Deterministic policy enforcement that sits between Claude and tool execution. Every tool call passes through user-defined YAML rules before running, with no LLM in the authorization path and 25ms end-to-end. Ships with locked self-protection rules that prevent agents from disabling their own guardrails. Supports spending limits via an encrypted vault ledger, conditional blocks based on parameters or patterns, and probabilistic advisory injection for nudges. Integrates via PreToolUse hooks in Claude Code or Codex, plus an MCP management interface for conversational policy updates. Conditions include spend tracking, credential checks, regex matching, and recent action history. Rules can be locked to prevent agent modification, and the vault uses three-tier encryption with Argon2id key derivation.
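The following added example (not the tool's own code) shows a deterministic rule check of the kind described above: regex conditions on call parameters, a spend limit, and a locked rule that refuses edits from the agent. The rule fields, tool names, the `actor` argument and the allow-when-nothing-matches default are assumptions, with Python dicts standing in for YAML, because the page does not show the real rule schema.

```python
import re

# Hypothetical rule schema; the real YAML format is not shown on the page.
RULES = [
    {"id": "protect-policy", "locked": True, "tool": "Write",
     "match": {"path": r"(^|/)policy\.ya?ml$"}, "action": "block"},
    {"id": "no-force-push", "locked": False, "tool": "Bash",
     "match": {"command": r"git\s+push\s+.*--force"}, "action": "block"},
    {"id": "spend-cap", "locked": False, "tool": "Pay",
     "spend_limit": 50.0, "action": "block"},
]


def evaluate(rules, call, spent=0.0):
    """Return (decision, rule_id) for one tool call; the first matching rule wins."""
    params = call.get("params", {})
    for rule in rules:
        if rule["tool"] != call["tool"]:
            continue
        # Every regex condition must match its parameter for the rule to apply.
        patterns = rule.get("match", {})
        if any(not re.search(rx, str(params.get(key, "")))
               for key, rx in patterns.items()):
            continue
        # A spend rule applies only when this call would exceed the limit.
        if "spend_limit" in rule:
            if spent + float(params.get("amount", 0)) <= rule["spend_limit"]:
                continue
        return rule["action"], rule["id"]
    return "allow", None  # assumption: calls matching no rule are allowed


def update_rule(rules, rule_id, changes, actor):
    """Apply a policy edit; locked rules refuse edits that come from the agent."""
    for rule in rules:
        if rule["id"] == rule_id:
            if rule["locked"] and actor == "agent":
                raise PermissionError(f"rule {rule_id} is locked")
            rule.update(changes)
            return rule
    raise KeyError(rule_id)
```
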