Blast-radius containment for AI agents

Let your agent run.
Undo the mistakes.

Every action your agent takes is contained — the reversible ones roll back against your backend’s own state, the irreversible ones wait for your yes. Put agents on prod, payments, and customer data — without the fear.

$pip install pherix Watch the demos → Get started

Watch it in action.

An agent calls a tool and the effect just happens — a wiped table, a wrong payment, a clobbered file. That’s your blast radius, and nothing is holding it: no undo, no approval, no record. Pherix makes it contained, not catastrophic.

undo.py reversible

TABLE WIPED RESTORED ✓

Undo · wipe → snap back

The agent deletes the whole table. Pherix rolls it back to the exact prior state.

gate.py irreversible

charge $48,000 HELD APPROVED ✓

Gate · held for a human

A charge can’t be un-sent — so it waits at the line until you approve it.

policy.py capability

DROP TABLE users DENIED

Policy · only what you allow

Out-of-bounds calls never run — the agent stays inside the capabilities you grant.

isolation.py concurrent

row 142 A B B WAITS

Isolation · no clobbering

Two agents, one row. Pherix serialises them so neither corrupts the other.

lineage.py journal

> write users ok > charge $48k held > delete rows undone > email sent ok

Lineage · every move on record

An append-only journal: what ran, what was held, what was undone, and why.

§ 02 What you get

The one thing, two mechanisms.

01 Contain reversible

Contain the reversible

DB and file writes roll back through the backend’s own savepoints. Exact, not best-effort.

02 Hold irreversible

Hold the irreversible

A charge or an email can’t be un-sent, so it waits for a human’s yes before it fires.

03 the proof

On the record

Every action journalled: what ran, what was held, what was undone, and why. The proof, kept subordinate.

Where you’d reach for it.

3.1

Regulated data

Agents on customer & financial records; legal-hold rows can’t be deleted, every change audited.

3.2

Payments & money movement

Money moves only on human sign-off; a refund is its registered undo.

3.3

Production systems

Prod write access without the fear; a bad change rolls back to the exact prior state.

And what it’s not

× not this

Not durable execution

Temporal replays your code; Pherix transacts your resources.

× not this

Not observability

LangSmith / Langfuse watch; Pherix contains.

× not this

Not an agent framework

It wraps the tool calls of an agent you already have.

Set it up.

A library you pip install and wrap your agent’s tool layer with — your loop and model unchanged. Self-hosted, no telemetry. It makes the agent’s actions behave like a database transaction.

agent.py PYTHON

# wrap the tool, run inside a transaction
@tool
def delete_user(uid):
    db.execute("DELETE FROM users WHERE id = ?", uid)

with agent_txn() as txn:
    agent.run(task)              # tool calls journalled
    if txn.flagged:
        txn.rollback()         # exact prior state, restored