Why this matters
The goal is not another dashboard or another chatbot. The goal is an evidence-backed execution layer that knows what the company meant, what the team is doing, and what needs approval before agents act.
Meetings, tickets, GitHub, Slack, Notion, support, emails, and customer calls all hold different pieces of the truth. AI cannot reason well when the evidence is fragmented.
JAK starts with source-labeled artifacts and graph entities, so agents work from cited company evidence instead of vibes.
Roadmaps often say one thing, customer pain says another, and code activity can quietly move in a third direction. That gap is where teams waste sprints.
JAK compares signals, decisions, tasks, specs, and code-change evidence, then flags drift before it becomes expensive.
A system that can create specs, touch code, send messages, or operate tools must show evidence, ask approval, and leave a record.
JAK Shield puts risky tool calls behind permissions, approvals, sandboxing, risk scoring, defensive review, and tamper-evident audit trails.
The YC wedge
JAK is not claiming to be a finished all-company AI OS today. The honest beta wedge is sharper: make product and engineering context legible to AI, detect drift, generate executable specs, and gate action through JAK Shield.
Company memory
JAK stores source-labeled artifacts from docs, tickets, code, meetings, customer calls, support, Slack, Notion, Linear/Jira, GitHub, Gmail, or manual notes. It then extracts decisions, tasks, risks, owners, deadlines, customer signals, and code changes with citations.
Execution drift
The alignment engine looks for customer pain without matching work, decisions that never became tasks, execution that has no supporting decision, and stale high-priority tasks. It is a deterministic comparator, not a vague LLM opinion.
Agent-executable specs
When drift is found, JAK can generate an OpenAI-backed execution spec with objective, scope, acceptance criteria, test plan, agent task plan, approval gates, and cited evidence. A reviewer approves or rejects it before the team treats it as executable.
How It Works
Every JAK workflow runs the same pipeline. You see every step. You gate every risky one. You can replay every run.
You type a task in plain English. No syntax, no flags, no special prompt format.
commander.parses(intent)JAK breaks the task into ordered steps you can review before anything runs.
planner.decompose() → 4 stepsEach step goes to the right specialist agent — research, content, code, ops, design.
router.assign(task → CMO / CTO / Research)Specialists run with your connected tools — Gmail, Slack, GitHub, Notion, the browser.
worker.run() · live in cockpitAnything risky pauses for you. Inline card shows tool, payload, files, expected result.
approval.gate(payload-bound)JAK checks the work — citations, tone, safety, hallucination, payload integrity.
verifier.check() · 4-layerFinal output, signed audit trail, replayable run. Ready to ship — or reuse next time.
output.deliver() · audit.signedThe Cockpit
Your command on the left. The agent graph in the middle. The approval card and the result on the right. The audit on the bottom. One place to run, gate, and prove the work.
Your command
Compare customer feedback with this sprint and generate the execution spec
sent 12s ago · workflow #847
Recent runs
Agent graph · live
4/5 done · 1 running“Objective: reduce onboarding drop-off. Evidence: customer calls and GitHub issues. Acceptance criteria: guided import, empty-state copy, Playwright regression, rollout approval…”
What JAK actually ships
Every workflow should end in something concrete: a drift brief, an execution spec, a QA report, or an audit pack. Approval-gated where it matters, signed where it’s required, reversible where it’s risky.
Compares customer signals, decisions, tasks, specs, and code-change evidence, then explains where execution is drifting from intent.
Turns a drift finding or selected entities into a spec with objective, acceptance criteria, test plan, agent task plan, approval gates, and evidence citations.
“Fix onboarding activation gap with guided import, empty-state copy, and regression coverage.”
Uses browser automation to inspect pages, capture evidence, and report issues with source-file pointers or sandbox-only fixes when the repo is available.
Every workflow step can land in a tamper-evident audit log. When an enterprise asks, JAK exports a HMAC-SHA256-signed evidence bundle that verifies byte-for-byte. Compliance controls are seeded; not all are automatically evidenced.
Trust Layer
Six guarantees, every one wired into the runtime. Not policies. Not promises. Code paths reviewers can grep.
Every external action — send, post, deploy, charge — pauses for an inline approval card. Replays with a different payload are rejected.
approval-node.ts · payload-bound
Research-class agents must cite. The verifier flags any claim under the citation-density threshold before delivery.
verifier.agent.ts · density ≥ 0.7
Every tool carries an honest CI-enforced label: real, heuristic, llm_passthrough, config_dependent, or experimental. No tool ships unlabeled.
check:truth · 122 / 0 unclassified
Every workflow run, every approval decision, every external action emits an audit log row. Final evidence packs are HMAC-SHA256 signed.
audit-log plugin · bundle.service.ts
JAK is MIT-licensed. Run it on your laptop, your VPS, or your cluster. Hosted ops are a convenience, not a lock-in.
github.com/inbharatai/jak-swarm · MIT
JAK is OpenAI-only for model execution, with GPT-5.5/5.4-family tier routing and Responses API support for structured orchestration. No alternate LLM provider fallback is used.
openai-runtime.ts · provider-router.ts
JAK Shield
Before an agent touches your code, browser, files, email, GitHub, or business tools, JAK Shield checks permissions, scores risk, blocks unsafe actions, asks for approval where needed, and records every step in a tamper-evident evidence bundle.
Detects prompt-injection attacks and offensive-cyber requests (malware, exploits, credential theft, unauthorized scanning, phishing) BEFORE the LLM sees them. Defensive security work — audit my repo, harden auth, find CVEs — passes through.
packages/security/src/guardrails/offensive-cyber-detector.ts
Every tool call is classified across 6 risk tiers — READ_ONLY through CRITICAL_MANUAL_ONLY. Risky calls pause the workflow. Approval is bound to the exact payload via a SHA-256 hash; replays with modified payloads are rejected with HTTP 409.
packages/tools/src/registry/approval-policy.ts
Per-tenant tool registry + industry-pack restrictions + Standing Orders (allowed-tools whitelist + blocked-actions list + budget cap + expiry). REVIEWER+ role required to install or run anything destructive.
packages/tools/src/registry/tenant-tool-registry.ts
Browser sessions in per-tenant data dirs (500 MB quota), URL allowlist with cloud-metadata + RFC1918 + IPv6 link-local blocked, DNS-rebinding defense on every navigation, downloads disabled. Installer runs in a sandboxed subprocess with literal argv (never shell:true), 60s timeout, stripped env.
packages/tools/src/browser-operator/playwright-browser-operator.ts
JAK Shield supports defensive security work — repo audits, dependency scans, secret-leak detection, patch recommendations. Offensive work (writing exploits, generating malware, phishing kits) is blocked at the boundary.
docs/jak-shield-manifest.md
Every workflow lifecycle event lands in AuditLog. AgentTrace fields are PII-redacted at write time. workflows.{goal,error,finalOutput,planJson,stateJson} are AES-256-GCM encrypted at rest. Final evidence bundles are HMAC-SHA256 signed and verify byte-for-byte.
apps/api/src/services/bundle.service.ts
Safety boundary
JAK Shield is built for defensive security, safe automation, permissioned workflows, and audit-ready agent execution. It does not support offensive hacking, malware generation, credential theft, phishing, unauthorized scanning, or exploit generation. Defensive work is allowed. Offensive work is refused.
When you need audit-grade
You don’t need to think about SOC 2 on day one. Every workflow JAK runs is already tamper-evident, signed, and replayable — so when an enterprise customer asks, the evidence is already there.
182 controls seeded across three frameworks — 108 are operationally backed (evidence pulled from system activity) and 74 require reviewer attestation. LLM-driven control testing, reviewer-gated workpaper PDFs, HMAC-signed final evidence packs.
Open Audit WorkspacePricing
Run JAK free on your own infrastructure, forever. Upgrade when you want hosted OpenAI ops, higher limits, and SLA.
Run JAK on your own machine, forever.
Hosted runtime, OpenAI managed, approvals built in.
Higher limits and priority model access for teams.
SSO, audit exports, and dedicated deployment.
Start with the honest beta wedge: company evidence, drift detection, executable specs, approval gates, and audit trails. Open-source core. Self-hostable. OpenAI-first runtime.
Free to start · No credit card · MIT licensed · Self-host or cloud