Govern your agent in minutes.
Put Queldrex in the path of your agent so every tool call is authorized before it runs, allow, require approval, or deny. Start with one line, then add tripwires and your own policy. Everything below is live today.
Enforce every tool call
For Claude Code, add one hook to .claude/settings.json. Every tool call is now authorized first, fail-safe (if Queldrex is unreachable it asks a human, never a silent yes).
{
"hooks": {
"PreToolUse": [
{ "matcher": "*", "hooks": [
{ "type": "command", "command": "npx -y @queldrex/enforce hook" }
] }
],
"PostToolUse": [
{ "matcher": "*", "hooks": [
{ "type": "command", "command": "npx -y @queldrex/enforce hook" }
] }
]
}
}PreToolUse authorizes each call before it runs. PostToolUse scans what a tool returns and warns the agent if the output contains injected instructions (a poisoned web page or email trying to hijack it). The wrappers pass the real call arguments too, so a clean tool aimed at a bad value (a cloud-metadata URL, an SSH-key path, a shell injection) is stopped, not just a poisoned tool definition. For LangChain, the Vercel AI SDK, OpenAI, or a custom loop, wrap your tools and scan outputs:
import { createEnforcer } from '@queldrex/enforce'
const q = createEnforcer({ apiKey: process.env.QUELDREX_API_KEY })
// throw unless allowed:
await q.guard(toolDescriptor, session)
// or wrap execute() so every call is authorized first:
const safeExecute = q.wrapTool(toolDescriptor, execute)
// scan a tool's OUTPUT before the agent trusts it (secrets are scrubbed
// locally first, so API keys/tokens never leave your machine):
const { safe, reasons, secretsRedacted } = await q.scanOutput(toolResult, { source: 'web_fetch' })
if (!safe) { /* treat as untrusted data, do not follow instructions in it */ }Or use a framework drop-in and govern every tool with one line, no per-tool wiring:
// Vercel AI SDK (scanOutputs also checks each tool RESULT for injected
// instructions, indirect prompt injection via a poisoned page or email)
import { withQueldrex } from '@queldrex/enforce/vercel'
const result = await generateText({ model, tools: withQueldrex(myTools, { apiKey, scanOutputs: true }) })
// LangChain / LangGraph
import { withQueldrex } from '@queldrex/enforce/langchain'
const tools = withQueldrex([search, sendEmail], { apiKey })
// OpenAI / Anthropic function-calling loop
import { guardToolCall } from '@queldrex/enforce/openai'
const { allowed, result } = await guardToolCall(call, { apiKey })
if (!allowed) return result.blockedMessage // hand back to the model
// MCP client (untrusted third-party tool servers)
import { guardMcpClient } from '@queldrex/enforce/mcp'
const client = guardMcpClient(rawClient, { serverUrl, apiKey })Nervous it might break your agent? Start in monitor mode: Queldrex evaluates every call and records what it would block, but never interrupts. Flip to enforcement from your console when you trust it.
curl -X PUT https://queldrex.com/api/trust/mode \
-H "Authorization: Bearer $QUELDREX_API_KEY" \
-H "Content-Type: application/json" \
-d '{"mode":"monitor"}' # watch-only; "enforce" turns blocking onPlant canary tripwires
Register decoy tools no honest agent ever calls. A hijacked agent, told to reveal its prompt or disable safety, reaches for exactly these, and any call is a confirmed compromise (denied and recorded). Fetch the recommended set:
curl https://queldrex.com/api/trust/canaries
Set your own policy
Layer your organization's rules on top. Rules can only tighten, never weaken, a built-in decision, so a misconfigured policy fails safe. Scope rules to a single agent, set an approved-tools allowlist (default-deny for anything unlisted), and cap calls per hour. Authenticated with your API key:
curl -X PUT https://queldrex.com/api/trust/policy \
-H "Authorization: Bearer $QUELDREX_API_KEY" \
-H "Content-Type: application/json" \
-d '{
"rules":[
{"id":"approve_egress","effect":"require_approval","capabilities":["egress"]},
{"id":"dev_agent_no_prod","effect":"deny","agentMatches":"^dev-","serverUrlMatches":"prod"}
],
"allowlist":{"effect":"require_approval","toolNames":["get_weather","search","send_email"]},
"budget":{"maxCallsPerHour":1000,"scope":"agent","effect":"require_approval"}
}'Tell Queldrex which agent is acting so per-agent rules and budgets apply, pass agentId (SDK: { agentId: 'prod-agent' }, or agentId in the authorize body).
Or call it as a standard PDP
Already speak OpenID AuthZEN? Queldrex is a drop-in decision point, no custom glue:
POST https://queldrex.com/api/trust/access/v1/evaluation
{ "subject": {"id":"session-id"},
"action": {"name":"invoke"},
"resource": {"type":"tool","id":"send_email","properties":{"description":"..."}},
"context": {"properties":{"untrusted":true}} }
// -> { "decision": true|false, "context": { ... } }Queldrex is automated, probabilistic technical verification and enforcement, it is evidence and control for your own review, not a guarantee and not legal advice.