Stipul

@Stipul_AI

Control before execution. Proof after. Agent authorization + tamper-proof audit. https://t.co/n1i2vRCL82 | https://t.co/Ok6YGDVbNw

Joined April 2026
3 Following, 2 Followers

Pinned Tweet
Stipul (@Stipul_AI)
1/5 Your AI agent can read your codebase, run shell commands, and call external APIs. In many setups, nothing stops it from doing something you did not authorize. And if it does, you may not be able to prove what happened. That is the problem Stipul is built for.

Stipul (@Stipul_AI)
Great point. User approval should not be treated as unlimited permission because, like you said, users don't fully understand what they are doing, and even if they do, agent actions can be unpredictable. I believe in a zero trust approach here. There should be hard policy boundaries in place so users can’t accidentally approve harmful actions the agent should never be allowed to take.

yunsu (@yunsu_dev)
I have a different point. I don’t think we should treat user approval as a real security boundary. A lot of people use options like "--dangerously-skip-permissions", and even when they don’t, they usually have no way to fully understand what an agent might do next. If AI companies can just say everything after approval is the user’s responsibility, they have much less reason to take post-auth vulnerabilities seriously. That’s what worries me.

yunsu (@yunsu_dev)
What worries me most about AI agent security is how easily things get waved away as “by design.” Once a user clicks approve, even a dangerous outcome can be treated like it was expected behavior. But real users don’t fully understand every permission, every tool call, and every possible chain of actions in that moment. Meanwhile, agents keep getting more features, more access, and more ways to interact with the outside world. Then when something breaks, the answer is often just: “Well, the user approved it.”

Stipul (@Stipul_AI)
@Docker Pre-execution enforcement is what matters. Most governance today is still around the agent, not at the moment of the tool call. If the agent can execute it, it’s already too late.

Docker (@Docker)
Introducing Docker AI Governance. Teams are racing to deploy agents, but those agents access repos, data, and APIs with little visibility. Docker AI Governance is now available, so teams can move fast without losing control. More: bit.ly/4nq37kd

Stipul (@Stipul_AI)
You gave your agent a database connection string. It read from the table you wanted. Then it wrote to one you didn't. Then it dropped a column to “clean things up.” Three queries. One connection string. No policy between the agent and the schema. Access was authority. And no one checked. Stipul sits at that boundary. The Charter defines what the agent is allowed to do before the query runs. Writ enforces that Charter at execution. The Chronicle records what happened. The Seal proves the record wasn’t quietly rewritten.

Stipul (@Stipul_AI)
For a deeper demo, try the Claude Code agent workflow. It runs Stipul through an MCP gateway and shows what happens when agent tool access is governed at the boundary. Allowed calls run. Denied calls are blocked. Evidence is recorded. Tampering is rejected. github.com/miadco/Stipul

Stipul (@Stipul_AI)
See it for yourself:
pipx install stipul
stipul demo proof
Tamper with the evidence. Verify again. Watch the proof break.

Stipul (@Stipul_AI)
A prompt is instruction. A Charter is policy. A tool call requests authority. Writ enforces authorization. A log describes activity. The Chronicle preserves evidence. A hash detects tampering. A Seal proves integrity. That is the Stipul thesis: control before action, proof after.

Stipul (@Stipul_AI)
Stipul makes agent actions provable at the tool boundary. Policy is enforced before the tool call executes. Every decision is recorded in a tamper-evident chain. Cryptographic proof breaks if the evidence is altered. Not logging. Not monitoring. Enforcement with evidence.
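
Added example, not Stipul's code or API and not part of any post above: the three-query scenario and the "tamper-evident chain" the posts describe, written as a default-deny check that runs before each statement plus a SHA-256 hash chain over the recorded decisions. The policy table, function names and sample statements are assumptions constructed for illustration.

```python
import hashlib
import json
import re

# Assumed policy for this example: table name -> operations the agent may perform.
POLICY = {"orders": {"SELECT"}}
GENESIS = "0" * 64
OP_RE = re.compile(r"\s*(SELECT|INSERT|UPDATE|DELETE|ALTER|DROP)\b", re.I)
TABLE_RE = re.compile(r"\b(?:FROM|JOIN|INTO|UPDATE|TABLE)\s+([A-Za-z_]\w*)", re.I)

def authorize(sql, policy=POLICY):
    """Default-deny decision made before the statement reaches the database."""
    # Keyword matching covers the sample statements; a real gate needs a SQL parser.
    stmt = sql.strip().rstrip(";")
    op = OP_RE.match(stmt)
    tables = TABLE_RE.findall(stmt)
    if ";" in stmt or not op or not tables:
        return "deny"  # stacked statements and anything unrecognised are refused
    granted = all(op.group(1).upper() in policy.get(t.lower(), ()) for t in tables)
    return "allow" if granted else "deny"

def digest(entry):
    """SHA-256 over the entry's fields, including the previous entry's hash."""
    fields = {k: entry[k] for k in ("seq", "sql", "decision", "prev")}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()

def governed_call(chain, sql, execute):
    """Record the decision first, then run the statement only if it was allowed."""
    entry = {"seq": len(chain), "sql": sql, "decision": authorize(sql),
             "prev": chain[-1]["hash"] if chain else GENESIS}
    entry["hash"] = digest(entry)
    chain.append(entry)
    if entry["decision"] == "allow":
        execute(sql)
    return entry["decision"]

def verify(chain):
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != digest(entry):
            return i
        prev = entry["hash"]
    return None

# Constructed sample statements: a read, a write elsewhere, a schema change, a stacked pair.
SAMPLE = ["SELECT id, total FROM orders WHERE id = 7",
          "UPDATE customers SET tier = 'gold'",
          "ALTER TABLE orders DROP COLUMN notes",
          "SELECT 1 FROM orders; DROP TABLE orders"]
```

A bare hash chain only detects edits if the newest hash is stored or signed somewhere the log writer cannot reach; otherwise anyone who can rewrite the log can rebuild the whole chain.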