The non-negotiable rule
The safety spine is never for sale.
The audit log, the single side-effect gate, human-in-the-loop approvals and briefs,
segregation of duties, spend caps, receipts, the global pause, and the security floor of
tenant isolation, encrypted credentials and secret redaction. These are the product's core
trust promise, not an upsell. They are never gated behind a paid tier, and you can
always export your own audit data, in a documented format, at no cost.
Our test for every future feature: “Would removing it weaken the safety of a
self-hosted deployment, or the owner's ability to verify what the system did and why?”
If yes, it's open, free, and never gated. No exceptions.