Before your agent can call a tool,let Stage0 approve the action.
Stage0 is a decision API for agent runtime control. Send the proposed goal, tool context, and side effects, receive GO / NO_GO / DEFER plus ALLOW / DENY / DEFER verdicts, and keep final execution inside your own system.
Stage0 never executes tasks for you. Final execution control always stays with your system.
Built for MCP servers, OpenAI Agents SDK flows, LangGraph pipelines, internal copilots, and any workflow that needs an explicit decision before execution.
{
"goal": "Send a payout summary to finance and trigger the payout workflow",
"tools": ["payments_api", "slack", "internal_db"],
"constraints": ["human approval required", "business-hours only"],
"side_effects": ["money movement", "external notification"]
}Approves actions, not prompts
Evaluate proposed goals, constraints, and success criteria before execution starts.
Controls tool use and side effects
Gate database writes, external requests, file changes, webhooks, and destructive actions.
Built for governed agents
Return deterministic ALLOW / DENY / DEFER responses with audit-friendly reasons.
A control layer between plan and execution
How Stage0 fits into an agent loop
Stage0 is not another model wrapper or prompt template. It is a runtime decision point in front of tools, workflows, and high-risk actions.
1. Submit the proposed action
Send goal, tools, constraints, side effects, and execution context to `/check`.
2. Evaluate policy and quota
Stage0 scores risk, validates inputs, applies policy, and checks plan limits.
3. Receive a decision
Your app gets a GO, NO_GO, or DEFER decision, the paired verdict, and structured response fields such as issues and risk signals.
4. Execute only if your system agrees
Stage0 stops at judgment. The final action still belongs to your own runtime.
Agent Tool / MCP Authorization
The clearest wedge for this project is Agent Tool / MCP Authorization: the decision layer that sits between agent intent and tool execution.
Where this fits first
Deployments and migrations
Stage0 fitGate production changes before CI/CD, rollout, or schema tools can run.
Payments and external messaging
Stage0 fitForce approval or defer high-risk actions before money movement or outbound communication.
MCP and internal tools
Stage0 fitPut authorization in front of private repos, internal APIs, and sensitive control-plane tools.
Prompts influence output. Stage0 authorizes action.
Prompt engineering can shape behavior, but it does not create a reliable authorization boundary. Stage0 gives you a separate control plane before real-world side effects happen.
Decision proof
Decision proof buyers can inspect
These are representative decision records. They show what a blocked or deferred run looks like before any real side effect executes.
BLOCKED RUN
Production delete with the wrong role
A destructive action is proposed without a role that satisfies the required policy.
decision: NO_GO verdict: DENY issues: ["ROLE_NOT_AUTHORIZED", "DESTRUCTIVE_ACTION_REQUIRES_APPROVAL"] request_id: "req_block_01" policy_version: "[email protected]"Inspect path
DEFERRED RUN
Payout webhook missing approval evidence
The action is not denied forever, but it cannot continue until approval context exists.
decision: DEFER verdict: DEFER issues: ["APPROVAL_REQUIRED", "APPROVAL_TIMESTAMP_MISSING"] defer_questions: ["Who approved this payout?", "Is approval still valid?"]Inspect path
TRACE CHAIN
What operators can prove later
The value is not only the verdict. It is the trace you carry into logs, audits, and incident review.
request_id -> req_block_01 policy_version -> [email protected] environment -> production approved_by -> [email protected] final_runtime_action -> execution_stoppedInspect path
This is the kind of proof buyers can evaluate: what was proposed, why it was blocked or deferred, and which fields explain the final enforcement decision.
Production checklist
A buyer should be able to confirm these four things before treating Stage0 as a production control layer.
Open production behavior docsFail closed
If Stage0 is unavailable or returns an unknown decision, the side effect must stop.
Trace every decision
Carry `request_id` and `policy_version` into your runtime logs, approvals, and incident review.
Require approval context
High-risk actions should include approval state, actor role, and target environment before execution.
Keep final enforcement server-side
Stage0 decides, but your own runtime still owns the final execution boundary.
Choose a plan based on operational risk
Price the system around the risk of unauthorized side effects, tool misuse, and wrong actions consuming quota.
Free
ActiveFor local prototypes and early policy experiments.
- Basic ALLOW / DENY / DEFER checks
- Starter audit fields
- Dashboard access
Starter
For production pilots with real tool-use guardrails.
- Higher monthly check quota
- Deeper decision fields
- Priority support for integrations
Pro
For teams running agent workflows with real operational risk.
- Expanded quota and analytics
- Cost estimate support
- Best fit for governed production agents
Prompts are guidance. Stage0 is runtime authorization.
If your agent can trigger a real-world effect, it needs a decision layer that exists outside the prompt.