Skip to main content
Install brane-core and govern your first tool capability.

Install

Package name may change before the stable release. Check the GitHub repo for the latest install instructions.

Create a Runtime

A Runtime is the coordinator for capabilities and policies. Create one per agent process.

Register a Capability

Use the @runtime.capability decorator to turn a function into a governed capability. The decorator registers the capability in the runtime’s capability registry and wraps the function so every call passes through the policy engine.

Write a Before Policy

A before_capability policy runs before the function executes. Return Decision(type="deny") to block the action. Return Decision(type="allow") to let it proceed.

Call the Capability

Handle the Error

What Happened

When you called execute_sql("delete from customers"), Brane:
  1. Intercepted the function call
  2. Created an AgentAction record for the attempt
  3. Built a PolicyContext with the capability, arguments, and runtime metadata
  4. Found the read_only_sql policy matching the execute_sql capability
  5. Evaluated the policy; it returned Decision(type="deny")
  6. Raised CapabilityDeniedError without calling the underlying function

Complete Example

Next Steps