agents got capable.
governance didn't keep up.

AI agents can now act on the world — calling APIs, mutating records, dispatching messages. CLIable makes every one of those actions accountable through one CLI: typed contracts, policy decisions, and an immutable run record every time.

// the problem

agents are black boxes.

an agent that acts without a contract is a liability. no schema means unpredictable behavior at runtime. no policy means no boundary between what's allowed and what isn't. no audit trail means when something breaks — and it will — you have nothing to reason from.

opacity

The agent's intent is implicit. Parameters arrive untyped, outcomes land unrecorded. There is no artifact that proves what ran, when, or why.

unbounded risk

Without policy, every capability is open by default. A single misconfigured connector can allow writes, charges, or sends that should never have been autonomous.

no trail

Logs capture stdout. They don't capture the binding, the policy decision, the outcome, or the verification fact. You can't audit what was never structured.

// the approach

one CLI. one governed execution layer.

CLIable is an atomic capability runtime with a governed execution adapter layer. The agent calls one CLI entry point per action. The runtime resolves the connector, enforces policy, commits a run record, and returns a typed outcome — allow, gate, or deny — with full traceability baked in.

  • connector packages own their capability contracts
  • governance layer enforces policy at every run boundary
  • two-level SQLite topology seals every run and task

~/project — cliable run
# every action is a contract. every run is a record.
# the runtime owns accountability — not the agent.
 
› cliable run stripe.refund --amount 49.00 --charge ch_3Qx
 
run r_8f2a14
capability stripe.refund
policy gate → requires_authorization
task it_22b9 [pending]
 
no mutation committed. awaiting operator resolution.

// principles

the rules we build by.

restraint and clarity over marketing and magic. these aren't aspirational — they're the constraints that produced the architecture.

CLI-first

the interface is the contract. every capability is a command. if you can't express an action as a CLI invocation with typed parameters, it doesn't belong in the runtime.

an outcome you can audit, not just trust

every run commits a structural record before it returns. not a log line — a typed fact: what ran, what policy decided, what the outcome was. trust is earned through evidence.

the operator stays in control

the agent proposes. the runtime governs. gated actions yield an interaction task — the operator resolves or cancels. no mutation commits without a policy decision.
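
The allow / gate / deny flow and the record-before-return rule described above, as an added example that is not CLIable's own code. The contract table, the table layout, the function names, and every reason string except `requires_authorization` are assumptions, and a single in-memory SQLite database stands in for the two-level topology.

```python
import json
import sqlite3
import uuid

# Hypothetical contracts: typed parameters plus a policy default per capability.
CONTRACTS = {
    "stripe.refund": {"schema": {"amount": float, "charge": str}, "policy": "gate"},
    "crm.lookup": {"schema": {"email": str}, "policy": "allow"},
}

def open_store():
    """In-memory store; triggers make the runs table append-only."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE runs (id TEXT PRIMARY KEY, capability TEXT, params TEXT,
                           decision TEXT, reason TEXT);
        CREATE TABLE tasks (id TEXT PRIMARY KEY, run_id TEXT, status TEXT);
        CREATE TRIGGER runs_no_update BEFORE UPDATE ON runs
            BEGIN SELECT RAISE(ABORT, 'run records are append-only'); END;
        CREATE TRIGGER runs_no_delete BEFORE DELETE ON runs
            BEGIN SELECT RAISE(ABORT, 'run records are append-only'); END;
    """)
    return db

def decide(capability, params):
    """Return (decision, reason); anything without a contract is denied."""
    contract = CONTRACTS.get(capability)
    if contract is None:
        return "deny", "no_contract"
    schema = contract["schema"]
    if set(params) != set(schema) or any(
            type(params[k]) is not t for k, t in schema.items()):
        return "deny", "schema_violation"
    if contract["policy"] == "gate":
        return "gate", "requires_authorization"
    return contract["policy"], "policy_default"

def run(db, capability, params, execute):
    """Decide, commit the record, then call execute() only on allow."""
    decision, reason = decide(capability, params)
    run_id, task_id = "r_" + uuid.uuid4().hex[:6], None
    with db:  # the run record (and any task) commit before execute() can run
        db.execute("INSERT INTO runs VALUES (?,?,?,?,?)",
                   (run_id, capability, json.dumps(params), decision, reason))
        if decision == "gate":
            task_id = "it_" + uuid.uuid4().hex[:4]
            db.execute("INSERT INTO tasks VALUES (?,?,'pending')", (task_id, run_id))
    if decision == "allow":
        execute(params)
    return {"run": run_id, "decision": decision, "reason": reason, "task": task_id}
```

Denied and gated runs are recorded too, so the audit trail shows what an agent attempted as well as what it was allowed to do.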

restraint is the rule

we don't build capabilities the runtime can't govern. we don't add abstractions that obscure what's actually running. complexity earns its place or it doesn't ship.

show the command, not the marketing

the literal CLI invocation is the demo. not a diagram, not a slide. if a feature can't be shown as a run record it's not ready.

a connector is a specification

connector packages ship with typed schemas and policy defaults. the contract travels with the capability — you can't deploy a capability without one.

what runs under the hood.

interface:        CLI-first
runtime:          Python 3.14
package manager:  uv
persistence:      embedded SQLite
topology:         two-level shards
license:          open source

ready to make every run accountable?

the runtime is open source. start with the docs or reach out if you want to talk architecture.