Change control for AI agents touching production
Novyx predicts blast radius before agents change databases, deploys, repos, billing, or customer systems. Safe changes auto-allow, risky changes require approval, and catastrophic changes block.
20250523_add_partial_index_orders
ProposedCREATE INDEX CONCURRENTLY idx_orders_customer_idON orders (customer_id)WHERE status = 'pending';ALTER TABLE ordersADD COLUMN source text;UPDATE ordersSET source = 'migrated'WHERE created_at < '2023-01-01';Large update affects about 8.7% of orders. Consider batching or off-peak window.
ALTER TABLE ordersSET NOT NULL source;DROP INDEX CONCURRENTLY idx_orders_old;Policy outcomes for every proposed change
How the gate works
Parse the exact action
Novyx reads the real mutation the agent proposes — every statement in a migration — not a content regex or a blanket allow/deny.
Join live impact facts
Each statement is joined with live facts: is it structurally reversible, and how many rows would it actually destroy right now?
Grade the blast radius
Two axes — reversibility × live data impact — produce one verdict per statement, and the migration takes the most severe.
Explain, then record
Every verdict comes with a plain-English reason in real numbers, built to record through governed actions and a tamper-evident audit chain.
See the gate decide
Run an agent's 8-statement migration through the gate in your browser. Five additive statements pass, a DROP COLUMN over 2.3M rows needs approval, an unrecognized ALTER fails closed, and a DROP TABLE over 84M rows is blocked — each explained in real numbers. No signup required.
Review a risky migration →A verdict you can read
The gate returns one verdict for the migration, a per-statement breakdown, and an argument-aware explanation — so a human reviews three real hazards instead of rubber-stamping eight statements.
Run it yourself: cd packages/novyx-blast-radius && PYTHONPATH=. python examples/demo.py
from novyx_blast_radius import BlastRadiusAnalyzer
# probe reads live schema facts: row counts, reversibility
report = BlastRadiusAnalyzer(probe).analyze(migration_sql)
report.verdict # block
report.explanation # "...drops table audit_events_2019, which
# holds 84,000,000 rows — catastrophic..."
report.flagged # only the 3 dangerous statementsThe primitives behind the gate
Change control is the wedge. Underneath it, Novyx Core ships the primitives that make a verdict trustworthy and a mistake survivable.
Audit
A tamper-evident audit trail records what happened, when, and why — the evidence behind every verdict.
Recover
Checkpoint recovery and Replay context help teams understand and recover from bad agent changes.
Remember
Durable run context gives the gate prior decisions, incidents, and agent history when a risky change needs review.
Execute once
A reusable execute/reconciliation stage so an approved action runs exactly once, even through retries.
Let agents act. Catch the one change that shouldn't ship.
Start with one production-changing action, run it through the gate, and add approval plus audit evidence before it reaches prod.
Join our Discord