Model-layer alignment stops at the model. The action layer — where a tool call actually executes — needs its own gate. This is that gate: a tiny, dependency-free library that enforces a machine-readable Constitution before an agent acts. It's the exact policy logic FlowDesk runs server-side, extracted so any MCP server, agent runtime, or API gateway can drop it in.
Install
One file, no build step. Vendor it, or load it directly:
enforce() returns { allow, violation, requiresApproval }. Deny → return the rule to the agent and log it. requiresApproval → route to a human queue. allow → run the tool call. Per-agent rules merge on top of the workspace's via mergeRules(ws, key) — union the forbidden lists, tighten the caps.
Try it — runs in your browser
The same kernel that's loaded on this page, evaluating live:
// click a button — verdicts computed by the kernel, not a server
Why a kernel, not an API
No round-trip, no dependency on us. The policy runs in your process, before the side effect. FlowDesk can be offline and your agents are still governed.
Same logic, everywhere. The library is what FlowDesk's own server runs, so a simulation, a gateway, and the live action all agree.
Open by design. Apache-2.0. Fork it, audit it, extend the rule set. Alignment infrastructure shouldn't be a black box.
This is a reference implementation, not a sandbox. The kernel decides allow/deny; your runtime still has to actually stop on a deny, write the audit row, and wire the kill-switch. FlowDesk provides those rails server-side — see the showcase.