Seshat sits between your agent and your system at the MCP tier. You write permissions in plain English — permit what it should do, forbid what it shouldn't. Every action, allowed or denied, gets a tamper-proof hash-chained receipt.
Plain-English rules on actor, action, scope. Checked at the MCP tier before anything runs. A forbid always wins.
liminate-mcp — let your agent help draft them. pip install liminate-mcp
A verification contract checks the environment after each permitted action. Deterministic. No LLM in the loop.
liminate-invariant — the correction harness underneath. pip install liminate-invariant
SHA-256 hash-chained receipts in ~/.seshat/. Tamper with one and verify catches it. Sync to the cloud, or don't.
Not a sandbox. Not a prompt wrapper. A governance layer with a receipt chain.
She measured the foundation before anything was built.