Agent Infrastructure · MIT License

Your agents are writing
to production.
Who approved that?

Gate is the mandatory commit layer every agent deployment is missing — identity verification, policy enforcement, human approval, and immutable audit before any agent output reaches a real system.

Get started free → View on GitHub
The gap in 30 seconds
Every agent deployment today 
agent.enrichLeads(results)

// Who ran this?
// Was it reviewed?
// Is the destination safe?
// Is this the first send or the fifth?
// Where's the audit trail?

salesforce.import(leads)
→ 847 records corrupted. No log. No rollback.
With Gate 
agent.enrichLeads(results)

const p = await gate.propose({
  sender:      "kai-crm-agent",
  destination: "salesforce.import",
  policy:      "crm-low-risk"
})
// p.status → "pending_approval"

await gate.approve({ proposalId: p.id })
await gate.deliver({ proposalId: p.id })
// one-time delivery. immutable audit. done.
Why this exists

You don't have an agent problem.
You have a trust problem.

Teams are moving agents from "read and summarize" to "write and commit." The frameworks don't ship with an enforced approval layer. So every team builds one-off Slack bots, shared buckets, and custom middleware. It's all broken. None of it scales across teams.

Teams let agents do this

  • Read and summarize data
  • Draft emails and documents
  • Enrich and score records
  • Call low-risk tools
  • Generate structured outputs

Teams block agents from this

  • Pushing updates into CRMs
  • Sending legal or financial packets
  • Triggering bulk imports
  • Writing into production systems
  • Handing off to downstream automations
One queue. Every framework.

Marketing ships CrewAI.
Engineering ships LangGraph.
Your CTO has no idea what's writing to prod.

Every framework ships its own half-baked HITL. None of it is enforced. None of it is centralized. There's no shared policy, no unified identity, no audit trail that spans teams. Gate sits outside every framework and governs all of them.

CrewAI LangGraph OpenAI Swarm AutoGen LangChain Claude Code Custom agents Any MCP client
Feature Framework built-in HITL Zehrava Gate
Enforcement Opt-in. Dev forgets to add it. It doesn't run. Mandatory. Policy-driven. No bypass.
Audit log Console logs scattered across 5 different repos. Centralized. Immutable. Queryable by proposal ID.
Cross-team Siloed per framework. Engineering can't see Marketing's queue. One queue. Every agent. Every team. Every framework.
Identity The agent is code. No verified sender. No accountability. Every proposal has a verified sender. Signed manifest.
Delivery Agent writes directly. No expiry. No one-time enforcement. One-time signed delivery. Expired links return 410.
Policy Hardcoded per agent. Inconsistent. Not shareable. Shared YAML policies. Same rules across every agent.
How it works

Five steps. No exceptions.

Every agent output goes through the same flow — regardless of which team built the agent or which framework it runs on.

1

Agent proposes an output

Agent calls gate.propose() with payload, destination, and policy ID. Gate verifies the sender against the agent registry. Unknown agents are rejected immediately.

Identity verified
2

Gate evaluates policy

Payload is classified. Destination is checked against the allowlist. Policy rules fire — schema validation, PII detection, record count thresholds, sensitivity tags.

Blocked if policy fails
3

Block, auto-approve, or queue for human review

Low-risk proposals auto-approve. High-risk proposals enter the approval queue — Slack hook, email, or dashboard. Humans approve or reject with full context.

Pending approval Auto-approved
4

One-time signed delivery

Approved proposals get a signed one-time delivery link or webhook. One destination. Expires. Second request returns 410. The payload cannot be redirected or reused.

Delivered once
5

Immutable audit trail

Every event is logged — proposal, policy check, approval decision, delivery, expiry. Queryable by proposal ID. Not deletable. Not editable. This is the paper trail your compliance team will ask for.

Full audit logged
API

Four methods. That's the whole surface area.

If you need more than this to govern agent writes, you're building the wrong thing.

TypeScript — full flow 
import { Gate } from "@zehrava/gate"

const gate = new Gate({ endpoint: "https://gate.yourco.com", apiKey: "gate_sk_..." })

// 1. Agent proposes
const p = await gate.propose({
  payload:     "./leads.csv",
  destination: "salesforce.import",
  policy:      "crm-low-risk",
  recordCount: 847
})
// p.status → "pending_approval" | "approved" | "blocked"

// 2. Human approves (from queue, Slack, or API)
await gate.approve({ proposalId: p.id })

// 3. One-time delivery
const d = await gate.deliver({ proposalId: p.id })
// d.url → one-time signed link, expires, 410 on second request

// 4. Full audit trail
const audit = await gate.verify({ proposalId: p.id })
// every event: proposed → policy_checked → approved → delivered
Python
from zehrava_gate import Gate

gate = Gate(endpoint="https://gate.yourco.com", api_key="gate_sk_...")

p = gate.propose(payload="payout_batch.csv", destination="netsuite.payout", policy="finance-high-risk")
print(p["status"])  # pending_approval — always, for finance-high-risk
Use cases

Gate doesn't validate your data.
It governs whether your agent
is allowed to send it.

Gate checks: who sent this, where it's going, whether policy allows it, and whether a human approved it. Your downstream system validates the data. Gate controls whether it gets there.

Blocked
CRM bulk update
Agent enriches 847 leads and proposes a Salesforce import. Gate sees the record count exceeds the auto-approve threshold. Proposal is held.
Sender verified
Destination salesforce.import ✓
Record count 847 → pending approval
Manager approves one-time delivery issued
Blocked
Finance payout batch
Agent proposes a payout to an unlisted destination. Gate blocks it cold — destination not in policy allowlist. Nothing moves. Full audit of the attempt.
Sender verified
Destination unknown.system ✗ blocked
Result proposal.status = "blocked"
Audit logged — blocked at policy check
Auto-approved
Support reply
Agent drafts a routine support reply. Policy: auto-approve single messages with no flagged terms. Gate approves instantly. Delivers once. Logs the event.
Destination zendesk.reply ✓
Term scan no blocked terms
Policy auto-approved
Delivery one-time. audit logged.
Blocked
Support reply — risky
Same agent, different draft. Reply contains "refund guaranteed." Policy blocks it before it reaches Zendesk. Agent never sent it. Audit shows why.
Destination zendesk.reply ✓
Term scan "refund guaranteed" → blocked
Result proposal.status = "blocked"
Audit logged — reason recorded
Human required
Legal intake packet
Agent assembles a legal packet and proposes delivery to a law firm. Policy: always require paralegal approval. One-time link. 2-hour expiry. Full audit for discovery.
Destination named allowlist ✓
Policy require_approval: always
Paralegal approves signed manifest issued
Delivery one-time link, 2h expiry
Competitive landscape

Everyone is solving a different problem.
Nobody owns the write-path.

The tools that exist today cover observability, content safety, and model routing. None of them are the governed commit layer between agent output and downstream action. That's the gap Gate owns.

Tool What it actually does Approval queue Write-path control Immutable audit Cross-framework
LangSmith Traces and evals for LangChain/LangGraph. Human feedback is for labeling runs, not blocking writes. Partial LangChain only
Humanloop Prompt management, evals, and human feedback tasks. Approval logic lives in your app code, not Humanloop. Eval only Partial Partial
Portkey LLM gateway for routing and observability. Monitors what goes to the model. Doesn't govern what agents do after. Request logs
Guardrails AI Validates LLM output for content safety, PII, toxicity. Pre-delivery content filtering, not post-output commit control. Partial
NeMo Guardrails Programmable conversation rails — topic control, jailbreak prevention, RAG grounding. Not a write-path governance layer. Partial
Lakera Guard Prompt injection and adversarial input detection at inference time. Secures the model, not the downstream commit.
AgentOps Agent reliability and regression testing. Surfaces failures for review. Not a governed delivery pipeline. Run logs Partial
Zehrava Gate Governed commit layer. Propose → policy → approve → one-time delivery → immutable audit. Sits outside every framework. ✓ All

The right stack: LangSmith for traces + Guardrails AI for content safety + Gate for write-path governance. They're not competing — Gate fills the gap they all leave open.

Policy model

YAML. Simple. Shared across every agent.

No DSL. No rule engine. Declarative configs that any engineer can read, any compliance team can audit, and any agent can reference.

crm-low-risk

allow: only CSV, JSON
destinations: salesforce, hubspot
auto_approve_under: 100 records
require_approval_over: 100 records
expiry: 60 minutes

finance-high-risk

require_approval: always
destinations: netsuite, stripe, quickbooks
delivery: one_time_only
expiry: 30 minutes

legal-packet

require_approval: always
recipients: named_list_only
delivery: one_time_only
expiry: 120 minutes

support-reply

destinations: zendesk, intercom
auto_approve_under: 1 message
block_if_terms: [refund guaranteed, legal action]
expiry: 30 minutes
Quickstart

Running in 5 minutes.
The first "aha" is seeing Gate block a write.

Install + run local server
npm install @zehrava/gate
npx zehrava-gate --port 4000
Your first proposal 
import { Gate } from "@zehrava/gate"

const gate = new Gate({ endpoint: "http://localhost:4000" })

const p = await gate.propose({
  payload:     "./leads.csv",
  destination: "salesforce.import",
  policy:      "crm-low-risk",
  recordCount: 847
})

console.log(p.status)
// "pending_approval" — over the 100-record threshold
// Change recordCount to 50 → "approved" immediately
// Change destination to "unknown.system" → "blocked"
Pricing

Priced on commits, not storage.

You don't pay for bytes. You pay for governed downstream writes — the thing that actually matters.

Free
$0
Local dev and small teams. No credit card.
  • Local dev server
  • 1 workspace
  • 500 proposals/mo
  • 7-day audit retention
Most popular
Team
$149 /mo
Teams running agents in production workflows.
  • 5 workspaces
  • 10,000 proposals/mo
  • Approval queue UI
  • Signed delivery + webhooks
  • 90-day audit retention
  • Slack/email approval hooks
Enterprise
Custom
Full control. Compliance. Self-hosted option.
  • Self-hosted control plane
  • SSO + SCIM
  • Audit export
  • Custom policy packs
  • Managed connectors
  • SLA + dedicated support
Self-hosting is free forever. MIT license. Deploy from GitHub →