Product · AI Agent Security Layer

Keep AI agents under control in production.

A control layer — not an agent builder. Set rules, require approvals for risky tool calls, and log what the agent tried to do before it touches email, data, or tickets.

Architecture at a glance

How a request moves through the layer before integrations run. See Connect, Policies, and Audit below.

Figure: Agent Security Layer runtime flow. The user (chat / UI) and your app (agent runtime, plans tool calls) send a request; before each tool runs, the tool intent goes to the Agent Security Layer (policy engine · decide API, before side effects run). The layer returns allow, deny, or pending: allow → Execute tool (email · tickets · APIs); deny → Blocked (policy deny); pending → Approval queue (human-in-the-loop). Every decision is logged to the Audit trail (append-only design; workspace events · export later).
Runtime flow: each tool call is evaluated before integrations run — allow, deny, or queue for approval, with decisions recorded for audit.

Connect

SDK or HTTP before tool execution.

Policies

Allow, deny, or require human approval.

Audit

Append-only event trail per workspace.

Who it's for

AI-first startups, SaaS with copilots, teams using MCP / RAG / tool-use. Buyers: CTO, AI lead, platform, security — especially when governance and audit come up in enterprise conversations.

Plans

Dev — free with usage limits. Starter from €79/mo. Growth from €249/mo. Pro from €599/mo. Billing runs through Stripe when you enable it on your deployment; the API can require an active subscription and apply monthly decision quotas per your configuration.

Support and SLA: Starter is best-effort support. Growth and Pro add contractual targets for decision API availability and support response times. Uptime credits and exact percentages are defined in your order form and DPA.

API and dashboard

The decision endpoint returns a policy_version_id with each decision, so a logged decision can be traced back to the policy version that produced it. Policies are JSON validated with Zod; you can ship the bundled default or load a custom file from the server environment. The approval and resolve routes write append-only audit events. Use the read-only dashboard to review activity. After setup, integrators verify the connection with the TypeScript client in this repository and the built-in health check.

POST /api/agent-security/v1/decide · GET /events · GET /approvals · POST /approvals/:id/resolve

Auth: the server reads the key from AGENT_SECURITY_API_KEY; clients present it as Authorization: Bearer … or in the x-agent-security-key header.

Events and approvals persist in the database. When your operators enable file-based billing helpers, the server may read optional JSON for Stripe subscription state and quota counters alongside environment variables.
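The runtime flow in the architecture figure and the decide / approvals API above come down to one gate: evaluate a tool intent against a policy, return allow, deny, or pending, run the side effect only on allow, park it for a human on pending, and append every decision to an audit trail. The block below is an added, dependency-free TypeScript illustration of that gate; it is not the product's own code or SDK. The policy JSON shape (version, defaultEffect, rules with an optional argument condition), the tool-intent shape, the sample policy and the class and function names are all assumptions made for the example, and the hand-written parsePolicy stands in for the Zod validation the page mentions.

```typescript
// Added example, not the product's code: a minimal allow / deny / pending gate
// with an append-only audit trail. Policy shape, intent shape and names are assumed.

type Decision = "allow" | "deny" | "pending";

interface ToolIntent {
  actor: string;                    // agent run identity
  tool: string;                     // e.g. "email.send"
  args: Record<string, string>;
}

interface PolicyRule {
  tool: string;                     // exact tool name, or a "prefix.*" glob
  effect: Decision;
  when?: { arg: string; endsWith: string };   // rule applies only if the argument matches
}

interface Policy { version: string; defaultEffect: Decision; rules: PolicyRule[] }

interface AuditEvent {
  seq: number;
  kind: "decision" | "approval";
  policyVersion: string;            // plays the role of the page's policy_version_id
  decision: Decision | "approved" | "rejected";
  detail: string;
}

const EFFECTS: Decision[] = ["allow", "deny", "pending"];

// Stand-in for schema validation (the page uses Zod): reject a malformed policy
// file before it reaches the engine, rather than silently evaluating garbage.
function parsePolicy(raw: unknown): Policy {
  const p = raw as Partial<Policy>;
  if (typeof p?.version !== "string" || !EFFECTS.includes(p.defaultEffect as Decision) || !Array.isArray(p.rules)) {
    throw new Error("invalid policy: version, defaultEffect and rules are required");
  }
  for (const r of p.rules) {
    if (typeof r.tool !== "string" || !EFFECTS.includes(r.effect)) throw new Error(`invalid rule for ${String(r.tool)}`);
    if (r.when && (typeof r.when.arg !== "string" || typeof r.when.endsWith !== "string")) throw new Error("invalid rule condition");
  }
  return p as Policy;
}

function toolMatches(pattern: string, tool: string): boolean {
  return pattern.endsWith(".*") ? tool.startsWith(pattern.slice(0, -1)) : pattern === tool;
}

// First matching rule wins; anything unmatched falls through to the default effect.
function decide(policy: Policy, intent: ToolIntent): { decision: Decision; ruleIndex: number | null } {
  for (const [i, r] of policy.rules.entries()) {
    if (!toolMatches(r.tool, intent.tool)) continue;
    if (r.when && !(intent.args[r.when.arg] ?? "").endsWith(r.when.endsWith)) continue;
    return { decision: r.effect, ruleIndex: i };
  }
  return { decision: policy.defaultEffect, ruleIndex: null };
}

// Append-only: events can be added and read, never edited or removed.
class AuditLog {
  private events: AuditEvent[] = [];
  append(e: Omit<AuditEvent, "seq">): AuditEvent {
    const ev: AuditEvent = { seq: this.events.length + 1, ...e };
    this.events.push(ev);
    return ev;
  }
  entries(): readonly AuditEvent[] { return this.events.slice(); }
}

class SecurityLayer {
  private pendingApprovals = new Map<number, ToolIntent>();
  constructor(private policy: Policy, public audit: AuditLog = new AuditLog()) {}

  // Gate a tool call: the side effect runs only on "allow"; "pending" parks it for a human.
  run<T>(intent: ToolIntent, execute: (i: ToolIntent) => T): { decision: Decision; result?: T; approvalId?: number } {
    const { decision, ruleIndex } = decide(this.policy, intent);
    const ev = this.audit.append({ kind: "decision", policyVersion: this.policy.version, decision,
      detail: `${intent.actor} ${intent.tool} rule=${ruleIndex ?? "default"}` });
    if (decision === "allow") return { decision, result: execute(intent) };
    if (decision === "pending") { this.pendingApprovals.set(ev.seq, intent); return { decision, approvalId: ev.seq }; }
    return { decision };
  }

  // Human resolution of a queued call; the verdict is itself an audit event.
  resolve<T>(approvalId: number, verdict: "approved" | "rejected", execute: (i: ToolIntent) => T): T | undefined {
    const intent = this.pendingApprovals.get(approvalId);
    if (!intent) throw new Error(`unknown approval ${approvalId}`);
    this.pendingApprovals.delete(approvalId);
    this.audit.append({ kind: "approval", policyVersion: this.policy.version, decision: verdict, detail: `approval ${approvalId}` });
    return verdict === "approved" ? execute(intent) : undefined;
  }
}

// Constructed sample policy: internal mail is allowed, external mail needs a human,
// ticket deletion is blocked, other ticket operations are allowed, everything else denied.
const SAMPLE_POLICY = parsePolicy({
  version: "pol_v3",
  defaultEffect: "deny",
  rules: [
    { tool: "email.send", effect: "allow", when: { arg: "to", endsWith: "@example.com" } },
    { tool: "email.send", effect: "pending" },
    { tool: "tickets.delete", effect: "deny" },
    { tool: "tickets.*", effect: "allow" },
  ],
});

function demo() {
  const layer = new SecurityLayer(SAMPLE_POLICY);
  const sent: string[] = [];
  const send = (i: ToolIntent) => { sent.push(i.args.to); return "sent"; };
  const internal = layer.run({ actor: "run_1", tool: "email.send", args: { to: "ops@example.com" } }, send);
  const external = layer.run({ actor: "run_1", tool: "email.send", args: { to: "cfo@partner.io" } }, send);
  const del = layer.run({ actor: "run_1", tool: "tickets.delete", args: { id: "T-42" } }, () => "deleted");
  const approved = layer.resolve(external.approvalId!, "approved", send);   // human approves the external mail
  return { internal: internal.decision, external: external.decision, del: del.decision,
    approved, sent, events: layer.audit.entries().length };
}
```

Two design points carry over to a real deployment. The decision is made before the side effect and the `execute` callback is never invoked on deny or pending, so a tool the agent was not cleared for simply does not run; and the audit log records the policy version with every decision, which is what lets a later export answer "which rule was in force when this happened". A deny-by-default `defaultEffect` is the safer choice, since a new tool the policy author has not considered yet is blocked rather than silently allowed.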

Scope: this product governs and audits the agent actions that your integration routes through the decision API; a tool call that never reaches the layer is neither gated nor logged, so the integration point is the control boundary. It does not replace full SOC processes or formal compliance programs.