Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.brane.membranelabs.org/llms.txt

Use this file to discover all available pages before exploring further.

Brane governs AI agent tool calls by wrapping each tool as a capability and running policy before the tool executes. If a policy denies the attempted tool call, Brane raises CapabilityDeniedError and the original function does not run. This is the right boundary for production agents because most agent risk comes from what tools do, not only from what the model says.

Tool Calls Are Capabilities

In Brane, a tool is one kind of Capability: 
@runtime.capability(name="delete_user", type="tool", risk="critical")
def delete_user(user_id: str):
    ...
The capability metadata gives policies enough context to make governance decisions.

Example: Require Approval Signal For A Destructive Tool

@runtime.before_capability("delete_user")
def require_delete_approval(ctx):
    if not ctx.action.metadata.get("approved"):
        return Decision(
            type="deny",
            reason="delete_user requires an approval signal",
        )
    return Decision(type="allow")
The tool does not execute unless the policy allows it.

Example: Tenant Isolation

@runtime.before_capability("*")
def enforce_tenant_boundary(ctx):
    requested_tenant = ctx.arg("tenant_id", ctx.tenant_id)
    if requested_tenant != ctx.tenant_id:
        return Decision(type="deny", reason="Cross-tenant action blocked")
    return Decision(type="allow")
This pattern protects tools that accept tenant IDs, customer IDs, account IDs, or other scope-bearing arguments.

Tool Governance Checklist

For every production tool, define:
  • Capability name
  • Capability type
  • Risk level
  • Owner
  • Tenant or data namespace
  • Required scopes
  • Before-capability policies
  • After-capability policies for output checks