
How it goes in

Your agent is already in production. Nothing proves who owned the call a regulator can punish.

The agent ships work today, and the day an investigator asks, your own log is the suspect vouching for itself. You fix that without re-platforming. Your agent keeps running on LangChain, CrewAI, or your own code, inside your own environment, and we wrap the tools it already calls, same names, same schemas. A risky action stops for a named human before it runs, and the record is written as it acts, ready for an auditor to recompute offline.

The proof layer, in your environment

The proof layer goes on the agent you already have.

The agent does the routine work on its own and stops the one serious call for a named human to sign. The proof is not bolted on afterward. The action and the record are written in the same step, where your work already runs, on your own infrastructure, with nothing to re-platform. Underneath it is always the same: the agent cannot approve its own work, and any auditor can check the record themselves.

The work

The serious call waits for a named human.

The routine work runs on its own. The consequential call stops for the person who owns it, from day one. The record that they signed it is written as the agent acts, not patched together later.

The integration

It runs where your agent already runs.

The agent runs on any framework, inside your own walls, on your own Postgres. You point the SDK at a MakerChecker you host yourself and wrap the tools the agent calls, same names, same schemas, so there is nothing to re-platform. A risky action is stopped before the tool runs, and every call is signed into the record as it happens.

How it goes in is below: the connectors for each framework, how it attaches, and where it runs. The record and the action are written together, in one step, so an agent that acted but left no trace simply cannot happen.

Cross-framework

The agent can run anywhere. The governance is the same everywhere.

Governance should not be locked to one vendor's runtime, so neither are we. LangChain and the Claude Agent SDK have typed connectors. CrewAI, LlamaIndex, AutoGen, and any other callable go through the generic SDK wrapper. Same rules, same record your auditor can check. The only difference is how tightly it slots into your framework's types, and we never claim a typed connector we do not ship.

Typed connector

LangChain

governLangChainTool and governToolkit take a real LangChain tool and return one with the same name, description, and schema. The LLM tool spec is byte-for-byte identical, so it drops into the same ToolNode or agent executor with no other change.

Typed connector

Claude Agent SDK

governClaudeTool returns a normal SdkMcpToolDefinition with the name, description, and input schema preserved. Drop it into createSdkMcpServer alongside your ungoverned tools and the agent invokes it through the SDK as normal.

Generic SDK wrapper

CrewAI, LlamaIndex, AutoGen

There is no typed connector for these. They go through the generic SDK wrapper: governedTool in TypeScript or governed_tool in Python wraps any async callable that takes a plain-object input. The framework stays the executor; the wrapper adds check, run, record around the call.

Generic SDK wrapper

Any callable

A raw HTTP call, a database write, or a bare function works the same way. If there is no dedicated connector for your stack, the generic wrapper covers it, and it is what the LangChain and Claude connectors are built on.

Whatever the framework, the wrapper does the same three things in order, inside the tool call: check the proposal against the agent's role and grants, run the original tool if the check passes, and record the outcome to the audit chain. A denied check throws before the tool body ever runs.

The same pattern, both surfaces

A typed connector and the generic wrapper, in a few lines each.

The package names are real; the SDK and connectors live in the open-source repository, Apache-2.0, so you read every line before it touches a real action. Both paths open a proxy session, wrap a tool, and let the agent call it normally.

Typed · LangChain

LangChain connector

import { createClient } from "@makerchecker/sdk";
import { governLangChainTool } from "@makerchecker/connector-langchain";

// Point at your own self-hosted MakerChecker.
const mc = createClient({ baseUrl: process.env.MAKERCHECKER_URL });
const { session } = await mc.proxy.openSession({ label: "pv-run" });

// Typed connector: name, description, and schema are preserved, so the
// governed tool drops into the same ToolNode or agent executor.
// rawAssessSeriousness is your existing, ungoverned LangChain tool.
const assessSeriousness = governLangChainTool(
  mc,
  { sessionId: session.id, agentName: "pv-processor", skillRef: "seriousness-assess@1" },
  rawAssessSeriousness,
);

// The agent calls it normally. A denied action throws before it runs,
// and every call is signed into the audit chain.
await assessSeriousness.invoke({ case: "P-4003" });

Generic wrapper · CrewAI, LlamaIndex, AutoGen

generic SDK wrapper

import os

from makerchecker import create_client, governed_tool, GovernanceDeniedError

mc = create_client(base_url=os.environ["MAKERCHECKER_URL"])
session = mc.proxy.open_session(label="pv-run")["session"]

# Generic SDK wrapper: CrewAI, LlamaIndex, AutoGen, or a bare function.
# There is no typed connector for these, and we never imply one.
# raw_triage is your existing, ungoverned callable.
triage = governed_tool(
    mc, session["id"], "pv-processor", "case-triage@1", raw_triage,
)

# check -> deny raises GovernanceDeniedError before the function runs
#       -> run -> record the outcome to the audit chain.
try:
    triage({"case": "P-4001"})
except GovernanceDeniedError as err:
    # err.code is machine-readable; err.reason is the human sentence.
    # route_to_human is your own escalation handler.
    route_to_human(err.reason)

How the integration attaches

Proxy sessions to govern calls. Flows to gate sign-off.

Most integrations start by governing the tools the agent already calls. When a high-risk step needs a named human to sign, a flow makes that sign-off a first-class, audited step instead of an out-of-band approval.

Proxy sessions

Wrap the tools your agent already calls.

A session ties a run of governed calls together in the audit. You open one, wrap and invoke tools against it, then close it. Each call is checked and recorded, and a high-risk action is denied before the tool runs. The fastest path, and where most teams start.


Flows

Make the sign-off a first-class step.

Define the workflow in MakerChecker, with approval gates where a high-risk step waits for a named human to sign. The sign-off becomes an audited step in the run rather than an approval that happens somewhere off the record. Publishing a flow without the gate on a high-risk step is rejected by construction.


skill_not_granted

The skill is not granted to the role, or not at this version. Deny by default.

sod_violation

Acting would let one party check its own work. The agent that processed a case cannot also sign it off.

high_risk_requires_gate

The action is high-risk. Through the proxy it is denied; in a flow it waits at an approval gate.

A denial is a recorded event. The check is appended to the audit chain before the error is thrown, so a refused action leaves the same tamper-evident trace as an allowed one.
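
The check, run, record order and the three denial codes above, modelled as an added Python illustration (not MakerChecker's code or API). A plain SHA-256 hash chain stands in for the signed audit chain, and the grant table, the `signs_off` and `high_risk` flags, the order of the checks, and every function name here are assumptions.

```python
import hashlib, json

GENESIS = "0" * 64

class Denied(Exception):
    def __init__(self, code):
        super().__init__(code)
        self.code = code  # machine-readable denial code

def link(prev, event):
    """Hash of an entry covers the previous entry's hash and this event."""
    return hashlib.sha256((prev + json.dumps(event, sort_keys=True)).encode()).hexdigest()

def append(chain, event):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "event": event, "hash": link(prev, event)})

def verify(chain):
    """Recompute every link offline; an edited entry fails the check."""
    prev = GENESIS
    for e in chain:
        if e["prev"] != prev or e["hash"] != link(prev, e["event"]):
            return False
        prev = e["hash"]
    return True

def check(grants, agent, skill, case, processed_by):
    grant = grants.get(agent, {}).get(skill)  # keyed by "name@version"
    if grant is None:
        return "skill_not_granted"            # deny by default
    if grant.get("signs_off") and processed_by.get(case) == agent:
        return "sod_violation"                # would check its own work
    if grant.get("high_risk"):
        return "high_risk_requires_gate"      # proxy path: denied outright
    return None

def governed(chain, grants, processed_by, agent, skill, fn):
    def call(payload):
        base = {"agent": agent, "skill": skill, "case": payload["case"]}
        code = check(grants, agent, skill, payload["case"], processed_by)
        # Record the check BEFORE raising, so a refusal leaves a trace too.
        append(chain, {**base, "decision": code or "allow"})
        if code:
            raise Denied(code)
        result = fn(payload)                  # original tool body
        processed_by.setdefault(payload["case"], agent)
        append(chain, {**base, "outcome": result})
        return result
    return call
```
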

Open and self-hosted

On your infrastructure, air-gapped if you need it.

You point the SDK at a MakerChecker you run yourself, inside your own walls, on your own Postgres. It is open source and self-hosted, so your security team can read every line before anything touches a real action. The engine is AGPL-3.0 and the SDK is Apache-2.0, and you can air-gap it. It sits alongside whatever control plane already runs your fleet. That layer runs the agents. We are the file your auditor checks.

Typed connectors: LangChain, Claude Agent SDK
Generic wrapper: CrewAI, LlamaIndex, AutoGen
Languages: TypeScript and Python
Models: Proxy sessions and flows
Runs on: Your infrastructure
On a risky call: Stops before the tool runs

Self-hosted · open source · runs on any framework, in your environment · the record is written as the agent acts, and any auditor can check it themselves.

See it for yourself

Drop it into the agent you already have.

One command starts the demo: an agent stopped from signing off its own work, and the signed evidence file an inspector can check for themselves.

Designed against the rules your auditors already enforce.