if(role==="admin") spaghetti. Add a new role tomorrow — every reader sees it.
Stop giving AI agents API keys. Give them a domain.
Fold is the runtime layer where an AI agent knows what it can do, why it can’t, and what happens if it tries — before the call, not after the database is gone.
On April 25 2026 a Cursor agent powered by Claude Opus 4.6, working on a credential mismatch in PocketOS staging, found an unrelated API token, decided to delete a Railway volume to fix things, and wiped the production database and all volume-level backups in 9 seconds. The agent’s own post-mortem: “I guessed that deleting a staging volume via the API would be scoped to staging only. I didn’t verify. I didn’t check if the volume ID was shared across environments.” 30-hour outage. PocketOS rolled back to a 3-month-old backup. This isn’t an alignment problem. The system never told the agent what it was allowed to do, why it shouldn’t, or what would happen if it tried. Fold is the layer that does.
The Register · FastCompany · OECD AI Incident #6153
Three real scripts. Real HTTP. Verbatim terminal.
Three properties, one declarative artifact.
No code-gen. No middleware to maintain. Author the IDF artifact once — every reader (UI, voice, agent, document) sees the same domain.
{ error, reason, failedCheck, details }. Not “Internal Server Error.” Not a string. A JSON shape the LLM can read and adapt to. Agent scales the order down, retries, succeeds.
__irr.point="high" and the runtime blocks α:remove on anything past it. Forward-correction only. By construction, not by guardrail. Cursor-style “agent decided to delete production” becomes unreachable.
A rogue agent walks into a runtime.
Verbatim output from npm run demo:rogue in the quickstart. Agent tries a $50,000 BTC long without preapproval.
Without Fold: a 200 OK. Position created. $50,000 of someone else’s money moved before any human saw it.
With Fold: the runtime rejected the call declaratively, with a structured failedCheck the agent can reason about. See Act 3 →
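The structured rejection described above, sketched as an added example: this is not Fold's code or API, and the intent name, check ids, `authorize`, `placeWithAdaptation` and the $10,000 preapproved limit are hypothetical. Only the `{ error, reason, failedCheck, details }` shape and the $50,000 request come from the page.

```javascript
// Added illustration, not Fold's code or API; every name here is hypothetical.
// Preconditions are declared as data, so each check has an id the caller can read.
const INTENTS = {
  open_position: [
    { id: "positive_notional", reason: "notional must be positive",
      test: (p) => Number.isFinite(p.notionalUsd) && p.notionalUsd > 0 },
    { id: "within_preapproved_limit", reason: "order exceeds the preapproved amount",
      test: (p, ctx) => p.notionalUsd <= ctx.preapprovedUsd,
      details: (p, ctx) => ({ requestedUsd: p.notionalUsd, maxUsd: ctx.preapprovedUsd }) },
  ],
};

// Runs before any side effect. Undeclared intents are denied; Object.hasOwn keeps
// inherited keys such as "constructor" from being treated as declared intents.
function authorize(intent, params, ctx) {
  if (!Object.hasOwn(INTENTS, intent)) {
    return { error: "rejected", reason: "intent is not declared",
             failedCheck: "intent_declared", details: { intent } };
  }
  for (const check of INTENTS[intent]) {
    if (!check.test(params, ctx)) {
      return { error: "rejected", reason: check.reason, failedCheck: check.id,
               details: check.details ? check.details(params, ctx) : {} };
    }
  }
  return { ok: true };
}

// Agent side: branch on failedCheck (not on a message string), scale down once, retry.
function placeWithAdaptation(params, ctx) {
  const attempts = [];
  let current = { ...params };
  for (let i = 0; i < 2; i++) {
    const verdict = authorize("open_position", current, ctx);
    attempts.push({ notionalUsd: current.notionalUsd, verdict });
    if (verdict.ok || verdict.failedCheck !== "within_preapproved_limit") break;
    current = { ...current, notionalUsd: verdict.details.maxUsd };
  }
  return attempts;
}

// Constructed input: the page's $50,000 BTC long against an assumed $10,000 limit.
const attempts = placeWithAdaptation(
  { asset: "BTC", side: "long", notionalUsd: 50000 }, { preapprovedUsd: 10000 });
console.log(JSON.stringify(attempts, null, 2));
```

The retry is capped at one adaptation, so a rejection the agent cannot satisfy ends the loop instead of being probed repeatedly.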
How is this different from…
Fold doesn’t replace these layers. It is the missing one.
| | Frameworks (LangChain · CrewAI · Mastra) | Auth (Permit · Okta · Cerbos) | Guardrails (Lakera · NeMo) | Fold |
|---|---|---|---|---|
| Defines what the agent can call | ✓ | — | — | ✓ |
| Defines who the agent is (identity) | — | ✓ | — | ✓ |
| Filters what the agent says (output) | — | — | ✓ | — |
| Defines what the agent can do in your business and why | — | — | — | ✓ |
| Open source, embeddable | partial | partial | partial | ✓ · BSL+MIT |
Docker compose · npm install · three demos.
Prereqs: Docker Desktop and Node 20+. The image bundles the runtime and bootstraps the invest demo domain on first start — no two-repo dance, no absolute paths.
You’re an AI engineer who’s past the “agent demo in a Jupyter notebook” phase. Your agent is going to touch a real system soon. You’ve read the PocketOS post-mortem, the Amazon Kiro 13-hour outage write-up, the Cursor-deletes-Replit-database thread. You don’t want guardrails. You want the system itself to refuse the wrong action.
This is for you.
If you’re trying to build “a chatbot that summarises PDFs,” this isn’t that. Try LangChain, Vercel AI SDK, or Anthropic’s SDK directly.
Open source. npm install. No waitlist.
BSL 1.1 on the runtime, MIT on mcp-server, quickstart, importers. Use it on your own machine, in your own stack, on your own clock.