AI agents can already call real tools — send payments, delete files, query databases — but nothing checks the call before it runs. Existing guardrails score one action at a time; none correlate a sequence of individually-safe actions into the risk they add up to. syn closes that gap. syn is a deterministic execution-governance layer that sits between an AI agent and the tools it calls. Every call is scored against six factors — severity, policy, anomaly, data sensitivity, confidence, and tool trust — and checked against the agent's session history. A decision tree and session correlator return one of three verdicts: approved, escalated to a human, or blocked. The decision path never touches an LLM; a self-hosted Qwen model on AMD Developer Cloud only writes explanations and drafts setup rules, so the safety-critical logic stays fully deterministic and reproducible. The core differentiator is session correlation: individually-fine actions from the same agent — a database read, then a payment — get escalated because of the sequence, not any single call. Explanations name the actual cause, not just a rule name. AI Bootstrap drafts security rules from tool schemas automatically, with every change shown as a human-reviewed diff before it's written. syn ships with 295 tests across 15 files, plus separate adversarial and realistic-scenario suites. It's honest about scope — real auth and RBAC are explicitly roadmapped, not glossed over. Other emerging specs describe session correlation in drafts and papers; syn is the first working, demoable console that ships it.
Category tags: