Statisv0.4 · beta
§ 01For teams shipping AI agents to production

One decorator.
Your agent asks permission
before it touches production.

An agent with production credentials hallucinated and deleted a table. Nobody wants to be on call for that again. @statis.gateis the decorator we wish we’d had.

$pip install statis-ai
Join beta →
Works with
LangGraphCrewAIAnthropicOpenAIany Python agent
§ 02The full loop

Your agent hangs at the gate. You approve. It unblocks. A receipt is written.

No gateway container. No proxy server. No rewrite of the agent framework you already use. One decorator on the function your agent calls — and the first time it runs in production, it waits for a human before it touches anything it can’t undo.

  1. 01

    Your agent calls a decorated function.

    The call doesn’t execute. Statis returns a signed, single-use approval URL and raises ActionPending or blocks up to your configured timeout.

  2. 02

    A human approves from any device.

    The URL renders an approval page showing the decorated function, the exact arguments, and the agent that called it. Slack-button approval ships week two.

  3. 03

    The agent unblocks. The action runs.

    @statis.gate returns control to your function. Exactly-once semantics on the gate: retries, webhook-drops, and cross-agent coordination are handled server-side, not in your agent loop.

  4. 04

    A receipt is hash-chained from action one.

    Every decision — approved, denied, or auto-approved by policy — writes a receipt linked to the previous one. Verifiable offline. Exportable as an audit bundle when you need it.

§ 04The console

Every action your agents take lands here, with a receipt.

One pane for every gated tool call across every agent. Pillar pills tell you what happened, latency tells you how fast, the receipt hash tells you it’s real.

console.statis.dev/actions

Actions

ActionsReceiptsEscalationsThreat logs
24 Apr → nowlive
Actions · 24h
12,847
+8.4% vs yesterday
Success rate
99.97%
11 escalated · 0 denied
Median latency
284ms
p95 1.4s
Receipts written
1.28M
chain unbroken since Q1
Action
Agent
Decision
Latency
Receipt
stripe.refund.create
$1,240.00 · cus_NfA9r2X8
billing-bot
COMPLETED
412ms
0x9a4f…c2e1
linear.issue.create
ENG-2703 · Faster app launch
triage-agent
COMPLETED
188ms
0xb71d…44a8
gh.pr.merge
statis-core#412 · main
release-bot
ESCALATEDapproved · aniket
14m 02s
0xe003…91fc
resend.email.send
Welcome to Statis · 1,204 recips
onboarding-bot
COMPLETED
304ms
0x2ab1…0d77
db.user.delete
user_id 88123 · cascade
support-agent
DENIEDpolicy: pii.user_delete
19ms
slack.post
#incidents · INC-4421
oncall-bot
COMPLETED
256ms
0xc4d0…ee7b
stripe.subscription.cancel
sub_PqL2sN8v · pro · annual
retention-bot
PENDINGawaiting reviewer
vercel.deployment.promote
production · build_8f21
deploy-bot
COMPLETED
1.4s
0x5e8a…b219
notion.page.archive
Q1 OKRs · shared
cleanup-bot
DENIEDpolicy: write.shared
22ms
aws.s3.delete
s3://statis-receipts/2024-12
janitor
DENIEDpolicy: receipt.immutable
11ms
twilio.sms.send
+1•••5183 · OTP
auth-agent
COMPLETED
198ms
0x77fb…aa30
pagerduty.incident.resolve
INC-4421 · sev-2
oncall-bot
COMPLETED
612ms
0x3091…cc4d
§ 05The four facets

One product. Four pieces that compose into trust.

Statis is one platform — but it does four jobs across the agent loop. Each runs independently, each emits a receipt, each falls back gracefully.

compress and redact this promptscrub
user.querycharge $427 to card_4242•••4242
tokens22%
18,4204,112 tokens$0.014 → $0.003
01

Scrub before the model sees it.

Pre-call hygiene runs in-process. Patterns get caught, secrets get redacted, tokens get counted — before a single byte hits the model.

  • Pattern-based prompt-injection detection
  • PII redaction with audit trail
  • Token + cost meter across GPT, Claude, Gemini
policies/refund.yamlv3 matched
match.amount: < 50000
approve: auto
receipt: required
proposeapprovedcompleted
02

Propose. Gate. Then execute.

Every decorated function call is a proposal, not an action. Deterministic policy evaluates it; a distributed lock guarantees exactly-once even on retries.

  • Policy-as-code at the tool boundary
  • Distributed lock — exactly-once across retries
  • Kill-switch fires the moment something drifts
RCPT-000847signed
prev
0x9f4a2b8d…e51f
sha256 · curr
0x3c7e1a9f…a2f0
chain unbroken#847
03

Tamper-evident, by default.

Every decision — approved, denied, kill-switched — emits a SHA-256 receipt linked to the previous one. Verifiable offline. No Statis required to audit later.

  • Per-tenant SHA-256 hash chain
  • Ed25519-signed receipts — verifiable offline
  • SOC 2 / HIPAA / SEC bundle exports on the roadmap
escalations · live1 pending
stripe.subscription.cancelpending
sub_PqL2sN8v · proposed by retention-bot · 2m ago
#oncall-retention · Slack
04

Humans, only when it matters.

When policy can't decide, route to a reviewer. Slack-button approval, signed single-use URL, or the kill-switch — your choice, not your agent's.

  • Slack, email, or signed URL — pick the channel
  • Single-use approval URLs from any device
  • Kill-switch in one click, receipted forever
§ 06The retention mechanic

After the 3rd identical approval, your agent offers you a policy.

The approval page watches the patterns you approve. When you’ve said yes three times to the same action shape in 48 hours, it drafts the YAML rule for you. Two edits, one click — and the 4th is auto-approved.

3manual approvalssame shape · 48h
1graduation eventpolicy drafted
47auto-approvals0 wake-ups · receipted
Mon9:14a
$42approved · you
Tue11:38a
$189approved · you
Wed2:02p
$310approved · you
Thunow
graduation$427
Fri+1d
14autono humans
Sat+2d
22autono humans
Sun+3d
11autono humans
policies/apply_discount.yamldraft · editable
id: apply_discount.under_500
match:
  action_type: apply_discount
  args:
    amount_cents: "< 50000"
    customer.tier: ["free", "starter"]
auto_approve: true
escalate_after: 5 in 60s
receipt: required
2 edits · 1 click · 47 future approvals saved
Every graduation trigger — fired, accepted, dismissed, edited — is logged. You see the policies you’re actually willing to automate, not the ones you imagined writing in a planning doc.
§ 07We run Statis on Statis

Every merge, deploy, and migration on Statis runs through Statis.

The decorator is load-bearing internal infrastructure before it’s a product. Before we asked anyone else to trust an agent with a gate, we put one in front of our own production systems and watched the receipts accumulate.

104
governed actions
GitHub merges · deploys · Alembic migrations
0
incidents
since the first receipt was written
100%
receipted
every decision in an unbroken hash chain
Read the full post →
RCPT-000104gate · approved
live · ours
actiongh.pr.merge
agentrelease-bot · run_a4f2
argsrepo=statis-core · pr=#412
approveraniket@statis.dev
result✓ merged to main · 14m latency
prev0x9f4a2b8d…e51f
curr · sha2560x3c7e1a9f…a2f0
unbroken since RCPT-000001
§ 08In the wild 6 logged

Agents are already doing things they shouldn’t.

A non-exhaustive feed of public incidents. Each one is a place where a propose-gate-receipt loop would have caught the agent before damage was done.

  1. 01Jul 2025Data loss

    Replit AI deleted a production database

    It deleted my entire production database, and there was nothing I could do. I told it twelve times in capital letters: DO NOT MODIFY PRODUCTION.

    Jason Lemkin, founder · 2025Replit incident postmortem
  2. 02May 2025Self-preservation

    Claude attempted blackmail in 84% of test scenarios

    Claude Opus 4 attempted to blackmail the engineer about the affair to prevent being shut down — in 84% of evaluation rollouts.

    Anthropic · system card · May 2025Anthropic Claude 4 system card
  3. 03Jun 2023Fabrication

    Lawyer sanctioned for ChatGPT-fabricated case citations

    Six of the submitted cases appear to be bogus judicial decisions with bogus quotes and bogus internal citations.

    Hon. P. Kevin Castel · S.D.N.Y. · 2023Mata v. Avianca · S.D.N.Y.
  4. 04Apr 2026Data loss

    Coding agent wiped a developer's local database

    The agent ran a 'cleanup' pass during code review. It dropped my local Postgres. No prompt, no confirmation, just gone.

    PocketOS founder · April 2026PocketOS founder write-up
Have one we missed? send it to hello@statis.dev
§ 09From the lab

What we’re writing about while we build it.

Read all posts →
Launch
Apr 27, 20265 min read

One decorator. Your agent asks permission before it touches production.

An AI agent deleted our production Snowflake tables. We built @statis.gate so it can't happen again — to us or anyone else. Four lines of Python. Every destructive action gated, receipted, and graduated to policy.

Read →
Dogfooding
Apr 24, 20264 min read

We run Statis on Statis: 100+ governed actions, 0 incidents

Every CI merge, deploy, release, Linear ticket, and Slack message in this repo goes through our own policy engine. Here's what 20 days of production dogfooding actually looks like.

Read →
§ 10Start in under a minute

Ship the gate today.
Sleep through the night.

pip install statis-ai, drop @statis.gate on the function that scares you, push. The first call in production waits for a human; the next thousand write the receipts your compliance team is going to ask for.

Read the quickstartBook 30 min with a founder
6 steps · install to first receipt · ~3 minutes
Open source · MITPython · PyPIWorks with LangGraph, CrewAI, Anthropic SDK, OpenAI SDK