Governance runtimeThe gates every run passes.
Author an agent and every run flows through the same fail-closed governance chain — identity, budget, guardrails, registry, control-tower, policy, oversight, audit. Deny is the default.
Testable policy rules with simulate and golden tests
Author rules that evaluate in priority order with the most-restrictive effect winning (deny > require_approval > allow), preview a decision and its per-rule trace before shipping, and gate changes against a golden-test suite.
Actions as first-class governed objects
Every action runs through dry-run → propose → approve/deny → execute → compensate with an immutable invocation ledger and an evidence pack. High-risk actions land in a human approval inbox; declared rollback keys enable compensation.
Explicit autonomy levels with a risk floor
Set per-agent autonomy from suggest_only through autonomous. Oversight can only tighten a decision, never weaken the action's own approval floor — and admin break-glass force-executes with a mandatory audited reason.
Identity and access for every agent
Agents carry their own identity, allowed tools, allowed models, allowed data, and deployment channel. The runtime refuses to execute missing, draft, unpublished, cross-tenant, expired, paused, or unauthorized agents.
Governed Model Context Protocol servers and tools
MCP servers register as pending and cannot be invoked until approved; block is an instant kill-switch. Governed invokes run a DLP scan on input, enforce a per-server tool allow-list, and record every call with redacted I/O.
One command center over the whole fleet
An aggregated per-tenant view of agents, runs, spend, tools, and active controls — with one-click pause and tool-disable that the runtime enforces (a paused agent is rejected 409 AGENT_PAUSED).