What this is
The control plane is the governance layer the gateway enforces: what an agent may do, what must pause for a human, and what gets recorded. Control starts before the agent runs.
Governed actions
Every registry tool carries a risk level (read / write / external / destructive) and a confirmation requirement (never / sensitive / always). These drive what the policy engine does at execution time — they are properties of the tool, not prompt instructions inside an agent.
Policy (execution-time)
A deterministic engine decides each execute_tool call against the principal, action, and resource:
- allow — runs (credentials injected server-side).
- route — parked in the approval queue for a named human.
- deny — blocked; the executable path is closed.
- abstain — no rule matches; the call is denied by default and a non-binding suggestion slot is opened for a human to author a rule. The engine never fabricates an action.
The engine is the only decision authority; the LLM explains or suggests, it never decides.
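The decision flow above, worked as an added Python example (not the gateway's own code). The four outcomes and the two tool properties, risk level and confirmation requirement, follow the page; the class names, first-match rule ordering, resource-prefix matching, the rule that a destructive tool always routes, and the per-tool reviewer table are assumptions made for the illustration. Note that the tool's confirmation requirement can only escalate an allow rule into a route, never relax one, and that routing without a named human stays a closed path.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional

# Constructed example, not the gateway's code. Outcomes and tool properties are
# from the page; matching scheme, names and the reviewer table are assumptions.

class Risk(str, Enum):
    READ = "read"; WRITE = "write"; EXTERNAL = "external"; DESTRUCTIVE = "destructive"

class Confirm(str, Enum):
    NEVER = "never"; SENSITIVE = "sensitive"; ALWAYS = "always"

class Outcome(str, Enum):
    ALLOW = "allow"; ROUTE = "route"; DENY = "deny"; ABSTAIN = "abstain"

@dataclass(frozen=True)
class Tool:                  # a registry entry: properties of the tool, not of a prompt
    name: str
    risk: Risk
    confirm: Confirm

@dataclass(frozen=True)
class Rule:
    principal: str           # principal id or "*"
    tool: str                # tool name or "*"
    resource: str            # resource prefix; "" matches everything
    outcome: Outcome         # ALLOW, ROUTE or DENY; a rule never yields ABSTAIN
    approver: Optional[str] = None   # named human, needed to ROUTE

@dataclass(frozen=True)
class Decision:
    outcome: Outcome
    reason: str
    approver: Optional[str] = None    # set only for ROUTE
    suggestion: Optional[str] = None  # non-binding slot on ABSTAIN; only a human fills it

class PolicyEngine:
    def __init__(self, registry: Dict[str, Tool], rules: List[Rule],
                 is_sensitive: Callable[[str], bool], reviewers: Dict[str, str]):
        self.registry = registry
        self.rules = rules
        self.is_sensitive = is_sensitive  # assumed domain predicate on resources
        self.reviewers = reviewers        # tool name -> named human (assumed table)

    def decide(self, principal: str, tool_name: str, resource: str) -> Decision:
        tool = self.registry.get(tool_name)
        if tool is None:                  # not a registry tool: no governed action exists
            return Decision(Outcome.DENY, f"{tool_name!r} is not a registry tool")
        for rule in self.rules:           # first matching rule wins
            if rule.principal not in ("*", principal) or rule.tool not in ("*", tool_name):
                continue
            if not resource.startswith(rule.resource):
                continue
            return self._apply(rule, tool, resource)
        # No rule matched: default-deny plus an empty slot a human may fill with a rule
        return Decision(Outcome.ABSTAIN, "no matching rule; default-deny", suggestion=None)

    def _apply(self, rule: Rule, tool: Tool, resource: str) -> Decision:
        if rule.outcome is Outcome.DENY:
            return Decision(Outcome.DENY, f"rule denies {tool.name} on {resource}")
        # Tool properties can escalate ALLOW to ROUTE, never relax a ROUTE.
        needs_human = (tool.confirm is Confirm.ALWAYS
                       or tool.risk is Risk.DESTRUCTIVE
                       or (tool.confirm is Confirm.SENSITIVE and self.is_sensitive(resource)))
        if rule.outcome is Outcome.ROUTE or needs_human:
            approver = rule.approver or self.reviewers.get(tool.name)
            if approver is None:          # routing needs a named human; otherwise stay closed
                return Decision(Outcome.DENY, f"no named reviewer for {tool.name}")
            return Decision(Outcome.ROUTE, f"{tool.name} ({tool.risk.value}) needs confirmation",
                            approver=approver)
        return Decision(Outcome.ALLOW, f"rule allows {tool.name} on {resource}")

def executes(d: Decision) -> bool:
    """Only ALLOW reaches the executable path (where credentials are injected server-side)."""
    return d.outcome is Outcome.ALLOW

def build_example_engine() -> PolicyEngine:
    # constructed registry, rules and reviewer table
    registry = {t.name: t for t in [
        Tool("crm.read", Risk.READ, Confirm.NEVER),
        Tool("crm.send", Risk.EXTERNAL, Confirm.ALWAYS),
        Tool("hr.pay_adjust", Risk.WRITE, Confirm.SENSITIVE),
        Tool("db.drop", Risk.DESTRUCTIVE, Confirm.ALWAYS),
    ]}
    rules = [
        Rule("agent-sourcing", "crm.read", "crm/", Outcome.ALLOW),
        Rule("agent-sourcing", "crm.send", "crm/", Outcome.ALLOW, approver="ops-lead"),
        Rule("agent-hr", "hr.pay_adjust", "hr/", Outcome.ALLOW),
        Rule("*", "db.drop", "", Outcome.DENY),
    ]
    return PolicyEngine(registry, rules, is_sensitive=lambda r: r.startswith("hr/"),
                        reviewers={"hr.pay_adjust": "hr-partner"})
```

Calling `build_example_engine().decide("agent-other", "crm.read", "crm/accounts/42")` returns an ABSTAIN with an empty suggestion slot, while the same call for `agent-sourcing` is an ALLOW; `crm.send` for the sourcing agent becomes a ROUTE to `ops-lead` because the tool is marked `always`, even though the rule itself says allow.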
Approvals
Routed actions wait in the approval queue. A reviewer sees the actor, the proposed action, the attached domain check (fairness / pay-equity / consent), and the sources — then approves or denies. Nothing sensitive executes before that decision, and the decision becomes part of the evidence.
Connector access model
Connectors are scoped to project · role · resource. Read, write, and approve are separate permissions. An agent authorized to read a CRM is not thereby authorized to send through it or to approve a change in it. Out-of-scope connectors are invisible, not merely restricted.
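The scoping rule above as an added Python example, not the gateway's code. The project · role · resource scope and the independent read/write/approve permissions follow the page; the data layout, the function names `visible` and `can`, and the constructed tenant are assumptions. The point to observe is that `visible` simply omits connectors with no grant for the principal, so an out-of-scope connector is never listed, and that `can` checks one permission at a time, so a read grant says nothing about write or approve.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Added example, not the gateway's code. Scope triple and separate permissions
# are from the page; layout and names are assumptions.

PERMISSIONS = frozenset({"read", "write", "approve"})

@dataclass(frozen=True)
class Scope:
    project: str
    role: str
    resource: str   # the connector, e.g. "crm" (constructed)

@dataclass(frozen=True)
class Grant:
    scope: Scope
    perms: FrozenSet[str]   # any subset of PERMISSIONS; each permission is independent

    def __post_init__(self):
        unknown = self.perms - PERMISSIONS
        if unknown:
            raise ValueError(f"unknown permissions: {sorted(unknown)}")

class ConnectorAccess:
    def __init__(self, connectors: Set[str], grants: List[Grant]):
        self.connectors = set(connectors)
        self.grants = list(grants)

    def visible(self, project: str, role: str) -> Dict[str, FrozenSet[str]]:
        """Connectors a (project, role) principal can see, with the permissions held on
        each. Connectors without a grant for this principal do not appear at all."""
        out: Dict[str, FrozenSet[str]] = {}
        for g in self.grants:
            s = g.scope
            if s.project == project and s.role == role and s.resource in self.connectors:
                out[s.resource] = out.get(s.resource, frozenset()) | g.perms
        return out

    def can(self, project: str, role: str, resource: str, perm: str) -> bool:
        """One permission at a time: read implies neither write nor approve."""
        if perm not in PERMISSIONS:
            raise ValueError(f"unknown permission {perm!r}")
        return perm in self.visible(project, role).get(resource, frozenset())

def build_example_access() -> ConnectorAccess:
    # constructed tenant: three connectors, two roles in one project
    return ConnectorAccess(
        connectors={"crm", "email", "payroll"},
        grants=[
            Grant(Scope("recruiting", "sourcing-agent", "crm"), frozenset({"read"})),
            Grant(Scope("recruiting", "sourcing-agent", "email"), frozenset({"read", "write"})),
            Grant(Scope("recruiting", "hiring-manager", "crm"), frozenset({"read", "approve"})),
        ])
```

With this tenant, `build_example_access().visible("recruiting", "sourcing-agent")` lists only `crm` and `email`; `payroll` is absent rather than marked denied, and the sourcing agent's `crm` entry carries `read` alone.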
Audit & evidence
Every call resolves to an append-only control record (actor, tool, argument summary, decision, approver, result, source refs, timing). Evidence is reviewable per workflow, user, connector, or agent, and exportable for investigation. Every capability resolves to a control record.
Legal hold
A hold freezes a set of evidence (by workflow, user, or matter) against deletion or expiry, preserving the trail across source access, retrieved context, generated work product, and exports.
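The evidence trail from the Approvals, Audit & evidence and Legal hold sections, worked as one added Python example (not the gateway's code). The control-record fields follow the page; the storage, the query-by-field interface, the retention sweep and the hold matching are assumptions. The log exposes append, query, hold, expire and export only, so there is no API through which a record can be altered or deleted; the retention sweep is the single remover, and it skips any record under hold. The constructed sequence shows a routed action followed by the reviewer's approval landing in the same workflow's evidence.

```python
import json
import time
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional

# Added example, not the gateway's code. Record fields are from the page;
# storage, query, hold and retention logic are assumptions.

@dataclass(frozen=True)
class ControlRecord:
    seq: int                  # assigned by the log, strictly increasing
    ts: float                 # epoch seconds
    actor: str                # agent or human that initiated the call
    tool: str
    arg_summary: str          # redacted summary, never raw arguments
    decision: str             # allow / route / deny / abstain, or the reviewer's approved / denied
    approver: Optional[str]
    result: Optional[str]
    source_refs: tuple
    workflow: str
    user: str                 # human on whose behalf the workflow runs
    connector: str

class EvidenceLog:
    """Append-only: no update or delete; retention is the only remover and honours holds."""

    def __init__(self) -> None:
        self._records: List[ControlRecord] = []
        self._holds: List[Dict[str, Optional[str]]] = []
        self._next_seq = 0

    def append(self, **fields) -> ControlRecord:
        rec = ControlRecord(seq=self._next_seq, ts=fields.pop("ts", time.time()), **fields)
        self._next_seq += 1
        self._records.append(rec)
        return rec

    def query(self, **match) -> List[ControlRecord]:
        """Filter by any record field, e.g. workflow=, user=, connector=, actor=."""
        return [r for r in self._records if all(getattr(r, k) == v for k, v in match.items())]

    def hold(self, matter: str, *, workflow: Optional[str] = None, user: Optional[str] = None) -> None:
        if workflow is None and user is None:
            raise ValueError("a hold must name a workflow or a user")
        self._holds.append({"matter": matter, "workflow": workflow, "user": user})

    def is_held(self, rec: ControlRecord) -> bool:
        return any((h["workflow"] is None or h["workflow"] == rec.workflow)
                   and (h["user"] is None or h["user"] == rec.user) for h in self._holds)

    def expire(self, now: float, retention_s: float) -> int:
        """Drop records older than the retention window unless they are under hold."""
        keep = [r for r in self._records if now - r.ts <= retention_s or self.is_held(r)]
        dropped = len(self._records) - len(keep)
        self._records = keep
        return dropped

    def export(self, **match) -> str:
        return json.dumps([asdict(r) for r in self.query(**match)], indent=1)

def build_example_log() -> EvidenceLog:
    # constructed trail: a read in w1, then a routed send and its approval in w2
    log = EvidenceLog()
    common = dict(actor="agent-sourcing", user="hm-42", connector="crm",
                  source_refs=("crm:acct/9",))
    log.append(ts=0, workflow="w1", tool="crm.read", arg_summary="account 9",
               decision="allow", approver=None, result="ok", **common)
    log.append(ts=10, workflow="w2", tool="crm.send", arg_summary="message to account 9",
               decision="route", approver="ops-lead", result=None, **common)
    log.append(ts=20, workflow="w2", tool="crm.send", arg_summary="message to account 9",
               decision="approved", approver="ops-lead", result="sent", **common)
    log.hold("matter-0001", workflow="w2")   # placeholder matter id
    return log
```

Running `build_example_log().expire(now=100, retention_s=85)` removes the `w1` read (older than the window, not held) and keeps both `w2` records even though the routed one is also past the window, because the hold on `w2` freezes them; `export(workflow="w2")` then yields the routed action and its approval together.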
Admin tool controls
Admins curate the registry (enable/disable tools, set risk and confirmation), define approval routing, manage connector scopes, and review access — the operating surface behind the gates.
Honest scope
The control plane enforces and records; it does not certify compliance and does not make the business decision. A named human owns every sensitive action, and the customer owns the outcome.