Heuristics, contextual judging, arbitration, kill switch, and graduated enforcement.
Product map
Control the action. Preserve the evidence. Operate the system.
A local proxy that combines tool-call safety, provider operations, audit evidence, and incident response across five clear deployment profiles.
Live audit, logs, provider health, alerts, cost views, and operational monitors.
Tracing, session replay, tamper-evident checkpoints, and searchable evidence.
Routing, failover, remote wrappers, anomaly detection, SCM, and issue workflows.
Core protection
Safety & control
Stop dangerous actions without turning routine development into a wall of prompts.
Heuristic Rule Engine
Blocks known destructive commands, credential exfiltration patterns, and unsafe operations before they reach a judge.
Command Normalizer
Reveals encoded commands, invisible characters, homoglyphs, and common shell obfuscation before policy evaluation.
LLM Judge
Adds contextual risk review for ambiguous tool calls. Bring your own judge on Free, Professional, and Enterprise BYOK.
Self-Consistency Check
Repeats high-risk evaluations and flags inconsistent judge results before arbitration.
Explore all safety & control features
Arbitration Engine
Combines deterministic and contextual signals into allow, ask, or deny decisions.
Tool Definition Inspector
Scans tool descriptions and schemas for instructions designed to manipulate the agent.
Per-Tool Stream Buffering
Streams assistant text immediately while holding tool calls until the safety pipeline returns a verdict.
Circuit Breaker
Detects repeated calls, error cascades, and runaway sessions, then halts execution at configurable limits.
Tool Chain Detection
Recognizes dangerous multi-call sequences even when each individual action appears harmless.
Kill Switch
Activates deny-all through config, SIGUSR1, a sentinel file, or the local dashboard; SIGUSR2 clears the signal state.
Danger Tiers & Graduated Enforcement
Apply different review and enforcement levels to low-, medium-, and high-risk operations.
Operational visibility
Observability & incident response
See what agents attempted, why ModelWarden decided, and what changed around an incident.
Local Operations Dashboard
Inspect live audit events, provider health, configuration, licenses, and system status from the proxy.
Error Monitoring & Log Search
Search proxy errors and operational logs without shipping local agent traffic to a third party.
Distributed Tracing
Follow requests across routing, safety stages, providers, and downstream decisions.
Session Replay
Reconstruct an agent session from recorded requests, tool calls, decisions, and timing.
Explore all observability & incident response features
Advanced Observability & Cost
Adds detailed latency, token, provider, and cost views for operational analysis.
Alerting & Notifications
Send threshold alerts through baseline email/webhooks or connect team channels on Professional and Enterprise.
Automatic Anomaly Detection
Models normal proxy behavior and identifies unusual activity without requiring a hand-written threshold for every signal.
Release Health
Track version adoption, crash-free operation, and regressions across managed deployments.
Model routing
Providers & routing
Keep the safety layer stable while models, vendors, and endpoints change underneath it.
Multi-Provider Protocol Support
Understands OpenAI, Anthropic, Gemini, Bedrock, Ollama, MCP, and OpenAI-compatible request and stream formats.
OpenAI Responses HTTP/SSE
Supports custom-provider OpenAI Responses requests over HTTP and server-sent events, including tool-call inspection.
Provider Health Monitoring
Surfaces provider availability, failures, and latency in the local dashboard.
Priority Routing & Failover
Routes by configured priority and moves to the next provider when an upstream is unavailable.
Explore all providers & routing features
Managed Provider Credentials
Refreshes encrypted upstream credentials from the portal for managed Enterprise contracts.
Managed Judge Provider
Provides a preconfigured judge service for managed Enterprise contracts; every other profile remains BYO.
Configurable policy
Policy & configuration
Start with safe defaults, then make policy specific to your tools, paths, and operating model.
Config Hot-Reload
Validates and applies JSON configuration changes atomically without restarting the proxy.
Config Init & TUI
Generate a starter config with --init or use the interactive terminal editor with --tui.
Policy Profiles
Switch among strict, balanced, permissive, and custom policy profiles.
Custom Judge Instructions
Add organization-specific constraints and review guidance to contextual judge requests.
Explore all policy & configuration features
Tool Allowlist & Denylist
Bypass known-safe tools and hard-block prohibited tools, with deny rules taking precedence.
Safe Commands & Trusted Directories
Reduce unnecessary reviews for approved read-only commands and explicitly trusted paths.
Path Policy Resolution
Resolve path-aware stage exclusions, policy overrides, and enforcement levels consistently.
Request & Judge Rate Limits
Applies separate request and judge-call budgets, with higher defaults on Professional and contract-defined Enterprise limits.
Concurrent Judge Capacity
Limits simultaneous judge-backed operations independently from general request throughput.
Evidence trail
Audit & evidence
Keep an explainable record of agent actions without pretending every log line is independently signed.
Tamper-Evident Audit Chain
Hash-links audit records and adds Ed25519-signed checkpoints so retroactive changes can be detected.
Live Audit Stream
Shows tool calls, routing, policy stages, and verdicts in real time.
Secret Redaction
Masks configured keys, tokens, and credential-shaped values before audit and operational output.
TimeGuard
Uses signed portal time to detect suspicious clock movement during license and audit operations.
Explore all audit & evidence features
Persistent JSONL Audit
Writes redacted audit history to rotating local files for investigations and retention workflows.
Log Drains
Forwards operational output to file, HTTP, or syslog destinations.
Enterprise operations
Deployment & enterprise operations
Move from one workstation to managed fleets while keeping the same enforcement and evidence model.
Built-in TLS & API Authentication
Protects proxy access with TLS plus Bearer or x-api-key client authentication.
Non-Loopback Network Bind
Serve trusted team clients beyond localhost when TLS or an explicit remote-HTTP override is configured.
Remote Wrapper
Lets a centralized proxy inspect context for agents running on other machines.
Contract-Authorized Offline Operation
Removes the periodic portal heartbeat dependency for entitled contracts while token validity and upstream network requirements still apply.
Explore all deployment & enterprise operations features
Uptime Monitoring
Checks configured endpoints and raises availability alerts from the local operations surface.
Cron Monitoring
Detects missed or delayed background jobs and records their operational state.
Profiling
Captures CPU profiles for diagnosing proxy hot paths and performance regressions.
Source Code Management Integrations
Links operational events and configuration context to GitHub or GitLab commits.
Issue Tracking Integrations
Turns selected alerts into Jira or Linear issues for team follow-up.
Exact profile differences