The silent guardian of the reef.
A compiled Rust governance daemon. 15 crates, ~5MB static binary, zero runtime dependencies. Any agent framework that can open a Unix socket can be governed — without changing its orchestration layer.
Governance runs in a different process.
The agent framework stays untouched. The SDK intercepts at the tool execution layer and forwards every capability request to Morey over a Unix domain socket with MessagePack framing. Morey classifies trust, evaluates policy, enforces sandbox boundaries, captures a decision frame, and returns a grant-or-deny.
Because Morey is a different process with a different memory space, an agent that gets prompt-injected cannot reach into Morey's code to disable it. Because the dangerous code paths do not exist in the free binary at all — excluded at compile time — there is nothing to disable even if you could.
```
Agent Process (any language)
│
├── SDK wraps tool calls
│   └── agent.fs.read("/etc/config") → FsRequest over IPC
│
├── morey.sock (Unix domain socket, MessagePack)
│
└── Morey Daemon (separate PID)
    ├── Trust classification
    ├── Policy evaluation (Cedar, Pro)
    ├── Sandbox enforcement (4 tiers)
    ├── Decision frame captured (Pro)
    └── Audit log + Insights
```
Every way an agent touches the outside world.
Morey governs six request types. Any framework, any language — the protocol is the same.
The water is safe and stable.
Determinism is not a fixed attribute of a model. Inference can be run-to-run deterministic for a fixed request set yet still appear nondeterministic, because when the serving path is not batch-invariant the outputs depend on batch composition and batching strategy. This means determinism is a governable property.
Morey's EQoS layer routes InferenceRequest through an execution profile resolved from the agent's consequence tier, conduct history, and task criticality. A CRITICAL-tier agent earns a deterministic serving path and a replay-friendly model configuration. A LOW-tier exploratory agent gets the cheaper, higher-variance path.
What makes Morey structurally different.
Daemon model
Separate PID, separate memory space. Process-level isolation. An agent cannot unload Morey by asking nicely.
Architectural airgap
For UNKNOWN-trust agents, the code path that can reach the filesystem does not exist. Not runtime-gated. Not present.
Earned authority
New agents start with minimum access. Trust increases only after demonstrated correct behavior. Regression triggers automatic de-escalation.
Correction-originated policy
Human corrections become policy. Every time a user says "no, don't," Morey captures the pattern and applies it across future decisions.
Compiled non-configurable rules
Six rules are baked into the binary. Not configurable. Not overridable. Not even if you're Enterprise.
Consequence-tier gating
CRITICAL / HIGH / MEDIUM / LOW operations get different trust thresholds, different audit retention, different replay guarantees.
Execution Quality of Service
Inference routing, determinism tier, and cost ceiling allocated by conduct history. Nobody else connects conduct to inference routing.
Cryptographic decision frames
Every decision is captured with signed provenance. Replayable. Inspectable. Exportable as certification evidence.
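The earned-authority and consequence-tier gating items above, written out as a small state machine. This is an added example, not Morey's code; the four trust levels, the streak of three, and the tier-to-trust mapping are assumptions chosen for illustration.

```rust
// Added illustration, not Morey's source; levels and thresholds are assumptions.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub enum Trust { Unknown, Probation, Established, Trusted }

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum Tier { Low, Medium, High, Critical }

const LADDER: [Trust; 4] = [Trust::Unknown, Trust::Probation, Trust::Established, Trust::Trusted];
const PROMOTE_AFTER: u32 = 3; // consecutive correct actions per promotion (assumed)

// Minimum trust each consequence tier demands (assumed mapping).
pub fn required(tier: Tier) -> Trust {
    match tier {
        Tier::Low => Trust::Unknown,
        Tier::Medium => Trust::Probation,
        Tier::High => Trust::Established,
        Tier::Critical => Trust::Trusted,
    }
}

pub struct Conduct { pub level: Trust, streak: u32 }

impl Conduct {
    // New agents start with minimum access.
    pub fn new() -> Self { Conduct { level: Trust::Unknown, streak: 0 } }

    // One audited outcome: a full streak promotes one level; any regression
    // de-escalates one level immediately and resets the streak.
    pub fn record(&mut self, correct: bool) {
        let i = self.level as usize;
        if !correct {
            self.level = LADDER[i.saturating_sub(1)];
            self.streak = 0;
        } else {
            self.streak += 1;
            if self.streak == PROMOTE_AFTER {
                self.level = LADDER[(i + 1).min(LADDER.len() - 1)];
                self.streak = 0;
            }
        }
    }

    pub fn permits(&self, tier: Tier) -> bool { self.level >= required(tier) }
}

fn main() {
    let mut c = Conduct::new();
    for ok in [true, true, true, true, true, true, false] { c.record(ok); }
    println!("{:?}: high={} medium={}", c.level, c.permits(Tier::High), c.permits(Tier::Medium));
}
```

The asymmetry is the point: authority takes a full streak to earn, while a single regression drops a level and revokes the higher tier at once.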
Fifteen crates, three binaries.
Morey ships three binaries from one Rust workspace. Feature exclusion happens at compile time — the free binary literally does not contain Pro code. This is security philosophy, not just licensing.
| Crate | Purpose | Tier |
|---|---|---|
| morey-core | Shared types, traits, config | Free |
| morey-trust | Trust boundary + architectural airgap | Free |
| morey-sandbox | Filesystem guard, 2 isolation tiers (free) / 4 tiers (pro) | Free / Pro |
| morey-ipc | Unix socket IPC transport | Free |
| morey-storage | SQLite persistence, encrypted at rest | Free |
| morey-privacy | Leak detector, 20+ credential patterns (free) / full redaction pipeline (pro) | Free / Pro |
| morey-audit-scan | `morey scan` environment security (free) / `--fix` auto-remediation (pro) | Free / Pro |
| morey-events | Audit logging | Free / Pro |
| morey-conduct | Earned authority FSM, correction harvesting, batting averages | Pro |
| morey-policy | Cedar policy engine, 6 non-configurable built-in rules | Pro |
| morey-vault | Per-agent credential isolation | Pro |
| morey-frames | Decision frame capture, signed provenance | Pro |
| morey-insights | Replay, leaderboard, cost tracking, patterns, autopsy | Pro |
| morey-inference | EQoS — inference routing, determinism tier, cost ceiling | Pro |
| morey-license | Ed25519 license validation | Pro |
| morey-mindmeld | MindMeld standards injection integration | Enterprise |
| morey-fleet | Fleet governance API, cross-agent correlation | Enterprise |
| morey-compliance | Compliance reporting (OSCAL, DORA, ISO) | Enterprise |
| morey-daemon | Entry point, all modules wired | All |
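One way to get the two compile-time properties this page describes (no filesystem path for UNKNOWN-trust agents, no Pro code in the free binary) in Rust, shown as an added example that is not Morey's source. The `Session`, `Unknown` and `Verified` types and the `pro` feature name are hypothetical.

```rust
// Added illustration, not Morey's source; every name here is hypothetical.
use std::marker::PhantomData;

// Trust levels as zero-sized marker types (typestate pattern).
pub struct Unknown;
pub struct Verified;

pub struct Session<T> {
    pub agent: String,
    _trust: PhantomData<T>,
}

impl Session<Unknown> {
    pub fn connect(agent: &str) -> Self {
        Session { agent: agent.to_string(), _trust: PhantomData }
    }

    // Promotion consumes the session; `attested` stands in for a real trust decision.
    pub fn promote(self, attested: bool) -> Result<Session<Verified>, Session<Unknown>> {
        if attested { Ok(Session { agent: self.agent, _trust: PhantomData }) } else { Err(self) }
    }
}

// Filesystem access exists only on Verified sessions: calling fs_read on a
// Session<Unknown> is a compile error, not a runtime deny.
impl Session<Verified> {
    pub fn fs_read(&self, path: &str) -> std::io::Result<Vec<u8>> {
        std::fs::read(path)
    }
}

// Compiled in only when the hypothetical `pro` feature is enabled.
#[cfg(feature = "pro")]
pub fn evaluate_policy(agent: &str, action: &str) -> bool {
    !agent.is_empty() && action != "fs.write" // placeholder rule
}

// Reports which modules this particular build contains.
pub fn compiled_modules() -> Vec<&'static str> {
    let mut modules = vec!["trust", "sandbox"];
    if cfg!(feature = "pro") { modules.push("policy"); }
    modules
}

fn main() {
    let s = Session::<Unknown>::connect("agent-1");
    // s.fs_read("/etc/config"); // would not compile: Session<Unknown> has no fs_read
    println!("{}: {:?}", s.agent, compiled_modules());
}
```

Building with `rustc --cfg 'feature="pro"'` (or a Cargo feature of that name) is what adds `evaluate_policy` and the `policy` entry; the default build contains neither.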
Three commands to governed.
```
# macOS
$ brew install equilateral-ai/tap/morey

# Scan your environment first — no agent required
$ morey scan

# Start the daemon
$ morey start

# Connect your agent (Node, Python, Rust, Go, or CLI)
$ npm install @seawater_io/morey
```