The control plane for AI agents
Human approval and immutable audit trail for LLM agents in production. Python and TypeScript SDKs, hash-chained logs, EU-hosted. Live in 10 minutes.
01 — The problem
47 refunds
Your agent created 47 duplicate Stripe refunds overnight. You got paged at 03:14. You’re the single point of failure when an LLM screws up in production.
SEC-201
Pen-test asks: prove every agent action was either policy-approved or human-reviewed, with provenance. You have Slack history and git blame. You don’t have an answer.
6 months
You opened AGENT-447: "build approval layer (spike). 2 sprints." Six months later it’s still half-built, drowning in Slack-bot reliability tickets and policy edge cases.
02 — The solution
pip install pliuz or npm install @pliuz/sdk. Wrap any risky tool call with @pliuz.gated(). Ships with LangChain and Vercel AI SDK adapters; the decorator is framework-agnostic, so it drops into LangGraph, CrewAI, or Claude Agent SDK loops too.
pip install pliuz
Your agent pauses. Pliuz evaluates the JSONLogic policy server-side. Low-risk auto-approves. High-risk routes to your approver group in Slack with one-click approve/reject/edit buttons.
@gated(policy="finance")
Every decision lands in an append-only events table chained by SHA-256. Run pliuz_verify_chain() — it returns OK or names the broken event. Export it as Ed25519-signed JSONL and verify it offline with our open-source verifier — your evidence for SOC2 / EU AI Act Article 12.
SELECT * FROM pliuz_verify_chain()
03 — What you get
Every audit event carries an auto_approve_source field — policy, tool_flag, or human. When the CISO asks "why did this action go through without review?" you have an exact answer, not a postmortem.
"auto_approve_source": "policy"
SHA-256 AUDIT CHAIN
0x9f… gate → 0x3a… policy → 0xc7… human → 0x1e… exec
pliuz_verify_chain() -> OK ✓
Wrap any tool call in Python or TypeScript with one decorator. Ships with LangChain and Vercel AI SDK adapters; the decorator is framework-agnostic, so it drops into LangGraph, CrewAI, Claude Agent SDK, or custom runners — and any HTTP-capable runner (n8n, etc.) calls the REST API directly.
@pliuz.gated()
pip install pliuz · npm install @pliuz/sdk
Write JSONLogic once: amounts under €100 auto-approve, payloads matching prod-customer-* auto-reject, everything else routes to a human. Server-side evaluation, deterministic, no LLM.
{"<": [{"var": "args.amount"}, 100]}
policies/finance.json
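The three-tier policy described above, worked through as an added example. This is not Pliuz's policy engine: it is a small JSONLogic evaluator with an explicit operator whitelist (no eval, no exec), a hypothetical "glob" operator for the prod-customer-* pattern, and a constructed policies/finance.json whose auto_reject / auto_approve keys are an assumption about the file layout. The rule shown on the page, {"<": [{"var": "args.amount"}, 100]}, is used as-is.

```python
import fnmatch
import json
from typing import Any, Callable


def _safe_cmp(fn: Callable[[Any, Any], bool]) -> Callable[[Any, Any], bool]:
    # A missing field resolves to None; comparing None is "not satisfied", not a crash.
    def inner(a: Any, b: Any) -> bool:
        if a is None or b is None:
            return False
        return fn(a, b)
    return inner


# Operator whitelist. Anything not listed here is refused before evaluation,
# which is what keeps the engine free of eval()/exec(). "glob" is a hypothetical
# custom operator added for this example; the rest are standard JSONLogic.
OPERATORS = {
    "<": _safe_cmp(lambda a, b: a < b),
    "<=": _safe_cmp(lambda a, b: a <= b),
    ">": _safe_cmp(lambda a, b: a > b),
    ">=": _safe_cmp(lambda a, b: a >= b),
    "==": lambda a, b: a == b,
    "!": lambda a: not a,
    "and": lambda *xs: all(xs),
    "or": lambda *xs: any(xs),
    "glob": lambda value, pattern: isinstance(value, str) and fnmatch.fnmatchcase(value, pattern),
}


def resolve_var(path: str, data: dict) -> Any:
    # Dotted lookup such as "args.amount"; missing keys resolve to None.
    current: Any = data
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def evaluate(rule: Any, data: dict) -> Any:
    # Literals (numbers, strings, booleans) evaluate to themselves.
    if not isinstance(rule, dict):
        return rule
    if len(rule) != 1:
        raise ValueError("a JSONLogic rule is a single-key object")
    (op, raw_args), = rule.items()
    args = raw_args if isinstance(raw_args, list) else [raw_args]
    if op == "var":
        return resolve_var(str(args[0]), data)
    if op not in OPERATORS:
        raise ValueError(f"operator {op!r} is not whitelisted")
    return OPERATORS[op](*(evaluate(a, data) for a in args))


# Constructed policy file mirroring the finance example on this page.
FINANCE_POLICY_JSON = """
{
  "auto_reject":  {"glob": [{"var": "args.customer_id"}, "prod-customer-*"]},
  "auto_approve": {"<":    [{"var": "args.amount"}, 100]}
}
"""


def load_policy(text: str) -> dict:
    policy = json.loads(text)
    # Walk every rule once at load time so an unknown operator fails here,
    # not in the middle of an agent run.
    for rule in policy.values():
        evaluate(rule, {})
    return policy


def decide(policy: dict, payload: dict) -> str:
    """Return 'reject', 'approve' or 'human' for one gated call."""
    # Reject rules run first so a small amount can never bypass a blocklist.
    if evaluate(policy["auto_reject"], payload) is True:
        return "reject"
    if evaluate(policy["auto_approve"], payload) is True:
        return "approve"
    return "human"


if __name__ == "__main__":
    finance = load_policy(FINANCE_POLICY_JSON)
    for args in ({"amount": 42, "customer_id": "cus_123"},
                 {"amount": 42, "customer_id": "prod-customer-7"},
                 {"amount": 250, "customer_id": "cus_123"}):
        print(args, "->", decide(finance, {"args": args}))
```

Two design points worth copying even if you use a different evaluator: a missing field never auto-approves (None compares as false and falls through to the human tier), and the reject rule is checked before the approve rule, so a blocklisted payload with a small amount still gets rejected.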
Every approval, edit, rejection, and execution lands in an append-only events table chained by SHA-256. Run pliuz_verify_chain() — it returns OK or names the broken event.
SELECT * FROM pliuz_verify_chain()
public verification RPC
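The hash chain behind pliuz_verify_chain(), as an added example covering both the "02 — The solution" description and the gate → policy → human → exec diagram. This is not Pliuz's schema or verifier: it is a stand-alone Python log where each row commits to the previous row's hash, with an auto_approve_source field constrained to policy / tool_flag / human the way the page says the DB CHECK constraints do. The event-type set, the GENESIS_HASH value, the canonical serialization and the sample events are assumptions constructed for the example.

```python
import copy
import hashlib
import json
from typing import Any, Optional

GENESIS_HASH = "0" * 64  # assumed anchor for the first event

# Hypothetical allowed values, standing in for the CHECK constraints on the page.
EVENT_TYPES = {"gate", "policy", "human", "exec"}
APPROVE_SOURCES = {"policy", "tool_flag", "human"}


def canonical(obj: Any) -> bytes:
    # Sorted keys and fixed separators so the same event always hashes the same.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def event_hash(prev_hash: str, body: dict) -> str:
    # Each hash covers the previous hash plus this event's body.
    return hashlib.sha256(prev_hash.encode() + canonical(body)).hexdigest()


class EventChain:
    """Append-only event log; there is deliberately no update or delete."""

    def __init__(self) -> None:
        self._rows = []

    def append(self, event_type: str, payload: dict, auto_approve_source: Optional[str] = None) -> int:
        if event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event type {event_type!r}")
        if auto_approve_source is not None and auto_approve_source not in APPROVE_SOURCES:
            raise ValueError(f"unknown auto_approve_source {auto_approve_source!r}")
        body = {
            "id": len(self._rows) + 1,
            "type": event_type,
            "auto_approve_source": auto_approve_source,
            "payload": payload,
        }
        prev = self._rows[-1]["hash"] if self._rows else GENESIS_HASH
        self._rows.append({**body, "prev_hash": prev, "hash": event_hash(prev, body)})
        return body["id"]

    def rows(self) -> list:
        # Callers get a copy (a projection), never a handle into the log itself.
        return copy.deepcopy(self._rows)


def verify_chain(rows: list) -> str:
    """Return 'OK', or name the first event whose hash or back-link fails."""
    prev = GENESIS_HASH
    for row in rows:
        body = {k: v for k, v in row.items() if k not in ("prev_hash", "hash")}
        if row["prev_hash"] != prev or row["hash"] != event_hash(prev, body):
            return f"BROKEN: event {row['id']}"
        prev = row["hash"]
    return "OK"


def example_chain() -> EventChain:
    # Constructed sequence matching the gate -> policy -> human -> exec picture.
    chain = EventChain()
    chain.append("gate", {"tool": "stripe.refund", "amount": 250})
    chain.append("policy", {"decision": "human"})  # policy deferred to a person
    chain.append("human", {"decision": "approve", "approver": "alice"}, auto_approve_source="human")
    chain.append("exec", {"refund_id": "re_constructed_001"}, auto_approve_source="human")
    return chain


if __name__ == "__main__":
    chain = example_chain()
    print(verify_chain(chain.rows()))  # OK
    tampered = chain.rows()
    tampered[1]["payload"]["decision"] = "approve"
    print(verify_chain(tampered))  # BROKEN: event 2
```

The check that matters for an auditor is the second one: editing a row after the fact breaks that row's hash, and re-hashing the edited row only moves the break to the next row, because the next row still carries the original prev_hash. Rewriting the whole suffix is the only way to hide an edit, which is exactly what a signed export held outside the database defeats.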
Supabase Frankfurt by default. RLS enabled on all 18 tables. SDK-side redaction primitives. DPA available at /legal/dpa before contract. No LLMs in the critical path.
eu-central-1 · RLS × 18 tables
Oversight, built in
This is the real product — the same gate, decision and policy from the quickstart docs.
04 — Security & trust
EU-hosted by default
Supabase Frankfurt (eu-central-1). US region planned, not default.
Append-only events table
Cryptographic source of truth. Convenience tables are projections.
SHA-256 hash chain
Verifiable by you via SELECT * FROM pliuz_verify_chain()
RLS on all 18 tables
Multi-tenant isolation enforced at the database, not in the application.
No LLMs in the critical path
Policy evaluation is deterministic JSONLogic. Your payload never touches an external model.
SDK-side redaction
pliuz.mask("iban", "last4") lands the masked value in our DB. We never see the original.
Per-event auto_approve_source
Every audit row says whether a human, a policy, or a tool flag approved the action.
Sub-processors listed publicly
Supabase (EU), Cloudflare, Slack API at /legal/subprocessors
DPA at /legal/dpa
Signable. Required for any EU customer; available before contract.
Encryption at rest AES-256
TLS 1.3 in transit, no exceptions.
No training on customer payloads
No payload inspection for "product improvement". No retention beyond your configured policy.
PRPs shipped: core backend, SDKs, auth, metrics, docs
Audit event types: CHECK-constrained at DB level
Tables with RLS: 18, multi-tenant at the database
Materialized views: refreshed every 60 seconds
JSONLogic operators: whitelisted — no eval, no exec
Apache 2.0
Open-source SDKs
Python + TypeScript on GitHub
05 — FAQ
Today the SDK fails closed, always: if Pliuz is unreachable, the gated call raises a typed error (PliuzNetworkError / PliuzApprovalTimeoutError) and your tool never executes — for high-risk actions, halting is safer than acting unsupervised. A per-call fail_open mode for low-risk tools (execute on outage, reconcile to the audit chain on reconnect) is on the SDK roadmap but is NOT shipped yet — do not architect around it today. SLA targets: 99.9% on Pro/Team, 99.95% on Enterprise — committed in the MSA at signing. Currently in pre-launch waitlist phase, so a live availability metric is not yet meaningful; we will publish a public status page from launch.
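The fail-closed behaviour described in this answer, as an added example. This is not the Pliuz SDK: it is a stand-alone gate decorator with a fake approval client whose outcome is chosen per run, so the property can be checked directly. The error class names follow the FAQ (PliuzNetworkError, PliuzApprovalTimeoutError); PliuzRejectedError, the client interface and the gated(policy=..., client=...) signature are assumptions for this example.

```python
import functools
from typing import Any, Callable


class PliuzError(Exception):
    """Base class for gate errors (names follow the FAQ; hierarchy is assumed)."""


class PliuzNetworkError(PliuzError):
    """The control plane could not be reached."""


class PliuzApprovalTimeoutError(PliuzError):
    """No approver answered before the deadline."""


class PliuzRejectedError(PliuzError):
    """A policy or a human rejected the call."""


class FakeApprovalClient:
    """Stand-in for the control plane; `outcome` simulates what the service does."""

    def __init__(self, outcome: str) -> None:
        self.outcome = outcome
        self.requests = []

    def request_decision(self, policy: str, tool: str, args: dict) -> str:
        self.requests.append({"policy": policy, "tool": tool, "args": args})
        if self.outcome == "unreachable":
            raise PliuzNetworkError("control plane unreachable")
        if self.outcome == "timeout":
            raise PliuzApprovalTimeoutError("no approver responded in time")
        return self.outcome  # "approve", "reject", or anything else the service sends


def gated(policy: str, client: Any) -> Callable:
    """Decorator: the wrapped tool runs only after an explicit 'approve'."""
    def decorator(fn: Callable) -> Callable:
        @functools.wraps(fn)
        def wrapper(*args: Any, **kwargs: Any) -> Any:
            # Any exception raised here propagates and fn() is never reached:
            # an outage or timeout halts the action rather than letting it run.
            decision = client.request_decision(policy, fn.__name__, kwargs)
            # Only a literal "approve" executes; an unexpected response is
            # treated as a rejection, not as permission.
            if decision != "approve":
                raise PliuzRejectedError(f"{fn.__name__} rejected under {policy!r}")
            return fn(*args, **kwargs)
        return wrapper
    return decorator


def run_refund(outcome: str) -> tuple:
    """Wire a refund tool to a client in the given state.

    Returns (result, executed_calls, error_class_name) so the caller can see
    both what came back and whether the tool body actually ran.
    """
    client = FakeApprovalClient(outcome)
    executed = []

    @gated(policy="finance", client=client)
    def refund(*, charge_id: str, amount: int) -> str:
        executed.append((charge_id, amount))  # side effect we must not see on failure
        return f"refunded {amount} on {charge_id}"

    try:
        result = refund(charge_id="ch_constructed_1", amount=250)
        return result, executed, None
    except PliuzError as exc:
        return None, executed, type(exc).__name__


if __name__ == "__main__":
    for outcome in ("approve", "reject", "unreachable", "timeout"):
        print(outcome, "->", run_refund(outcome))
```

The property to check in your own wrapper is the same one the test asserts: for every non-approve path the executed list stays empty. A tool that runs and then fails to record the decision is the 47-refunds scenario from the top of the page; a tool that never runs on outage is merely a paused agent.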
Not in the MVP. BYOK field-level encryption via AWS KMS / HashiCorp Vault is on the roadmap, prioritized by first enterprise prospect ask. If you need it to sign, talk to us — we will ship it for you and you will be the design partner.
Not yet. Self-hosted edition (Docker Compose + Helm) is planned for ~month 9-12 at the Enterprise tier. EU-hosted SaaS covers most data-residency asks in the meantime.
You can — 2 senior engineers will ship the first cut in 4-8 weeks (€30k-€60k in salaries). What you trade for the time: (1) cryptographically-verifiable audit chain from day one, (2) EU AI Act Article 12/14/26 mapping done by experts not generalists, (3) cross-tenant pattern intelligence we publish quarterly, (4) the maintenance burden absorbed forever as Slack/frameworks/regulators change. Pliuz costs less per month than one day of one of your senior engineers.
Launch pricing — billing goes live at GA; today the SDK dev track is free and open-source. Free: 1 agent, 100 approvals/month. Pro €149/mo: 3 agents, unlimited approvals, Slack integration. Team €499/mo: 10 agents, multi-approver routing, audit export. Enterprise: custom (SSO, BYOK, dedicated cluster). No per-approval billing — we do not want you rationing approvals. Join the waitlist to lock in early-access terms.
SOC2 Type I planned for Q4 2026 — auditor selection in progress. HIPAA via BAA available on Enterprise tier once we have the design partner. EU AI Act Article 12 (audit logs) and Article 14 (human oversight) — the product is built to satisfy both; the legal certification is your auditor call, not ours.
You probably should not trust any startup with critical infrastructure without an exit path. Our exits: (a) SDKs are open-source so you can fork, (b) your audit data is yours — self-serve Ed25519-signed JSONL export, verifiable offline with our open-source verifier (no need to trust us at verify time), (c) the schema is documented so you can re-implement on top of Postgres if we disappear. We are betting you will stay because the product is good, not because you are locked in.
Early access · v0.1.x
Join the waitlist to lock in early-access terms. Running 3+ agents in production? You jump the queue.
pip install pliuz · Apache 2.0 · SDKs open-source on GitHub