Prempti
Experimental Preview — This project is under active development and released as an early preview. Interfaces and behavior may change between releases. We welcome your feedback to help shape its future.
Falco meets AI Coding Agents
Prempti brings Falco to the world of AI coding agents. It gives you guardrails that can deny or ask for confirmation on unwanted behaviors, plus real-time visibility into every tool call your coding agent makes — shell commands, file writes, reads, API calls. Both are driven by Falco rules you can customize to fit your workflow.
By default, Prempti runs in guardrails mode: rules produce verdicts that shape what the agent does. When a tool call is blocked or flagged, the agent receives an LLM-friendly explanation of why and adapts — the policy guides behavior through feedback. If you prefer pure observation without intervention, switch to monitor mode: every tool call proceeds while rules still evaluate and log the activity.
Who is this for? Anyone using a coding agent daily — developers, product managers, designers, vibe coders, and anyone else who wants to see what their agent is doing on their machine and set sensible boundaries for it.
What It Is — and What It Isn't
It is a cooperative policy and visibility layer at the tool-call level. It gives you an audit trail of agent activity, and guardrails the agent respects because it sees and understands them.
It is not a sandbox, OS-level security, or a substitute for least-privilege environments or system hardening. It does not contain a determined adversarial agent. Use it alongside containment techniques — it complements them, it does not replace them.
Features
- Real-time tool-call interception — every shell command, file write/edit/read, web fetch, and MCP call is evaluated before it runs.
- Allow / deny / ask verdicts — block, prompt for confirmation, or let it through; agents receive LLM-friendly feedback on denials and adapt.
- Two operational modes — guardrails (verdicts enforced) and monitor (observe-only); switch any time with
premptictl mode.
- Customizable Falco rules — standard YAML rules; a curated default ruleset ships with the project covering common attack surfaces (credentials, sandbox-disable attempts, exfiltration, persistence, MCP/skill poisoning, and more).
- Full audit trail — every tool call recorded with structured fields, correlatable across rule alerts.
- Cross-platform — Linux, macOS, and Windows on x86_64 and aarch64.
- CLI included —
premptictl for status, health checks, mode switching, log streaming, and hook management.
- Rule-authoring skill for Claude Code — an interactive skill to draft and validate custom rules with the help of your agent.
How It Works
When your coding agent tries to use a tool, Prempti intercepts the call before it executes, evaluates it against your rules, and produces a verdict:
| Verdict | What Happens |
|---|
| Allow | The tool call proceeds normally |
| Deny | The tool call is blocked — the agent is told why |
| Ask | You are prompted to approve or reject the call |
Rules are standard Falco rules written in YAML. A sensible default ruleset ships with Prempti, and you can add your own to customize behavior for your workflow (see Custom Rules).
Modes
- Guardrails mode (default) — verdicts are enforced:
deny blocks, ask prompts you, allow proceeds.
- Monitor mode — all tool calls proceed; verdicts are still evaluated and logged but never act on the agent. Useful for pure observation, auditing, and rule tuning.
Switch between modes at any time with premptictl mode <guardrails|monitor>.
When It Makes Sense