VertRule

Stop unsafe agent actions before they happen

VertRule sits between AI agents and your real systems. Each action is evaluated against deterministic policy, allowed or blocked, and receipted with independently verifiable evidence.

See a blocked action Verify a receipt
Blocks destructive SQL Blocks protected-branch force pushes Stops unapproved data egress Verifiable receipts for every decision

Intercept

Every agent action passes through VertRule before it reaches a repo, database, deployment target, or external API.

Decide

Deterministic policies evaluate the action and return allow or deny. No heuristics, no probabilistic detection. The same input always produces the same verdict.

Prove

Each decision produces a cryptographic receipt — BLAKE3 digest, JCS canonical form. Independently verifiable, permanently auditable.

Same agent. Same task. Less blast radius.

An incident-response agent with real system access reads logs, queries production, and opens a safe rollback PR. When it tries destructive SQL, a protected-branch force push, or unapproved data egress, VertRule blocks the action before execution and records the decision.

Policy

[email protected]

Determinism policy

Read operations on governed tables are permitted
No destructive SQL on production tables
All collections use ordered iteration

Runtime

vertrule-runtime

$

Every decision produces a receipt

The receipt is evidence. Each one is independently verifiable.

Receipt envelope denied

event_hash befdf1a1...680e

action execute_sql

statement DROP TABLE sessions

policy db-safety@1

reason Destructive SQL blocked by policy

This receipt is a real verifier-passing artifact. Verify it yourself.

One control point for every agent boundary

Deploy VertRule in front of the systems your agents can touch. Start with one workflow, then expand policy coverage over time.

Repos

Force pushes, direct commits to protected branches

Databases

Destructive SQL, schema mutations, unbounded queries

CI/CD

Unapproved deployments, pipeline modifications

Internal APIs

External data transfers, privilege escalation

Verify any receipt locally

Upload a receipt JSON file and verify it in your browser. Client-side only — nothing leaves your machine. No account required.

BLAKE3

befdf1a174e8fd225e0b584fb68214d19f2fb832a43193708e33fb92bedc680e

Verify a receipt

Start with a controlled pilot

One workflow. One integration boundary. 3-5 policies. Receipts on every decision. See VertRule stop the expensive mistake on your systems.

Request a pilot Verify a sample receipt