Guardrails service for AI agents. Intaris sits between your AI agent and its tools, evaluating every tool call for safety and alignment before allowing execution. Works with OpenCode, Claude Code, OpenClaw, and any MCP-compatible client.
Default-deny. Every tool call is classified and evaluated. Read-only operations are fast-pathed; everything else goes through LLM safety evaluation. Unknown tools are never auto-approved.
Real-time. Sub-second evaluation with a priority-ordered decision matrix. Read-only calls resolve in under 1ms. LLM evaluations complete within the 5-second circuit breaker. WebSocket streaming for live monitoring.
Self-hosted. Single Python process, SQLite or PostgreSQL storage, no external dependencies beyond an LLM API key. Your code and audit trail stay under your control.
Part of the Cognara platform (Cognis controller, Intaris guardrails, Mnemory memory).
- Default-deny classifier -- Explicit read-only allowlist with critical pattern detection. Everything not allowlisted goes through LLM evaluation.
- LLM safety evaluation -- OpenAI-compatible structured output for alignment checking, risk assessment, and decision reasoning.
- Priority-ordered decision matrix -- Critical risk auto-denies, aligned low/medium approves, high risk and misalignment escalate for human review.
- Session management -- Hierarchical parent/child sessions with intention tracking, lifecycle states, and idle sweep.
- Intention tracking -- User-driven intention model with IntentionBarrier for real-time updates and AlignmentBarrier for parent/child enforcement.
- MCP proxy -- Sits between clients and upstream MCP servers, evaluating every tool call with per-tool preference overrides.
- Audit trail -- Every evaluation is logged with decision, reasoning, risk level, classification, latency, and redacted arguments.
- Secret redaction -- API keys, passwords, tokens, and connection strings are automatically redacted before audit storage.
- Filesystem path protection -- Working directory enforcement with approved path prefix learning from LLM approvals.
- Session recording -- Full-fidelity event logs with live tailing, playback, and chunked ndjson storage (filesystem or S3).
- Cognis-ready auth -- Accepts Cognis-issued ES256 JWTs for service-to-service calls while keeping standalone API key auth for direct clients.
- Behavioral analysis -- Three-layer system: per-call data collection, session summaries, and cross-session behavioral profiling.
- Management UI -- Built-in web dashboard with session tree view, audit log, approval queue, MCP server management, and real-time charts.
- Judge auto-resolution -- Escalated tool calls can be automatically reviewed by a more capable LLM (gpt-5.4), reducing human intervention while maintaining safety. Three modes: disabled, auto, advisory.
- Webhook callbacks -- HMAC-signed escalation notifications for external approval systems.
- Notification channels -- Per-user push notifications (Pushover, Slack, webhook) with one-click approve/deny action links.
- Rate limiting -- Per-session sliding window rate limiter to prevent runaway agents.
Intaris needs an OpenAI-compatible API key for safety evaluation. It picks up LLM_API_KEY from your environment automatically.
LLM_API_KEY=sk-your-key uvx intarisThat's it. Intaris starts on http://localhost:8060, management UI at http://localhost:8060/ui.
Now integrate with your agent. We already ship extensions for some clients. For example for OpenCode, install the plugin:
export INTARIS_URL=http://localhost:8060
cp integrations/opencode/intaris.ts ~/.config/opencode/plugins/Intaris can also serve as MCP proxy with audit trail and guardrails for tool calls. To use that, configure any MCP client to use intaris as a single MCP server:
{
"mcpServers": {
"intaris": {
"type": "streamable-http",
"url": "http://localhost:8060/mcp"
}
}
}And add MCP servers via Intaris UI or config.
Intaris is also available via Docker, pip, or production setup. See the full quick start guide for more clients and options.
Dashboard -- evaluation metrics, decision distribution, performance stats, and activity timeline
Sessions -- hierarchical tree view with expandable session details and recent evaluations
Approvals -- pending escalations with reasoning, arguments, and one-click approve/deny
Analysis -- behavioral risk profile with per-agent risk indicators and trends
Analysis -- cross-session behavioral trend tracking over time
Sessions -- suspicious session detail with evaluation reasoning and risk assessment
Audit -- critical tool execution denied with detailed reasoning
See the Management UI docs for all tabs and features.
| Client | Integration | Setup Guide |
|---|---|---|
| OpenCode | Plugin (intaris.ts) |
OpenCode Guide |
| Claude Code | Hooks (bash scripts) | Claude Code Guide |
| OpenClaw | Plugin (@fpytloun/openclaw-intaris) |
OpenClaw Guide |
| Hermes Agent | Plugin (hermes-intaris) |
Hermes Guide |
| Any MCP client | MCP proxy (/mcp endpoint) |
MCP Proxy Guide |
Plugin/Hooks give fine-grained control: custom error messages, fail-open/fail-closed behavior, session lifecycle management, and behavioral analysis. MCP proxy is zero-code configuration but with less UX control.
Intercept. The client integration (plugin, hooks, or MCP proxy) captures every tool call before execution and sends it to Intaris for evaluation.
Classify. The classifier checks the tool against a priority chain: session policy denies, tool preference overrides, critical patterns, the read-only allowlist, and filesystem path policy. Read-only tools are auto-approved. Critical patterns are auto-denied.
Evaluate. Tool calls classified as WRITE go through LLM safety evaluation. The LLM assesses alignment with the session intention, risk level (low/medium/high/critical), and recommends a decision -- all within a 4-second timeout.
Decide. The decision matrix applies priority-ordered rules: critical risk always denies, aligned low/medium risk approves, high risk and misalignment escalate for human review. The decision, reasoning, and full context are recorded in the audit trail.
See the Architecture and Evaluation Pipeline docs for the full technical details.
Intaris catches 100% of critical threats (destructive commands, data exfiltration, RCE) with zero false positives. Across 41 benchmark scenarios including adversarial attacks, social engineering, and cross-session patterns, Intaris achieves 94% F1 with 100% precision -- it never blocks legitimate developer work.
| Metric | Value |
|---|---|
| Precision | 100% |
| F1 Score | 93.7% |
| False Positive Rate | 0.0% |
| Critical Misses | 0 |
| Avg Latency | 1.1s |
See the Benchmarking docs for methodology, scenario details, and how to run your own benchmarks.
| Document | Description |
|---|---|
| Quick Start | Get running in 5 minutes |
| Architecture | System design, layers, and key decisions |
| Evaluation Pipeline | Classification, LLM evaluation, and decision matrix |
| Configuration | Environment variable reference |
| REST API | Full API endpoint reference |
| MCP Proxy | MCP proxy setup, tool namespacing, and preferences |
| Management UI | Built-in web dashboard |
| Deployment | Production deployment guide |
| Development | Contributing, tests, and code conventions |
| OpenCode Integration | OpenCode plugin setup |
| Claude Code Integration | Claude Code hooks setup |
| OpenClaw Integration | OpenClaw extension setup |
| Benchmarking | Guardrails benchmark system |
Business Source License 1.1 — see LICENSE for the full text.
The Licensed Work is (c) 2026 Filip Pytloun. You may use the Software for your own internal business operations free of charge. Commercial use (SaaS, managed services, or as a component of a commercial product) requires a separate license. On the Change Date (2030-03-15), the license converts to Apache License 2.0.
For alternative licensing arrangements, contact: filip@pytloun.cz