A refund only after the customer record was verified. Egress only after a safety scan ran. Kynara makes workflow order a policy condition — evaluated deterministically, outside the model, against the session's tamper-evident history.
Agents don't just make bad calls — manipulated agents skip steps. A prompt-injected
support agent jumps straight to payments.refund.issue without ever reading the customer
record. Every step looked individually authorized; the sequence was the exploit. The
OWASP AI Exchange #OVERSIGHT control
names this and prescribes "rule-based sanity checks during steps."
preceded_byOne condition in a Kynara policy makes ordering enforceable:
{
"op": "and",
"args": [
{ "op": "preceded_by", "args": ["crm.contacts.read", 30] },
{ "op": "lte", "args": ["ctx.resource.attrs.amount_cents", 10000] }
]
}
This allows a refund only if the same agent was allowed a
crm.contacts.read within the last 30 minutes of the same session
(context.session_id). Patterns support globs (kyc.check.*).
No session, no history — fail-closed.
require_approval, out-of-order attempts pause for a human instead of failing silently.You can hard-code step order into one agent's graph. But the rule then lives in that agent's code, invisible to security, different in the next agent, and gone after a refactor. As a Kynara policy it's centralized, versioned, applies to every framework (LangChain, CrewAI, MCP, raw SDK), and every violation lands in the audit chain.
Free plan: 3 seats, 10k decisions/month. One decorator or one MCP gateway URL to integrate.