How it works

Guardrails & safety

Halo's safety isn't a prompt instruction — it's enforced by the topology: isolated tools, an approval gate, and an inline guardrail.

The approval gate and the read/write split are enforced at the gateway, not asked for in a prompt — so a wrong model output cannot reach production even if the agent decides to try.

Read / write tool isolation

The product's tools are split across two separate MCP servers at the gateway:

  • jaguar-observe — read-only tools (status, diagnostics, deploys, failures).
  • jaguar-act — write tools (the actions that change production).

In degraded mode, Halo is restricted to the read server. Write capability simply is not available when the agent is operating under stress.

The human approval gate

Anything that writes has to clear a human approval before it runs. The action is registered as a pending approval; the incident sits in waiting_for_approval until an operator approves or rejects. Only on approval does the write execute through jaguar-act.

This is the gate you see in the war room: Halo prepares a worker restart, but it will not touch production on its own.

Secrets-detection guardrail

A secrets-detection guardrail runs inline at the gateway. In one incident the notes contained a token; the guardrail caught and blocked the call without us writing any detection logic, and Halo dropped into a safer mode rather than breaking.

Security becomes a gateway policy rather than application code — and the block shows up as real trace evidence in the UI. See TrueFoundry + Bedrock.