Local-first runtime for tool-using agents

Block unsafe AI agent actions before they hit APIs.

Fuse AI checks proposed refunds before execution, then returns ALLOW, BLOCK, REQUIRE_APPROVAL, or LOG_ONLY. Your app keeps ownership of the real tool call.

Book diagnostic See runtime flow

0pilot scenarios

0vertical packs

4decisions

Intercepted before execution proposed tool action → Fuse → decision

proposed_tool_call.json

{
  "tool_name": "issue_refund",
  "args": {
    "order_id": "ORD-991",
    "amount": 5000,
    "currency": "USD"
  },
  "context": "untrusted_ticket"
}

canonicalizedraw ref hashed

REQUIRE_APPROVALdecision_made

Execution paused.

Refund above threshold + injection signal. Human review required before the payment API is called.

Tool args passed JSON Schema
Capability scope verified
Policy matched high-risk refund

ALLOW safe internal note BLOCK external PII email REQUIRE_APPROVAL production deploy LOG_ONLY boundary query BLOCK unknown tool ALLOW safe internal note BLOCK external PII email REQUIRE_APPROVAL production deploy LOG_ONLY boundary query BLOCK unknown tool

PaymentsEmailDatabasesShellCRMFilesIAMBrowserWorkflows

The dangerous layer is not the final answer

Agents fail when they act.

The highest-risk failures are tool calls: exports, sends, payments, shell commands, browser submits, database writes, and access changes.

External send

Customer records, API tokens, pricing sheets, and ticket history sent to the wrong recipient.

Production change

Agents deploying to prod, restarting services, reading secrets, or running destructive commands.

Financial action

Refunds, payments, discounts, account changes, vendor updates, and irreversible workflows.

Data movement

Broad SQL queries, CSV exports, file sharing, cross-tenant reads, and browser form submissions.

Core control point

Put Fuse directly in front of the tool executor.

The model can still propose actions. Fuse decides whether the real API call proceeds.

1NormalizeProvider call → canonical tool call

2ValidateStrict JSON Schema and tool spec

3ConstrainLeast-privilege capability envelope

4DetectSecrets, PII, SQL, shell, prompt injection

5DecideDeterministic policy and approval routing

6TraceSanitized evidence for reports

Commercial wedge

Agent Safety Diagnostic in 2-5 business days.

Give Fuse one workflow. We map tools, write adversarial and benign scenarios, run baseline vs guarded regression, and return a report your founder, CTO, or security reviewer can inspect.

Start with one workflow

Day 0Scope

Tools, side effects, risky actions, sample tasks, and integration path.

Day 1-2Model the action layer

tools.yaml, policies.yaml, capability envelope, and first scenario set.

Day 3-4Run regression

Observe baseline, enforce guarded run, trace samples, and false-block review.

Day 5Handoff

Report, safety case, policy recommendations, SDK or sidecar integration plan.

Pilot coverage

150 scenarios across the action surfaces that break agent rollouts.

24Support / Refund

Refund abuse, wrong customer, fake approval, poisoned tickets.

22Data / Database

PII exports, payroll tables, SQL injection, cross-tenant drift.

20DevOps / Shell

rm -rf, curl|sh, secrets, prod deploy, poisoned logs.

18Email / Comms

External PII, BCC attackers, webhook exfil, bulk sends.

16File / Knowledge

.env, payroll CSV, traversal, personal-email share.

14Sales / CRM

Wrong account, discounts, pricing leaks, suppression list.

14Finance Ops

Fake invoices, vendor banks, duplicate payments, poisoned PDFs.

10IAM

Admin invite, MFA disablement, API key exfil, tenant scope.

8Browser

Payment forms, uploads, delete clicks, prompt injection.

4Runtime Edge

Unknown tool, schema violation, parallel calls, no-tool answer.

Integration surfaces

Use Fuse as SDK, check-only gate, sidecar, or framework middleware.

Python SDK for in-process wrappers.
Check-only API when the customer app owns execution.
Local HTTP sidecar for Node.js, Go, Java, n8n, and custom stacks.
Framework middleware examples for OpenAI Agents and LangGraph.

from fuse.runtime import Fuse

fuse = Fuse.from_config("fuse.yaml")

decision = fuse.check_tool_call(
    tool_name="send_email",
    args={"to": "external@example.com", "body": customer_record},
    metadata={"workflow": "support", "tenant_id": "acme"},
)

if decision.allows_execution:
    send_email(...)
elif decision.requires_human:
    create_approval_task(decision)
else:
    return safe_blocked_response(decision)

POST http://127.0.0.1:8787/v1/check_tool_call

{
  "tool_call": {
    "provider": "customer_app",
    "model": "agent_runtime",
    "call_id": "call_001",
    "tool_name": "issue_refund",
    "args": {"order_id": "ORD-991", "amount": 5000}
  }
}

baseline_vs_guarded.htmlrisk reduced

Scenarios: 150
Passed: 150
Failed: 0

Evidence artifact

Reports that explain what was blocked, paused, or logged.

Fuse produces sanitized trace-backed reports with executive summary, risk score, policy decisions, scenario coverage, false blocks, allowed violations, reproduction steps, limitations, and shared responsibility notes.

Claim boundary

Designed for early pilots, not overclaiming.

Fuse reduces unsafe action risk at the tool layer. It does not guarantee complete AI safety, complete prompt-injection immunity, complete DLP, or safety for tool calls that bypass Fuse.

Local-first

No raw tool payload upload required by default.

Sanitized traces

Secrets, PII, chain-of-thought, and raw traces are stripped or hashed before durable storage.

Fail closed

Unknown tools, schema violations, missing approval, and policy parse failures do not silently proceed in enforce mode.

FuseAI

Design partners

Bring one agent workflow. Leave with a regression suite and a runtime gate.

We are looking for technical teams with agents that can call real tools: email, refunds, databases, shell, CRM, finance, IAM, file systems, or browser actions.

Book diagnostic Become a design partner