Guardrails
The safety layer that stops a wrong model output from becoming a destructive action.
PII redaction
Input · Mutate · registered in TrueFoundry
Masks secrets (credentials, tokens, IPs) in the gathered signals before the model ever sees them.
connection stringsapi keys / tokensemailsip addresses
Quality gate
Output · Validate · registered in TrueFoundry
Rejects ungrounded diagnoses before any action is planned.
suspected_resource ∈ servicessuspected_deploy_sha ∈ recent_deploysconfidence ≥ 0.5
Action-validation gate
Pre-execution · in-agent
The last line of defense — validates the proposed write against policy before it touches the cluster.
blast radius (no scope=all)no protected resources (prod-db, payments)target actually existsaction matches the diagnosis
Cascade circuit breaker
Resilience · in-agent
A running anomaly budget across steps. Trips and escalates to a human instead of amplifying a cascading failure.
counts blocked gates + tool errorstrips at budgetescalates to a human