AI agents inherit the ambient permissions of their environment and hallucinate their successes. We fix this by separating execution intent from deterministic verification.
From pre-execution policy gates to post-execution proof — a complete governance plane for AI agents.
The Three Pillars
A unified architecture for agent security and verification.
The Wrapper
The drop-in wrapper that intercepts agent execution loops (like OpenClaw's tool calls) before they hit your OS or browser.
Learn morePre-Execution
The local Rust daemon that evaluates the paused intent against deterministic YAML policies and IdP tokens in <1ms.
Learn morePost-Execution
The verification engine that uses ML-ranked DOM snapshots and assertions to prove the agent actually succeeded.
Learn moreEvery action follows a chronological lifecycle. The authority issues a cryptographic mandate — a "Work Visa" — before any side effect occurs.
The Predicate SDK (e.g., predicate-claw) pauses the tool call before execution.
The sidecar checks intent against policy. If safe, it issues a cryptographic mandate (a "Work Visa").
The mandate is passed to the OS or backend API to perform the action.
The Snapshot Engine verifies the new state (e.g., terminal output matches, DOM updated correctly).
YAML policy blocking dangerous commands:
# policy.yaml - Pre-execution rules
rules:
- name: block_destructive_commands
match:
tool: bash
command_pattern: "rm -rf|mkfs|dd if="
action: DENY
reason: "Destructive command blocked by policy"
- name: allow_safe_file_ops
match:
tool: bash
command_pattern: "cat|ls|grep|find"
action: ALLOW
- name: require_approval_for_network
match:
tool: bash
command_pattern: "curl|wget|ssh"
action: REQUIRE_APPROVAL
escalate_to: human_in_loopSemantic snapshot proving action succeeded:
{
"verification": {
"status": "PASSED",
"assertions": [
{
"predicate": "url_contains('checkout')",
"result": true,
"evidence": "https://shop.example.com/checkout"
},
{
"predicate": "text_visible('Order Confirmed')",
"result": true,
"element_id": 47
}
],
"snapshot_confidence": 0.94,
"timestamp": "2024-01-15T10:23:45Z"
},
"mandate_id": "mnd_8f3k2j1m",
"execution_time_ms": 234
}Deep Dive
Predicate Authority relies on predicate-authorityd (the Rust sidecar) and plugins like predicate-claw to enforce policies locally.
If the sidecar is unreachable or returns an error, the action is blocked. No silent failures. No ambient permissions.
Circuit breaker: After 3 consecutive failures, the agent pauses and escalates to human review.
Policy evaluation happens in <1ms. No cloud round-trips for authorization. The sidecar runs locally alongside your agent.
Local-first: Policies sync from Predicate Vault but evaluate on your machine.
Principal
Who is the agent? What IdP token?
Intent
What tool and action are requested?
Resource
What file, URL, or system is targeted?
Context
Time, rate limits, session state?
Deep Dive
The Snapshot Engine cuts token bloat by 95% by stripping out HTML noise. Instead of dumping 500k tokens of DOM, your agent gets ranked, actionable elements.
500k+
Raw DOM tokens
~1k
Semantic snapshot tokens
95%+ reduction means smaller models become viable for web automation
{
"id": 42,
"role": "button",
"text": "Add to Cart",
"importance": 95,
"bbox": { "x": 320, "y": 480, "width": 120, "height": 40 },
"in_viewport": true,
"is_occluded": false,
"visual_cues": {
"is_primary": true,
"is_clickable": true,
"background_color_name": "green"
},
// Ordinal fields for "click 3rd result" queries
"group_key": "480_main",
"group_index": 2,
"in_dominant_group": true,
// Layout detection
"layout": {
"grid_id": 1,
"grid_pos": { "row_index": 0, "col_index": 2 },
"region": "main"
}
}id – stable element identifierrole – button, link, inputtext – visible labelbbox – pixel coordinatesin_viewport – currently visibleis_occluded – covered by overlayimportance – ML relevance scoreis_primary – main CTAgroup_key – geometric bucketgroup_index – position in groupin_dominant_group – main contentgrid_pos – row/column indicesPredicate complements agent frameworks rather than replacing them. It slots into the governance and verification layer.
Planner/executor: OpenClaw, LangChain, PydanticAI, custom
Secure wrapper + Authority sidecar + Runtime verification
Browser (Playwright), Terminal (Bash), APIs, or custom backends
If you're building agents that must act securely, Predicate Systems is the missing layer.
Explore interactive SDK examples or test the API directly with real automation scenarios
Apply a permission policy, run agent steps with lifecycle hooks, trace tool calls, and verify a real download deterministically.
1# Verification-first runtime demo (Agent acts; Predicate asserts)
2from sentience import SentienceBrowser, PermissionPolicy, SentienceAgent
3from sentience.llm_provider import OpenAIProvider
4from sentience.agent_runtime import AgentRuntime
5from sentience.tools import ToolRegistry, ToolContext, register_default_tools
6from sentience.verification import exists, download_completed
7from sentience.tracing import Tracer, JsonlTraceSink
8
9# Tracing (local JSONL; upload optional)
10tracer = Tracer(run_id="demo-run", sink=JsonlTraceSink("trace.jsonl"))
11
12# Startup permission policy avoids non-DOM browser permission bubbles
13policy = PermissionPolicy(
14 default="clear",
15 auto_grant=["geolocation"],
16 geolocation={"latitude": 37.7749, "longitude": -122.4194},
17)
18
19browser = SentienceBrowser(
20 api_key="sk_live_...",
21 allowed_domains=["example.com"],
22 permission_policy=policy,
23)
24browser.start()
25
26llm = OpenAIProvider(api_key="sk_openai_...", model="gpt-4o-mini")
27agent = SentienceAgent(browser, llm, tracer=tracer)
28runtime = AgentRuntime(browser, browser.page, tracer)
29
30# Typed, traceable tools (includes evaluate_js + permission tools)
31registry = ToolRegistry()
32register_default_tools(registry, runtime)
33ctx = ToolContext(runtime)
34
35def on_start(ctx): print("hook start:", ctx.goal)
36def on_end(ctx): print("hook end:", ctx.success, ctx.outcome)
37
38browser.page.goto("https://example.com/billing")
39
40# Small introspection (bounded output; no DOM dump)
41title = await registry.execute("evaluate_js", {"code": "document.title"}, ctx=ctx)
42
43# Act with lifecycle hooks
44agent.act("Sign in if needed", on_step_start=on_start, on_step_end=on_end)
45
46# Verify + download (assert what happened, not what you hope happened)
47runtime.begin_step("Download invoice and verify")
48await runtime.snapshot(limit=60)
49runtime.assert_(exists("role=button text~'Download invoice'"), "has_download_button", required=True)
50
51agent.act("Click 'Download invoice PDF'", on_step_start=on_start, on_step_end=on_end)
52
53await runtime.snapshot()
54await runtime.check(download_completed("invoice"), label="invoice_downloaded", required=True).eventually(timeout_s=10)
55
56print("PASS ✓ invoice_downloaded")
57await tracer.close(upload=False)
58browser.close()Verify outcomes deterministically — assert what happened, not what you hope happened
Rendered DOM after hydration with confidence scoring — enables deterministic verification
Retry verification (not actions) with confidence gating — explainable failures with reason codes
Predicate Systems focuses on governance and verification. Browser runtimes and navigation engines are intentionally decoupled.