brane-core and govern your first tool capability.
Install
Package name may change before the stable release. Check the GitHub repo for the latest install instructions.
Create a Runtime
A Runtime is the coordinator for capabilities and policies. Create one per agent process.Register a Capability
Use the@runtime.capability decorator to turn a function into a governed capability. The decorator registers the capability in the runtime’s capability registry and wraps the function so every call passes through the policy engine.
Write a Before Policy
A before_capability policy runs before the function executes. ReturnDecision(type="deny") to block the action. Return Decision(type="allow") to let it proceed.
Call the Capability
Handle the Error
What Happened
When you calledexecute_sql("delete from customers"), Brane:
- Intercepted the function call
- Created an AgentAction record for the attempt
- Built a PolicyContext with the capability, arguments, and runtime metadata
- Found the
read_only_sqlpolicy matching theexecute_sqlcapability - Evaluated the policy; it returned
Decision(type="deny") - Raised
CapabilityDeniedErrorwithout calling the underlying function
