For security & platform teams

Control what your agents can do.
Prove what they did.

Runtime policy enforcement and a tamper-evident audit log for every agent in your fleet. Drop in the SDK, write YAML policies, ship.

~/payments-bot/agent.py
import rubric

rubric.init(agent_name="payments-bot")

@rubric.tool
def transfer_money(to: str, amount: int):
    # policy bundle gates this call
    return bank.transfer(to, amount)

# SDK exchanges enrollment token →
# JWT-SVID, 60min, auto-rotated.

Decision livestream
ALLOW  payments-bot  read_invoice(inv_8821)    14:02:11.043
DLP    support-bot   send_email(redacted PII)  14:02:11.214
DENY   payments-bot  transfer_money($12,400)   14:02:11.397
ALLOW  research-bot  web_search("q3 filings")  14:02:11.502
sha256:a91c…f7d2 · policy v23 · 0.4ms

Product

Built for teams running agents in production

Six primitives that turn an agent fleet into something a security team can sign off on.

Per-agent identity

Short-lived (60-min) JWT-SVID signed by your org. Auto-rotated by the SDK. Events ship with cryptographic attribution you can verify.

Runtime policy bundles

YAML, versioned, pulled every 30 seconds, evaluated in-process. Sub-millisecond per call, no network round-trip.

Tamper-evident audit log

Every decision is hash-chained per org. Signed anchors are verifiable by external auditors against your org public key.

Conversation traces

Pass a TraceContext and the SDK uploads the surrounding messages. Click any deny to see exactly what the model was thinking.

DLP pre-flight

Optional inline regex or Presidio scan over tool arguments. Detection types become first-class policy fields.

Frozen-agent kill switch

One click freezes an agent. Server-side denies kick in within 30 seconds — even if the agent ignores the bundle.
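
To make the hash-chained audit log described above concrete, here is an added example (not Rubric's code or record format) of an auditor-side check that walks a chain and reports the first entry that no longer verifies. The record layout, the genesis value and the sample events are assumptions constructed for illustration; checking the signature on the anchor itself is not shown.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for an org's chain


def entry_hash(prev_hash: str, event: dict) -> str:
    """Hash the previous link together with a canonical encoding of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append(log: list, event: dict) -> None:
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev": prev, "hash": entry_hash(prev, event)})


def verify(log: list, anchor_hash: str):
    """Return (ok, index of first bad entry). anchor_hash is the head hash the
    auditor obtained out of band, e.g. from an anchor whose signature was checked."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != entry_hash(prev, rec["event"]):
            return False, i
        prev = rec["hash"]
    if prev != anchor_hash:
        return False, len(log)  # links are consistent but the head is not the anchored one
    return True, None


def build_sample_log() -> list:
    # Constructed events modelled on the decision stream shown on the page
    log = []
    for ev in [
        {"id": "evt_8820", "agent": "payments-bot", "tool": "read_invoice", "decision": "ALLOW"},
        {"id": "evt_8821", "agent": "payments-bot", "tool": "transfer_money", "decision": "DENY"},
        {"id": "evt_8822", "agent": "research-bot", "tool": "web_search", "decision": "ALLOW"},
    ]:
        append(log, ev)
    return log
```

The anchor comparison is what catches a truncated log or one whose links were all recomputed after an edit, which the per-entry check alone would accept.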

How it works

From install to first audited call: under five minutes

01

Install the SDK

pip install rubric — pure Python, no native deps for the base install.

02

Mint an enrollment token

Generate a token in the dashboard and add it as an environment variable. The SDK enrolls itself on first run, then rotates its own credentials automatically.

03

Decorate your tools

Sprinkle @rubric.tool over functions. Or use one of the framework adapters — MCP, Claude Agent, LangChain.

04

Write policies, watch decisions

YAML in the dashboard. Versioned, dry-runnable, published as bundles. Every decision streams into the audit log.

The dashboard

See your fleet without leaving your terminal mindset

One pane for every agent, policy version, decision, and trace. Built for security teams; lightweight enough that engineers actually open it.

[Dashboard screenshot: Fleet view with panels for active agents, decisions / 24h, deny rate / 24h, open incidents, decision activity, agents by risk (Critical 80–100, High 55–79, Med 30–54, Low 0–29), top tools, top deny reasons, and a live deny stream.]

Adapters

Drop-in for the agent frameworks you already use

Three lines of code; the adapter handles the dispatch.

MCP

Works against any Model Context Protocol server.

gov = Governance.bootstrap()
govern_mcp_session(gov, session)

Claude Agent SDK

Installs a PreToolUse hook for every tool call.

hooks = governance_hook_matchers(gov)
agent = ClaudeAgent(hooks=hooks)

LangChain

Wraps any BaseTool list so every invocation is governed.

tools = govern_tools(gov, tools,
  session_id="ops")

Developer-side governance

Your devs' Claude Code, on the same control plane.

Roll Rubric out across every developer machine. Every tool call routes through the policies, audit log, and dashboard you already use for your production agents — hardened against bypass in managed mode.

One command on every developer machine

No code change. The CLI patches ~/.claude/settings.json, writes a launchd plist or systemd unit, and starts a loopback daemon on port 47821.

Same policies, same dashboard

Author once in YAML; apply to your production agents and your devs’ Claude Code from the same Policies page. Every decision lands in the same audit log.

Hardened against bypass in managed mode

Push the hook block via enterprise managed-settings with allowManagedHooksOnly: true. Designed to survive --dangerously-skip-permissions, so a developer can’t simply edit it away.

Anatomy of a deny

A policy on the left. The decision it produced on the right.

Every deny carries the rule that fired, the matched fields, and a link straight back to the conversation trace.

policy.yaml · v23 · sha:a91c…
# payments fleet policy
rules:
  - id: cap_transfer_amount
    when:
      tool: transfer_money
      arg.amount.gt: 1000
    action: deny
    reason: "amount exceeds cap"

  - id: block_external_recipient
    when.dlp_match: [external_account]
    action: warn

decision · evt_8821 · DENY
denied · cap_transfer_amount
agent: payments-bot · agent.001
tool: transfer_money
amount: $12,400.00
to: acct_8f21…c099
latency: 0.4ms · in-process
trace: view conversation →
Matched rule cap_transfer_amount. arg.amount > 1000 evaluated true. Chained to event evt_8820 (sha256:a91c…f7d2).
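
The deny above can be reproduced with a small in-process evaluator; this is an added example, not Rubric's evaluator, with the page's policy transcribed as a Python dict (the dotted `when.dlp_match` key expanded). The semantics are assumptions: conditions in a rule are ANDed in order, the first matching rule decides, the default is allow, and the `dlp` field on a call is a hypothetical list of detection types.

```python
import operator

POLICY = {  # transcription of the policy shown above
    "rules": [
        {"id": "cap_transfer_amount",
         "when": {"tool": "transfer_money", "arg.amount.gt": 1000},
         "action": "deny", "reason": "amount exceeds cap"},
        {"id": "block_external_recipient",
         "when": {"dlp_match": ["external_account"]},
         "action": "warn"},
    ]
}
OPS = {"gt": operator.gt, "lt": operator.lt}


class Unevaluable(Exception):
    """A condition that cannot be checked against this call."""


def condition_holds(key, expected, call):
    if key == "tool":
        return call["tool"] == expected
    if key == "dlp_match":
        return bool(set(expected) & set(call.get("dlp", [])))
    parts = key.split(".")
    if len(parts) == 3 and parts[0] == "arg" and parts[2] in OPS:
        value = call["args"].get(parts[1])
        # A missing or non-numeric argument must not slip past a numeric cap
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            raise Unevaluable(key)
        return OPS[parts[2]](value, expected)
    raise Unevaluable(key)  # unknown condition key


def evaluate(policy, call):
    """First rule whose conditions all hold decides; the default is allow."""
    for rule in policy["rules"]:
        try:
            # all() short-circuits, so arg checks only run once the tool matched
            hit = all(condition_holds(k, v, call) for k, v in rule["when"].items())
        except Unevaluable as exc:
            # Fail closed: a rule that cannot be evaluated denies the call
            return {"action": "deny", "rule": rule["id"], "reason": f"cannot evaluate {exc}"}
        if hit:
            return {"action": rule["action"], "rule": rule["id"], "reason": rule.get("reason")}
    return {"action": "allow", "rule": None, "reason": None}
```

Passing the amount as the string "12400" yields a deny with reason "cannot evaluate arg.amount.gt" rather than an allow, which is the fail-closed behaviour a cap rule needs.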
Hash-chain integrity: SHA-256

Ship agents your security team can sign off on.

Book a 30-minute walkthrough. We’ll dig into your agent fleet, your risk surface, and what governance looks like in production.