// approach · the thesis
Policy isn't approval.
AI agents can already act on real systems. The missing layer isn't more autonomy — it's a trustworthy way to keep a responsible human in the loop without grinding the work to a halt. This is the question every build here circles.
The gap
Most agent platforms answer the safety question with policy: rules that decide, in advance and in the background, what an agent is allowed to do. Policy is necessary and it scales — but it decides about categories, never about the specific action in front of you right now. "Allowed to send email" is not the same as "yes, send this email, to these people, with this content." For reversible, low-stakes actions, category-level policy is enough. For irreversible ones, it isn't.
What human-in-the-loop actually means
Human-in-the-loop is often reduced to a notification or a checkbox someone clicks without reading. That is theatre, not control. Real human-in-the-loop means a person sees the exact action, understands it, and makes a deliberate decision that the system then verifiably executes — nothing more, nothing less. The human is not a rubber stamp; they are the authority for that specific step.
WYSIWYS — what you see is what you sign
Borrowed from cryptographic signing: the thing you approve must be the exact thing that runs. If an agent requests an action, the precise request is shown to the human, on a separate device and in plain language, and the approval is bound to that request with a passkey (WebAuthn) signature, so the executor can check that what was signed is what it is about to run. No substitution between what was shown and what executes. This closes the gap where a vague "approve?" prompt hides what is really about to happen. The binding is only as strong as the rendering and the serialization: the request must be displayed faithfully and serialized identically on both sides, or the signature covers bytes the human never saw.
Fail-closed
The safe state is the default. No approval means no action: not a timeout that quietly proceeds, not a fallback that assumes yes, not an error path that skips the check. Convenience never overrides safety on the actions that matter. A system that fails open is a system that will, eventually, do the wrong thing on your behalf.
Defense in depth
The human gate is one layer, not the only one. Sensitive backends stay off the public internet, reached worker-to-worker via service bindings; secrets are managed, not embedded; infrastructure is code, reproducible and reviewable. The approval step is meaningful only because the surface around it is small and disciplined.
Where the human belongs — and where it doesn't
The goal is not to put a human in front of everything; that would defeat automation. The craft is choosing the gates: irreversible writes, deletions, anything touching real money, identity, or external parties. Everything else should flow. Drawing that line well is the actual engineering problem — and it's the one this work researches.
How the hub applies it
Each solution is an instance of the same principle. mcp-approval is the gate itself — passkey-signed, WYSIWYS approval for agent actions. mcp-knowledge keeps the data an agent works with off the public internet, so writes can be gated rather than exposed. voice-coach brings the same idea to a spoken interface: it coaches, it doesn't take over. Different surfaces, one thesis — automate the work, keep the human responsible.