Labsco
fpytloun logo

Intaris

β˜… 17

from fpytloun

Guardrails service for AI agents. Default-deny tool call evaluation with LLM safety analysis, priority-ordered decision matrix, and human-in-the-loop escalations. Session recording, behavioral analysis, MCP proxy, secret redaction, and real-time audit.

πŸ”₯πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedAccount requiredAdvanced setup
<p align="center"> <img src="files/banner.jpg" alt="Intaris"> </p>

intaris

Guardrails service for AI agents. Intaris sits between your AI agent and its tools, evaluating every tool call for safety and alignment before allowing execution. Works with OpenCode, Claude Code, OpenClaw, and any MCP-compatible client.

Default-deny. Every tool call is classified and evaluated. Read-only operations are fast-pathed; everything else goes through LLM safety evaluation. Unknown tools are never auto-approved.

Real-time. Sub-second evaluation with a priority-ordered decision matrix. Read-only calls resolve in under 1ms. LLM evaluations complete within the 5-second circuit breaker. WebSocket streaming for live monitoring.

Self-hosted. Single Python process, SQLite or PostgreSQL storage, no external dependencies beyond an LLM API key. Your code and audit trail stay under your control.

Part of the Cognara platform (Cognis controller, Intaris guardrails, Mnemory memory).

Features

  • Default-deny classifier -- Explicit read-only allowlist with critical pattern detection. Everything not allowlisted goes through LLM evaluation.
  • LLM safety evaluation -- OpenAI-compatible structured output for alignment checking, risk assessment, and decision reasoning.
  • Priority-ordered decision matrix -- Critical risk auto-denies, aligned low/medium approves, high risk and misalignment escalate for human review.
  • Session management -- Hierarchical parent/child sessions with intention tracking, lifecycle states, and idle sweep.
  • Intention tracking -- User-driven intention model with IntentionBarrier for real-time updates and AlignmentBarrier for parent/child enforcement.
  • MCP proxy -- Sits between clients and upstream MCP servers, evaluating every tool call with per-tool preference overrides.
  • Audit trail -- Every evaluation is logged with decision, reasoning, risk level, classification, latency, and redacted arguments.
  • Secret redaction -- API keys, passwords, tokens, and connection strings are automatically redacted before audit storage.
  • Filesystem path protection -- Working directory enforcement with approved path prefix learning from LLM approvals.
  • Session recording -- Full-fidelity event logs with live tailing, playback, and chunked ndjson storage (filesystem or S3).
  • Cognis-ready auth -- Accepts Cognis-issued ES256 JWTs for service-to-service calls while keeping standalone API key auth for direct clients.
  • Behavioral analysis -- Three-layer system: per-call data collection, session summaries, and cross-session behavioral profiling.
  • Management UI -- Built-in web dashboard with session tree view, audit log, approval queue, MCP server management, and real-time charts.
  • Judge auto-resolution -- Escalated tool calls can be automatically reviewed by a more capable LLM (gpt-5.4), reducing human intervention while maintaining safety. Three modes: disabled, auto, advisory.
  • Webhook callbacks -- HMAC-signed escalation notifications for external approval systems.
  • Notification channels -- Per-user push notifications (Pushover, Slack, webhook) with one-click approve/deny action links.
  • Rate limiting -- Per-session sliding window rate limiter to prevent runaway agents.

Screenshots

<p align="center"> <img src="files/screenshots/ui-dashboard.png" width="800" alt="Dashboard"> <br><em>Dashboard -- evaluation metrics, decision distribution, performance stats, and activity timeline</em> </p> <p align="center"> <img src="files/screenshots/ui-sessions.png" width="800" alt="Sessions"> <br><em>Sessions -- hierarchical tree view with expandable session details and recent evaluations</em> </p> <p align="center"> <img src="files/screenshots/ui-approvals.png" width="800" alt="Approvals"> <br><em>Approvals -- pending escalations with reasoning, arguments, and one-click approve/deny</em> </p> <p align="center"> <img src="files/screenshots/ui-analysis-profile.png" width="800" alt="Behavioral Profile"> <br><em>Analysis -- behavioral risk profile with per-agent risk indicators and trends</em> </p> <p align="center"> <img src="files/screenshots/ui-analysis-trend.png" width="800" alt="Analysis Trend"> <br><em>Analysis -- cross-session behavioral trend tracking over time</em> </p> <p align="center"> <img src="files/screenshots/ui-session-suspicious.png" width="800" alt="Suspicious Session"> <br><em>Sessions -- suspicious session detail with evaluation reasoning and risk assessment</em> </p> <p align="center"> <img src="files/screenshots/ui-critical-denied.png" width="800" alt="Critical Denied"> <br><em>Audit -- critical tool execution denied with detailed reasoning</em> </p>

See the Management UI docs for all tabs and features.

Supported Clients

ClientIntegrationSetup Guide
OpenCodePlugin (intaris.ts)OpenCode Guide
Claude CodeHooks (bash scripts)Claude Code Guide
OpenClawPlugin (@fpytloun/openclaw-intaris)OpenClaw Guide
Hermes AgentPlugin (hermes-intaris)Hermes Guide
Any MCP clientMCP proxy (/mcp endpoint)MCP Proxy Guide

Plugin/Hooks give fine-grained control: custom error messages, fail-open/fail-closed behavior, session lifecycle management, and behavioral analysis. MCP proxy is zero-code configuration but with less UX control.

How It Works

Intercept. The client integration (plugin, hooks, or MCP proxy) captures every tool call before execution and sends it to Intaris for evaluation.

Classify. The classifier checks the tool against a priority chain: session policy denies, tool preference overrides, critical patterns, the read-only allowlist, and filesystem path policy. Read-only tools are auto-approved. Critical patterns are auto-denied.

Evaluate. Tool calls classified as WRITE go through LLM safety evaluation. The LLM assesses alignment with the session intention, risk level (low/medium/high/critical), and recommends a decision -- all within a 4-second timeout.

Decide. The decision matrix applies priority-ordered rules: critical risk always denies, aligned low/medium risk approves, high risk and misalignment escalate for human review. The decision, reasoning, and full context are recorded in the audit trail.

See the Architecture and Evaluation Pipeline docs for the full technical details.

Benchmark Results

Intaris catches 100% of critical threats (destructive commands, data exfiltration, RCE) with zero false positives. Across 41 benchmark scenarios including adversarial attacks, social engineering, and cross-session patterns, Intaris achieves 94% F1 with 100% precision -- it never blocks legitimate developer work.

MetricValue
Precision100%
F1 Score93.7%
False Positive Rate0.0%
Critical Misses0
Avg Latency1.1s

See the Benchmarking docs for methodology, scenario details, and how to run your own benchmarks.

Documentation

DocumentDescription
Quick StartGet running in 5 minutes
ArchitectureSystem design, layers, and key decisions
Evaluation PipelineClassification, LLM evaluation, and decision matrix
ConfigurationEnvironment variable reference
REST APIFull API endpoint reference
MCP ProxyMCP proxy setup, tool namespacing, and preferences
Management UIBuilt-in web dashboard
DeploymentProduction deployment guide
DevelopmentContributing, tests, and code conventions
OpenCode IntegrationOpenCode plugin setup
Claude Code IntegrationClaude Code hooks setup
OpenClaw IntegrationOpenClaw extension setup
BenchmarkingGuardrails benchmark system