Why chat isn’t enough
A chatbot is a generator. JAK is an operator. Three things change the moment you stop chatting and start running workflows.
You ask a chatbot for help. It writes a great paragraph. Then you copy, paste, switch tabs, follow up, retry. The work doesn’t finish itself.
JAK turns one command into a multi-step plan, hands each step to the right agent, and pushes the result through to the finish.
An autonomous agent that can send email, post publicly, run code, or move money is a liability the moment it misreads context.
JAK pauses every external action behind an inline approval card that names the tool, the payload, and the file. No surprises, no replays.
You can’t hand business work to an opaque black box. You need to see who did what, when, and prove it later if a customer asks.
Every agent step lands in the cockpit timeline. Every workflow leaves a tamper-evident audit trail. Every output is replayable.
How It Works
Every JAK workflow runs the same pipeline. You see every step. You gate every risky one. You can replay every run.
You type a task in plain English. No syntax, no flags, no special prompt format.
commander.parses(intent)JAK breaks the task into ordered steps you can review before anything runs.
planner.decompose() → 4 stepsEach step goes to the right specialist agent — research, content, code, ops, design.
router.assign(task → CMO / CTO / Research)Specialists run with your connected tools — Gmail, Slack, GitHub, Notion, the browser.
worker.run() · live in cockpitAnything risky pauses for you. Inline card shows tool, payload, files, expected result.
approval.gate(payload-bound)JAK checks the work — citations, tone, safety, hallucination, payload integrity.
verifier.check() · 4-layerFinal output, signed audit trail, replayable run. Ready to ship — or reuse next time.
output.deliver() · audit.signedThe Cockpit
Your command on the left. The agent graph in the middle. The approval card and the result on the right. The audit on the bottom. One place to run, gate, and prove the work.
Your command
Research my top 3 competitors and draft a CMO-voice LinkedIn post
sent 12s ago · workflow #847
Recent runs
Agent graph · live
3/5 done · 1 running“Three things every founder should know about positioning against {Competitor A}, {B}, {C}— with one line you can copy into your next pitch…”
What JAK actually ships
Every workflow ends in something concrete — a brief, a draft, a diff, an audit pack. Approval-gated where it matters, signed where it’s required, reversible where it’s risky.
Multi-agent research across the web and your own documents. Every claim cites a source — uncited statements get flagged before delivery.
Researches your company and audience, then drafts a LinkedIn post + cold-email + follow-up sequence in your brand voice. JAK drafts; you approve. Nothing publishes or sends without your sign-off.
“Three things every founder should know about positioning against {Competitor A}, {B}, {C}…”
□ Replace {placeholders} · □ Add link · □ Approve before publishing
Crawls your site, screenshots key pages, reviews design + copy + SEO, and proposes concrete fixes that point at the exact source files in your repo.
Every workflow step lands in a tamper-evident audit log. When an enterprise asks, JAK exports a HMAC-SHA256-signed evidence bundle that verifies byte-for-byte — across SOC 2, HIPAA, and ISO 27001 controls.
Trust Layer
Six guarantees, every one wired into the runtime. Not policies. Not promises. Code paths reviewers can grep.
Every external action — send, post, deploy, charge — pauses for an inline approval card. Replays with a different payload are rejected.
approval-node.ts · payload-bound
Research-class agents must cite. The verifier flags any claim under the citation-density threshold before delivery.
verifier.agent.ts · density ≥ 0.7
Every tool carries an honest CI-enforced label: real, heuristic, llm_passthrough, config_dependent, or experimental. No tool ships unlabeled.
check:truth · 122 / 0 unclassified
Every workflow run, every approval decision, every external action emits an audit log row. Final evidence packs are HMAC-SHA256 signed.
audit-log plugin · bundle.service.ts
JAK is MIT-licensed. Run it on your laptop, your VPS, or your cluster. Hosted ops are a convenience, not a lock-in.
github.com/inbharatai/jak-swarm · MIT
OpenAI Responses API as the primary path with structured output. Anthropic, Gemini, DeepSeek, Ollama, and OpenRouter remain wired as optional fallback providers.
openai-runtime.ts · Responses API
JAK Shield
Before an agent touches your code, browser, files, email, GitHub, or business tools, JAK Shield checks permissions, scores risk, blocks unsafe actions, asks for approval where needed, and records every step in a tamper-evident evidence bundle.
Detects prompt-injection attacks and offensive-cyber requests (malware, exploits, credential theft, unauthorized scanning, phishing) BEFORE the LLM sees them. Defensive security work — audit my repo, harden auth, find CVEs — passes through.
packages/security/src/guardrails/offensive-cyber-detector.ts
Every tool call is classified across 6 risk tiers — READ_ONLY through CRITICAL_MANUAL_ONLY. Risky calls pause the workflow. Approval is bound to the exact payload via a SHA-256 hash; replays with modified payloads are rejected with HTTP 409.
packages/tools/src/registry/approval-policy.ts
Per-tenant tool registry + industry-pack restrictions + Standing Orders (allowed-tools whitelist + blocked-actions list + budget cap + expiry). REVIEWER+ role required to install or run anything destructive.
packages/tools/src/registry/tenant-tool-registry.ts
Browser sessions in per-tenant data dirs (500 MB quota), URL allowlist with cloud-metadata + RFC1918 + IPv6 link-local blocked, DNS-rebinding defense on every navigation, downloads disabled. Installer runs in a sandboxed subprocess with literal argv (never shell:true), 60s timeout, stripped env.
packages/tools/src/browser-operator/playwright-browser-operator.ts
JAK Shield supports defensive security work — repo audits, dependency scans, secret-leak detection, patch recommendations. Offensive work (writing exploits, generating malware, phishing kits) is blocked at the boundary.
docs/jak-shield-manifest.md
Every workflow lifecycle event lands in AuditLog. AgentTrace fields are PII-redacted at write time. workflows.{goal,error,finalOutput,planJson,stateJson} are AES-256-GCM encrypted at rest. Final evidence bundles are HMAC-SHA256 signed and verify byte-for-byte.
apps/api/src/services/bundle.service.ts
Safety boundary
JAK Shield is built for defensive security, safe automation, permissioned workflows, and audit-ready agent execution. It does not support offensive hacking, malware generation, credential theft, phishing, unauthorized scanning, or exploit generation. Defensive work is allowed. Offensive work is refused.
When you need audit-grade
You don’t need to think about SOC 2 on day one. Every workflow JAK runs is already tamper-evident, signed, and replayable — so when an enterprise customer asks, the evidence is already there.
182 controls seeded across three frameworks — 108 are operationally backed (evidence pulled from system activity) and 74 require reviewer attestation. LLM-driven control testing, reviewer-gated workpaper PDFs, HMAC-signed final evidence packs.
Open Audit WorkspacePricing
Run JAK free on your own infrastructure, forever. Upgrade when you want hosted OpenAI ops, higher limits, and SLA.
Run JAK on your own machine, forever.
Hosted runtime, OpenAI managed, approvals built in.
Higher limits and priority model access for teams.
SSO, audit exports, and dedicated deployment.
Run workflows with visibility, approval, and audit from day one. Open-source core. Self-hostable. OpenAI-first runtime.
Free to start · No credit card · MIT licensed · Self-host or cloud