Sevra

Autonomy control for production

Decide what your agents are allowed to touch.

Sevra acts where it is safe, and escalates a complete, reproduced case file where it is not.

Read the thesisSee a real case file
Adjudication ledgerlive
09:42:11 act_7f3
scale web 3 → 6
Allowed
09:42:58 act_7f4
retry webhook batch ×12
Allowed
09:43:30 act_7f5
ALTER users.email → citext
Approve
09:44:02 act_7f6
clear CDN cache /assets/*
Allowed
09:45:09 act_7f8
scale workers 4 → 8
Allowed
09:45:40 act_7f9
refund ch_2x9k → card
case file ready, escalated
Blocked
this run: acted 4 · awaiting 1 · blocked 1

The wedge

A bad pull request gets reverted. A bad action on production is a P0.

An autonomous agent that can act has a blast radius. A wrong restart drops traffic, a wrong migration loses data, a wrong refund moves money. The fix is the easy part. Knowing what the agent should never have touched is the hard part, and it is the part nobody is building.

SAFE · acts freelyELEVATED · gated, needs approvalneeds approvalblocked at the wallPROTECTED · sealed

free where it is safe. gated where it matters. sealed where it cannot be undone.

The mechanic

Autonomy you set, enforced on every action.

You decide how much rope the agent gets. Sevra classifies every action against your risk tiers and holds the line, with no exceptions and no quiet escalation of its own privilege.

TIER 0 · SAFEAllow autonomouslyretries · cache clear · feature flags · log level · scale within budgetTIER 1 · ELEVATEDRequire approvalschema migration · infra scale-out · config rolloutTIER 2 · PROTECTEDNever touch, escalatepayments · auth · customer data · destructive deletesBLOCKED · case file

small and reversible auto-applies. wide or irreversible never does.

The deliverable

Where it is not safe, you get a case file. Not a 3am ping.

When Sevra stops, it does the work a person would dread at 3am. It reproduces the failure as a test, records every fix it tried and why each was rejected, ranks the likely root causes, and maps the blast radius. You approve or deny in one read.

stage 01 · interceptCaught before it runs
action intercepted: pre-flight
ALTER users.email → citext
stage 02 · classifyA risk tier is assigned
safereversible
elevatedrecoverableassigned
protectednever auto
stage 03 · adjudicateBranch on the verdict
safe→ act, logged
elevated · protected→ sandbox
one path is silent. one becomes a case file.
safe
act autonomously
scale workers 4 → 8
acted, logged · no ping
elevated / protectedsandboxreproduces the action
stage 04 · escalateA case file you read in one sittingincident inc_8842 · elevated · awaiting one decision
incident summary
agent held: ALTER users.email → citext on prod
repro
failing path reproduced in sandbox · 3.1sexpect(login).toFail → reproduced
fixes tried · all rejected
  • widen type in placeACCESS EXCLUSIVE lock ~40s
  • dual-write + backfillapp writes not idempotent
  • shadow table swapFK sessions.user_email blocks
ranked root causes
  1. citext recreates the column, not in place
  2. 2.1M rows force a full table rewrite
  3. FK on sessions blocks an online change
blast radius
userssessions~2.1M rows1 FK
one decision
Approve migrationDenyowner approval required

safe is silent. unsafe is a case file you can read in one sitting, not a 3am ping.

Who it is for

Built for lean teams running real agents.

You do not have a 24/7 on-call rotation. You do have an agent you would let act on production, if you trusted the brakes. Sevra is the brakes.

Bring your own agent
A homegrown script, an internal tool, or a frontier coding agent. Sevra wraps anything that can act.
Your risk policy
You define what is safe, what needs approval, and what is never touched. Sevra enforces it on every action.
Vendor-neutral by design
Sevra is the control layer, not another agent. It does not care whose model is driving.

Run your agent with brakes.

Sevra is onboarding a small group of pilot teams. Tell us where your agent acts and we will get you set up.

Prefer to talk first? Email the founders.