Platform Functionality¶

Preloop enables safe, observable, and budget-aware AI automation through a layered approach: start with the Safety Layer for immediate value, then add managed model traffic, runtime observability, and event-driven automation where needed.

Core Value: Control High-Stakes AI Automation¶

The Safety Layer is the fastest way to understand Preloop: place policy enforcement in front of risky tools so AI agents can automate without running unsupervised. But the broader platform also gives you model traffic governance, runtime visibility, budget enforcement, and auditability across agent activity.

Edition notes

Open Source: single-user approvals with email + mobile app notifications.
Enterprise: adds conditional approvals (CEL), team-based approvals (quorum), escalation, and Slack notifications.
Mobile & watch apps: proprietary (not open source) clients that can be used with self-hosted/open-source Preloop deployments.

How It Works¶

Connect your MCP client (Claude Code, Cline, etc.) to Preloop
Proxy your tools through Preloop's MCP server
Add approval workflows to risky operations
Automate with confidence - humans review before execution

Tools Page & Governance UI¶

The Tools page provides a governance-focused UI for managing tool access:

Tree-style tool listing — Tools grouped by source (MCP servers, HTTP, built-in)
Summary statistics panel — Counts by action type, with clickable filters
Access rules — Allow, deny, or require approval per rule, with drag-and-drop reordering
Import/export — Configuration as YAML for version control and backups
Semantic icons — Red x-octagon (deny), blue shield-lock (require approval), green check-circle (allow)

Subject-Scoped Governance¶

Preloop can evaluate governance at more than one scope:

Account defaults provide the broad fallback for tool visibility and model access
Managed-agent scope can narrow the rules for one enrolled desktop or CLI runtime
API-key scope can narrow behavior even further for one token, taking precedence when both key and agent scope are present

This lets one team account expose a broad catalog overall while keeping one specific runtime limited to a smaller set of tools and models.

Managed Agent Onboarding¶

Preloop can discover and onboard existing desktop and CLI agents so teams do not need to start from a blank slate.

Start with preloop agents discover
Discovery can detect local configurations for clients such as OpenClaw, OpenCode, Claude Code, Codex CLI, and Gemini CLI
Managed onboarding can import existing MCP tools and AI model metadata into Preloop when the local configuration can be represented safely
Supported managed rewrites can then point the local runtime at the Preloop Gateway for model traffic and the Preloop Tool Firewall for governed MCP access

This makes Preloop practical as a control plane for the agents your team already uses, instead of requiring a brand-new runtime environment for every workflow.

What You Can Protect¶

Built-in Tools (when trackers are connected): - get_issue - Fetch issue details by URL, key, or ID - create_issue - Create new issues in your tracker - update_issue - Modify issue status, labels, priority, or fields - add_comment - Add comments to issues, pull requests, or merge requests - get_pull_request - Get GitHub PR details - update_pull_request - Update GitHub pull requests - get_merge_request - Get GitLab MR details - update_merge_request - Update GitLab merge requests - search - Search across issues with similarity or fulltext search - estimate_compliance - Estimate compliance metrics for issues - improve_compliance - Get suggestions to improve issue compliance - request_approval - Request standalone approval for any operation

External Tools (from any MCP server): - Deployment tools (deploy_production, rollback) - Database operations (drop_table, migrate_schema) - Infrastructure changes (scale_up, modify_firewall) - Payment processing (pay, refund) - ANY tool from ANY MCP server

Approval Workflow Features¶

1. Conditional Approval with CEL (Enterprise)¶

Require approval based on tool arguments using Common Expression Language (CEL):

# Approve only production deploys
tool: deploy
condition: args.environment == "production"

# Approve payments over $1000
tool: pay
condition: args.amount > 1000

# Approve critical priority changes
tool: update_issue
condition: args.priority == "critical"

2. Team-Based Approval & Quorum (Enterprise)¶

Route approvals to teams and require multiple approvers:

# Any ONE member of SRE team can approve
tool: deploy_production
approvers: [sre_team]
quorum: 1  # Default

# Require TWO database team members to approve
tool: drop_table
approvers: [database_team]
quorum: 2

Quorum examples: - quorum: 1 - Any one approver (default) - quorum: 2 - Need 2 approvers - quorum: 3 - Need 3 approvers (useful for high-risk operations)

If you have 5 team members with quorum: 2, any 2 of the 5 can approve.

3. Escalation Policies (Enterprise)¶

Automatically escalate to higher authority if primary approvers don't respond:

tool: deploy_production
approvers: [sre_team]
timeout: 600  # 10 minutes
escalation:
  enabled: true
  escalate_to: [cto, vp_engineering]
  escalation_delay: 600  # Escalate after 10 minutes

Escalation flow:

Request goes to SRE team
If no response in 10 minutes → escalate to CTO and VP Engineering
CTO or VP can approve or decline
Full escalation chain is audited

4. Notifications¶

Get notified wherever you work:

Email - Instant approval requests in your inbox (Open Source + Enterprise)
Mobile - iOS/Watch app notifications (Open Source + Enterprise; apps are proprietary clients)
Slack - Approve directly from Slack messages (Enterprise)
Mattermost - Team chat integration (Enterprise)
Web Dashboard - Real-time approval queue (Open Source + Enterprise)

5. Full Audit Trail¶

Every approval decision is logged:

Who requested the tool call
What arguments were provided
Who approved or declined
When the decision was made
Whether escalation occurred
The full execution result

Perfect for compliance, security reviews, and post-mortems.

When To Add The Safety Layer¶

Always protect:

Production deployments
Database modifications
Infrastructure changes
Payment processing
Data deletion

Consider protecting:

Status changes to high-priority issues
Bulk operations
External API calls with side effects

Usually safe without extra approval rules:

Read-only operations (get_issue, search)
Development environment changes
Non-sensitive operations

Optional: Event-Driven Automation¶

Beyond the Safety Layer, you can build event-driven flows that respond to events automatically.

Flow Triggers¶

Tracker Events (requires tracker connection):

Issue created, updated, closed
Comment added
Label changed
Status changed
Priority changed

External Webhooks:

Monitoring alerts (Datadog, PagerDuty)
CI/CD events (GitHub Actions, GitLab CI)
Custom webhook payloads
ANY external system

AI Agents for Flows¶

Flows can leverage multiple AI agents:

OpenHands - Full development environment agent
Claude Code - Anthropic's coding agent
Aider - Git-aware coding assistant
Custom agents - Integrate your own

AI Model Gateway for Flows¶

Flows can route model traffic through Preloop instead of sending agents directly to upstream providers.

OpenAI-compatible and Anthropic-compatible ingress let managed runtimes talk to one control plane even when the upstream provider differs
Budget checks and allowed-model enforcement happen before the request leaves Preloop
Usage accounting records token and spend metadata in one shared ledger
Execution-scoped gateway events let operators inspect one flow run in detail

Gateway routing is especially useful when you want centralized visibility, budget controls, and managed runtime authentication instead of distributing provider secrets into each agent runtime.

Runtime Sessions & Managed Agents¶

Preloop separates durable runtime ownership from individual runtime activity:

A managed agent is the durable enrolled identity for a desktop or CLI runtime
A runtime session is the per-session activity record used for current status, recent activity, and operator actions
Gateway usage, tool calls, and audit events can all be tied back to the same runtime principal for later review

Flow Examples¶

Bug triage flow:

Trigger: New issue labeled "bug"
Agent analyzes code and logs
Agent adds reproduction steps
Agent suggests priority (requires approval)
Agent assigns to team

Incident response flow:

Trigger: PagerDuty alert webhook
Agent checks recent deployments
Agent suggests rollback (requires approval)
Agent updates incident tracker
Agent notifies team in Slack

PR review assistant:

Trigger: New pull request
Agent reviews code changes
Agent runs tests
Agent suggests improvements (requires approval to commit)
Agent adds review comments

See Creating Flows for detailed guides.

Optional: Issue Tracker Intelligence¶

When you connect trackers (GitHub, GitLab, Jira), you unlock intelligent curation features:

1. Compliance Metrics¶

Measure and improve issue quality:

Estimate compliance - Check if issues meet "Definition of Ready"
Improve compliance - AI-powered suggestions for missing fields
Track trends - Monitor compliance over time

Example: "75% of issues are missing acceptance criteria"

2. Duplicate Detection¶

Find and merge duplicate issues:

Vector similarity search across issue descriptions
Detect semantic duplicates (not just keyword matches)
Bulk merge or link duplicates

Example: "Issue #123 is 94% similar to #87"

3. Dependency Mapping¶

Discover hidden dependencies:

Parse issue descriptions for references
Build dependency graphs
Identify blocking relationships
Suggest missing links

Example: "Issue #45 references #12 but has no dependency link"

Built-in Tools¶

When trackers are connected, these tools become available:

get_issue(issue) - Fetch issue details by URL, key, or ID
create_issue(project, title, description, ...) - Create new issue
update_issue(issue, title, description, status, ...) - Modify issue
add_comment(target, comment) - Add comment to issue/PR/MR
get_pull_request(pull_request) - Get GitHub PR details
update_pull_request(pull_request, ...) - Update GitHub PR
get_merge_request(merge_request) - Get GitLab MR details
update_merge_request(merge_request, ...) - Update GitLab MR
search(query, project, limit) - Search issues with similarity/fulltext
estimate_compliance(issues, compliance_metric) - Estimate compliance scores
improve_compliance(issues, compliance_metric) - Get compliance suggestions
request_approval(operation, context, reasoning) - Request standalone approval

Important: These built-in tools only appear to MCP clients when at least one tracker is connected.

Mobile Apps¶

Approve from anywhere with the Preloop mobile apps:

iOS & Apple Watch¶

✅ Available Now on the App Store

Instant push notifications for approval requests
One-tap approve or decline
Full request details and context
Apple Watch support - approve from your wrist
Biometric authentication (Face ID / Touch ID)

Android¶

✅ Available on Google Play

How It All Fits Together¶

graph TD
    A[MCP Client:
 Claude Code, Cline, etc.] -->|Uses tools via MCP| B[Preloop
 MCP Proxy Server]
    A2[Managed Agent / Flow Runtime] -->|Uses model gateway + MCP| P[Preloop Control Plane]
    B -->|Tool call| C{Prelooped?}
    C -->|No| D[Execute immediately]
    C -->|Yes| E[Approval Request]
    E -->|Notify via| F[Email / Mobile / Slack]
    F -->|Human decides| G{Approved?}
    G -->|Yes| H[Execute tool]
    G -->|No| I[Reject & log]
    G -->|Timeout| J[Escalate to higher authority]

    K[External Event:
 Webhook, Tracker] -->|Triggers| L[Automation Flow]
    L -->|AI Agent analyzes| M[Flow uses tools]
    M -->|Risky operation| E
    L -->|Uses managed model access| P
    P -->|Budget + policy checks| Q[Model Gateway]
    Q -->|Approved model traffic| R[Upstream AI Provider]
    P -->|Records usage + events| S[Usage Ledger / Runtime Sessions / Audit]

    N[Issue Tracker:
 GitHub, GitLab, Jira] -.->|Connected| B
    N -.->|Provides| O[Built-in Tools
 create_issue, etc.]

    style B fill:#4CAF50
    style P fill:#4CAF50
    style E fill:#FF9800
    style G fill:#2196F3

Key takeaway: The Safety Layer works independently. Flows and tracker intelligence are powerful add-ons, not prerequisites.

What's Next?¶

Start with the core value:

Quick Start: Preloop Your First Tool → (10 minutes)
Safety Layer & Access Rules → (5 min read)

Then explore optional features:

Event-Driven Flows →

Or dive into advanced approval features: