Syndicate Claw

Runtime execution enforcement for AI.

Sensitive AI requests block until an authorized approval decision is made.

Operational hygiene for intelligent systems: Syndicate Claw creates approval tasks for sensitive Syndicate Gate requests, preserves correlation IDs, and records exportable approval evidence before execution resumes.

Enforcement: Syndicate Claw provides orchestration with policy-gated controls.

Without enforcement

An agent workflow reaches a production system. There is no record of what it was authorised to do, who authorised it, or whether the action it took matched what was approved.

With Syndicate Claw

Every tool execution passes a policy evaluation before it runs. If the policy requires human approval, execution suspends. The approval record includes the exact action, the approver's identity, the timestamp, and the policy version evaluated.

The evidence chain

Every state transition produces an audit event. Every approval decision is recorded against the policy version active at the time. The full run is reconstructable from the event log.

Mechanism: Append-only audit chain with cryptographic integrity signing.

Works alongside enterprise AI platforms

Governance at the execution boundary.

Enterprise AI platforms govern which agents your teams use. Syndicate Claw governs what those approved agents are permitted to execute at the exact moment they try to do it.

FinServ / Data

Production database operations

An agent approved by your AI platform to query a database still requires operator approval of the specific statement before execution. The approval record includes the exact query, the approver's identity, the timestamp, and the policy version evaluated. No statement executes without that record.

Customer Ops

CRM write operations

A customer service agent can read freely from your knowledge base. Any write to the CRM, including message sends, record updates, and contact modifications, requires an explicit approval gate. Read and write side effects are governed by separate policies.

Compliance evidence

Regulated data operations

In deployments configured with approval gates and audit retention, AI-generated actions that touch regulated data can produce a cryptographically-linked evidence record. That record shows not just that an action occurred, but who approved the exact action and under which policy version. Forensic reconstruction is deterministic for the captured run history.

What you can build with Syndicate Claw.

Automated workflows

Mechanism: Define workflows as graphs. Nodes can invoke LLMs, call tools, query external APIs, or suspend for human review. Workflows can be scheduled, triggered by connector events, or invoked via API. Every node transition is checkpointed and audited.

Connectors

Mechanism: Inbound triggers from Slack, Discord, and Telegram. Outbound actions via webhook. Extend with the plugin system. Every connector action passes through the same policy engine as internal tool calls.

Multi-agent coordination

Mechanism: Agents delegate to specialists, publish to topic subscriptions, and receive resumption signals after approval. Memory is namespaced per agent with provenance tracking. Delegation is audited.

Inference routing

Mechanism: Built-in provider layer with idempotent Postgres-backed request tracking. Routes to any OpenAI-compatible endpoint. Syndicate Gate is the recommended provider for end-to-end audit chain integration. Provider credentials are operator-managed.

Deployment

Mechanism: Syndicate Claw is self-hosted only. It requires PostgreSQL and uses Redis for rate limiting and caching. Deploy via Docker Compose for evaluation and Kubernetes Helm for production.

Current release: v2.0.0. Subject to: Security pentest coverage (OWASP A01-A10), chaos testing under failure scenarios, and performance benchmarking against a committed baseline.

Pricing is based on your deployment requirements. Contact us to discuss your use case ->

Core enforced controls

No tool executes without a policy decision record.

Mechanism: If policy evaluation fails or decision persistence fails, execution is denied (fail closed).

Policy evaluation defaults to deny.

Mechanism: If the policy engine is unavailable, execution is denied (fail closed).

All actions emit audit events with actor attribution.

Mechanism: If immediate audit persistence fails, the request continues and the event is queued for retry.

Replay loads only integrity-verified checkpoints.

Mechanism: If checkpoint integrity verification fails, replay is aborted.

Enforcement model

What this system actually enforces

Policy enforcement

Mechanism: Policy rules are evaluated with default deny behavior.

If this fails: If the policy engine cannot return a decision, execution is denied (fail closed).

Tool execution gating

Mechanism: Tool execution requires a policy decision and a decision record.

If this fails: If the decision record cannot be written, the tool call is blocked (fail closed).

Audit integrity

Mechanism: Audit events are append-only at the application layer and can be HMAC-signed.

If this fails: If audit write fails, the request continues and the event is queued for retry.

Replay controls

Mechanism: Replay uses checkpoint state with integrity verification before load.

If this fails: If checkpoint verification fails, replay is denied.

Approval separation

Mechanism: Approval routing enforces approver separation and blocks self-approval.

If this fails: If valid approver separation cannot be resolved, the run remains blocked.

Failure semantics

| Failure case | System behavior | Failure mode | Proof |
|---|---|---|---|
| Policy engine unavailable | Execution is denied before tool execution. | Fail closed | View Proof → |
| Decision ledger unavailable | Execution is denied because decision records cannot be persisted. | Fail closed | View Proof → |
| Redis unavailable | Rate limiting degrades in non-strict mode; strict mode denies requests when the limiter cannot evaluate. | Degraded in non-strict mode; fail closed in strict mode | View Proof → |
| Audit write failure | Request processing continues and the audit event is queued. | Fail open for request path | View Proof → |
| PostgreSQL unavailable | Requests fail and database transactions do not partially commit. | Fail closed | View Proof → |
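
The gating order behind the failure semantics above, as an added sketch (not Syndicate Claw's code): policy decision first, decision record second, tool call third, audit write last. The function name `gated_execute`, the `Unavailable` exception and every stub in `demo()` are hypothetical stand-ins.

```python
from collections import deque


class Unavailable(Exception):
    """A dependency (policy engine, decision ledger, audit store) is down."""


def gated_execute(tool, args, policy, ledger, audit, retry_queue):
    """Run tool(**args) only after an allow decision has been persisted."""
    try:
        decision = policy(tool.__name__, args)
    except Unavailable:
        return ("denied", "policy engine unavailable")  # fail closed
    if decision != "allow":
        return ("denied", "no allow decision")  # default deny
    try:
        ledger({"tool": tool.__name__, "args": args, "decision": decision})
    except Unavailable:
        return ("denied", "decision record not persisted")  # fail closed
    result = tool(**args)
    event = {"type": "tool_executed", "tool": tool.__name__}
    try:
        audit(event)
    except Unavailable:
        retry_queue.append(event)  # request path fails open; event is retried
    return ("executed", result)


def demo():
    """Exercise the failure cases with constructed stubs (all hypothetical)."""
    def allow(name, args): return "allow"
    def no_match(name, args): return None  # no rule matched
    def ok(record): return None
    def down(*_): raise Unavailable()
    def read_record(record_id): return f"record {record_id}"

    queue, args = deque(), {"record_id": 42}
    return {
        "healthy": gated_execute(read_record, args, allow, ok, ok, queue),
        "no_rule": gated_execute(read_record, args, no_match, ok, ok, queue),
        "policy_down": gated_execute(read_record, args, down, ok, ok, queue),
        "ledger_down": gated_execute(read_record, args, allow, down, ok, queue),
        "audit_down": gated_execute(read_record, args, allow, ok, down, queue),
        "queued_events": list(queue),
    }
```

Only the audit write sits after the tool call, which is why it is the one row that can fail open without letting an undecided action run.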

Trust model

  • The system trusts the configured database, application secret material, and operator-controlled runtime environment.
  • Audit integrity depends on protection of the application secret used for signing.
  • Append-only behavior is enforced by application logic, not immutable storage primitives.
  • The system does not protect against database administrator tampering or full host compromise.

Deployment model

  • Syndicate Claw is self-hosted only. It is not a SaaS, managed platform, or hosted service.
  • Deploy and operate in your environment on Docker, Kubernetes, or virtual machines.
  • Requires PostgreSQL. Redis is used for rate limiting and caching behavior.
  • Operator responsibilities include availability, backups, and key management.
  • Current release is production-ready for single-domain environments (one trust boundary).
  • Not ready for shared multi-team environments without additional isolation work. Not ready for multi-tenant isolation.

Evidence model

  • Per-run artifacts include audit events, decision records, input snapshots, and checkpoints.
  • These artifacts form an evidence chain tied to run identity and actor attribution.
  • The evidence chain is designed to support review of who executed actions, what policy decisions were evaluated, and what inputs were used.

Current limitations

  • No full RBAC model yet; current permission model remains prefix-based and transitional.
  • No tenant isolation.
  • Namespace isolation is incomplete.
  • Rate limiting behavior depends on Redis availability and strict-mode configuration.
  • Audit integrity depends on protecting the application secret.