Policy-before-execution
Mechanism: Policy rules are evaluated in the execution path before any tool runs.
Limitation: Mechanism: Applies only to the managed execution path. Bypass paths are outside scope.
Product Platform
Syndicate Claw product platform
Mechanism: Syndicate Claw is a self-hosted execution platform that enforces governance before AI actions execute. It runs in your environment, evaluating policy and approval checkpoints before any tool runs.
Mechanism: The key point is that policy gates evaluate before execution, not after. Depending on policy configuration, sensitive operations may require human approval.
Limitation: Current deployment assumes single-domain environments (one trust boundary). Multi-tenant isolation is not provided.
Workflow governance before execution
| Stage | What happens | Control |
|---|---|---|
| Proposal | Workflow or step is queued for execution | Mechanism: State machine transition from pending to queued |
| Pre-execution policy check | Policy rules are evaluated before tool invocation | Mechanism: Fail-closed: blocked actions do not execute |
| Approval gate (if configured) | Human authorization for sensitive operations | Mechanism: Authority resolution excludes requester; self-approval blocked |
| Tool execution | Registered tools run with sandbox checks | Mechanism: SSRF protection, network restrictions enforced |
| Checkpoint capture | HMAC-signed snapshot of run state | Mechanism: Integrity verification available on replay |
| Audit record | Append-only event log with decision trail | Mechanism: Ed25519-signed events, mandatory decision ledger |
Capabilities and limitations
Fail-closed defaults
Mechanism: Blocked actions fail with documented error rather than proceeding.
Limitation: Mechanism: Default can be overridden in configuration. Operator must explicitly enable per rule.
Approval binding
Mechanism: Approvals bind to specific action arguments, not loose intent.
Limitation: Mechanism: Only covers actions through the approval gate. Indirect execution outside the managed path is not bound.
Audit evidence
Mechanism: Append-only events record pre-state, decisions, and outcomes.
Limitation: Mechanism: Evidence covers registered tool execution. External system changes are not automatically recorded.
Replay with integrity
Mechanism: Run state can be reconstructed from signed checkpoints.
Limitation: Mechanism: Replay assumes unchanged tool definitions and external dependencies.
Provider routing
Mechanism: Model provider selection enforced through catalog controls.
Limitation: Mechanism: Only applies to configured providers. New providers require catalog update.
Run execution controls
Mechanism: Directed-graph workflows support retries, checkpoint capture, replay, and explicit run states.
Policy & approvals
Mechanism: Tool execution is policy-gated with fail-closed defaults. Approval gates support authority-based assignee resolution.
Audit evidence
Mechanism: Append-only audit events, mandatory decision records for tool execution, and evidence export.
Inference & tools
Mechanism: Provider routing and catalog controls are available for inference. Tools are explicitly registered.
Agent mesh
Mechanism: Agent registration and messaging APIs support direct and topic routing.
Operations and observability
Mechanism: Prometheus metrics, OpenTelemetry integration, and documented failure behavior support operator observability.
What the platform includes
- Mechanism: Workflow and run APIs with HMAC-signed checkpoints
- Mechanism: Tool framework with mandatory decision ledger
- Mechanism: API-first runtime with documented endpoints
- Mechanism: Memory service with namespaced lineage
- Mechanism: Inference layer with provider catalog controls
- Agent registry, messaging, and workflow coordination
- Schedules for cron, interval, and one-time triggers
- JWT and API key lifecycle with revocation
- Prometheus metrics and OpenTelemetry tracing
- Correlation context for request analysis
Observability posture
Mechanism: Syndicate Claw documents operator observability through metrics, traces, and audit evidence. This site does not claim hosted portfolio dashboard surfaces.
Mechanism: The important distinction is that observability investigates what happened, while policy enforcement determines what is allowed to execute.
Frequently asked questions
How does policy enforcement work in Syndicate Claw?
Mechanism: Policy decisions are evaluated in the execution path to block actions before they reach sensitive systems.
Can approvals be required for selected actions?
Mechanism: Syndicate Claw supports approval gates for sensitive operations, which may require human authorization.
Does Syndicate Claw support multiple model providers?
Mechanism: Yes, subject to configuration. Syndicate Claw includes provider routing and catalog controls.
What is included in the evidence chain?
Mechanism: The evidence chain includes HMAC-signed checkpoints, audit events, and mandatory tool decision records.
Can workflows run on a schedule?
Mechanism: Yes. Schedules support cron expressions and interval durations with distributed locking.
Ready to evaluate?
Compare against your current agent orchestration. See how Syndicate Claw enforces governance before execution.