Local-first approval middleware

ApproveKit

A premium control layer for agent actions that should pause before they touch production. Wrap Python tools, route risky calls to a human, redact sensitive payloads, and keep the audit trail intact.

Read docs Enter review room
approvekit-web 127.0.0.1:8765
Pending request waiting
risk high 45s timeout
Payload preview req_8f29 
{
  "to": "ceo@example.com",
  "subject": "Quarterly report",
  "body": "[REDACTED]"
}
Audit ready: send_email pending human review
Control surface

Give agents power with a checkpoint in the middle.

ApproveKit turns risky tool calls into reviewable events. The design goal is simple: every dangerous action becomes visible, explainable, and blockable before execution.

Default stance Deny on silence

Rejected and timed-out actions never reach the wrapped tool body.

Reviewer latency 0s

Policy timeouts keep agent runs from waiting forever.

Storage SQLite audit

Local-first history for approvals, rejects, timeouts, and auto-approvals.

Execution path

One small guard changes the entire failure mode.

Safe tools can still move fast. Risky tools pause, surface context, and resume only after a reviewer makes a decision.

01 Agent calls tool

`@kit.guard` captures tool name and arguments before execution.

02 Policy evaluates risk

Rules decide whether the call can auto-approve or must wait.

03 Reviewer decides

The browser inbox shows redacted payload, risk level, and notes.

04 Audit records outcome

Approved calls execute. Rejected and timed-out calls are blocked.

Workflow

From agent call to decision — in one view.

ApproveKit workflow: agent intent → policy check → approval request → reviewer decision → execution or block → audit trail, plus 'Why teams need this' callouts. ApproveKit workflow: agent intent → policy check → approval request → reviewer decision → execution or block → audit trail, plus 'Why teams need this' callouts.
Safety primitives

The parts that matter when an agent is one click from production.

Small primitives, deliberately boring where it counts, polished where humans need clarity.

Tool-body isolation

Approval happens before execution, so denied requests are not best-effort blocked after the fact.

Policy-visible risk

Risk labels, timeouts, redaction rules, and approval modes move with the request.

Redacted payloads

Configured fields are masked recursively before request storage and audit persistence.

Run it locally

Two terminals. One visible decision loop.

The guided demo creates a shared SQLite database. The agent waits while the reviewer makes decisions in the browser.

auto-approved read approval-required email rejected delete timeout block
Terminal 1 agent 
pip install approvekit
python3 demo/agent.py --db /tmp/approvekit_demo.db --reset
Terminal 2 reviewer 
approvekit-web --db /tmp/approvekit_demo.db --port 8765