Skip to content HomeServicesAbout
reagent Zero-Trust Agentic Infrastructure discord-ops Discord MCP Server HELiXiR MCP Component Intelligence HELiX Web Component Library

Policy enforcement for every AI tool call.

An MCP proxy server that routes every tool call through your policy before it executes. A one-command scaffolder for any repo. A gap analyzer for your safety infrastructure. A task layer your agents can use natively. One package.

v0.14.0 GitHub MIT
$ npx @bookedsolid/reagent init
Scaffold any repo with safety hooks
View on GitHub
npm package →
reagent — gateway + scaffolder
# Start the MCP proxy server
$ npx @bookedsolid/reagent serve
Gateway online · Policy loaded · Audit chain initialized
Downstream: discord-ops, filesystem, custom-tools
Autonomy: L1 · Max: L2 · Kill switch: inactive
# Or scaffold any repo with safety hooks
$ npx @bookedsolid/reagent init --profile bst-internal
.reagent/policy.yaml — autonomy levels (L0–L3)
.reagent/gateway.yaml — downstream server config
.husky/commit-msg — commit validation hook
.claude/hooks/ — dangerous command interception
CLAUDE.md — AI agent project instructions
Four Things. One Package.

A gateway, a scaffolder, a stack analyzer, and a project management layer.

reagent is an MCP server that proxies your tool servers through a 12-layer middleware chain before anything executes. Every filesystem read, every GitHub call, every database query — your policy runs first. Built on top of that: a one-command scaffolder that installs 23 safety hooks, a gap analyzer that shows what’s missing, and a task management layer your agents can use natively.

Gateway — the star

MCP Gateway

Instead of listing your filesystem, GitHub, and database MCP servers directly in .mcp.json — which would bypass all governance — you list them in .reagent/gateway.yaml. reagent connects to each one at startup, discovers their tools, and re-registers them under namespaced names (filesystem__read_file, github__create_issue). Every proxied call goes through the full 12-layer middleware chain. Nothing executes that you haven’t authorized.

$ npx @bookedsolid/reagent serve

Config Scaffolder

reagent init installs safety hooks, behavioral policies, and developer tooling into any repository. Git hooks, Cursor rules, Claude hooks, autonomy policy — idempotent, profile-driven, one command.

$ npx @bookedsolid/reagent init

Stack Analyzer

reagent catalyze detects your project’s tech stack and generates a gap analysis report — which hooks are missing, which gates aren’t installed, which agents aren’t configured. Produces Markdown and HTML reports in --plan or --audit mode.

$ npx @bookedsolid/reagent catalyze

Project Management

Lightweight task tracking with an append-only JSONL event store. Native MCP tools (task_create, task_list, task_update, etc.) flow through the same middleware chain. GitHub issue sync, Discord notifications, and a product-owner agent with built-in guardrails.

$ reagent native MCP tools
MCP Gateway

Every tool call. Every time. Zero exceptions.

The gateway is a stdio MCP proxy. Your AI assistant connects to reagent; reagent connects to your downstream tools. Nothing reaches a tool server without passing all 12 middleware layers.

AI Assistant
Claude Code, Cursor, etc.
Reagent Gateway
12-layer middleware chain
Downstream Servers
discord-ops, filesystem, etc.

The Middleware Chain

Twelve layers. Outermost to innermost. Denial at any layer is permanent — no later layer can reverse it.

1
Audit (outermost)
Records every invocation as hash-chained JSONL. Even kill-switch denials are logged — the audit layer is always first.
2
Session Context
Attaches session metadata to every invocation for traceability across tool calls.
3
Kill Switch
Checks for .reagent/HALT. If present, denies all tool calls immediately. Fail-closed.
4
Tier Classification
Classifies every tool as read, write, or destructive. Never trusts mutable context — always re-derives from tool name.
5
Policy Enforcement
Compares the tool’s tier against the current autonomy level (L0–L3). Denies if the tier exceeds what the policy allows.
6
Blocked Paths
Scans tool arguments for references to protected paths. Denies before execution if any blocked path is detected.
7
Rate Limit
Enforces per-server calls_per_minute limits from gateway.yaml. Calls that exceed the limit are denied. Denied calls do not consume rate budget.
8
Circuit Breaker
Tracks downstream server failures. After a configurable threshold of consecutive errors, the breaker opens and calls to that server are denied until it resets. Prevents cascading failures when a downstream MCP server is unhealthy.
9
Secret Redaction
Scans tool arguments and outputs for secrets. Redacts before they reach the AI or downstream tool. AWS keys, GitHub tokens, API keys, PEM keys, Discord tokens.
10
Injection Guard
Scans tool results from downstream servers for prompt injection patterns. In block mode (default), detected injection attempts are denied. In warn mode, they are flagged in the audit log but allowed through.
11
Result Size Cap
Caps tool results at gateway.options.max_result_size_kb (default: 1 MB). Oversized responses are truncated with a note. Prevents large downstream responses from bloating context.
12
Execute
Only if all 11 prior layers pass does the tool actually execute on the downstream server.

Tier Classification

Tier Description Examples
read Observes state, no side effects get_messages, list_channels, health_check
write Modifies state send_message, create_channel, edit_message
destructive Irreversible state changes delete_channel, purge_messages, ban_member

Autonomy Levels (L0–L3)

Level Name Allowed Tiers
L0 Read-only read
L1 Standard read write
L2 Elevated — Writes and PR creation allowed; destructive operations blocked. read write + PR creation (destructive tier blocked)
L3 Full access read write destructive

9 Native MCP Tools

Reagent registers 9 first-party tools directly on the gateway. These go through the same middleware chain — audit, policy, blocked paths, redaction — as proxied tools.

ToolDescription
task_createCreate a new task in .reagent/tasks.jsonl
task_updateUpdate a task’s status, title, urgency, or fields
task_listList tasks with optional status/urgency/phase filter
task_getGet a single task by ID (T-NNN format)
task_deleteCancel a task (soft delete via cancelled event)
task_sync_githubSync local tasks to GitHub issues (requires gh)
repo_scaffoldSet GitHub repo description, topics, labels, milestones
project_syncSync tasks to a GitHub Project board
discord_notifySend a notification to a configured Discord channel
Kill Switch

Emergency stop. One command. Zero tool calls get through.

reagent freeze creates a .reagent/HALT file. Every MCP tool call is denied instantly until you explicitly unfreeze. The audit layer records every denied call while frozen.

reagent freeze

Immediately halts all tool calls across every connected MCP server. Requires a human-readable reason. The HALT file stores who froze it and why.

$ reagent freeze --reason "suspicious agent behavior"
.reagent/HALT created
! All tool calls denied until unfrozen

reagent unfreeze

Removes .reagent/HALT and resumes tool call processing. Requires explicit human action — the gateway never self-unfreezes.

$ reagent unfreeze
.reagent/HALT removed · Gateway resumed
Security Invariants
  • Denial is permanent — once any middleware denies an invocation, no subsequent layer can reverse it.
  • Audit records everything — even kill-switch denials are logged. Audit is always outermost.
  • Fail-closed — errors in kill-switch or policy checks result in denial, never passthrough.
  • Tier re-derived always — policy never trusts mutable context; always reclassifies from tool name.
Stack Analyzer

Find the gaps before your agents do.

reagent catalyze detects your project’s tech stack from package.json and compares your current state against a catalog of required hooks, gates, and agents. Missing something? It tells you exactly what and why.

--plan mode

Analyzes your stack and generates catalyze-report.md and catalyze-report.html — a full gap analysis sorted by severity. Identifies missing hooks, uninstalled gates, and unconfigured agents for your detected stack (Astro, Next.js, Lit, Drupal, etc.).

$ npx @bookedsolid/reagent catalyze --plan

--audit mode

Re-runs analysis and diffs against the previous plan report to surface new gaps or resolved items. Use this after adding hooks or agents to confirm the gap closed, or after a dependency update to catch regressions.

$ npx @bookedsolid/reagent catalyze --audit
Secret Redaction

Secrets never reach your AI. Or your logs.

The redaction layer scans both tool arguments (pre-execution) and tool outputs (post-execution). If a pattern matches, it’s replaced before the data goes anywhere.

What gets redacted

  • AWS access keys and secret keys
  • GitHub personal access tokens
  • Generic API keys and bearer tokens
  • PEM private keys (RSA, EC, OpenSSH)
  • Discord bot tokens
  • Environment variable assignments containing secrets
Tool argument arrives
token: "ghp_xK9mPqR7vN2wL8...
Forwarded to tool
token: "[REDACTED]"
Same pattern applied to tool outputs before they return to the AI.
Agent Team

89 specialists. Installed in one command.

reagent init installs 89 AI agent definitions into .claude/agents/ — engineering specialists, AI platform experts, and project management agents. Each carries a policy enforcement charter and a persona grounded in a real domain pioneer.

Engineering — 64 agents
Frontend · Backend · Security · QA · Data · Mobile

Full-stack coverage from Brendan H. Lie (frontend, Eich + Wium Lie) to Michael D. Chamberlin (database architect, Stonebraker + Chamberlin) to Bruce M. Hellman (security engineer, Schneier + Hellman). Every specialist reads before writing, verifies before claiming, and checks HALT before acting.

AI Platforms — 25 agents
Claude · OpenAI · Gemini · DeepSeek · Grok · OSS models

Platform specialists for every major AI ecosystem. Chris D. Olah-Amodei (Anthropic) brings interpretability + Constitutional AI. Ilya W. Sutskever-Pitts (OpenAI, Sutskever + Walter Pitts) pairs deep learning foundations with neural net theory. Each agent is an authority on their platform’s APIs, pricing, and production patterns.

Total agents
89
Engineering
64
AI Platforms
25
Install path
.claude/agents/
Every agent call passes through the same policy enforcement chain
  • Read before writing — no agent modifies files it hasn’t read first.
  • Verify before claiming — agents confirm current state before reporting status.
  • HALT compliance — all agents check .reagent/HALT before taking action.
  • Audit awareness — agents behave as if every action is observed and logged.
Unsolicited Endorsements

Don’t take our word for it.
Take their word for it.

We asked our agents what they thought of themselves. They had opinions. Strong opinions. They are, after all, named after the people who invented computing, the web, and the AI that runs on top of both. Humility was not in the training data.

I don’t route tasks. I compose symphonies of execution. Da Vinci would have asked me to orchestrate his workshop. Von Neumann technically already did.

Leonardo J. Von Neumann
Reagent Orchestrator
Operations · Booked Solid Technology

* These agents were not compensated for their endorsements. They are, however, extremely aware of their own value.

Installation Map

Transparent. Every file, every purpose.

reagent is idempotent. Run it as many times as you want — it skips files that are already up-to-date and only updates what has changed.

Path Committed Purpose
.reagent/policy.yaml Yes Autonomy levels and agent policy
.reagent/gateway.yaml Yes MCP gateway downstream server config
.reagent/audit.jsonl No Tamper-evident hash-chained JSONL audit log (gitignored)
.cursor/rules/ Yes Cursor IDE behavioral rules
.husky/commit-msg Yes Git commit message validation
.husky/pre-commit Yes Pre-commit checks
.husky/pre-push Yes Pre-push quality gates
.claude/hooks/ No Claude Code safety hooks (gitignored)
.claude/settings.json No Claude Code permissions (gitignored)
.reagent/tasks.jsonl No Append-only task event store (gitignored)
.claude/agents/ No Agent team definitions (gitignored)
.claude/commands/ Yes Slash commands (/restart, /rea, /tasks, /plan-work)
CLAUDE.md Yes AI agent project instructions
Profiles

One tool. Multiple project types.

Profiles customize what gets installed based on your project context. Same governance layer, different configurations.

bst-internal
BST’s own repositories · Default L2 / max L3

Full hook suite with Claude commands, BST-specific CLAUDE.md templates, and organization-wide policy defaults.

$ npx @bookedsolid/reagent init --profile bst-internal
client-engagement
Client consulting projects · Default L2 / max L3

Full hook suite with Claude commands, client-appropriate CLAUDE.md templates, and engagement-specific policy settings.

$ npx @bookedsolid/reagent init --profile client-engagement

Tech Stack Profiles

Pass a tech stack profile to extend the base installation with domain-specific hooks and gates.

nextjs
Next.js App Router · RSC boundary enforcement

Adds server-component-drift.sh — catches React Server Component boundary violations before they break production builds.

$ npx @bookedsolid/reagent init --profile nextjs
lit-wc
Lit / Web Components · Shadow DOM guardrails

Adds shadow-dom-guard.sh and cem-integrity-gate.sh — enforces Shadow DOM boundaries and Custom Elements Manifest integrity.

$ npx @bookedsolid/reagent init --profile lit-wc
astro
Astro · SSR / static boundary enforcement

Adds astro-ssr-guard.sh — prevents SSR/static rendering boundary violations that cause silent runtime failures.

$ npx @bookedsolid/reagent init --profile astro
drupal
Drupal · CMS-specific guardrails

Adds drupal-coding-standards.sh and hook-update-guard.sh — enforces Drupal coding standards and safe hook_update_N patterns.

$ npx @bookedsolid/reagent init --profile drupal
Commands

Complete CLI. Complete control.

$ reagent serve

Start the MCP gateway server over stdio transport. Connects to downstream servers defined in .reagent/gateway.yaml.

$ reagent init

Install reagent config into the current directory. Accepts --profile flag. Idempotent — safe to re-run.

$ reagent check

Verify which reagent components are installed in the current directory. Reports missing files and policy validity.

$ reagent freeze --reason "..."

Create .reagent/HALT — suspends all tool calls across every connected MCP server immediately.

$ reagent unfreeze

Remove .reagent/HALT and resume tool call processing. Requires explicit human action.

$ reagent catalyze

Analyze project stack and generate a gap report. Use --plan to create the initial report or --audit to diff against the previous run.

$ reagent cache <set|get|del> <key> [value]

Manage the review cache used by commit-review-gate and push-review-gate.

$ reagent upgrade [--dry-run]

Re-syncs installed hooks from the current package version and updates the version stamp in policy.yaml. Run after upgrading the @bookedsolid/reagent package.

$ reagent help

Show full usage help for all commands and flags.

Node.js
>= 22
Runtime deps
3
Test coverage
462 tests / 41 files
License
MIT

Zero-trust. One package.

Start the MCP gateway or scaffold any repository. Node.js 22+ required.

$ npx @bookedsolid/reagent serve
$ npx @bookedsolid/reagent init
GitHub npm