How it works
Guardrails & safety
Halo's safety isn't a prompt instruction — it's enforced by the topology: isolated tools, an approval gate, and an inline guardrail.
Read / write tool isolation
The product's tools are split across two separate MCP servers at the gateway:
jaguar-observe— read-only tools (status, diagnostics, deploys, failures).jaguar-act— write tools (the actions that change production).
In degraded mode, Halo is restricted to the read server. Write capability simply is not available when the agent is operating under stress.
The human approval gate
Anything that writes has to clear a human approval before it runs. The action is registered as a pending approval; the incident sits in waiting_for_approval until an operator approves or rejects. Only on approval does the write execute through jaguar-act.
This is the gate you see in the war room: Halo prepares a worker restart, but it will not touch production on its own.
Secrets-detection guardrail
A secrets-detection guardrail runs inline at the gateway. In one incident the notes contained a token; the guardrail caught and blocked the call without us writing any detection logic, and Halo dropped into a safer mode rather than breaking.
Security becomes a gateway policy rather than application code — and the block shows up as real trace evidence in the UI. See TrueFoundry + Bedrock.