Survives an audit.
We give agents real access to your systems, so the discipline that governs what they do is the product, not the footnote. Every mutating action passes a gate. Every inbound is treated as hostile. Every behaviour is pinned by a test. And every document is judged before you see it.
A trustworthy agent asks before it acts
Every mutating tool passes a five-field action gate before it runs. The gate turns 'should I do this?' from a judgement call into a checklist with a defined answer — and when a required fact is missing, the answer is to stop and ask.
Trigger
What event is allowed to start this action in the first place.
Preconditions
The state that must already hold before the action may run.
Required info-sources
The facts the agent must have looked up — not guessed — to proceed.
Failure-if-missing
What the agent does when a required fact is absent: it stops and asks.
Postconditions
What must be true once the action completes, recorded and checkable.
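One way the five-field gate described above could be expressed, as an added example that is not the product's own code. The names (`Gate`, `Fact`, `run_gated`, `send_invoice`), the outcome labels, and the choice to deny on a disallowed trigger or unmet precondition are assumptions; the sample events and facts are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Gate:
    trigger: frozenset           # events allowed to start the action
    preconditions: dict          # name -> predicate(state), must hold before
    required_sources: frozenset  # facts that must be looked up, not guessed
    postconditions: dict         # name -> predicate(state), must hold after

@dataclass(frozen=True)
class Fact:
    value: str
    origin: str                  # "lookup" or "guess" (constructed labels)

def run_gated(gate, event, state, facts, action, ledger):
    """Return OK, ASK, DENY or FAILED; the action runs only if every check passes."""
    if event not in gate.trigger:
        ledger.append(("DENY", f"trigger {event!r} not allowed"))
        return "DENY"
    unmet = [n for n, ok in gate.preconditions.items() if not ok(state)]
    if unmet:
        ledger.append(("DENY", unmet))
        return "DENY"
    # Failure-if-missing: an absent or guessed fact stops the action and asks.
    missing = sorted(k for k in gate.required_sources
                     if k not in facts or facts[k].origin != "lookup")
    if missing:
        ledger.append(("ASK", missing))
        return "ASK"
    action(state, facts)
    broken = [n for n, ok in gate.postconditions.items() if not ok(state)]
    ledger.append(("FAILED", broken) if broken else ("OK", event))
    return "FAILED" if broken else "OK"

def send_invoice(state, facts):  # hypothetical stand-in for a mutating tool
    state["sent_to"] = facts["recipient_email"].value

INVOICE_GATE = Gate(
    trigger=frozenset({"operator_request"}),
    preconditions={"invoice_approved": lambda s: s["status"] == "approved"},
    required_sources=frozenset({"recipient_email"}),
    postconditions={"recorded": lambda s: s.get("sent_to") is not None},
)

def demo():
    ledger, state = [], {"status": "approved"}
    guessed = {"recipient_email": Fact("billing@example.com", "guess")}
    looked_up = {"recipient_email": Fact("ap@example.com", "lookup")}
    runs = [("inbound_email", looked_up), ("operator_request", guessed),
            ("operator_request", looked_up)]
    outcomes = [run_gated(INVOICE_GATE, ev, state, f, send_invoice, ledger)
                for ev, f in runs]
    return outcomes, state, ledger
```

The inbound-email trigger is denied even though the fact was looked up, and the guessed address yields `ASK` without the tool ever running.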
Five standing protocols
Identity resolution
Resolve exactly who and what an action concerns before acting on it.
Memory-first
Consult durable memory before asking the model to reason from scratch.
Pre-action gate
Run the five-field gate on every mutating tool, every time.
Tool discovery
Load only the tools a step needs, when it needs them — nothing standing by.
Cache survival
Keep the gate's discipline intact across cached and compacted context.
“A helpful agent guesses. A trustworthy one asks.”
Prompt injection is the threat model, not the surprise
If an agent reads the open internet and your inbox, someone will try to talk it into doing something it should not. The defence is not a cleverer prompt — it is making sure the part of the system that reads untrusted input is structurally incapable of acting on it.
Every inbound is hostile
Emails, documents and web pages are untrusted by default. Prompt injection is not an edge case we patch around — it is the threat model the architecture is built for.
The reader cannot act
The sub-agent that reads untrusted input holds no tools that can act. Instructions smuggled inside a message reach a process with nothing to grab — there is no send button in the room.
Silent filters, audited out
A tool that quietly drops results lets an agent mistake an empty answer for a complete one. We audited all 149 tools and fixed the 23 that filtered silently.
“A tool may return nothing, but it may never pretend nothing is everything.”
Tools audited for silent filtering — and the count we fixed.
If you cannot test it, you cannot trust it
An agent's behaviour is software, and we hold it to the same bar. Assertions, not vibes: every release is measured against golden traces and budgets before it ships.
“An agent you cannot test is not a product. It is a rumour with API access.”
Golden traces
Known-good runs are captured as fixtures. Every change is replayed against them, so a behaviour we have promised stays promised.
A CI regression gate
Evals run in continuous integration. A change that weakens a guardrail or breaks a golden trace fails the build rather than reaching production.
Token and latency budgets
Cost and speed are asserted, not hoped for. A run that blows its token or latency budget trips the gate the same way a wrong answer would.
The system looks at its own output before you do
A bid pack, a compliance file or a finance workbook is only as good as the page that lands. Usermode closes the loop: it authors, renders, judges the rendered result with vision, and edits until there is nothing left to flag.
Author
Compose the document in brand-locked Typst — fonts, layout and rules fixed by template, not left to chance.
Render
Produce the actual artefact a person would receive — the rendered page, not the source.
Vision-judge
A vision model inspects the rendered output the way a reviewer would, and reports concrete findings.
Edit to zero
Apply the fixes and re-render until the judge returns nothing. Only then is the document allowed out.
“The difference between a demo and a deliverable is whether the system looked at its own output before you did.”
Governance is how the fleet behaves. The infrastructure beneath it — tenant isolation, signed grants, the audit ledger — has its own page.
See the security posture
Bring us your hardest 'what if'
Book a demo and we'll walk your team through the gates, the isolation model and the eval harness in detail — then show you the audit trail an agent leaves behind.