How it works
When a guarded tool is about to run, the adapter captures the action and sends it to the scoring engine. The engine returns a score; your threshold and mode decide what happens next.
What gets captured
Everything that helps judge risk is captured fresh, at call time — nothing is configured statically:
- tool name — which capability is being invoked
- tool arguments — where the danger lives (
DELETEvsSELECT,adminvsviewer), filled in by the model at runtime - instructions — the agent's live mandate (its system prompt for this run). Risk is largely the mismatch between the action and the mandate.
- conversation history — recent turns, to catch prompt-injection and off-intent actions
- available tools, agent name, and framework runtime context
What comes back
A single risk score from 0.0 (safe) to 10.0 (dangerous) and a confidence (0–1). That's it — Kelhe deliberately does not expose which internal dimensions contributed or how they were weighted. You get the number and set the threshold.
The same action scores differently in different context. A DELETE under
"clean up old data" and the same DELETE under "summarize sales" are not the
same risk — the engine reads the mandate, not just the call.
Next: Observe & Enforce modes.