compileHQ

Product

From authored playbook to enforced skill.

You author what an agent should do. compileHQ compiles it into the least-privilege contract it's allowed to do, then enforces it on every call.

Author

You author the playbook.

The agent's intent and policy, written and reviewed by your team and versioned in source control. You decide what the agent should do; compileHQ governs what it's allowed to.

refund_support.playbook · v3 · authored
intent   Resolve billing exceptions for one
         customer, end to end.
tools    read_text_file · list_directory
         · search_files
segment  customer = {{ run.customer_id }}
review   security + support-ops

Written, reviewed, and owned by your team. Versioned in source control.

Compile

It compiles into a least-privilege skill.

compileHQ derives the enforceable contract from the playbook: the exact tools, and the data segment, the agent is allowed to touch. Standing access: none.

How it's enforced
real-files-parser · v1 · ● active
Agent: customer_a
Segment: /customers/customer_a
Standing access: none

Allowed tools

read_text_file · list_directory · search_files

Every other tool, and every path outside the segment, is denied.

decision: allow 83eff2

Enforce

Every call resolves to a sealed decision.

At runtime, allows and denials are equal citizens. A blocked call says exactly why it was stopped: out of segment, broad tool, or no active skill. The whole chain is sealed.

Tool                      Target                       Decision
read_text_file            customer_a/inbox/source.txt  allow
read_text_file            customer_b/inbox/source.txt  out_of_segment
list_allowed_directories  (global)                     broad_tool_blocked
search_files              customer_a/**                allow
read_text_file            (no active skill)            auth_denied
jit_auth
No standing access. An agent registers for one approved skill per run and receives only that skill's tools. Nothing else is reachable.
segmentation
Every call is checked against the agent's bound segment with path-prefix, equals, or in-set rules. customer_a cannot read customer_b.
broad_handling
Tools with no scopable argument (a global search, list-all) are blocked by default and only allowed with an explicit, logged override.
audit
Every decision, allow or deny, is sealed into a hash-chained trace and exportable as compliance evidence.
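
An added sketch, not compileHQ's code, of the decision order and hash-chained trace described above, run over the rows of the decision table. The dict layout, the `ROOT` mount point, the SHA-256 link format and the `tool_not_allowed` label are assumptions made for illustration.

```python
import hashlib
import json
import posixpath

ROOT = "/customers"  # assumed root that relative targets resolve under
BROAD_TOOLS = {"list_allowed_directories"}  # no scopable argument
GENESIS = "0" * 64

def in_segment(segment, target):
    # Lexical normalisation only (symlinks are not resolved); stops ".." escapes.
    full = posixpath.normpath(posixpath.join(ROOT, target))
    return full == segment or full.startswith(segment.rstrip("/") + "/")

def decide(skill, tool, target, override=False):
    if skill is None:  # nothing registered for this run
        return "auth_denied"
    if tool in BROAD_TOOLS:
        return "allow" if override else "broad_tool_blocked"
    if tool not in skill["tools"]:
        return "tool_not_allowed"  # assumed label, not from the page
    return "allow" if in_segment(skill["segment"], target) else "out_of_segment"

def link(prev, record):
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev + body).encode()).hexdigest()

def seal(trace, record):
    prev = trace[-1]["hash"] if trace else GENESIS
    trace.append({"prev": prev, "record": record, "hash": link(prev, record)})

def verify(trace):
    prev = GENESIS
    for entry in trace:
        if entry["prev"] != prev or entry["hash"] != link(prev, entry["record"]):
            return False  # an edited or reordered entry breaks the link
        prev = entry["hash"]
    return True

SKILL = {"segment": "/customers/customer_a",
         "tools": {"read_text_file", "list_directory", "search_files"}}
CALLS = [  # constructed: the five table rows plus a ".." attempt
    (SKILL, "read_text_file", "customer_a/inbox/source.txt"),
    (SKILL, "read_text_file", "customer_b/inbox/source.txt"),
    (SKILL, "list_allowed_directories", "(global)"),
    (SKILL, "search_files", "customer_a/**"),
    (None, "read_text_file", "customer_a/inbox/source.txt"),
    (SKILL, "read_text_file", "customer_a/../customer_b/inbox/source.txt"),
]

def run(calls):
    trace = []
    for skill, tool, target in calls:
        seal(trace, {"tool": tool, "target": target, "decision": decide(skill, tool, target)})
    return trace
```

Recomputing the links catches edits and reordering but not removal of the newest entries, so the latest hash has to be stored somewhere outside the trace.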

MCP gateway

Runs in your infrastructure.

Point compileHQ at any MCP server, embedded or as a front-proxy. It reads the tool surface, applies your skills and segments, and proxies every call. Self-hostable, with customer-owned skills and an open CLI.

decision: allow 83eff2
✕ out_of_segment: customer_b ∉ customer_a
✕ broad_tool_blocked: list_allowed_directories

See what governed agents look like.