Motebit

Governance

Surface tension — what crosses the boundary between the agent and the world.

Governance is the surface tension. It controls what crosses the boundary between the agent's interior — memory, tools, state — and the outside world. Without it, a tool-using agent is a liability.

The policy gate

Every tool call passes through the policy gate before execution. The gate evaluates each request against allow/deny lists, risk classification, operator mode, rate limits, and per-tool approval requirements.

The result is one of three outcomes: allowed (the tool executes), denied (the tool is blocked), or requires approval (the user decides).

Risk levels

Tools are classified by the risk they carry:

Level      | What it means                        | Examples
Read-only  | No side effects                      | Search the web, read a file, recall memories
Annotate   | Creates metadata, no external effect | Browse events, fetch a URL
Write      | Modifies local storage               | Write a file
Execute    | Runs code or commands                | Shell execution
Financial  | Money is involved                    | Payment tools

Read-only tools flow through automatically. Write and execute tools require operator mode. Financial tools are denied by default. The risk level is inferred from the tool's name and description, so even tools from external sources get classified.
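As an added illustration of the gate and the risk table above (not Motebit's own code), a minimal policy gate in Python: the three outcomes, the operator-mode requirement for write and execute tools, the default denial of financial tools and the fail-closed error handling follow this page, while the keyword hints, the allow-list semantics, the rate-limit window and the "unmatched tool counts as execute" default are assumptions.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Risk(IntEnum):
    READ_ONLY = 0
    ANNOTATE = 1
    WRITE = 2
    EXECUTE = 3
    FINANCIAL = 4

# Constructed keyword hints standing in for the name/description inference,
# scanned from highest risk down so "read and write a file" lands on WRITE.
RISK_HINTS = (
    (Risk.FINANCIAL, ("pay", "charge", "invoice", "wallet")),
    (Risk.EXECUTE, ("shell", "exec", "command", "subprocess")),
    (Risk.WRITE, ("write", "save", "delete", "modify")),
    (Risk.ANNOTATE, ("fetch", "browse", "url", "event")),
    (Risk.READ_ONLY, ("search", "read", "recall", "list")),
)

def classify(name: str, description: str) -> Risk:
    """Infer risk from name + description; no match is treated as EXECUTE (assumption)."""
    text = (name + " " + description).lower()  # raises if the description is missing
    for level, words in RISK_HINTS:
        if any(word in text for word in words):
            return level
    return Risk.EXECUTE

@dataclass
class Policy:
    deny: set = field(default_factory=set)            # tools that never run
    allow: set = field(default_factory=set)           # assumed: if non-empty, only these may run
    needs_approval: set = field(default_factory=set)  # per-tool "ask the user first"
    rate_limit: int = 20                              # max calls per tool per window
    operator_mode: bool = False                       # PIN-protected escalation active?

def gate(policy: Policy, name: str, description: str, calls_in_window: int = 0) -> str:
    """Return 'allowed', 'denied' or 'requires_approval'; internal errors fail closed."""
    try:
        listed_out = name in policy.deny or (policy.allow and name not in policy.allow)
        if listed_out or calls_in_window >= policy.rate_limit:
            return "denied"  # list checks and the rate limit come before any risk reasoning
        risk = classify(name, description)
        if risk is Risk.FINANCIAL:  # denied by default, with no escalation path
            return "denied"
        if risk >= Risk.WRITE and not policy.operator_mode:
            return "denied"  # write and execute tools need operator mode
        if name in policy.needs_approval:
            return "requires_approval"  # the user decides, even in operator mode
        return "allowed"
    except Exception:
        return "denied"  # fail closed: an engine error never lets a call through
```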

Operator mode

Operator mode is a PIN-protected escalation that unlocks higher-risk tools. Think of it as sudo for your agent.

  1. Enable operator mode in settings
  2. Enter a 4-6 digit PIN
  3. While active, write and execute tools can proceed (still subject to per-tool approval rules)
  4. Disable operator mode to re-lock everything immediately

The PIN is hashed and stored in the OS keyring. It's never stored in plaintext and never sent over the network.

Audit trail

Every policy decision is logged — what tool was requested, what arguments were passed, whether it was allowed or denied, and what the result was. The audit log is append-only and immutable. You can review exactly what your agent has done, attempted, and been prevented from doing.

Memory governance

Governance extends to memory formation. The memory governor checks every memory candidate before it enters the graph:

  • Memories above a sensitivity threshold can be rejected entirely
  • Retention rules are enforced per sensitivity level
  • When sensitive memories are deleted, cryptographic deletion certificates are produced

Injection defense

When a tool returns data from an external source, the system checks for prompt injection attempts — patterns designed to hijack the agent's behavior. Suspicious content is flagged, and external data is clearly delineated from internal content so the agent can reason about trust boundaries.

The principle

Fail closed. If the policy engine errors, the tool call is denied. If sensitivity classification fails, the memory is rejected. If the keyring is unavailable, operator mode can't be enabled. Every failure mode defaults to the more restrictive option.