. No vault record is created.
  • Workspace Domain Scoping, Each Redact workspace is configured for a single domain (Legal, Healthcare, Finance, General) at creation time. API keys and policies are scoped to that domain automatically, enforcing least-privilege access at the infrastructure level.
  • Admin-Provisioned API Keys, Redact workspace API keys are now provisioned by the Xybern administrator and scoped automatically to the workspace domain. Customers copy their key from the API Keys tab without needing to generate one.
  • Ask Xybern, Natural language policy generation. Describe your data processing needs in plain English and Xybern configures the entity types, custom patterns, and redaction settings automatically. Uses Anthropic with DeepSeek as automatic fallback.
  • Redact Policy Templates, One-click compliance policies for HIPAA, GDPR, PCI-DSS, and SOC 2. Each template creates a fully configured policy with the correct entity types, date offset, and permanent redaction setting for the compliance framework.
  • Redact Vault Search and Filtering, Filter the provenance vault by status, model, and date range directly from the dashboard or via API query parameters. Designed for compliance audits, incident investigation, and data governance reviews.
  • Redact Batch API, POST /redact/v1/batch accepts up to 500 messages and returns a job ID immediately. Processing runs asynchronously. Poll GET /redact/v1/batch/{job_id} for progress or receive a batch.completed webhook on completion.
  • Redact Entity Map TTL, Set a workspace-level TTL so pseudonym mappings expire after N days. Expired entries are pruned automatically, supporting GDPR right-to-erasure and data minimisation requirements.
  • Redact Multilingual PII Detection, Person name detection now covers French, Spanish, German, Chinese (including surname-first patterns via _CHINESE_SURNAMES), and Arabic script names (including Saudi Gulf names) using Unicode-range regex.
  • Redact Auto Document Class Detection, Pass "doc_class": "auto" on any request and Redact infers the document type from content keywords. The correct policy is applied automatically.
  • Redact Webhooks, Subscribe to leakage.detected events. Receive an HMAC-signed HTTP callback the moment PII leakage is found in an LLM response.
  • Redact Permanent Redaction Mode, Policy toggle that skips de-anonymization entirely. Pseudonyms remain in the LLM response, suitable for training data generation and third-party review workflows.
  • Redact Custom Entity Types, Define regex-based patterns per policy for domain-specific identifiers (employee IDs, project codes, custom account numbers). Applied after built-in entity detection.
  • Redact Streaming, Pass "stream": true to receive proxy responses as Server-Sent Events, compatible with the OpenAI streaming format. Anonymization and leakage scanning complete before the stream begins.
  • MCP Proxy Gateway Mode, Run Xybern's MCP server as a transparent proxy in front of any existing MCP server. All tool calls are intercepted and enforced without changes to the downstream server.
  • Active Connections, Real-time view of all LLM provider connections in the Authorisation Layer dashboard, with per-connection enforcement statistics.
  • LLM Gateway, Proxy layer between your application and LLM providers (OpenAI, Anthropic, Google, Azure). Every prompt and completion is evaluated against active policies before reaching the model or your system. Supports dry-run mode for safe policy testing.
  • Vault Retention Policy, Per-workspace automatic deletion of vault records older than a configured window (30, 60, 90, 180 days, or 1 year). A background job runs every 24 hours. Manual immediate purge also available. Satisfies GDPR Article 5(1)(e) storage limitation requirements.
  • Redact Extension Document Upload, Drag and drop a PDF, DOCX, TXT, CSV, or MD file directly in the extension popup to anonymize it. The anonymized file is returned as a download. Supports files up to 10 MB.
  • Redact Extension Clipboard Scanner, Automatic PII detection on paste. When you paste text into any input field, the extension scans locally for emails, phone numbers, SSNs, credit card numbers, and API keys. A warning banner lets you anonymize before the text reaches the page, with no network request for detection alone.
  • Redact Chrome Extension, Browser extension for PII anonymization without leaving your workflow. Right-click any selected text on any webpage and receive the anonymized version in an overlay card. Available on the Chrome Web Store.
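
What "structurally valid fakes" means for the Format-Preserving Anonymization entry above, as an added example (not Xybern's implementation): card numbers that pass Luhn, IBANs that pass the ISO 13616 mod-97 check with the country code kept, and phone numbers that keep separators and digit count. The HMAC-keyed derivation, the key, and all function names are assumptions made here so the same input always yields the same fake.

```python
import hashlib
import hmac

DIGITS, LETTERS = "0123456789", "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def _stream(key, kind, real):
    """Endless deterministic byte stream bound to (key, kind, real value)."""
    counter = 0
    while True:
        msg = f"{kind}|{real}|{counter}".encode()
        yield from hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1


def _pick(stream, alphabet):
    """Unbiased choice: reject bytes that would skew the modulo."""
    limit = 256 - 256 % len(alphabet)
    while True:
        b = next(stream)
        if b < limit:
            return alphabet[b % len(alphabet)]


def _substitute(real, stream):
    """Digit -> digit, letter -> letter; separators and length are kept."""
    out = []
    for ch in real:
        if ch in DIGITS:
            out.append(_pick(stream, DIGITS))
        elif ch.isascii() and ch.isalpha():
            out.append(_pick(stream, LETTERS))
        else:
            out.append(ch)
    return "".join(out)


def luhn_valid(number):
    digits = [int(c) for c in number if c in DIGITS]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                   # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return len(digits) > 1 and total % 10 == 0


def fake_card(real, key):
    fake = list(_substitute(real, _stream(key, "card", real)))
    pos = [i for i, c in enumerate(fake) if c in DIGITS]
    if len(pos) < 2:
        raise ValueError("not a card number")
    for check in DIGITS:                 # exactly one final digit satisfies Luhn
        fake[pos[-1]] = check
        if luhn_valid("".join(fake)):
            break
    return "".join(fake)


def _mod97(compact):
    rearranged = compact[4:] + compact[:4]            # move CC + check to the end
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97   # A=10 .. Z=35


def iban_valid(iban):
    compact = iban.replace(" ", "").upper()
    return (len(compact) > 4 and compact.isascii() and compact.isalnum()
            and _mod97(compact) == 1)


def fake_iban(real, key):
    compact = real.replace(" ", "").upper()
    country = compact[:2]                             # country code is preserved
    bban = _substitute(compact[4:], _stream(key, "iban", compact))
    check = 98 - _mod97(country + "00" + bban)        # recompute check digits
    fake = iter(f"{country}{check:02d}{bban}")
    return "".join(c if c == " " else next(fake) for c in real)  # same grouping


def fake_phone(real, key):
    return _substitute(real, _stream(key, "phone", real))


if __name__ == "__main__":
    key = b"constructed-demo-key"                     # constructed, not a real key
    for fn, value in [(fake_card, "4111 1111 1111 1111"),
                      (fake_iban, "GB82 WEST 1234 5698 7654 32"),
                      (fake_phone, "+1 (415) 555-0132")]:
        print(f"{value!r:34} -> {fn(value, key)!r}")
```

Because the fakes pass the same checksums as real values, downstream validators accept them; a leakage scan therefore has to compare against the entity map rather than rely on format checks.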

Improved

  • Provenance Vault summary strip, Four stat cards at the top of the Vault tab show total entities stripped, leakage events, erasure operations, and clean rate at a glance.
  • Temporal Permission Windows now support action-level constraints within a scope, not just scope-level grants.
  • Enforcement response now includes decision_path (fast or full) so you can distinguish cached from fully evaluated decisions.

2026-04

Added

  • Federation, Connect multiple Xybern workspaces or external identity providers for cross-organisation enforcement.
  • Agent RBAC, Assign roles to agents and attach policies to roles. Simplifies governance at scale without per-agent policy management.
  • Policy Shadow Mode, Evaluate new policies against live traffic without enforcing them. Identify false positives before activating a policy in production.
  • A2A Delegation, Agent-to-Agent delegation. An agent can grant a subset of its own permissions to another agent for a specific task, with full audit trail.
  • Policy-as-Code SDK, Define, version, and deploy policies as Python code. Xybern diffs your policy definitions against current state and applies changes atomically with full Provenance Vault tracking.

Improved

  • Breakglass events now trigger an automatic Slack or webhook notification if a webhook is configured for the breakglass event type.
  • POST /v1/enforce/intercept latency reduced on the fast path, average under 5 ms.

Fixed

  • Escalation status polling no longer returns stale state after a resolution is submitted in under 500 ms.

2026-03

Added

  • Webhooks, Subscribe to enforcement events and receive them at any HTTP endpoint. Supports decision.allow, decision.block, decision.escalate, escalation.resolved, breakglass.triggered, and policy.changed.
  • Metadata Field Policy, Evaluate arbitrary action metadata fields (amount, recipient, region) against policy rules without SDK changes.
  • Custom Policy Builder, UI-based policy authoring for non-engineering teams. Build metadata-driven rules without writing code.
  • Breakglass Protocol, Emergency override mechanism with mandatory justification, audit logging, and per-agent cooldown (max 3 per 30 minutes).
  • Temporal Permission Windows, Time-bounded permissions that auto-expire. Modelled after JIT access patterns in human IAM, purpose-built for AI agents.

Improved

  • Decision log pagination now supports cursor-based pagination in addition to offset-based.
  • Agent registry now supports tags and description fields for easier management at scale.

2026-02

Added

  • Provenance Vault, Immutable audit log for every enforcement decision, escalation, policy change, and credential event.
  • Human-in-the-Loop, Full escalation flow with Authorisation Layer dashboard review queue, resolution API, and SDK-level wait_for_escalation() polling.
  • Credential Lifecycle Management, Automatic issuance, rotation, and revocation of agent credentials. Agents never hold long-lived secrets.
  • SDK Auto-Capture, Automatically intercept agent tool calls without adding manual intercept calls at each action site. Zero code changes for CrewAI, LangGraph, AutoGen, and LlamaIndex integrations.

Improved

  • Framework integrations now include full examples for CrewAI, AutoGen, LangGraph, LlamaIndex, and custom pipelines.

2026-01

Added

  • Python SDK, Official SDK with enforcement client, policy management, escalation polling, and auto-capture layer.
  • Authorisation Layer Dashboard, Web interface for security teams to monitor decisions, review escalations, and manage agents and policies.
  • Decisions & Escalations API, Query the immutable decision log, list pending escalations, and resolve them programmatically.
  • Policies CRUD, Create, read, update, and delete policies via API. Policies are evaluated against every intercepted action.
  • Agent Registry, Register, update, suspend, and deregister agents. All enforcement decisions are tied to a registered agent_id.
  • Agent-to-Agent communication enforcement, POST /v1/enforce/agent-comm for governing messages between agents in multi-agent pipelines.
  • Core enforcement API, POST /v1/enforce/intercept for pre-execution action interception. Returns allow, block, or escalate with trust score, reasoning, and vault entry ID.