Safe water for AI agents.
Your claw needs safe water. Seawater governs what agents do — files, shell, network, credentials, messages, and inference — with earned authority, architectural airgap, and execution quality of service. Compiled daemon. Zero runtime dependencies. One process, all agents.
Everybody built the claw. Nobody checked the water.
Agent frameworks solved orchestration. They did not solve what happens when an agent opens a file, runs a shell command, posts to an API, or asks a model to think. Those actions reach into the real world with the agent's trust level — usually "whatever the developer configured," usually "a lot."
Prompt-level guardrails are advisory. In-process middleware runs in the same memory space as the agent that's trying to misbehave. Policy engines that are configurable at runtime are bypassable at runtime. The governance layer has to live outside the agent — in a different process, with a different memory space, enforcing rules that cannot be disabled.
Seawater is that layer. Morey, its flagship, is a compiled Rust daemon. Agents connect over a Unix domain socket. Every filesystem read, every shell command, every network request, every inference call passes through Morey before it reaches the OS or the model. The decisions are logged, the trust is earned, and the dangerous code paths do not exist in the free binary at all.
Everything an agent does, governed the same way.
Regardless of framework, agents interact with the world in six ways. Seawater governs each one with the same primitive, the same policy engine, the same audit trail.
Safe and stable water — with current control.
Morey governs not only what an agent may do, but the quality of the execution environment it earns. A CRITICAL-tier agent handling a financial transaction gets a deterministic serving path, a high-confidence model, and replay-friendly settings. A LOW-tier agent doing exploratory research gets the cheaper, higher-variance path.
The conduct engine's batting average determines which execution quality you've earned. Determinism is a governable property, not a fixed attribute of the model — and governing it is a natural extension of consequence-tier gating.
Governance is a layer question.
Everyone is building something. The question is where it runs.
| | Morey | App middleware | Framework plugins |
|---|---|---|---|
| Layer | OS-level daemon (separate process) | In-process | In-process |
| Enforcement | Structural (code paths absent) | Policy (configurable, bypassable) | Advisory (disableable) |
| Trust model | Earned over time | Declared at deploy | None |
| Learning | Correction-driven (conduct engine) | Static | Static |
| Audit | Cryptographic decision frames | Log-based | Log-based |
| Execution quality | Earned (model, determinism, cost) | None | None |
One command. Immediate value.
Before you connect any agent, morey scan audits your environment for world-readable credentials, exposed API keys in shell history, and weak file permissions. Free. No configuration.
```
$ brew install equilateral-ai/tap/morey
$ morey scan
🔍 Scanning environment...
⚠️ ~/.aws/config: world-readable (644) — should be 600
⚠️ ~/.ssh/id_rsa: group-readable (640) — should be 600
✓ No API keys found in shell history
✓ No credentials in environment variables
2 issues found. Run morey scan --fix to remediate.
```
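The permission findings in the sample output above can be reproduced with a short Python check. This is an added example, not Morey's implementation: the labels, their precedence, and the 600/700 targets for files and directories are assumptions, and the files it checks are constructed in a temporary directory.

```python
import os
import stat
import tempfile

# Labels follow the wording of the sample output; the precedence order is an assumption.
_CHECKS = [
    (stat.S_IWOTH, "world-writable"),
    (stat.S_IROTH, "world-readable"),
    (stat.S_IWGRP, "group-writable"),
    (stat.S_IRGRP, "group-readable"),
]

def audit_path(path):
    """Return (path, mode, label, expected) if group/other bits are set, else None."""
    try:
        st = os.stat(path)  # follows symlinks: the target's mode is what protects the secret
    except OSError:
        return None  # missing or inaccessible path: nothing to report
    perms = stat.S_IMODE(st.st_mode)
    if perms & 0o077 == 0:
        return None  # owner-only already
    expected = 0o700 if stat.S_ISDIR(st.st_mode) else 0o600
    label = next((name for bit, name in _CHECKS if perms & bit), "group/other access")
    return (path, format(perms, "o"), label, format(expected, "o"))

def audit(paths):
    """Audit every path (with ~ expanded) and keep only the findings."""
    findings = [audit_path(os.path.expanduser(p)) for p in paths]
    return [f for f in findings if f]

def demo():
    """Create constructed sample files with known modes and audit them."""
    samples = {"config": 0o644, "id_rsa": 0o640, "token": 0o600}
    with tempfile.TemporaryDirectory() as d:
        for name, mode in samples.items():
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write("constructed sample, not a real credential\n")
            os.chmod(p, mode)  # chmod is not affected by the umask
        found = audit(os.path.join(d, n) for n in samples)
        return [(os.path.basename(p), m, label, e) for p, m, label, e in found]

if __name__ == "__main__":
    for name, mode, label, expected in demo():
        print(f"{name}: {label} ({mode}), should be {expected}")
```

To check real locations, pass paths such as `~/.aws/config` or `~/.ssh/id_rsa` to `audit()`.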
Establishing the vocabulary.
- Week 1: MMX-CLI + Routines: multimodal agents on a cron, no human present, no governance layer. The concrete scenario the industry is sleepwalking into. (Live)
- Week 2: Generalizing from multimodal to the full governance question. Why prompt-level guardrails aren't a boundary. (Soon)
- Week 3: Trust is a demonstrated property, not a declared one. The conduct engine pattern. (Soon)