LIVE DEMO. FOUR GOVERNANCE LAYERS, REAL TIME, SIX MINUTES.

A CTO evaluating governance infrastructure wants to see it run before committing an engineer to an evaluation. The video below is a recorded session of the production binary, not a mock and not a marketing animation. Six minutes is how long a cold start takes from first boot to the first denied tool call. Anything shorter would skip the boot sequence a security reviewer cares about.

There is nothing to install to watch. A CISO can forward the link to their audit team without handing out credentials or asking anyone to clone a repository. The reviewer sees what an operator will see on day one. Same enforcement layers, same audit rows, same binary you own after deployment.

A demo that only shows the happy path proves nothing. In the walkthrough, an admin-scope agent calls an MCP tool and the call is permitted. A user-scope agent calls the same tool and the request is refused before any handler runs. The denial is not a dashboard after the fact. It is the request-path gate refusing to dispatch, so an auditor watching the video can see the decision made in-process rather than logged after a breach.

The governance pass the agent walks through is the same one documented on the governance-pipeline feature page. A permission check compares the caller to the tool. A credential scan inspects the tool inputs for AWS keys, GitHub tokens, PEM private keys, and API secrets, so a prompt injection that tries to exfiltrate a key into an outbound request never leaves the box. A per-caller rate check refuses bursts sized to catch runaway agent loops without throttling normal work. Every outcome, allow or deny, writes one row to the audit table the demo queries live at the end.

The walkthrough includes the query. A CISO asking "can I prove this in an audit?" sees the answer on screen. A SQL query over the audit table returns the allow and deny rows with agent identity, tool name, reason, and timestamp, in the same shape a SIEM would ingest.

A staff engineer watching the demo asks two questions. Can I reproduce this on my laptop without a cloud account, and is the binary in the video the binary I deploy? Both answers are yes. The walkthrough runs the same compiled artifact that ships to production, with no demo-mode flag, no feature gate, and no hosted control plane holding the governance rules somewhere else.

Horizontal scale comes from the fact that authentication is a signed JWT read on every request, so a replica added behind a load balancer inherits the governance rules without a session store, a sticky balancer, or a shared cache. A CTO asking whether this replaces what their platform team is currently sketching gets the build-vs-buy answer here. One process owns identity, policy, audit, and MCP lifecycle, so the alternative is four services to ship and upgrade.

Self-hosted means self-controlled. The binary runs inside your perimeter. Air-gap deployment is supported because there is no phone-home and no outbound dependency beyond the database. An auditor running a network egress check against the running process sees nothing leaving the box. The audit rows, the governance decisions, and the secrets resolution all stay in your environment.