Your agent asks before it acts. DarlaStack answers in microseconds, writes a tamper-evident record of every decision, and survives a crash with the audit trail intact.
# the agent must ask the kernel before it acts result = kernel.evaluate("send_email", {"recipient_count": 8}) # -> decision: allow reason: allowed_rules_passed result = kernel.evaluate("send_email", {"recipient_count": 5000}) # -> decision: block reason: blocked_hard_rule # ...and an unforgeable line is written to the audit chain
An agent that can send, spend, or delete needs more than a prompt that says "be careful." It needs guardrails that actually block the dangerous call, a record of every decision that nobody can quietly rewrite, and that record has to outlive a restart. DarlaStack does those three things — and nothing it can't prove.
Every action the agent proposes is checked against a frozen contract of rules. Safe calls pass; rule-breaking calls are blocked, with a precise reason code and a rule pass-ratio — in tens of microseconds.
Each decision is appended to a SHA-256 hash chain. Change one past record and verification fails at the exact event. Spans are sealed under an Ed25519-signed Merkle root for court-ready evidence.
The audit chain is persisted to durable storage. Kill the process and restart: the chain reloads, re-verifies, and the Merkle root returns bit-identical. The memory of what happened doesn't die with the process.
This is the actual kernel running, not a recording. Send actions and watch them get allowed or blocked, forge a record and watch the chain catch it, then crash the agent and recover the proof from disk.
Every figure here was measured on the shipping code (Python 3.12, single thread). We show the honest production sizing, not just the flattering microbenchmark.
Lab microbenchmark reaches ~12,000 decisions/sec single-threaded on warm, identical input; the 500–1,000/sec figure is the conservative number we'd size capacity against for real multi-rule workloads. Signed Merkle checkpoint over 1,000 events is ~2.5 ms. Crash recovery has been verified to reproduce the Merkle root bit-for-bit.
DarlaStack governs every action an agent submits, and now enforces: an approved action receives an unforgeable signed capability token, and a gateway runs the real effect only against a valid token — so a blocked action gets no token and cannot execute. Deploy the gateway behind a private boundary and it is the only path to the effect. It is not an OS sandbox; that you compose it with. Being straight about the boundary is how trust is earned.
Run the kernel, the durable-audit layer, and this demo locally in two commands.
pip install -r darlastack_demo/requirements.txt uvicorn darlastack_demo.server:app --port 8000Launch the live demo →
DarlaStack is available for licensing and evaluation. Tell us your agent's threat model and we'll map a deployment.
Request an evaluation