A story of the session, not just the diff
Reconstruct what happened in order: which tools ran, which rules fired, and how verdicts were decided, without inferring intent from the final tree of files.
Guardrails and Observability for AI Coding Agents
Stop guessing what your coding agent just did
Prempti intercepts coding-agent tool calls before they run, evaluates them with Falco rules, and returns allow, deny, or ask verdicts, with a structured audit trail for every shell command, file read/write, web fetch, and MCP call.
Experimental preview.
Pair Prempti with sandboxing and system hardening for defense in depth.
Watch the demo
See guardrails, verdicts, and logging in a real session, not a slide deck.
Why Prempti
Most teams do not need another black box. They need the same things that made Falco work for infrastructure: clear rules, honest signals, and the option to enforce or just watch.
Policies your team can review
Write and share standard Falco YAML. No proprietary scoring, no mystery model. If it is in the rule, the agent can see why something was blocked or flagged.
Enforce when you are ready
Start in monitor mode to build confidence, then turn on guardrails so deny and ask verdicts actually shape what the agent is allowed to do.
How it works
- Prempti’s hook fires before each tool call.
- An interceptor sends the event to Falco via a Unix socket.
- Falco’s rule engine evaluates the event against your policies.
- Matching rules produce verdicts (deny / ask / allow).
- The interceptor delivers the verdict back to the agent.
Guardrails (default) enforces verdicts: deny blocks risky
tool calls, ask prompts you for confirmation, and everything else proceeds.
Use premptictl mode guardrails.
Monitor mode still evaluates rules and writes the same audit trail, but every
tool call is allowed, which fits tuning rules and observing without blocking. Use
premptictl mode monitor.
Coverage is at the hook level: Prempti sees the tool request (strongest for structured tools like Read/Write/Edit), not syscall-level behavior inside executed binaries. For kernel visibility on Linux, use Falco with eBPF alongside this layer.
Built for real development environments
Claude Code today on Linux,
macOS, and Windows (x86_64 and ARM/Apple Silicon).
Codex next. Draft custom rules interactively with
the optional Claude Code skill:
/plugin marketplace add falcosecurity/prempti.
Data handling and privacy
Prempti runs locally under your user account. Custom rules live in
~/.prempti/rules/user/ on Linux and macOS (
%LOCALAPPDATA%\prempti\rules\user\ on Windows), preserved across upgrades;
vendor defaults ship under rules/default/ in the install prefix.
- Falco runs in
nodrivermode: no kernel driver required for this use case - Default rules cover boundaries, sensitive paths, sandbox tampering, threats, MCP/skill content, and persistence patterns
- Alerts and logs stay on your machine unless you forward them with your own tooling
Install and verify
Install from the
latest release
(.pkg on macOS, tarball + install.sh on Linux, MSI + helper on Windows). Then
check the service, hook, and pipeline:
premptictl status
premptictl hook status
premptictl health
On Linux and macOS, binaries are under ~/.prempti/bin/ until you add that
directory to your PATH. Expected health output:
OK: pipeline healthy (synthetic event → allow). For observe-only tuning, run
premptictl mode monitor; default enforcement is
premptictl mode guardrails.
Example custom rule (YAML)
Add rules under ~/.prempti/rules/user/, then premptictl stop and
premptictl start. From the project docs: block piping into a shell:
- rule: Deny pipe to shell
desc: Block piping content to shell interpreters
condition: >
tool.name = "Bash"
and (tool.input_command contains "| sh"
or tool.input_command contains "| bash"
or tool.input_command contains "| zsh")
output: >
Falco blocked piping to a shell interpreter (%tool.input_command)
priority: CRITICAL
source: coding_agent
tags: [coding_agent_deny]Try Prempti on your machine
Grab the latest release and confirm the pipeline with premptictl health.