Governed AI Workspaces

Governed AI workspaces.
One runtime. Configure it for anything.

A workspace is a scoped, AI-governed runtime — provisioned on your infrastructure or fully managed by us. Turn it into a customer agent, a developer console, a test bed. Policy-checked, audited, traceable from the first call.

Governed means every workspace action is policy-checked, audited, and traceable. No call happens without passing through the policy gate. No call without an immutable audit record. No record without a trace.
operator@toolshell — agent cli
The Agent

Don't run on laptops.
Run in governed workspaces.

One dies when the lid closes. The other is always on, always audited, always duplicable. Same tools. Different foundation.

Without workspaces
Dies when the lid closes. Not shareable.
No audit. No record of what happened.
One prompt, one response. No durable plan.
Generic tools. No scoping, no testing.
Scattered across machines. Nothing reproducible.
One agent per machine. No scale.
With governed workspaces
Lives in a workspace. Always on, always reachable.
Every action policy-checked, audited, traced.
Multi-step governed plans. Versioned, replayable.
Purpose-built tools, designed for each agent.
Duplicate the workspace — get an identical agent.
One workspace hosts many governed agents.

Platform

Built in-house. Not assembled from vendor SDKs.

Every system listed here is owned, deployed, and governed by the platform — not a wrapper around a third-party API. This is how agents improve: we trace, we RAG, we eval, we speed-test. Three tiers — pick the one that matches your ambition.

Every deployment includes all Basic features. Pro and Golden are the full platform — no tier gates, no add-ons.

Basic

Not a starter plan — the platform baseline.

Workflows, policy, vault, audit. If an agent runs on ToolShell, it runs governed. Included in every deployment — no gates, no add-ons.

workflow-engine
Workflow Engine
Multi-step execution engine with automated, scripted, governed, and human-gated step types. Every run is a durable, versioned record — versioned, replayable, retryable from the first failed node.
loop-engine
Loop Engine
Scheduled trigger layer over workflows. Configure interval, max-fires, TTL, fire conditions, and notification level. Loops are optional — The CLI is always the primary path.
skill-registry
Skill Registry
Tiered skill store (company → repo → workspace). Skills are versioned, forkable, promotable, and carry vault refs that resolve at request time — never logged. TTL prevents silent rot.
vault
Vault
Age-encrypted secret store. Secrets resolve via the policy cascade at runtime. Values are never returned to callers — only metadata. A secure key ceremony is the only durable write path.
governance-cascade
Governance Cascade
Company → repo → workspace policy with 8 verbs (show, trace, set, clear, lock, unlock, inventory, revoke). Intersection-only fields enforce ceilings lower tiers can never exceed.
dispatch-http
Policy Gate
Every operation passes through the policy gate: identity verified, policy evaluated, quota checked, action written to the immutable audit log. No operation — CLI, GUI, or loop — bypasses this path.
litellm-gateway
LLM Gateway
Multi-provider LLM router with per-workspace virtual keys and budget caps. Fallback chains are policy-configured. Switching providers is a config change, not a code change.
Pro

For teams that build with us.

Prompt testing, security scanning, inbound integrations, pod control. The full agent workshop — not a black box.

ticket-system
Ticket System
Internal work-tracking built into the platform. Create, assign, claim with lease TTL, comment, link to workflow runs or jobs. Auto-link via --ticket flag.
prompt-guard
Prompt Guard
In-house prompt injection defense. Regex scan family registry per workspace. Optional LLM judge for advisory verification. Scan events logged to the workspace timeline.
Try it →
package-scanner
Package Scanner
Supply-chain scanner for developer endpoints and dependencies. Read-only, never executes package-manager code. Runs against configurable rule sets owned and versioned internally.
Try it →
chatbot
Chatbot + Integrations
Per-workspace chatbot with Telegram and Slack integration. Approval gates, slash commands, notification mirroring. Human-in-the-loop for risky operations.
pod-control
Pod Control
Per-console pause, resume, and quarantine controls. Freeze a customer console mid-flight, inspect state, resume when ready. Fleet-wide incident response from a single pane.
cli-hub
CLI Hub
The platform is CLI-first — every action has a verb, every tool wraps into the CLI for more power. 29 top-level commands: workspace ops, workflows, tickets, loops, policy, skills, secrets, tracing. Any tool you register becomes a CLI command. GUI wraps the CLI — never the other way around.
llm-wiki
LLM Wiki + MkDocs
Gitignored knowledge base tied to your repo — init, save, compile, serve as a documentation site. Google OKF: company docs, roadmap, architecture decisions as a versioned static site. Write in Markdown, publish with a push.
Visit →
In-House Prompting Tools
usg
Structured User Prompt
JSON-schema-driven prompt editor. Define variables, constraints, and expected outputs. Export, load, and version your prompt templates. The single source of truth for every agent interaction.
starter-commands
Starter Commands
Dashboard command tiles generated from URLs. Paste a docs link, get copy-paste-ready command cheatsheets organized as tabs. Always aligned with the current workspace image — human operators and agents share the same entry points.
quick-actions
Quick Actions
File-extension shortcuts in the Files toolbar. Select a file, get context-aware prompts scoped to that file type. Each extension carries its own prompt list — no hunting through menus.
prompt-builder
Prompt Builder
Builds prompt trees — visual canvas editor with per-node Smart Expand. Drag, connect, branch complex prompt chains into tree structures. Test variants, export as JSON, promote to the company registry.
smart-expand
Smart Expand
LLM-driven prompt expansion from schema context. Paste a JSON schema, get a filled template. Version-controlled per workspace — no clipboard magic.
Testing Surfaces
functional-testing
Functional Testing
Pass/fail coverage for API, UI, and CLI surfaces. Catalog-driven test cases with structured result reports per run.
pentest
Pentest — Security
OWASP API Top 10 security probes. Passive-first, findings-not-regressions. Active probes gated behind --yes. Results in structured JSON for audit trails.
perf-testing
Perf — Timing SLIs
Single-user latency probes — average and peak latency against API, UI, and CLI surfaces. Not load/soak. Answers "did the new deploy slow anything down?" with evidence.
Golden

Agents that earn trust.

Tracing proves what happened. RAG proves what they knew. Evals prove what they got right. Three pillars, one platform.

jaeger-tracing
End-to-End Tracing
Traces from the CLI through the policy gate to workflow completion. Live toggle with no service restart. Span attributes carry policy source, model, and principal. We trace every call.
rag-graph
RAG / Knowledge Graph
Per-workspace knowledge graph seeded from customer docs. Agents reason over your corpus — Confluence, GitHub, PDFs — not a generic embedding store. Graph-backed retrieval with involvement tracking. We RAG over your docs.
Try it →
evals
Evals
Structured LLM output evaluation engine. Define pass/fail criteria per workspace, run eval suites against workflow outputs, surface regressions before they reach customers. Every model swap gated by the eval harness. We eval every output.
Try it →
speed-test
LLM Speed Test
Live model latency benchmark from production traces. Compare provider speed and cost per model with real dispatch data — not synthetic benchmarks. We speed-test every model.
Try it →
hive-mqtt
Hive Messaging (MQTT)
Cross-workspace messaging fabric for reliable agent-to-agent communication with delivery guarantees. Workspaces talk without sharing identity or policy scope. Built for multi-agent coordination.
cyber-audit
Code Security Audit
LLM-driven security audit using 754 security playbooks. Reads code via read/grep/glob, cross-references against domain-specific skill playbooks. Cost-gated with daily budget cap. We audit every line.
Try it →

How it works

Governed from day one

Workspace → scope → governed. Three steps, same for every customer.

01

We provision a governed workspace

Policy, vault, audit baseline — configured per customer. Every workspace is isolated. Customer A never touches customer B's data.

02

You pick the delivery scope

Agent-only, full console, or both — depends on what your customer needs. Same governance model, different surface. Start small, scale when ready.

03

Every action is traced, audited, and billable

No agent runs without a record. Audit trails are immutable. Traces are live. You know exactly what every agent did, when, and for whom.


Work Model

Loops → Workflows → Tickets

Three layers. One direction. No hidden state.

Layer 3 — ground truth

Tickets

Every action taken, deferred, or decided writes a ticket. Auto-linked to workflow runs. Not logs, not Slack threads — the record your team actually reads.

Layer 2 — what to do

Workflows

Named, versioned, replayable execution plans. Clone and test a repo. Run a security audit. Onboard a customer. Durably stored, retryable from any failed step.

Layer 1 — what to repeat

Loops

Scheduled triggers over workflows. Optional — The CLI is always the primary path. When you do need automation, a loop is the only sanctioned trigger in the system.


Why

Six principles that don't change when providers do

Six principles that keep your agents governed — no matter what changes underneath.

01
AI-native. Vendor-agnostic.

Anthropic, OpenAI, DeepSeek, a local model — the platform doesn't care. Providers plug into the workflow model; they don't define it. Swap a vendor without touching core logic.

02
CLI-first. Always.

Every platform action has a CLI verb. If ToolShell supports it, the CLI exposes it. No hidden behavior, no GUI-only paths. The CLI is the contract — everything else wraps it.

03
Workflows, not integrations.

Services and providers change constantly. We don't rebuild the system when they do. Our job is to make workflow-building flexible, portable, and resilient — not to own the wiring on both sides.

04
Workspace = scope boundary.

A workspace defines what work can happen, who can do it, and what it can touch. It is not an agent. It is not unlimited access. It is a controlled, governed scope.

05
Loops → Workflows → Tickets.

Tickets are ground truth. Workflows define what needs to happen. Loops define what needs to repeat. Work flows in one direction — no hidden state, no ephemeral decisions.

06
One cascade. All scenarios.

Simple, complex, manual, automated, multi-agent — the same cascade model handles all of them. No special cases, no rigid patterns forced on teams. The model bends; the principles don't.


Services

External data — not inner agent

Services are workspace-scoped data feeds and sinks. They don't carry identity inside the platform. They are pluggable inputs and outputs, not participants in governance.

ServiceRoleDirection
GitHubCode source, PR triggers, repo syncsource + sink
JiraTicket read/write from workflow resultssource + sink
ConfluenceDocumentation source for RAG ingestionsource
SlackWorkflow notifications and operator alertssink
DatadogExternal observability and metric feedssource
TelegramOperator bot, gate reports, chatbot surfacesink

Ready to govern your customers' AI agents?

See the live demo — provision an agent, watch the execution plan go green, copy the client config. Every call audited.

Book a demo →
In-House Harness

Agent CLI Blueprint

Our in-house solution for non-deterministic R&D — a governed workshop where human engineers and AI agents share the same CLI, the same probes, the same runbooks. Bootstrap a tenant, onboard integrations, run API/UI/CLI test flows, and review evidence bundles — all from one deterministic command layer with an agent-readable skill surface.

Explore the Blueprint →