A human-in-the-loop approval gate for agent-run operations. When a swarm of agents proposes actions across a business, agentgate scores each one by risk and routes it: safe work runs itself, high-risk work waits for a person, and the irreversible-and-costly is blocked for escalation. It is a transparent policy layer, not an LLM guessing, and it plugs into an orchestrator over MCP.
An agent orchestrator like Cofounder runs whole departments and keeps a human in the loop for high-risk actions. That gate is the part that makes letting agents run a business survivable: the difference between "the agent opened a PR" and "the agent force-pushed main, emailed 12,000 customers, and issued $4,800 in credits." agentgate is that gate, built as a standalone, auditable component you can put in front of any agent before it acts.
It answers one question per action: can this run on its own, does it need a human, or should it be stopped and escalated?
request -> coordinator -> department agents propose actions -> GATE -> auto-run / needs-human / block
The gate scores every proposed action across a fixed risk surface (reversible, touches production, external side effect, money spent, handles personal data, legal commitment, how many people it reaches) and decides:
- auto-run when the action is low risk (a reversible internal PR, a test run, a draft).
- needs human when it carries real risk but is recoverable (a production deploy, a CRM change touching personal data, a public status note).
- blocked / escalate when it is irreversible and high blast radius (production, a four-figure spend, a mass audience, or personal data), or makes a legal commitment: force-push to main, a mass email, issuing credits, a permanent customer-data export. These never auto-run.
The scoring is plain rules, so every decision comes with the exact reasons that fired. No model in the loop deciding what is safe.
npm install
npm run demo # runs a business request through the coordinator + gate, writes report.html + report.json
npm test # 10 tests, all offline
npm run typecheck # tsc --noEmit across the gate and the MCP layerThe demo runs one request, "Ship the new pricing page and email our waitlist about the launch," and shows the gate auto-running 3 actions, holding 4 for approval, and blocking 3 (the force-push, the 12,400-person email, and the $4,800 in credits).
npm start # stdio transport (local MCP clients)
npm run start:http # SSE/HTTP transport on :8080Two tools, so an orchestrator can call the gate before it lets an agent act:
| Tool | What it does |
|---|---|
review_action |
Score one proposed action and return AUTO_RUN, NEEDS_HUMAN, or BLOCK with reasons. |
review_plan |
Run a full request through the coordinator and gate and return every decision plus a summary. |
Any orchestrator that speaks MCP can call the gate before it lets an agent act, so agentgate drops in as the approval layer in front of high-risk actions, for a Cofounder-style swarm or anything else.
src/
types.ts AgentAction + the risk surface + Decision
gate.ts scoreAction / isCritical / classify (the policy)
agents.ts deterministic planner: request -> proposed department actions
coordinator.ts run the plan through the gate, summarize
tools.ts review_action + review_plan (FastMCP tools, Zod schemas)
server.ts buildServer(): FastMCP + tools
index.ts stdio by default, MCP_HTTP=1 for SSE/HTTP
scripts/demo.ts offline run, writes report.html + report.json
tests/gate.test.ts 10 tests over the scoring, the critical-action rules, and the demo plan
Honest note: the planner here is a deterministic stand-in so the demo is reproducible. In production the planner is the orchestrator's LLM. The gate is the real, reusable piece, and it does not depend on a model.
MIT. See LICENSE.
