Brane · private beta

stop your agent from doing dumb sh*t in production.

Brane is policy-as-code for AI agents. Write Python policies that run before tool calls, model calls, MCP tools, database queries, memory writes, retrieval, and other agent actions execute.

Apply for private beta Read the docs →

policy.pypython

runtime control for what agents do.

What is Brane?

Brane is a policy-as-code runtime control layer for AI agents. It lets teams write Python policies that allow, deny, or eventually transform agent actions before they execute.

Is Brane an AI agent guardrail system?

Yes. Brane acts as runtime guardrails for AI agents by governing tool calls, model calls, database queries, MCP tools, memory writes, retrieval, and other capabilities at the action boundary.

How is Brane different from prompt guardrails?

Prompt guardrails influence model behavior. Brane enforces policy when an agent attempts an action, so unsafe tool calls or database queries can be blocked before side effects occur.

Does Brane work with LangGraph, CrewAI, OpenAI Agents SDK, and MCP?

Brane is framework-independent at the core runtime layer. Dedicated adapters for LangGraph, CrewAI, OpenAI Agents SDK, and MCP are planned, and teams can wrap capability boundaries directly today.

three steps from chaos to controlled.

01 WRITE

Write a policy

Decorate a Python function with @brane.policy. It receives a context object — the capability being requested, the session state, anything you need to make a decision.

02 ENFORCE

Brane enforces it

Before any wrapped capability executes, your policy function runs synchronously. Return Decision.allow(), block(), or rewrite() — Brane does the rest.

03 TRACE

Full decision trace

Every enforced action leaves a structured log: what capability was requested, which policy ran, what was decided, why. Auditable, exportable, replayable.

policy.pystep 01

from brane import Decision, Runtime

runtime = Runtime()

@runtime.before_capability("tool.delete_user")
def require_approval(ctx):
    if not ctx.session.has_human_approval:
        return Decision.block(
            reason="requires explicit approval"
        )
    return Decision.allow()

what brane catches

Block dangerous tool calls

"My agent has access to delete_user. What stops it from calling that on the wrong user?"

Every destructive tool call now requires an upstream signal. Traced, auditable, reversible.

See full example →

python

@brane.policy("tool.delete_user")
def require_human_confirmation(ctx):
    if not ctx.session.has_human_approval:
        return Decision.block(
            reason="delete_user requires explicit human approval"
        )
    return Decision.allow()

Enforce model routing rules

"My agent burned $400 last week calling GPT-5 on tasks GPT-5-mini could handle."

python

@brane.policy("model.call")
def route_cheap_when_simple(ctx):
    if ctx.prompt_tokens < 200 and ctx.task_type == "classify":
        return Decision.rewrite(model="gpt-5-mini")
    return Decision.allow()

Routing decisions become a function, not a hard-coded branch. Hot-reloadable. No redeploy.

See full example →

Redact outputs before they leave

"My agent saw a customer's SSN in context. What's stopping it from echoing it to a third-party tool?"

python

@brane.policy("tool.email.send")
def redact_pii(ctx):
    if contains_pii(ctx.payload.body):
        ctx.payload.body = redact(ctx.payload.body)
        return Decision.rewrite(payload=ctx.payload)
    return Decision.allow()

PII never leaves the agent. The redaction is logged in the trace, not the email.

See full example →

wire up one agent workflow with us.

In the first two weeks of private beta, we wrap your capabilities, write the first policy functions, and produce a full decision trace — showing exactly what your agent is allowed to do and what gets blocked.