Documentation

Governance

How > tool_os governs AI agent access. The three rings, entity model, role-based access control, and the quarantine flow.

The three rings

The governance architecture is three concentric rings. Each ring builds on the one inside it. You cannot have routing without identity. You cannot have interop without routing. The rings are:

Governance as a visible product surface
> tool_os
identity routing bridge
Access Control
Entityops-agent
roledeveloper
orgworkspace-alpha
Capabilities4 granted
repo:readallowed
browser:navigateallowed
shell:executerestricted
Policy Feed
terraform.applyreview
reasonprod env + cost spike
read_fileallow
reasonproject-scoped safe read
Quarantine
Requestterraform.apply prod
Escalationhuman approval required
Traceentity → role → capability → guardrail
Ring 1: RBAC Ring 2: Routing Ring 3: Universal Bridge

Ring 1: RBAC

Identity and access control for every entity type. If it touches your infrastructure, it has an identity and a permission set. Roles and permissions work the same way whether the actor is a human developer or an AI agent. This is the foundation everything else builds on.

Ring 2: Routing

Intelligent task routing across model providers. Three modes:

  • Cheap-first fanout — try small, fast models first. Escalate to larger models only on failure. Keeps costs low for simple tasks.
  • Complexity-based escalation — route to the appropriate model tier based on task complexity. Simple queries go to fast models; complex reasoning goes to capable models.
  • Shared policy — org-wide guardrails applied to all agent entities regardless of provider. Cost caps, rate limits, and access restrictions enforced at the routing layer.

Ring 3: Universal Bridge

Vendor-agnostic tool interop. OpenTool's manifest system (opentool.json) describes capabilities, triggers, and inputs for any tool, skill, or plugin. The bridge translates between provider-specific formats so your tools work everywhere without rewiring. Write once, run on any provider.

The entity model

In > tool_os, every actor that interacts with the system is a first-class entity with identity, role, and permissions. This is what makes AI governance possible — agents are not anonymous processes, they are identified entities with defined capabilities and restrictions.

Human
Developers, team leads, admins. Authenticated via GitHub OAuth. Permissions scoped to org membership and role.
Agent
AI agents with defined capability sets. Each agent session has an identity, a permission scope, and a cost budget. Tool access is gated by role.
Pipeline
CI/CD pipelines and automated workflows. Scoped permissions for build, test, and deploy operations. Audit trail for every action.
Service Account
Machine identities for integrations. API key authentication (otk_ tokens). Defined capability sets with no interactive session.

The entity model is the key insight: if you treat AI agents as first-class entities with the same identity and permission model as humans, you can apply the same governance. RBAC, audit trails, cost tracking, and access control all work because the agent has an identity.

Roles and capabilities

Each entity is assigned a role within an organization. Roles define what the entity can do — which tools it can call, which app surfaces it can access, and what actions require additional approval.

Role Description
viewer Read-only access. Can view workspace state but cannot invoke tools or modify data. Default for new users in the lobby org.
developer Standard workspace access. Can invoke most tools, write files, browse the web, and use the agent. Cannot manage org settings or access control.
operator Extended permissions for infrastructure tasks. Shell access, deployment tools, and configuration management. Actions on sensitive paths may trigger quarantine.
admin Full access to Mission Control surfaces. Can manage access control, approve quarantined operations, view cost ledger, and manage org membership.
global_admin Platform-level administration. Multi-org management, provider configuration, and system settings. First user is auto-assigned this role.

Guardrails

Guardrails are declarative rules that the policy engine enforces on every tool call. They are defined in opentool.json manifests and in org-wide policy configuration. Examples:

  • Path restrictions — block writes to /etc/, ~/.ssh/, or any path matching a pattern
  • Command patterns — block destructive shell commands (rm -rf, DROP TABLE, terraform destroy)
  • Cost caps — per-session and per-org cost limits that pause execution when exceeded
  • Rate limits — maximum tool calls per minute to prevent runaway agent loops
  • Provider restrictions — which AI providers an entity can route to, preventing cost escalation
  • File size limits — maximum file size for read/write operations

The quarantine flow

When a tool call is flagged for quarantine, it enters a human review loop. The operation is paused, the request appears in the Quarantine app surface, and an admin reviews the details before approving or rejecting.

Agent requests tool Policy: QUARANTINE Held for review Admin approves Execute

The quarantine surface shows the full context: which entity made the request, what tool was called, with what parameters, and why the policy engine flagged it. The admin sees everything the policy engine evaluated, making informed approval possible.

If the admin rejects the request, the agent receives a denial message and can adjust its approach. The rejection is logged in the audit trail.

Why this matters for enterprise

Enterprise teams face a specific problem: AI agents are getting real infrastructure access. kubectl commands, Terraform applies, database queries, API calls with production credentials. And most agent systems have no governance layer.

The governance model in > tool_os is not an add-on. It is the architecture. The policy engine is in the critical path of every tool call. Audit is automatic. Cost tracking is built in. Entity identity is required. You cannot use the system without the governance layer active.

This matters for:

  • Compliance — SOC2, HIPAA, PCI-DSS, and FedRAMP all require audit trails and access control. The entity model and policy engine provide both by default.
  • Cost control — per-session and per-org cost tracking with budget alerts. Agents cannot escalate to expensive providers without budget authorization.
  • Incident response — session replay lets you reconstruct exactly what an agent did, when, and why. Every tool call is a span in the OTEL trace.
  • Separation of duties — different roles for different entity types. A development agent does not have the same permissions as a deployment pipeline.
  • Vendor independence — the universal bridge means you are not locked into a single AI provider. Switch providers without changing your governance model.

Change management is the final safety layer

The policy engine decides whether a tool call is allowed in the current runtime. Change management decides whether an artifact is allowed to become real in production. Those are related but not identical decisions.

That distinction matters when the system discovers a new threat surface. Exploration can be intentionally permissive inside a local workspace or a draft branch. Promotion to production should still pass through supply-chain and change-control checks:

discovered surface -> local prototype -> packaged artifact -> reviewed change -> production promotion inputs -> code, docs, assets, manifests, lockfiles, image tags checks -> build output, dependency diff, owner approval, target env, rollback path decision -> keep local / quarantine / approve / promote / revert
What gets reviewed
Source diffs, build provenance, dependency lock changes, container tags, release notes, environment scope, and the rollback plan. If any of those move, the change record should explain why.
What does not count as safe
A model saying the change is fine. A green local preview alone. A successful unit test alone. The final decision requires governed promotion, not just a plausible demo.
Discover surface Prototype locally Package change Review supply chain Promote to prod

The safety boundary is not just tool execution. It is the path from exploration to production: who approved it, what changed, what it depends on, and whether the artifact that reached prod is the same one that was reviewed.