§ 01 Pre-execution governance kernel
The boundary between intent and action.
Fulcrum is the live control plane between what an agent intends and what the world receives.
INTENTmcp.database_query
args.sqlDROP TABLE invoices;
trust0.71 · β(12,5)
action · governed
ACTION · denied0.55 ms
modeclassified
rulesql · DROP
Action withheld at the boundary.
boundary req.a8c2decision denymode classifiedlatency 0.55 ms
§ 02 the category
After execution is too late. Before is the product.
After execution
observability · classifiers · postmortems
- Watches the agent act, records the trace.
- Flags problems once they have already occurred.
- Guardrail libraries suggest, then the agent proceeds anyway.
- No labeled verdict. No stop. No receipt.
Before execution
fulcrum · governance kernel
- Sits on the hot path between intent and action.
- Every call is labeled: proved · deterministic · classified · human.
- Out-of-process. The agent cannot disable what it cannot reach.
- Sub-millisecond. Audit-emitted. Tenant-isolated.
§ 03 the conversion moment
A request arrives. Fulcrum stops it.
Incoming proposal · from agent
ops-bot-prod-04 · trust β(12,5) · tenant ops
POST mcp.call → database_query
args.sql "DROP TABLE invoices;"
args.db "prod.analytics"
cost.est $ 8,940 rows 124,318
prior.p(loss) 0.41 trust 0.71
RISK · destructive sql · prod scope · cost.est ≫ budget.p95
POLICY · sql.mutation.drop :: not permitted on tenant.ops
Pipeline · sweep
01Trust0.12 ms · β(12,5)
02Static0.14 ms · shape ok
03Interceptor0.21 ms · sql.drop
04Policyskipped · halted
Governed action · from fulcrum
Deny.deny
rule · sql.mutation.drop not permitted · tenant.ops
Audit receipt · emitted
req.idreq_a8c2e419
tenantops
agentops-bot-prod-04
tooldatabase_query
verdictdeny · classified
rulesql.mutation.drop
hashsha256:91e…c04f
emitnats://tenant.ops/audit · 2026-04-19T14:22:11Z
signed · tamper-evident · replayable
no side-effect · downstream untouched
§ 04 the pipeline
Four stages. One decides.
instrument · governance.pipeline.p50
Every request crosses four gates in sequence. Each stage returns early on deny.
All readings below are measured on Fulcrum-Proofs/benchmarks · v0.4.2. No illustrative numbers.
Trust0.12 ms
Static0.14 ms
Interceptor0.21 ms
Policy0.08 ms
01 · trustBeta(α,β)
0.12 ms · bounded · proved
02 · staticshape / scope
0.14 ms · schema · deterministic
03 · interceptorsql · fs · net
0.21 ms · halt on hit
04 · policyOPA / lean
0.08 ms · proved · mode
p50 · latency0.55 ms
p99 · latency1.82 ms
verdicts · 24 h4.12 M
deny · rate0.31 %
§ 05 four modes of verdict
No decision is ever merely “governed.”
Every call carries a decision mode — the viewer always sees how the verdict was reached.
intent
list_invoices · args.tenant = ops · scope = read
proved
allow · proved
C-020 · PoA ≤ 9/7 · lean 4intent
send_email · to = inside-domain · shape = valid
deterministic
allow · deterministic
rule · email.outbound.domain-lockedintent
shell_exec · cmd = rm -rf /var/data
classified
deny · classified
classifier · destructive · conf 0.993intent
wire_transfer · amount = $ 42,500 · dest = new_payee
human
hold · human-approved
queued · approver ops-lead · ttl 30m§ 06 out-of-process, one install
The seam is a different address.
Entry points
Any call an agent makes — MCP, CLI, code-exec, gRPC, A2A, webhook — is routed to the same out-of-process kernel. The agent cannot disable what it cannot reach.
MCP proxyzero-code · drop-in
SDK · python, tsFulcrumClient · governed envelope
Framework adapterlangchain · llamaindex · crewai
CLI / code-execsandboxed · cgroup'd
gRPC · A2A · webhookmTLS · tenant-isolated
BSL 1.1 runtimeApache 2.0 gil · trustproofs · private
One-line wiring · MCP proxy
# fulcrum.yaml proxy: listen: "0.0.0.0:4443" upstream: "mcp://tools.internal" tenant: "ops" audit: "nats://audit.ops/stream" # agent config — point at the seam, not the tool export MCP_URL="https://fulcrum.ops:4443"
SDK · governed envelope
## python from fulcrum import FulcrumClient client = FulcrumClient(host="localhost:50051", api_key="$FULCRUM_API_KEY", tenant_id="ops") with client.envelope(workflow_id="ops-bot") as env: if env.guard("database_query", input_text="SELECT * FROM invoices"): run_query() ## typescript import { FulcrumClient } from '@fulcrum-governance/sdk'; const client = new FulcrumClient({ host: 'localhost:50051', apiKey: process.env.FULCRUM_API_KEY, tenantId: 'ops' }); const env = client.envelope({ workflowId: 'ops-bot' }); if (await env.guard('database_query', 'SELECT * FROM invoices')) { await runQuery(); }
Tenants isolate memory, audit streams, and policy bundles. A compromised agent in tenant A cannot see, disable, or impersonate the kernel in tenant B.
§ 07 closure · evidence
What we have proved.
Fulcrum-Proofs · lean 4 · tamper-evident ledger
A closed kernel admits no quiet assumptions.
C-018Coordination game admits a Nash equilibrium (mixed Nash via Brouwer-via-Scarf).proved
C-020Price of Anarchy bounded above by 9 / 7.proved
C-022Trust circuit breaker guarantees termination.proved
C-023RLM recursive loop is bounded under bounded budget.proved
Closure note, on the page without euphemism: C-018 now closes through ExistsNashEq plus a PMF↔stdSimplex bridge, and the earlier Kakutani placeholder is gone. The public proof portfolio is now sorry-free in Lean 4.
Lean 40 sorry
core kernel
core kernel
§ 08 thesis & ask
Wedge. Platform. Kernel.
Wedge — a production-grade governance layer for AI agents, installed as proxy or SDK, auditable from day one.
Platform — the terminology (pre-execution, four modes, out-of-process) that teams adopt to reason about agent systems.
Kernel — the mechanism, provably bounded, that regulates any autonomous process touching critical infrastructure.
design-partner program · 2026Building on agents that touch money, data, or people. One tenant. One seam. One receipt.