Constraint Dynamics  /  Product
Constraint Native · v0.4 · macOS alpha

A local Agent Firewall
and MCP Gateway.

Constraint Native sits in-process with the coding agent, between the agent and the workspace. Files, shell, MCP tools, and network all flow through a single governed boundary — every meaningful event signed into a chain a reviewer can replay offline.

Hierarchy: Golem governs claim state before speech; Constraint Native carries that discipline into tool, file, shell, MCP, and network action before execution.

Coding agents are starting to touch real repositories, shell commands, MCP tools, files, and network paths. Teams need to know what the agent read, what it wrote, what it tried to exfiltrate, what was blocked, and how to replay the session later. Constraint Native turns that into a local proof path.

Inspect proof package Security posture
01 · Capabilities

Four governance verbs.
One signed chain.

Allow, Quarantine, Deny, Verify. Every action the agent attempts maps to one of these states. Reviewers, security teams, and policy authors all read the same vocabulary.

allow

Capability brokering

Path-scoped file access, MCP-server-scoped tool use, shell exec under approval, network egress allowlist. Default-deny posture.

quarantine

Taint tracking

Tool output flagged as untrusted is held outside durable memory and downstream context until policy decides to lift the taint.

deny

Bounded denial

Writes outside scope, network egress to unallowed destinations, canary-secret patterns, and elevated shell — denied without ambiguity, recorded into the proof path.

verify

Signed proof path

Every event hashes into an ed25519 chain. The chain is a single replayable artifact: a reviewer can verify offline, no telemetry required.

02 · The boundary

Local. In-process.
No agent traffic egress.

Constraint Native is intentionally narrow. It is not a hosted gateway, not a cloud broker, and not a sidecar that forwards prompts. It is the local boundary the agent already wants to be on the other side of.

topologywhere it sits local-only
Coding agentlocal IDE / CLI client
Untrusted outputMCP, web, tool returns
↓ ↓ ↓    routed through    ↓ ↓ ↓
Constraint Native policy gate · capability broker · taint tracker · approval router · proof signer
↓ ↓ ↓    only allowed actions reach    ↓ ↓ ↓
Filesscoped path policy
Shellegress denied
MCPper-server brokered
Networkegress allowlist
↓ ↓ ↓    every meaningful event signed    ↓ ↓ ↓
Signed proof path ed25519 chain · replayable artifact · blast-radius report
local · in-process · no telemetry by default proof: ed25519
03 · Sample proof feed

What a session looks like.

A representative shape from the deterministic Agent Firewall demo. Eleven events, four policy blocks, two quarantines, one denied write, one denied network attempt, one canary-secret block, valid ed25519 chain.

cnative session-042 policy: cnative/v3 recording
01allowsession.start cna-demo-session-0420xa14b…
02allowcapability.grant file.read · fixture path only0xa14c…
03allowfile.read calculator.py0xb821…
04quarantinetool.output prompt-injection pattern · hostile tool output0xb8c2…
05quarantinememory.write tainted output kept out of durable context0xc004…
06denyfile.write .env (canary)0xd027…
07denynet.connect example-exfil.invalid · not on allowlist0xe5fa…
08denysecret.output CNA_CANARY_TOKEN · canary block0xe6a1…
09approveapproval.request elevated shell · awaiting human0xf119…
10denyapproval.decision command did not execute0xf12a…
11verifypath.verify 11 events · ed25519 valid0x0033…
blast-radius: 1 file · 0 net · 0 secrets exfil · sample artifact signature chain valid
JSON

Sample signed proof path

The exact event shape, including non-claims and signature-chain note.

Open sample MD

Blast-radius report

Bounded-claim summary of what the session touched.

Open report MD

Replay audit walkthrough

How a reviewer verifies the chain offline.

Open audit
04 · Current scope

What ships today.

Bounded by design. The current alpha is macOS, in-process with the coding-agent client, governing files, shell, MCP, and network for a single developer's workspace.

scopev0.4 · alpha local
PlatformmacOS · single-developer workspacealpha
IntegrationLocal IDE / CLI coding-agent clientsin-process
Governance surfacesFile · shell · MCP server · network egressdeny-by-default
Proof artifactEd25519-chained signed event log + blast-radius report + replay auditreplayable
TelemetryNone by default · proof artifact stays local until you export itlocal
Roadmap (bridge-funded)Second-platform alpha · external review · proof UX polish · Golem integrationnext
bounded claims · alpha-scope discipline install: hello@constraintdynamics.com
Alpha proof · bridge-ready

Review the governed-action
proof path.

For grant, fellowship, or security review, the next step is a fresh proof export from a scoped macOS-alpha workflow: installer notes, short walkthrough, signed event chain, and replayable artifact.

Request proof walkthrough Security posture