Seven phases decide the fate of every tool call.

The phases

• Gates (0, 1) — match / no-match, no score. Short-circuit with allow or deny.
• Scoring engines (2, 3, 4, 5, 6) — produce a 0–1 score. Any single phase scoring at or above the active level's deny threshold (strict 0.5, balanced 0.8, permissive 0.9) short-circuits the pipeline with deny; downstream phases do not run.

Phase	Name	Latency	Runs on
0	Tool Gate	<1ms	All tools
1	Allowlist Gate	<1ms	Guarded tools
2	Pattern Analysis	<5ms	Guarded tools
3	Static Analysis	<50ms	Write/Edit only
4	Behavioural	<200ms	Write/Edit (JS/TS/Py/Sh/Rb/PHP/Go)
5	LLM	2–10s	Optional (needs API key)
6	External Scoring	configurable	Optional (needs endpoint)

Scope narrows as latency rises

Phases 3 and 4 only run on Write / Edit actions because they need file content to analyse. Phases 5 and 6 are off by default — turn them on for extra coverage at the cost of a synchronous Claude API call or an HTTP hop to your policy service.

Short-circuit rules

• Phase 0: blocked → deny; available (no guard) → allow; guarded → fall through to Phase 1.
• Phase 1: matched AND allowlist_mode: exit → allow. allowlist_mode: continue (default) records a hint but still runs 2–6.
• Phases 2–6: any single phase scoring ≥ the active deny threshold (strict 0.5, balanced 0.8, permissive 0.9) → deny immediately, downstream phases skipped. Phase 6 evaluates this per endpoint — one external scorer crossing the line is enough, sibling endpoints cannot dilute it. Otherwise each phase contributes a score.
• If no phase short-circuits, the weighted average of scored phases determines the decision.

Visualize it

The home page is an interactive demo of the pipeline — pick a scenario (safe, critical, risky) and watch the packet descend through each phase, with tooltips, scores, and the final verdict.

Next

• Scoring → how per-phase scores combine into an allow / confirm / deny decision.
• Phase 0 — Tool Gate →