Constraints that compile.
You have watched an agent confidently ignore the one rule that mattered. Boxcar's answer is not a better system prompt. Governance docs compile into an autonomy envelope: explicit permissions, blocked actions, review gates. Change the doc, change what the agent is allowed to do. Every block is scored, logged, and replayable.
Runs fully offline on a laptop. Peer-to-peer on a LAN. Server-governed in your tenant with Postgres, RBAC, SSO, and audit logs. Local LLM or bring your own keys. We never sit between you and your provider's invoice.
Plug in Claude Code, or use the private-LLM harness. Works with the stack you already run.
A governance layer you cannot read is asking for faith.
And faith is not a control. Trust infrastructure earns trust by being readable, so the core is inspectable on purpose. Evaluate the envelope mechanics, the decision log, and the document graph without talking to anyone.
Every action lands somewhere on severity and confidence.
Low-severity, high-confidence work executes. Ambiguous work gets held with the reason attached. Destructive operations without staging proof get blocked, and the block cites the rule and the runbook that triggered it.
The scoring is deterministic and versioned. Replay any decision and get the same answer, which is what makes agent behavior something you can actually operate.
No. Prompts are suggestions the model can route around. The envelope is enforcement outside the model: typed actions, compiled policy, gates that hold regardless of how persuasive the completion is.
Three ways to run it. One product.
Local desktop for evaluation, air-gapped if you like. LAN peer-to-peer with no server tier. Enterprise with your identity stack and key posture, in your tenant or ours.