1. The reason I like local-first is that I do not want logs from tools and agents going to some company.
With DuckDB everything stays on your system so you have control over it.
2. I want to be honest about something. Korveo is between the agent and the tools it uses.
If the agent itself is compromised it can still get around Korveo.
So Korveo is, like a guard that helps keep things safe. It also keeps a record of what happens.
It is not a solution but it helps.
I am happy to talk about how Korveo works with policies or how it supports certain frameworks if people want to know more about Korveo.
The trace view also made the firewall work well in practice: you can promote rules from a real captured call instead of guessing everything upfront in YAML.
There are still three things in the policy model that need work:
1. Cross-call behavior is a bit clumsy.
A single rule sees one tool call, but the failures you actually care about are sequences — exfiltration, cross-session bleed, "agent read a secret then called an external host." Right now I express that with chained rules and tags, and it feels hacky. I want a way to handle sequences and stateful flows.
2. The matching model isn't consistent.
Host allowlists, argument matching, and payload predicates developed separately, so parts of the syntax feel different. New users hit this issue quickly.
3. Deny explanations are not clear.
Right now you mostly get "rule X blocked this." I want explanations like "blocked because arg.url matched Y and host wasn't allowed." Without that, debugging in shadow mode isn't as useful as it should be.
If anyone here has built policy systems or rule engines — especially around stateful rules without turning the whole thing into a programming language — I'd love to hear how you handled it.