1 comment

  • rohitguptap 11 hours ago

    Hi HN,

    I’ve been thinking about a gap in how teams are shipping AI agents: system prompts are not a security boundary.

    When an agent can issue refunds, run commands, send emails, export data, or modify production systems, the control point should sit before the tool callback executes, not inside the prompt.

    Enforra is an open-source SDK that wraps application-owned tool callbacks and returns one of four decisions before the callback runs:

    - allow
    - block
    - require_approval
    - log_only

    Example: a support agent tries to refund $1,000. Policy says block above $500. The callback never runs. The decision and reason are logged before execution.

    It includes:

    - Node SDK
    - YAML policy engine with any/all condition groups
    - CLI for creating and testing policies
    - policy simulator for CI
    - decision trace showing why a policy matched
    - local JSONL audit logs with secret redaction
    - optional hash-chain audit integrity
    - starter policy examples and demos

    The OSS core runs locally, makes no hosted API calls, and does not execute your tools remotely.

    Install:

    npm install @enforra/sdk-node

    Try the CLI:

    npx @enforra/cli init
    npx @enforra/cli test

    Repo: https://github.com/enforra/enforra

    Website: https://enforra.com

    Curious whether others building agents have hit this problem: what is your current approach to controlling what your agent is actually allowed to do at runtime?